Why trust gpg4win?

Pete Stephenson pete at heypete.com
Tue Sep 10 00:29:43 CEST 2013


On Mon, Sep 9, 2013 at 11:39 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
> On 9/9/2013 4:52 PM, Jan wrote:
>> Imagine an intact offline PC without "auto play" enabled for USB drives.
>
> Can't.
>
> USB is a peer protocol.  There's an astonishing amount of computational
> power on both sides of that USB cable.  Protocol negotiation is complex.
>  Put it all together and you get a peer-to-peer protocol which you
> *cannot* secure because (a) there are too many computational resources
> available to an attacker and (b) the protocol itself is too complicated
> and there are many ways a malicious token could compromise the remote
> system even without autoplay installed.

I'm sure we've all seen serial-to-USB adapters. Now I wonder if it'd
be possible to do something in reverse: USB-to-serial.

Serial connections are pretty well-understood, well-documented, and
(hopefully) less likely/able to be an attack vector. It'd be
interesting to see if one could have a USB hub or something to which
one could connect a USB flash drive or other device, have the hub
negotiate the connection with the device, and then send serial data to
the computer where a relatively simple (and presumably
easier-to-secure) program could interpret it. Sure, speeds wouldn't be
anywhere near the same as with USB and one would have to do some
hackery to mount volumes (perhaps a USB-to-serial-to-FUSE interface
for common file systems?) but it might work for relatively small file
transfers (or for those willing to wait).

Is such a thing even possible?

-- 
Pete Stephenson
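As an added example that is not part of this thread, this is the kind of deliberately small host-side interpreter Pete describes, assuming a constructed frame format (magic, length, payload, CRC32, with a hard payload cap) that the hypothetical hub would emit over the serial link; every field is checked against fixed bounds before it is used, which is what makes such a program auditable in a way USB enumeration is not.

```python
import struct
import zlib

# Constructed frame format for the hypothetical hub-to-host serial link
# (an assumption for this example, not a real product or standard):
#   magic (2 bytes) | length (uint16, big-endian) | payload | crc32 (uint32, big-endian)
MAGIC = b"\xa5\x5a"
MAX_PAYLOAD = 512          # hard upper bound: buffers are small and fixed-size

class FrameError(ValueError):
    pass

def encode_frame(payload: bytes) -> bytes:
    """Build one frame (this is what the hub side would send)."""
    if len(payload) > MAX_PAYLOAD:
        raise FrameError("payload too large")
    body = MAGIC + struct.pack(">H", len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def decode_frames(stream: bytes):
    """Parse a byte stream into payloads; skip junk, reject bad frames.

    Returns (payloads, rejected_count). No allocation is ever sized from an
    unchecked length field, and the device gets no say in anything but the
    bytes inside a bounded, checksummed payload.
    """
    payloads, rejected, i = [], 0, 0
    while i + 8 <= len(stream):             # minimum frame: 2 + 2 + 0 + 4
        if stream[i:i + 2] != MAGIC:
            i += 1                          # resync on the next magic byte
            continue
        (length,) = struct.unpack(">H", stream[i + 2:i + 4])
        if length > MAX_PAYLOAD:            # oversized claim: drop, never trust it
            rejected += 1
            i += 2
            continue
        end = i + 4 + length + 4
        if end > len(stream):
            break                           # truncated; wait for more bytes
        body = stream[i:i + 4 + length]
        (crc,) = struct.unpack(">I", stream[i + 4 + length:end])
        if crc != zlib.crc32(body) & 0xFFFFFFFF:
            rejected += 1                   # corrupted or forged frame
            i += 2
            continue
        payloads.append(body[4:])
        i = end
    return payloads, rejected
```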