Silk Road forums
Discussion => Security => Topic started by: IDoNotLikeProhibition on September 22, 2013, 11:31 am
-
Hey dear SilkRoaders,
do headers like "Version: GnuPG v2.0.17 (MingW32)" mean that the one I am writing to is using windows?
I see many vendors with Version Info like that and I would not feal that comfortable if my vendor is running his operation on windows.
I know that it is not showing his actual used system put it could be an indicator to see if he is taking security seriously. Or give a reason to ask before buying ;)
Thanks for your replies :)
-
Yep. Unless they are faking their version info, those are the Windows users.
-
+1 for you now that I am able to do it ;)
So in my view this should be added to one of the "secure buying" threads.
I don't know much about programming but I bet windows is saving more hidden info than other systems.
It is like the concerns I once asked myself and already read about in these forums, wether printers have internal memory and are saving print jobs or not.
As I can count many vendors with MingW32 they all will get some questioning before I trust them with my order ;D
-
Hey dear SilkRoaders,
do headers like "Version: GnuPG v2.0.17 (MingW32)" mean that the one I am writing to is using windows?
I see many vendors with Version Info like that and I would not feal that comfortable if my vendor is running his operation on windows.
I know that it is not showing his actual used system put it could be an indicator to see if he is taking security seriously. Or give a reason to ask before buying ;)
Thanks for your replies :)
The MingW32 does indicate that the key owner is using a version of Gnu Privacy Guard for Windows
Here's another one to stay away from: BCPG. The BCPG is used in the version string of PGP software which used the Java BouncyCastle crypto libraries. As I said in some previous posts:
Java based PGP/GPG implementations based on the BouncyCastle Java crypto libraries should be avoided like the proverbial plague. These versions, as a general rule, are out of date, and produce dangerously undersized PGP keys. The current standard calls for a minimum RSA PGP key size of 2048-bits; many versions using the BouncyCastle libraries (BCPG) default to 1024-bits. Some BCPG versions that _do_ make use of encryption sub-keys (and many don't) even default to encryption sub-keys as small as 512-bits. (FWIW, 512-bit RSA encryption keys were abandoned almost 20 years ago due to insecurity.)
* 1024-bit keys (RSA or DSS/Elgamal) are way too small. Even the National Institute on Standards and Technology (NIST), said that 1024-bit keys should not be used after 2010. They further stated that 1024-bit keys could continue to be used, with increased security risks, no later than the end of 2013, after which time they were not to be used at all, period. (Just in case you haven't noticed, the end of 2013 is only about 3 months away.)
* Several years back, somewhere between 2007 and 2008, a flaw was found in PGP RSA keys that were used for both signing and encryption. It was discovered that some secret key bits were being leaked, making such keys easier to break. Many BCPG versions generate such weak keys.
* Starting in the fall of 2009, both the PGP and Gnu Privacy Guard developers changed the default key formats from DSS/Elgamal to dual-RSA, and changed the default key size from 1024-bits to 2048-bits.
Anyone that finds PGP/GPG "too hard to use" and relies on such broken BCPG software because it is "easy to use" is fooling themelves -- they are trading security for ease of use.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090 (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
See how long those vendors are around for... don't see many using Windows that have been around for years to be honest. Guessing they're in jail or they have other means of keeping things secure.