On 08/22/2013 06:22 PM, Jasper den Ouden wrote:
>> The solution of course is as you urged takethe...@gmx.de , to get a
>> free operating system such as Linux or BSD, complete with free
>> build tools & compile your own (even non programmers can do that,
>> eg on an OS downloaded from http://www.freebsd.org
> Compiling your own fixes the issue of the sources not corresponding to
> binaries. (well possibly there is a hole you compile with a
> compromised binary)

That is why the binaries that are built for you are done by at least three people and they have to match (diff -b or my hexcmp spit out nothing and return 0). That was supposed to handle the possibility of poison build tools. If you are that concerned, disassemble but only programmers that have worked with assembler code will know what to do with it. That includes me but I think we are getting rarer all the time. But the code is also getting larger all the time making study of the assembler code more difficult.

If you ask me, gpg4win was ready for prime time a long time ago. I haven't finished it but here it is:

http://www.securemecca.com/public/GnuPG/
http://www.securemecca.com/public/GnuPG/TrustOfGPG4Win-2.txt

If you don't think it is a problem, three of my relatives' Windows OS computers got infected with two of them being in the last two weeks. "We like Chrome!" I like Firefox not for the browser itself but because NoScript can be slapped onto Firefox. There went over 75% of the malware threats from web-sites. The main problem after that is PEBKAC - Let me scan your machine - okay. NOT!

Since Phil Zimmermann refused to allow government back end hooks and almost went to jail for it and all kinds of efforts are made to give a product that can be trusted, then you have to look at the people. Well, reading the comments of the many people like Werner Koch, David Shaw, Robert Hansen and others reassures me. They are always concerned about the security of GPG, and GPG4Win. I don't even worry about that end because they have never said anything that raises red flags in me. Now if they said that NoScript is useless ...

My trust in GPG4Win is entirely predicated on whether the OS (this is individual) is safe enough. The NSA didn't use back end hooks to take down a hacker selling stolen credit card data. They watched and got his machine infected with their malware. They stole his key-ring, monitored his key-strokes with a logger, and then uploaded all of his files. They deciphered the files and at the right moment snagged him and dragged him off to court. Why didn't they use the back end hooks in GPG4Win? Answer - the probability for back end hooks is very low.

GPG4Win is ready if the Windows system it is used on is ready. I suspect well over 95% of the Windows OS that are being considered for slapping GPG4Win on them aren't ready for GPG4Win being installed on them. Worry about that first. GPG4Win is ready. Windows users, are you?

HHH

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
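
The three-builder match described in the message above can be checked mechanically. The following is an added example, not part of the original message and not the author's hexcmp tool; the builder labels and file paths are hypothetical, and it mirrors only the stated behaviour of returning 0 when every build is byte-identical.

```python
import hashlib
import sys
from collections import Counter
from pathlib import Path


def sha256_of(path):
    """Stream the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def first_difference(a, b):
    """Offset of the first differing byte, or None if byte-identical."""
    da, db = Path(a).read_bytes(), Path(b).read_bytes()
    for i, (x, y) in enumerate(zip(da, db)):
        if x != y:
            return i
    return None if len(da) == len(db) else min(len(da), len(db))


def compare_builds(builds, minimum=3):
    """builds maps a builder label to the path of that builder's binary.

    Returns (code, report): 0 = all match, 1 = mismatch, 2 = too few builds.
    """
    if len(builds) < minimum:
        return 2, {"error": f"need at least {minimum} independent builds"}
    digests = {name: sha256_of(path) for name, path in builds.items()}
    if len(set(digests.values())) == 1:
        return 0, {"digest": next(iter(digests.values())), "outliers": {}}
    # Any mismatch blocks the release. The most common digest is only a
    # reference point for locating the difference, not proof of a clean build.
    common = Counter(digests.values()).most_common(1)[0][0]
    ref = next(n for n, d in digests.items() if d == common)
    outliers = {n: first_difference(builds[ref], builds[n])
                for n, d in digests.items() if d != common}
    return 1, {"reference": ref, "outliers": outliers}


if __name__ == "__main__":
    # Usage (hypothetical paths): script.py alice=a.exe bob=b.exe carol=c.exe
    code, report = compare_builds(dict(arg.split("=", 1) for arg in sys.argv[1:]))
    print(report)
    sys.exit(code)
```

The reported offset is where a disassembly or hex comparison of the mismatching build would start.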