Re: AW: Ok this is a stupid questions

2019-02-26 Thread vedaal via Gnupg-users


On 2/26/2019 at 10:29 AM, "Stefan Claas" wrote:

> From: vedaal via Gnupg-users
> Sent: Monday, 25 February 2019 22:09
> To: justina colmena; gnupg-users@gnupg.org
> Subject: Re: Ok this is a stupid questions
>
>> Why do you think GnuPG is useless if you check the source-code, run
>> it on hardware you trust, and a Linux variant you trust, with a
>> Chromium/Iron browser, and avoid anything google or microsoft or apple
>> or any non-FOSS product?
>
> I have learned in the past to trust nobody. Therefore I would not rely
> on people from the GnuPG ecosystem and what they say.


It depends on how realistic your threat model is.

For someone in a politically repressive regime who is being targeted,
yes, trust should be very limited, and clearly earned.

For those whose threat model is criminal hacking by individual
opportunists, there is a certain leeway.

When I first started out, I knew people who read every single line of
PGP 2.x source code, and even today, refuse to migrate to GnuPG because
they haven't the time to read all the code.

(Although some have considered that if there would be a minimalist
version, with a small enough code to read, they would definitely use
it.)

These people routinely 'airgap' their encrypting functions.

I respect it,

but there is literally no end to how paranoid one can be ...

For example, has anyone you know ever checked how the compilers
work? (Reviewed gcc's source code, and the hardware necessary to make
it run, to ensure that nothing is 'added/subtracted/altered' when it
gets to machine language? Even more difficult when it is a proprietary
compiler.)

GnuPG is offering a FOSS privacy tool.

One can scrutinize it, appreciate it, and say thank you,

or be paranoid enough to never use it,

or some other in-between balance, that's comfortable for the
individual's threat model.
The gnupg-users list can help with clearing up technical questions
and let the users decide for themselves.

vedaal

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


AW: Ok this is a stupid questions

2019-02-26 Thread Stefan Claas

> From: vedaal via Gnupg-users
> Sent: Monday, 25 February 2019 22:09
> To: justina colmena; gnupg-users@gnupg.org
> Subject: Re: Ok this is a stupid questions
>
> Why do you think GnuPG is useless if you check the source-code, run it on
> hardware you trust, and a Linux variant you trust, with a Chromium/Iron
> browser, and avoid anything google or microsoft or apple or any non-FOSS
> product?

Why do you think FOSS is more secure? Do you think that people
always check the source code, with every release of their OS updates or the
GnuPG updates? I doubt that. And how about FOSS developers? Do they regularly
check their sites if the code was exchanged and if their keys are already
compromised? The detached signatures or hashes of FOSS software are not time
stamped. Is / was FOSS, like GnuPG, ever audited by major and trustworthy
institutions, where users could read reports about their findings? Can you
always trust developers because they have many sigs on their keys but do not
sign back the signers' keys?

I have learned in the past to trust nobody. Therefore I would not rely
on people from the GnuPG ecosystem and what they say.

Last but not least don’t forget rule 41, for example, which allows the FBI to 
hack computers worldwide. And if they can hack and access computers then others 
can do so too. You also never read here best practice tips like use a second 
computer, not connected to the Internet, and GnuPG in command line mode. 
Regards
Stefan
