On Tue, 10 Sep 2013 15:18, ndk.cla...@gmail.com said:
way to connect about anything to a computer. Emulated keyboard which
sends ANSI control codes to take over your box without you noticing?
Uh? Without you noticing? For sure you know more than me, but to my
knowledge a USB keyboard only
On Fri, 13 Sep 2013 09:19:10 +0200
NdK ndk.cla...@gmail.com wrote:
On 12/09/2013 23:10, Marko Randjelovic wrote:
All the time I read suggestions on using USB sticks and I must say
people are crazy about USB sticks. It is more convenient to use
optical media than USB stick because
On 12/09/2013 23:10, Marko Randjelovic wrote:
All the time I read suggestions on using USB sticks and I must say
people are crazy about USB sticks. It is more convenient to use optical
media than USB stick because they are read only. Boot from Live CD, not
from USB stick and use USB
On 13/09/13 09:19, NdK wrote:
PS: I'll tell you a secret: there are USB keys with a write protect
switch :)
Since people were concerned about hacking the USB key, you need to define the
scenario.
First of all, if we are talking about hacking through a rogue firmware update
for the USB key: is
09/12/2013 22:03, NdK wrote:
You really should define your security perimeter.
09/13/2013 09:19, NdK wrote:
I can be reasonably sure nobody will hack my machine just to read my
mail. Obama can be reasonably sure that *many* attackers will try.
My security perimeter should be equal to the
On 09/10/13 21:42, Jan wrote:
10/9/2013 14:19, Werner Koch wrote :
So what about using that free USB stack for AVR's to implement a flash
device? You would be able to audit about everything; flylogic even has
these nice pictures of the ATmega88 masks...
10/9/2013 16:33, David Smith wrote:
In 09/13/2013 14:05, NdK wrote:
Some other approach might be to compare the output of several
versions of gnuPG, PGP etc.. This way you could check whether the
information was secretly decrypted with a second FBI key. This is
even possible for someone who is no programmer. Do you think
On 09/13/2013 14:05, NdK wrote:
What happens if one of your correspondents is willing to undergo the
whole procedure and he's an FBI agent?
I'd tell him confidential information, - but I did not intend to protect
me against such a threat by means of gnuPG.
If you want to
certify that your
On 13/09/2013 21:12, Jan wrote:
How can you check there isn't a weakness in RNG, for example [...]
There are statistical tests with which you can test whether a random
number generator produces for instance uniformly distributed numbers.
This in connection with the above procedure might
On 11/09/2013 11:48, Pete Stephenson wrote:
Actually, I was thinking of something that was the exact opposite:
some device (which I don't think exists) that would allow one to
connect a USB flash drive to the device, and have the device convert
that into RS232 serial data for the
To: gnupg-users@gnupg.org
Sent: Thursday, September 12, 2013 8:43 AM
Subject: Re: Why trust gpg4win?
On 11/09/2013 11:48, Pete Stephenson wrote:
Actually, I was thinking of something that was the exact opposite:
some device (which I don't think exists) that would allow one to
connect a USB flash
On 12/09/13 15:55, Jan wrote:
Do you see any reasonable attack vectors? What do you think?
The moment someone plugs in a mass storage device and we're talking about
attacking his computer, I think of a manipulated file system, exploiting an
error in the file system driver of the kernel (which
On Thu, 12 Sep 2013 15:55:24 +0200
Jan takethe...@gmx.de wrote:
2.1 Most people have only one PC and windows as operating system, so
the linux/unix distribution should be installed on an USB device.
This device must not be plugged into the PC if windows is running, in
order to avoid a
On 10/09/2013 15:18, NdK wrote:
You'd be exposed nearly to the same attack vectors. Plus some more (the
ones that handle the extra layer), so you'd have to check more code.
So what about using that free USB stack for AVR's to implement a flash
device? You would be able to audit about
On Wed, Sep 11, 2013 at 11:01 AM, Jan takethe...@gmx.de wrote:
On 10/09/2013 15:18, NdK wrote:
You'd be exposed nearly to the same attack vectors. Plus some more (the
ones that handle the extra layer), so you'd have to check more code.
So what about using that free USB stack for AVR's to
On Tue, 10 Sep 2013 09:50, ndk.cla...@gmail.com said:
First error: USB is *not* a peer protocol. It's master-slave. FireWire
is a peer protocol.
However, that is implemented by computers at both ends and the software
there may have backdoors or exploitable code which could be used for all
kind
On 10/9/2013 14:19, Werner Koch wrote :
However, [USB] is implemented by computers at both ends and the software
there may have backdoors or exploitable code which could be used for all
kind of tricks [...]
I am shocked! Why was USB constructed that insecure?!
On 10/9/2013 14:19, Werner Koch
On 09/10/13 15:16, Jan wrote:
I don't understand this, what does AVR etc. mean? Is there a substitution for
USB? I'd be grateful for an explanation.
AVR is a semiconductor manufacturer who make microcontrollers (amongst
other things).
10/9/2013 14:19, Werner Koch wrote :
So what about using that free USB stack for AVR's to implement a flash
device? You would be able to audit about everything; flylogic even has
these nice pictures of the ATmega88 masks...
10/9/2013 16:33, David Smith wrote:
AVR is a semiconductor
On 9/9/2013 4:52 PM, Jan wrote:
Imagine an intact offline PC without auto play enabled for USB drives.
Can't.
USB is a peer protocol. There's an astonishing amount of computational
power on both sides of that USB cable. Protocol negotiation is complex.
Put it all together and you get a
On 08/25/2013 07:39 AM, Larry Brower wrote:
BSD might have too high a learning curve for most ordinary people. A
custom BSD distro targeted at non-technical people would be useful here.
Perhaps one which took Security and Privacy into account as design goal.
http://www.pcbsd.org/
On 08/22/2013 11:22 AM, Jasper den Ouden wrote:
Compiling your own fixes the issue of the sources not corresponding
to binaries.
Only if you're sophisticated enough to be able to understand the
compiler itself, all of the libraries that are linked in, etc. etc. Even
in open source software
On Sat, Aug 24, 2013 at 11:14 PM, Jan takethe...@gmx.de wrote:
It seems quite easy to advise people to have an offline windows PC with
gpg4win on it and all their private stuff and a windows(?) online PC next to
it. They could transfer encrypted messages with an USB stick from one PC to
the
Hello Pete !
Pete Stephenson p...@heypete.com wrote:
The easiest and least-expensive solution to this situation is using
smartcards: http://g10code.com/p-card.html -- the private key is kept
securely on the smartcard. Any private-key operations (i.e. signing or
decrypting) are handled
- Original Message -
From: Jasper den Ouden o.jas...@gmail.com
To: gnupg-users@gnupg.org
Sent: Thursday, August 22, 2013 8:22 PM
Subject: Re: Why trust gpg4win?
As others noted, endpoints are too often insecure. Aren't computers
getting much cheaper now, as shown by say, the raspberry
On 08/24/2013 11:34 PM, mirimir wrote:
Small flash cards are cheap enough to use once and then destroy.
This doesn't resolve the problem of the device being compromised as soon
as it is plugged into a compromised system. There is a lot of malware
that will copy itself to any disk that gets
On Sun, Aug 25, 2013 at 2:33 PM, Jan takethe...@gmx.de wrote:
Can you recommend such an operating system? Your idea seems practicable and
convenient to me.
Would users have to refrain from flash videos?
I would suggest OpenBSD for that. If BSD is too exotic, then Debian Stable.
Flash is known
On 08/25/2013 08:24 AM, Josef Schneider wrote:
I would suggest OpenBSD for that. If BSD is too exotic, then Debian Stable.
Flash is known to have more security holes than one can count, so I
would stay very far away from it!
BSD might have too high a learning curve for most ordinary people. A
On 08/25/2013 02:09 PM, Larry Brower wrote:
On 08/24/2013 11:34 PM, mirimir wrote:
Small flash cards are cheap enough to use once and then destroy.
This doesn't resolve the problem of the device being compromised as soon
as it is plugged into a compromised system. There is a lot of malware
Thanks to everyone for the vivid discussion.
@HHH: Thanks for your text at
http://www.securemecca.com/public/GnuPG/TrustOfGPG4Win-2.txt
As my little discourse here should have shown to you,
Windows users as a group by and large just don't care about
securing their systems. They want a one
On 8/24/2013 5:14 PM, Jan wrote:
We will not be able to change the fact, that most people use an
insecure Windows or Mac OS, neither.
In a lot of ways, Windows 7 and beyond are much harder targets to crack
than Linux is -- Microsoft's implementation of ASLR is much stronger
than Linux's, for
On 08/25/2013 04:04 AM, Robert J. Hansen wrote:
On 8/24/2013 5:14 PM, Jan wrote:
SNIP
It seems quite easy to advise people to have an offline windows PC
with gpg4win on it and all their private stuff and a windows(?)
online PC next to it. They could transfer encrypted messages with an
USB
On 07/26/13 22:20, Johan Wevers wrote:
Yes, I know the mantra, and I'm sure that obvious backdoors are not
present because they would be found rather quickly. However, more subtle
bugs leading to decipherable messages can take more time to find. The
infamous PRNG bug in pgp 5 on Unix is a
On 23-08-2013 10:37, David Smith wrote:
Yes, I know the mantra, and I'm sure that obvious backdoors are not
present because they would be found rather quickly. However, more subtle
bugs leading to decipherable messages can take more time to find. The
infamous PRNG bug in pgp 5 on Unix is a
Hi Jan
you can try this one: http://goldbug.sourceforge.net/
which is available in version 02.
It has OpenSSL and gpg method, so additional layers of security.
Regards
2013/7/25 takethe...@gmx.de
Hi everybody,
why should I trust gpg4win? I have doubts since it was ordered by the
Bundesamt
On 08/23/2013 01:09 PM, Randolph D. wrote:
you can try this one: http://goldbug.sourceforge.net/
which is available in version 02.
It seems disingenuous to say, well, GnuPG says they have no connections
to the BSI but if you're concerned about that then try my crypto product
because I have no
The solution of course is as you urged takethe...@gmx.de , to get a
free operating system such as Linux or BSD, complete with free
build tools compile your own (even non programmers can do that,
eg on an OS downloaded from http://www.freebsd.org
Compiling your own fixes the issue of the
On 08/22/2013 06:22 PM, Jasper den Ouden wrote:
The solution of course is as you urged takethe...@gmx.de , to get a
free operating system such as Linux or BSD, complete with free
build tools compile your own (even non programmers can do that,
eg on an OS downloaded from
On Fri, Jul 26, 2013 at 12:14:08AM +0200, Julian H. Stacey wrote:
Hi, Reference:
From: atair atai...@googlemail.com
Date: Thu, 25 Jul 2013 21:17:43 +
atair wrote:
...
Therefore, changes that look like
back doors are VERY unlikely to find their way in a
Mark H. Wood wrote:
On Fri, Jul 26, 2013 at 12:14:08AM +0200, Julian H. Stacey wrote:
Hi, Reference:
From: atair atai...@googlemail.com
Date: Thu, 25 Jul 2013 21:17:43 +
atair wrote:
...
Therefore, changes that look like
back doors are VERY
Thanks to everyone for their answers.
Thanks for pointing out to me, that MS collaborates with secret services. I
searched the web and learned that Outlook.com, Skype and Skydrive are not
secure:
http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data
Further, I
On 25-07-2013 23:17, atair wrote:
This basically means, that everyone(!) can access, modify and
redistribute the source code of the program (see [2] if you're
interested). There are lots of people (usually volunteers from all
over the world) who do peer reviews on the sources (and if you start
On Jul 26, 2013, at 4:02 PM, Jan takethe...@gmx.de wrote:
Still I wonder whether there are many sources for SHA1 sums of
gpg4win, that could be used by a windows user to test the integrity
of his download (C't ?). Are the SHA1 sums of gpg4win presented on
the download site checked
Hi everybody,
why should I trust gpg4win? I have doubts since it was ordered by the
Bundesamt für Sicherheit in der Informationstechnik (BSI), which has
close connections to secret services. Is GnuPT any better? Finally, why
should I trust GnuPG? I'm a windows user.
Thanks for any answers,
On 7/25/13, takethe...@gmx.de takethe...@gmx.de wrote:
Hi everybody,
why should I trust gpg4win? I have doubts since it was ordered by the
Bundesamt für Sicherheit in der Informationstechnik (BSI), which has
close connections to secret services. Is GnuPT any better? Finally, why
should I
Hi, Reference:
From: atair atai...@googlemail.com
Date: Thu, 25 Jul 2013 21:17:43 +
atair wrote:
...
Therefore, changes that look like
back doors are VERY unlikely to find their way in a release, because
hundreds of people are looking how the software evolves and will
On 7/25/2013 3:34 PM, takethe...@gmx.de wrote:
why should I trust gpg4win?
It's been years -- 25 years or more -- since I've read Victor Milan's
The Cybernetic Samurai. I only remember one scene from the novel, but
it's a scene of such vividness that it's been permanently burned into my
brain.
On Thu 25.07.2013, 18:31:17 Robert J. Hansen wrote:
Why should you trust GPG4WIN? Beats me. That's on you.
No. That is a question that can easily be answered by the public (in both
directions) and already has been answered here. Not the why is up to him but
the final whether is. :-)
On Thu, 25 Jul 2013 21:34, takethe...@gmx.de said:
why should I trust gpg4win? I have doubts since it was ordered by the
Bundesamt für Sicherheit in der Informationstechnik (BSI), which has
close connections to secret services. Is GnuPT any better? Finally,
If you are interested in my take on
On Thu, 25 Jul 2013, takethe...@gmx.de wrote:
why should I trust gpg4win? I have doubts since it was ordered by the
Bundesamt für Sicherheit in der Informationstechnik (BSI), which has
close connections to secret services. Is GnuPT any better? Finally, why
should I trust GnuPG? I'm a windows
On 07/25/2013 07:34 PM, takethe...@gmx.de wrote:
Hi everybody,
why should I trust gpg4win? I have doubts since it was ordered by the
Bundesamt für Sicherheit in der Informationstechnik (BSI), which has
close connections to secret services. Is GnuPT any better? Finally, why
should I trust
On 7/25/2013 3:34 PM, takethe...@gmx.de wrote:
why should I trust gpg4win? I have doubts since it was ordered by the
Bundesamt für Sicherheit in der Informationstechnik (BSI), which has
close connections to secret services. Is GnuPT any better? Finally, why
should I trust GnuPG? I'm a windows
52 matches