[Nottingham] gpgpwd - keeping a commandline passwords list

Paul Tew binarybod at gmail.com
Tue Jun 19 22:21:54 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 19/06/12 09:50, Mike Cardwell wrote:
> Lets just assume that Windows is insecure and stick to Linux ;) If I
> were running a Windows machine it would definitely be sat on top of
> TrueCrypt FDE.
Mike,

This is my position... If I don't assume GNU/Linux is insecure then I'm
a fool. As a computer user I feel like Margaret Thatcher et.al. after
the Brighton bombing when the IRA published the statement “You have to
be lucky all the time. We only have to be lucky once.”

At the moment GNU/Linux the best option for sure, but just because it
has open source (even if I strip it of those precompiled blobs that
enhance my user experience) doesn't mean it is secure.

I can read C and C++, it takes me time but I can read it. However, I
can't read something as dense as kernel code nor can I read every line
of every application that I want to place on my system. At some point I
have to take stuff on faith. With open source I place my trust in an
army of folks who (I hope) have my best interest at heart and who are
legion enough to read every line of source code for me and find the
malicious stuff. I don't know these people and some of them may have
malign intentions themselves, I just don't know.

On the other hand I could purchase a Windows system and place my faith
in the multitude of Microsoft employees who all have a chain of
responsibility ending at Steve Ballmer (shudder) or some other
individual. Now, Microsoft want to make money, this I understand. In
order to make money they have to be nice to me or I'll jump ship, but,
(and here's the clincher) they can use any and all devices to milk me of
any information that they then can use to extract even more revenue. So,
if I go on MSN Messenger (Oops, that would be Windows Live Messenger
now) and tell my friend that my shoes are worn out, should I be
surprised that Clarks Shoes bombard me with emails? I may be flattered
by this focused attention or on the other hand I may loath and abhor
this intrusion into what I thought was a private conversation. It is a
straight trade-off; they work hard to protect me from bad guys (and in
this they have loads of experience and an army of employees), in return
I give them some personal data which they can sell. Oh, by the way, I
also gave them some money for the OS and for the office software too.

Windows is insecure of that there is no doubt, but only probably because
it has been, and still is, the most popular operating system.
Given the number of attacks, it is probably quite robust. Don't go
thinking for one minute that GNU/Linux is any more secure. The only
reason it doesn't suffer the indignities heaped on Windows is because it
isn't used nearly so much and probably because it is the launchpad for
hackers/crackers (and you don't defecate on your own doorstep do you?).

In 7 years of forensic analysis I have examined thousands of desktop
machines and of these I can count on the fingers of my hands the number
of Linux machines I have looked at. Bear in mind that I look at all the
Linux machines that come in to our office and there are 6 analysts - it
averages out at about 1 or 2 machines every year.

Every option has a drawback, no operating system is perfect. Do I trust
Microsoft - of course not! Do I trust GNU/Linux - hmmm! I know an awful
lot about computers and stuff (not as much as most folks reading this
post I suspect) but tell you what, I'll encrypt everything anyway, turn
on the firewalls, do the occasional dip checks into process activity,
network traffic and other stuff and just try to stay alert to bad guys
wanting to steal stuff from me or do bad things to my machines for the
sheer hell of it.

Incidentally, I think the GNU/Linux option is the best one by a country
mile - it's not perfect but it is the best one.

Now, who wants to argue the point from an Apple perspective...

Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP4PsTAAoJENgvgNENpMNWlccIAJ0b1bCobBdzSzkYFevphOhd
Toi01NB/CBMwGGPnlG8x7wiZlz6zDeAH4vKE2TxuytZIZnOvBrpwbLQYP7DRiNB2
cZ/LhIF8ReLH+NdofOo0C6XVcsDlqFwgucn5E6MpUk2tkYM2qAtTcsSx5edcbLKz
ZD4lmtrqt/Wx572Ww5hJWcWlqRsffLAUi/k5WUkUN+/w5kQMSC7dhxmeMoytg2QH
SKFQpYEX1Y0h5CD/sZmSFLFkSHBU3G2pqIPT3mQCkplC4Nc/TIm7KDW9kG68d9xD
dHkmLOPDtgeI6TLSXgIceAk+Hj26lwV9bNhx/U2riUKLTu2fQoZN23ArYeH1bA4=
=fquV
-----END PGP SIGNATURE-----

More information about the Nottingham mailing list