Why trust gpg4win?

Werner Koch wk at gnupg.org
Mon Oct 28 18:58:11 CET 2013

On Tue, 10 Sep 2013 15:18, ndk.clanbo at gmail.com said:

>> way to connect about anything to a computer.  Emulated keyboard which
>> sends ANSI control codes to take over your box without you noticing?
> Uh? "Whithout you noticing"? For sure you know more than me, but to my
> knowledge an USB keyboard only sends key scan-codes (not ANSI sequences,
> that's why you need to set the keyboard language). And if you have an

And that key strokes may for example represent 
"<Alt-F2> ping -c1 SOMEHOST; exit" and the attacker will know the time
you inserted the USB stick.  Now start doing some real thing.

> Pete proposed to use an USB-to-Serial interface to avoid attacks against
> the USB stack on the PC. Why should an AVR be used to implement a flash
> device?

Because you wrote the USB stack and thus it is trustworthy.
Implementing a backdoor in the AVR proper to detect the use of such a
free software USB stack and subvert it would be much harder than to
implement something into a closed source USB stack.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list