On Fri, 24 Nov 1995, Laszlo Vecsey wrote:
Where can one get PGP burnt into cdrom? Or the equiptment to do it
If you can wait a while, TERENA (UKERNA, SURFnet, etc) are producing a PGP CD at the start of next year ...
Would PGP on CD-ROM truely gaurantee a corrupt/virus free executable? A virus already running in memory could tamper with what it's doing, perhaps extracting the necessary keys and dumping them to a log file. This would be especially dangerous on a UNIX system where many people might be using PGP, thinking it is secure.
I think the only way to be safe is to actually boot up off of the CD-ROM, and hope that the hardware in your computer physically hasn't been tampered with :)
My original post mentioned two things, the other was to cross-compile the sources. Maybe do it on 3 different systems (e.g. Sun, HP and DEC), and compare the binaries, then burn a CD. A virus would have to be very versatile to infect multiple platforms and insert code for another. It would also be silly for a virus to just dump keys when PGP runs, it would be far easier to look for any occurance of secring.pgp, and mail it, and/or monitor when it was opened and record keystrokes. And log files must go somewhere. I don't know if I mentioned, but I keep PGP and my keys on pcmcia memory cards that aren't in the system at the same time as a network or modem card. Moreover I can also simply use the DOS version (I use linux to communicate) - It would require quite an effort to create a virus that would work and pass data across the required OS problems and not break with the twice a week kernel-level changes :). ViaCrypt also has a PCMCIA implementation of pgp, and it should be fairly easy to implement in an ASIC, or small embedded micro. That would be much harder to compromise. Of course anything so useful commercially woudl be the subject of our legal system. It takes quite an effort to create a complex virus to do this. It reminds me of the Glomar Challenger that was used to recover the remains of a russian sub (my memory is somewhat faulty). Such a virus would require a great investment in time and money. What target would be worth it? Many otherwise feasible things aren't economically pracitcal. zerucha@shell.portal.com -or- 2015509 on MCI Mail finger zerucha@jobe.portal.com for PGP key