On 07/25/2013 12:59 PM, Manu García wrote:
> Hi.
>
> I'm not a member of this list, but have read an article that I'd like to
> share, and put into your knowledge (if you don't know it already) because I
> think is rather important.
> In said article, about security in the Cloud you can read this:
>
> «Michael Bailey, a computer security researcher at the University of
> Michigan, notes that the software attacked—an e-mail encryption program
> called GNUPrivacy guard—is known to leak information, and that the
> experiment wasn’t carried out inside a real commercial cloud environment.»
>
> Source:
> http://www.technologyreview.com/news/506976/how-to-steal-data-from-your-neighbor-in-the-cloud/
>
> I always thought that GnuPG was rather secure, but it seems that among
> experts it's a well known weak and poor ciphering technology which no
> security experts consider seriously. At least that's the impression I get
> reading said article.
>
> Are devs taking some measures to make GPG really secure?

PEBKAC. I went to Herr Professor's web-site and there was nothing to verify the statement. From now on do your own checking before asking these questions.

http://web.eecs.umich.edu/~mibailey/

Here is what most people did with Windows: Used it out of the box as-is. Should we turn off auto-run, the infamous idea that made Stuxnet possible? "Nooooooooooooooooo!" Should we install Firefox plus Noscript? "Noooooooooooooooooo!" Should we stop reading POP email with email clients that render HTML and use something like Thunderbird or another email client that doesn't render HTML? "Why do I want to use my dad's type of email? I use OutLook's web-mail most of the time anyway doggone it! I love those phish and make sure I click on the links that infect my Windows system!"

http://securemecca.com/public/NoPhishProblems.txt

Let's do all of these other things wrong and when we install GnuPG, by all means we should NOT use an OpenPGP card instead of the files. After all, we want the hacker to not only get the pass-phrase with their key-logger, we want them to get the whole darn key-ring as well. We have to take pity on the poor hacker and help them. What's the fun in there not being any files except stubs on the file system saying the keys are really on the OpenPGP card? Oh no, we got hacked and instead of cleaning up the machine and making it safer and then just changing the pass-phrase (we used an OpenPGP card) out went our entire key-ring with our keys given a life-time of forever which now belongs to the hacker as well because we refused to use an OpenPGP card.

BTW, most people now use iPhone instead. They love Apple tracking their every move and getting an ad to go to Joe's Bistro because they are listed as being near the bistro based on their iPhone giving out its geo-location information and Apple giving that information because Joe's Bistro pays them to do it and it is about lunch time anyway isn't it?

Finally, I have no doubt that this will be quoted as authoritative by Wikipedia. I have news for you. In the olden days the statement made at Technology Review without corroboration was known as hear-say. Hear-say is deemed as inadmissible in a court of law. Therefore, as Judge Hobbit I deem it inadmissible in my court-room. Furthermore I could find no place where Associate Professor Michael Donald Bailey at the University of Michigan ever made such a statement.

Case Closed

Judge Henry Hertz Hobbit

Re: Signed, sealed, and delivered

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users