Why trust gpg4win?

Robert J. Hansen rjh at sixdemonbag.org
Mon Sep 9 23:39:06 CEST 2013


On 9/9/2013 4:52 PM, Jan wrote:
> Imagine an intact offline PC without "auto play" enabled for USB drives.

Can't.

USB is a peer protocol.  There's an astonishing amount of computational
power on both sides of that USB cable.  Protocol negotiation is complex.
 Put it all together and you get a peer-to-peer protocol which you
*cannot* secure because (a) there are too many computational resources
available to an attacker and (b) the protocol itself is too complicated
and there are many ways a malicious token could compromise the remote
system even without autoplay installed.

Don't get me started on Firewire, which is even worse.  Oh, yeah, I just
love the idea of random dongles I can plug into my machine which get
root-level read-write access to RAM *as part of normal operations*.




More information about the Gnupg-users mailing list