Why trust gpg4win?

Marko Randjelovic markoran at eunet.rs
Thu Sep 12 23:10:51 CEST 2013


On Thu, 12 Sep 2013 15:55:24 +0200
"Jan" <takethebus at gmx.de> wrote:
> 2.1 Most people have only one PC and Windows as operating system, so
> the Linux/Unix distribution should be installed on a USB device.
> This device must not be plugged into the PC if Windows is running, in
> order to avoid a manipulation. Further I would uninstall the network
> drivers on the USB device, so it is almost an offline PC. If the user
> receives an encrypted file via email, he saves it to hard disk. Then
> he turns off the PC, plugs in the USB drive and boots off it. He
> copies the file from the hard disk to the USB drive (this should
> cause no trouble). Only if the file is of a simple file format (jpg,
> RTF, mp3, PDF(?), etc.(?)) he accepts it and opens it with a secure
> minimalistic tool. He might even first run a program like antivirus
> software(?) in order to check whether the structure of the file
> agrees with the official definition of the stated file format.

All the time I read suggestions on using USB sticks and I must say
people are crazy about USB sticks. It is more convenient to use optical
media than a USB stick because they are read only. Boot from a Live CD,
not from a USB stick, and use the USB stick only for data. In a desktop
PC you can put two CD devices and boot the Live CD from CD1 and write
your data to CD2. You can use write-once media or rewritable media so
you do not waste too much plastic.

If you write your data to CDROM, then it is much safer to transfer
data to another PC. It is much more complicated to make a virus that
will insert itself into a CDROM than into a USB stick. Furthermore,
such action would be odd and could be blocked by security software
like SELinux.

-- 
Marko Ranđelović, B.Sc.
Software Developer
Niš, Serbia
markoran at eunet.rs

Note: If you see nonsense enclosed between the lines

BEGIN PGP SIGNATURE
END PGP SIGNATURE

then this message is digitally signed using OpenPGP compliant software.
You need an appropriate plugin for your email client or other OpenPGP
compliant software in order to verify the signature. However, the concept
of computer insecurity implies a digital signature is not absolute proof
of identity.


