On 7/25/2013 8:59 AM, Manu García wrote:
> I'm not a member of this list, but have read an article that I'd like
> to share, and put into your knowledge (if you don't know it already)
> because I think it is rather important.

It is not very important, to be honest, but we still thank you for bringing it here. :)

> In said article, about security in the Cloud you can read this:
>
> «Michael Bailey, a computer security researcher at the University of
> Michigan, notes that the software attacked—an e-mail encryption
> program called GNUPrivacy guard—is known to leak information, and
> that the experiment wasn’t carried out inside a real commercial cloud
> environment.»

The overwhelming majority of technology journalism is somewhere between wildly uninformed and complete bollocks. This article is one of them.

The first rule of using GnuPG -- and this is something that the GnuPG developers strongly endorse -- is that *you must control the physical hardware GnuPG is running on*. If you don't, then there is literally no end to the malfeasance an attacker can perpetrate. If you don't have physical control over the hardware, don't run GnuPG on it!

So, in light of this first rule, is it really all that surprising that GnuPG should have security problems when it's run "in the cloud" -- which means running it on hardware you don't physically control? Rule One exists for a reason. Violate Rule One and it becomes pretty easy to play hob with GnuPG. This article is all about some researchers who violated Rule One and discovered a new way to play hob. It's interesting research, but completely irrelevant to GnuPG users who are wise enough to obey Rule One. :)

> I always thought that GnuPG was rather secure, but it seems that
> among experts it's a well known weak and poor ciphering technology
> which no security experts consider seriously.

Beware of all experts. An ex is a has-been, and a spurt is a drip under pressure.

For what it does -- securing communications in transit -- GnuPG is a well-regarded piece of software which is widely used in some extremely demanding fields. I have personally seen it used by international telecommunications companies to secure tens of millions of dollars of transactions, for instance.

> At least that's the impression I get reading said article.

And this is why you should beware of all tech journalism. The overwhelming majority of it is simply awful and uninformed.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users