Why trust gpg4win?
Robert J. Hansen
rjh at sixdemonbag.org
Mon Sep 9 23:39:06 CEST 2013
On 9/9/2013 4:52 PM, Jan wrote:
> Imagine an intact offline PC without "auto play" enabled for USB drives.

Can't.

USB is a peer protocol. There's an astonishing amount of computational
power on both sides of that USB cable. Protocol negotiation is complex.
Put it all together and you get a peer-to-peer protocol which you
*cannot* secure because (a) there are too many computational resources
available to an attacker and (b) the protocol itself is too complicated
and there are many ways a malicious token could compromise the remote
system even without autoplay installed.

Don't get me started on Firewire, which is even worse. Oh, yeah, I just
love the idea of random dongles I can plug into my machine which get
root-level read-write access to RAM *as part of normal operations*.