Why trust gpg4win?

[Peter Lebbing]

On 13/09/13 09:19, NdK wrote:
> PS: I'll tell you a secret: there are USB keys with a "write protect"
> switch :)

Since people were concerned about hacking the USB key, you need to define the
scenario.

First of all, if we are talking about hacking through a rogue firmware update
for the USB key: is the write protect switch directly connected to the "Write
enable" line of the flash chip or is it done in the firmware? In the latter
case, it's useless. In the former case: the flash chip is reasonably
intelligent, and "closed source". There could be an exploit to write to it even
when the "Write enable" line is not asserted.

If we're talking about hacking the USB key by getting your hands on it and
physically altering it, I don't even need to explain. Although if you keep the
stick next to your offline PC, the attacker will probably not bother with the
stick ;).

So it really depends on your threat model if that switch is useful.

> And attacking your update medium is probably easier than attacking the USB 
> key.

I think in my case, the only difference is the added possibility of attacking
the package manager. I put a debian mirror on an external hard disk, connect
that to my offline PC and then update the system.

I think it would be difficult to remove the package manager from the equation,
unless you switch distro's :).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>