PEBKAC (was GPG weakness)

Henry Hertz Hobbit hhhobbit at securemecca.net
Fri Jul 26 00:38:24 CEST 2013


On 07/25/2013 12:59 PM, Manu García wrote:
> Hi.
> 
> I'm not a member of this list, but have read an article that I'd like to
> share, and put into your knowledge (if you don't know it already) because I
> think it is rather important.
> In said article, about security in the Cloud you can read this:
> 
> «Michael Bailey, a computer security researcher at the University of
> Michigan, notes that the software attacked—an e-mail encryption program
> called GNUPrivacy guard—is known to leak information, and that the
> experiment wasn’t carried out inside a real commercial cloud environment.»
> 
> Source:
> http://www.technologyreview.com/news/506976/how-to-steal-data-from-your-neighbor-in-the-cloud/
> 
> I always thought that GnuPG was rather secure, but it seems that among
> experts it's a well-known weak and poor ciphering technology which no
> security experts consider seriously. At least that's the impression I get
> reading said article.
> 
> Are devs taking some measures to make GPG really secure?

PEBKAC.  I went to Herr Professor's website and there was
nothing to verify the statement.  From now on do your own
checking before asking these questions.

http://web.eecs.umich.edu/~mibailey/

Here is what most people did with Windows:

Used it out of the box as-is.  Should we turn off auto-run, the
infamous idea that made Stuxnet possible?  "Nooooooooooooooooo!"
Should we install Firefox plus NoScript?  "Noooooooooooooooooo!"
Should we stop reading POP email with email clients that render
HTML and use something like Thunderbird or another email client
that doesn't render HTML?  "Why do I want to use my dad's type
of email?  I use Outlook's web-mail most of the time anyway
doggone it!  I love those phish and make sure I click on the
links that infect my Windows system!"

http://securemecca.com/public/NoPhishProblems.txt

Let's do all of these other things wrong and when we install
GnuPG, by all means we should NOT use an OpenPGP card instead
of the files.  After all, we want the hacker to not only get
the pass-phrase with their key-logger, we want them to get
the whole darn key-ring as well.  We have to take pity on the
poor hacker and help them.  What's the fun in there not being
any files except stubs on the file system saying the keys are
really on the OpenPGP card?  Oh no, we got hacked and instead
of cleaning up the machine and making it safer and then just
changing the pass-phrase (we used an OpenPGP card) out went our
entire key-ring with our keys given a lifetime of forever
which now belongs to the hacker as well because we refused to
use an OpenPGP card.

BTW, most people now use iPhone instead.  They love Apple
tracking their every move and getting an ad to go to Joe's
Bistro because they are listed as being near the bistro based on
their iPhone giving out its geo-location information and Apple
giving that information because Joe's Bistro pays them to do
it and it is about lunch time anyway isn't it?

Finally, I have no doubt that this will be quoted as authoritative
by Wikipedia.  I have news for you.  In the olden days the
statement made at Technology Review without corroboration is
known as hearsay.  Hearsay is deemed as inadmissible in a
court of law.  Therefore, as Judge Hobbit I deem it inadmissible
in my courtroom.  Furthermore I could find no place where
Associate Professor Michael Donald Bailey at the University of
Michigan ever made such a statement.

Case Closed

Judge Henry Hertz Hobbit
Re:  Signed, sealed, and delivered
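One way to check the point above about stubs versus key files, written here as an added example that is not part of the original post or of GnuPG itself: it parses `gpg --with-colons -K` output, using field 15 of `sec`/`ssb` records as documented in GnuPG's doc/DETAILS (token serial number for a key on an OpenPGP card, `#` for a stub with no secret material, empty when the private key sits in the keyring files), and reports which secret keys would leave with a copied keyring. The sample listing, key IDs and card serial number are constructed, not taken from a real keyring.

```python
import subprocess

# Constructed sample of `gpg --with-colons -K` output (not captured from a real keyring).
# Field 15 of sec/ssb records: card serial number -> key lives on an OpenPGP card,
# '#' -> stub with no secret material anywhere, empty -> private key is in the keyring files.
SAMPLE = """\
sec:u:2048:1:0123456789ABCDEF:1374000000:::u:::scESCA:::D2760001240102000005000011220000::rsa2048:::0:
fpr:::::::::FEDCBA9876543210FEDCBA98765432100123456789ABCDEF:
uid:u::::1374000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Card User <card@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1374000000::::::e:::D2760001240102000005000011220000::rsa2048::
sec:u:4096:1:1111222233334444:1374000000:::u:::scESC:::::rsa4096:::0:
uid:u::::1374000000::0000000000000000000000000000000000000000::Disk User <disk@example.invalid>::::::::::0:
sec:u:2048:1:AAAABBBBCCCCDDDD:1374000000:::u:::scESC:::#::rsa2048:::0:
"""


def classify_secret_keys(colons_output):
    """Map each sec/ssb key ID to 'card', 'stub' or 'disk' from the --with-colons listing."""
    result = {}
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        keyid = fields[4]
        token = fields[14] if len(fields) > 14 else ""  # field 15, 1-indexed
        if token == "#":
            result[keyid] = "stub"   # gpg knows the key but has no secret material for it
        elif token:
            result[keyid] = "card"   # only a stub on disk; the private key is on token `token`
        else:
            result[keyid] = "disk"   # private key material is stored in the keyring files
    return result


def keys_on_disk(colons_output):
    """Key IDs whose private material would be lost along with a copied keyring."""
    return sorted(k for k, where in classify_secret_keys(colons_output).items() if where == "disk")


def audit_local_keyring():
    """Run the same check against the caller's own keyring (needs gpg on PATH)."""
    proc = subprocess.run(["gpg", "--batch", "--with-colons", "-K"],
                          capture_output=True, text=True, check=True)
    return keys_on_disk(proc.stdout)


if __name__ == "__main__":
    for keyid, where in classify_secret_keys(SAMPLE).items():
        print(keyid, where)
    print("private keys still on disk:", keys_on_disk(SAMPLE))
```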


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130725/668bb614/attachment-0001.sig>