Il 12/09/2013 23:10, Marko Randjelovic ha scritto: > All the time I read suggestions on using USB sticks and I must say > people are crazy about USB sticks. It is more convenient to use optical > media then USB stick because they are read only. Boot from Live CD, not > from USB stick and use USB stick only for data. In a desktop PC you can > put two CD devices and boot Live CD from CD1 and write your data to > CD2. You can use write-once media or rewritable media so you do not > waste to much plastic. It's just a matter of trust (and speed). After all, you need to take the system image from "somewhere". That's probably the weakest link. Or, at least, it's the easiest to compromise.
PS: I'll tell you a secret: there are USB keys with a "write protect" switch :) > If you write your data to CDROM, then it is much more safer to transfer > data to another PC. It is much more complicated to make a virus that > will insert itself into a CDROM then into a USB stick. Furthermore, > such action would be odd and could be blocked by a security software > like SELinux. And maybe there's a buffer overflow in the ISO9660 driver that can be exploited <g>. Hey, we're talking of the most tested codepaths (unless you use some exotic filesystem)! Maybe technical solutions for a social problem aren't always the right answer? You can *never* be 100% sure. No way. You can be "reasonably sure". You can be "certifiably sure" (given that you define which kind of attacks you think you'll be exposed to and find a standard to certify against). I can be "reasonably sure" nobody will hack my machine just to read my mail. Obama can be "reasonably sure" that *many* attackers will try. So my scenario and Obama's one are "a bit" different, and require *greatly* different solutions. I can't afford the costs and inconveniences of a solution based on Obama's needs (and I'd be indeed quite stupid to try to adopt it), and he can't afford the risk of a solution tailored on mine. PPS: at least here in Italy a *completely offline machine* becomes illegal after 6 months. Law dictates that every computer where personal data is handled (and even a name and surname *is* "personal data") *must* be updated *at least* every 6 months. And attacking your update medium is probably easier than attacking the USB key. BYtE, Diego. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
