Robert J. Hansen
rjh at sixdemonbag.org
Mon Apr 10 05:25:06 CEST 2017
> I think this is being confounded by adjoining two conversations---that
> smartcards provide additional security given a compromised system, and
> the satirical quote you provided. I was referring in this case to the

If you send or receive sensitive communications from a compromised
endpoint, you're screwed. The smartcard will not save you. It can't.

When I hear people talk about how the smartcard will keep their keys
safe even after a system compromise, I hear that as being like a
survivalist talking about how great it is his tiny bomb shelter will
keep his seeds safe after a direct hit from a nuclear bomb. Great, I'm
very happy for you, but you're giving *terrible* advice to people who
are worried about the bomb dropping. Even encouraging them to move
somewhere that's not a high-priority target for a nuclear strike, as
impractical as that advice is, is better.

> My point is that if you base your entire threat model and practices on
> the fact that some attacker somewhere is going to succeed in a targeted
> attack against you, then you may as well give up on security period.

If your threat model includes Tier-1 actors, you're gonna get Mossaded.
You. Cannot. Win.

Therefore, any threat model that assumes you're the target of Tier-1
interest is inherently -- I'll say it again -- screwed. Once you become
a target of Tier-1 interest it's all over.

Don't come to their attention. And don't mislead newbies by making them
think they can win against Tier-1s, either.

> You seem to be suggesting that key safety isn't even a concern if you're
> compromised---that nothing else matters, and the distinction between a
> compromise as you described with or without access to the key(s) is

You seem to think that your bomb shelter surrounded by five hundred
meters of radioactive fused glass is somehow a win. After all, your
keys are safe, right?

Preserve the security of your endpoint system. Nothing else will do.