[Nottingham] gpgpwd - keeping a commandline passwords list

Mike Cardwell nlug at lists.grepular.com
Wed Jun 20 09:01:51 UTC 2012


On 19/06/12 23:20, Paul Tew wrote:

>> Let's just assume that Windows is insecure and stick to Linux ;)
>> If I were running a Windows machine it would definitely be sat on
>> top of TrueCrypt FDE.
> Mike,
> 
> This is my position... If I don't assume GNU/Linux is insecure then
> I'm a fool. As a computer user I feel like Margaret Thatcher et al.
> after the Brighton bombing when the IRA published the statement
> “You have to be lucky all the time. We only have to be lucky
> once.”
> 
> At the moment GNU/Linux is the best option for sure, but just because
> it has open source (even if I strip it of those precompiled blobs
> that enhance my user experience) doesn't mean it is secure.

Agreed. I never stated that GNU/Linux is "secure", just that Windows
definitely isn't. I also never said anything about the open source
nature of Linux being the reason I believe it's more secure. I
discounted Windows from the discussion because we were discussing a
GNU/Linux application on a GNU/Linux mailing list. Certain Windows
apps may sync the clipboard to disk, but that's not important. What's
important is knowing whether any Linux apps do the same thing. Of course,
if you've got full disk encryption, that should solve the problem.
Assuming your encryption key isn't compromised.

> I can read C and C++, it takes me time but I can read it. However,
> I can't read something as dense as kernel code nor can I read every
> line of every application that I want to place on my system. At
> some point I have to take stuff on faith. With open source I place
> my trust in an army of folks who (I hope) have my best interest at
> heart and who are legion enough to read every line of source code
> for me and find the malicious stuff. I don't know these people and
> some of them may have malign intentions themselves, I just don't
> know.
> 
> On the other hand I could purchase a Windows system and place my
> faith in the multitude of Microsoft employees who all have a chain
> of responsibility ending at Steve Ballmer (shudder) or some other 
> individual. Now, Microsoft want to make money, this I understand.
> In order to make money they have to be nice to me or I'll jump
> ship,

I don't think history shows that Microsoft built its market share
through being nice to its users. It did it by being ruthless to its
competitors, restricting its resellers' options, buying people out, and
providing a "works ok most of the time" operating system.

> but, (and here's the clincher) they can use any and all devices to
> milk me of any information that they then can use to extract even
> more revenue. So, if I go on MSN Messenger (Oops, that would be
> Windows Live Messenger now) and tell my friend that my shoes are
> worn out, should I be surprised that Clarks Shoes bombard me with
> emails? I may be flattered by this focused attention or on the
> other hand I may loath and abhor this intrusion into what I thought
> was a private conversation. It is a straight trade-off; they work
> hard to protect me from bad guys (and in this they have loads of
> experience and an army of employees), in return I give them some
> personal data which they can sell. Oh, by the way, I also gave them
> some money for the OS and for the office software too.

I have no problem with organisations collecting and using this sort of
data in this manner. I do have a problem with organisations doing this
without asking permission from the user first though, or using
technicalities to claim that they received permission when they really
didn't. If you want to use Windows Live Messenger, use Pidgin on Linux
and encrypt your chats with OTR ;)

> Windows is insecure, of that there is no doubt, but only probably
> because it has been, and still is, the most popular operating
> system. Given the number of attacks, it is probably quite robust.
> Don't go thinking for one minute that GNU/Linux is any more secure.
> The only reason it doesn't suffer the indignities heaped on Windows
> is because it isn't used nearly so much and probably because it is
> the launchpad for hackers/crackers (and you don't defecate on your
> own doorstep do you?).

Historically Windows has been insecure because it put usability ahead
of security and has let users do stupid things. Modern Windows is
getting much much better though. Windows 7 seems to actually be pretty
decent. It will be interesting to watch Windows 8 struggle on the desktop.

I won't be happy until full disk encryption is the default, and you
have to go out of your way to disable it. I suspect that would make
your job a little bit harder though ;) Just out of interest, what
proportion of the machines you receive for analysis use full disk
encryption? How about the GNU/Linux ones?

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4