On 8/24/2013 5:14 PM, Jan wrote:
> We will not be able to change the fact that most people use an
> insecure Windows or Mac OS, either.

In a lot of ways, Windows 7 and beyond are much harder targets to crack than Linux is -- Microsoft's implementation of ASLR is much stronger than Linux's, for instance, to name just one technology that makes Windows 7 a harder target than Linux.

*No* operating system deserves the label "secure." *All* operating systems are vulnerable to more or less equal degrees. The number one factor in the security of a system is the diligence and attentiveness of the system administrator. Someone who keeps a Windows box fully patched, checks links to make sure they're not being spearphished, who only runs apps from trusted partners, etc., is going to have a much more secure operating system than someone running an OpenBSD box but who clicks on everything they come across.

> GIVEN THAT, can we provide a way of secure communication for the
> majority of the people?

No, not until/unless people are willing to pay the price for secure communication. It doesn't come for free. Give people the choice between insecure but convenient and secure but a difficult learning curve, and people will overwhelmingly choose the former. We cannot make people care. That's one of the hardest truths I've had to accept.

> It seems quite easy to advise people to have an offline windows PC
> with gpg4win on it and all their private stuff and a windows(?)
> online PC next to it. They could transfer encrypted messages with a
> USB stick from one PC to the other. I think this is a vector for an
> attacker, but how serious is this problem?

Very serious. USB tokens are great tools for propagating malware. Compromise the box that's connected to the net, and as soon as someone plugs a flash drive into it, compromise the flash drive. Bring it over to the new computer, plug in there, and bang, you've spanned the air gap. This is not a new attack: it's been known about for many years and has been demonstrated in real-world environments.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users