[Nottingham] gpgpwd - keeping a commandline passwords list

James Moore jmthelostpacket at googlemail.com
Wed Jun 20 18:27:45 UTC 2012


On 20/06/2012 10:03, Mike Cardwell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 19/06/12 23:20, Paul Tew wrote:
>
>>> Let's just assume that Windows is insecure and stick to Linux ;)
>>> If I were running a Windows machine it would definitely be sat on
>>> top of TrueCrypt FDE.
>> Mike,
>>
>> This is my position... If I don't assume GNU/Linux is insecure then
>> I'm a fool. As a computer user I feel like Margaret Thatcher et al.
>> after the Brighton bombing when the IRA published the statement
>> “You have to be lucky all the time. We only have to be lucky
>> once.”
>>
>> At the moment GNU/Linux is the best option for sure, but just because
>> it has open source (even if I strip it of those precompiled blobs
>> that enhance my user experience) doesn't mean it is secure.
> Agreed. I never stated that GNU/Linux is "secure", just that Windows
> definitely isn't. I also never said anything about the open source
> nature of Linux being the reason I believe it's more secure. I
> discounted Windows from the discussion because we were discussing a
> GNU/Linux application on a GNU/Linux mailing list. Certain Windows
> apps may sync the clipboard to disk, but that's not important. What's
> important is knowing if any Linux apps do the same thing? Of course,
> if you've got full disk encryption, that should solve the problem.
> Assuming your encryption key isn't compromised.
>
>> I can read C and C++, it takes me time but I can read it. However,
>> I can't read something as dense as kernel code nor can I read every
>> line of every application that I want to place on my system. At
>> some point I have to take stuff on faith. With open source I place
>> my trust in an army of folks who (I hope) have my best interest at
>> heart and who are legion enough to read every line of source code
>> for me and find the malicious stuff. I don't know these people and
>> some of them may have malign intentions themselves, I just don't
>> know.
>>
>> On the other hand I could purchase a Windows system and place my
>> faith in the multitude of Microsoft employees who all have a chain
>> of responsibility ending at Steve Ballmer (shudder) or some other
>> individual. Now, Microsoft want to make money, this I understand.
>> In order to make money they have to be nice to me or I'll jump
>> ship,
> I don't think history shows that Microsoft built its market share
> through being nice to its users. It did it by being ruthless to its
> competitors, restricting its resellers' options, buying people out, and
> providing a "works ok most of the time" operating system.
>
>> but, (and here's the clincher) they can use any and all devices to
>> milk me of any information that they then can use to extract even
>> more revenue. So, if I go on MSN Messenger (Oops, that would be
>> Windows Live Messenger now) and tell my friend that my shoes are
>> worn out, should I be surprised that Clarks Shoes bombard me with
>> emails? I may be flattered by this focused attention or on the
>> other hand I may loathe and abhor this intrusion into what I thought
>> was a private conversation. It is a straight trade-off; they work
>> hard to protect me from bad guys (and in this they have loads of
>> experience and an army of employees), in return I give them some
>> personal data which they can sell. Oh, by the way, I also gave them
>> some money for the OS and for the office software too.
> I have no problem with organisations collecting and using this sort of
> data in this manner. I do have a problem with organisations doing this
> without asking permission from the user first though, or using
> technicalities to claim that they received permission when they really
> didn't. If you want to use Windows Live Messenger, use Pidgin on Linux
> and encrypt your chats with OTR ;)
>
>> Windows is insecure, of that there is no doubt, but only probably
>> because it has been, and still is, the most popular operating
>> system. Given the number of attacks, it is probably quite robust.
>> Don't go thinking for one minute that GNU/Linux is any more secure.
>> The only reason it doesn't suffer the indignities heaped on Windows
>> is because it isn't used nearly so much and probably because it is
>> the launchpad for hackers/crackers (and you don't defecate on your
>> own doorstep do you?).
> Historically Windows has been insecure because it put usability ahead
> of security and has let users do stupid things. Modern Windows is
> getting much much better though. Windows 7 seems to actually be pretty
> decent. It will be interesting to watch Windows 8 struggle on the desktop.
>
> I won't be happy until full disk encryption is the default, and you
> have to go out of your way to disable it. I suspect that would make
> your job a little bit harder though ;) Just out of interest, what
> proportion of the machines you receive for analysis, use full disk
> encryption? How about the GNU/Linux ones?
>
>
When I worked at the shop in Radford, I must've seen thousands of
machines. Not a single one of them had *any* sort of encryption. That I
couldn't get around in two minutes*. Not even Government machines (of
which I saw and dealt with several - mostly malware jobs), which you'd
think given the decade-long furore about laptops and flash drives etc.,
being left on trains, it would be standard procedure to demand that all
such systems are fully encrypted.

*To justify: marking home folders private in Windows is easily defeated
by booting off a live Linux CD, such as Knoppix.
