#1 05-22-2015, 02:35 PM
Newer

Word of Warning - All versions of PGP are NOT created equal

The version lines that are usually shown by default in PGP keys and PGP signature blocks often reveal which OS the person is using.

PGP/GPG Version strings:

You can tell a fair bit about a user's PGP/GPG setup from their Version: string. Here are some typical examples:

Version: GnuPG v1.4.11 (GNU/Linux)

This key belongs to a Linux user.

Version: GnuPG v2.0.19 (MingW32)

This key belongs to a Windows user.

Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

This key belongs to a Mac OS X user.

Versions that should make you nervous:

Version: 9.9.0.397

This person is using the official PGP version, as published by Symantec. I've read statements by Kevin Mitnick that he no longer trusts PGP, since it was acquired by Symantec. In his post, Mitnick refers to the case of Diskreet, which, back in the early days, was an encryption package sold by Symantec. This software purported to use the full 56-bit DES cipher algorithm, which was quite strong for its day. Mitnick stated that he acquired a copy of the Diskreet source code, and discovered that the actual key was nowhere near 56 bits, but was incredibly weak. He went on to say that based on his experience, he would not trust any version of PGP published by Symantec.

His caution is only underscored by the Snowden revelations earlier this Summer, which set out the NSA's campaign of attempting to weaken or backdoor crypto.
I, for one, would not trust any closed-source crypto software published by an American company -- that goes double for companies with a history like Symantec.

To the best of my knowledge, Symantec does not publish PGP source code, and as an American company, their crypto software is now suspect.

Versions of PGP that should make you run away screaming:

Versions of PGP with these Version: strings are based on the BouncyCastle Java crypto libraries. They should be avoided like the plague.

Version: BCPG v1.45
Version: BCPG v1.47

These versions of PGP are absolutely NOTORIOUS for generating MASSIVELY UNSAFE PGP keys by default. These versions typically generate DSS/Elgamal keys with signing keys with a size of 1024 bits, and an encryption sub-key of as little as 512 bits.

512-bit keys are so unsafe, that they were being broken by hobbyists on spare hardware a dozen years ago. 1024-bit keys were deprecated by NIST more than 3 years ago.

Version: BCPG C# v1.6.1.0
Copied from SR2 forums and credit goes to OP.

This version of PGP generates by default a PGP key of 1024 bits, with NO encryption sub-key. Again, these keys are unsafe/obsolete.

Recommendations:

Any software that uses the Java BouncyCastle crypto libraries (like PortablePGP) should be avoided like the plague. These typically contain BCPG in the Version: string.

GPG4Win/Kleopatra/GPA are also deprecated -- Kleopatra generates RSA keys without an encryption sub-key. Dual RSA keys, with one RSA key for signing, and the other exclusively for encryption have been standard since the Fall of 2009.
GPA will not generate keys over 3072-bits in length.

GPG4USB or Gnu Privacy Tray (GnuPT) are recommended, as they are:

* Easy to use

* Standards compliant

GnuPT, in particular, is frequently updated. Usually, when there is a new GPG version (e.g. 1.4.15), the GnuPT developers issue an update within a day or two, reflecting the change.

Download links:

GPG4USB: http://gpg4usb.cpunk.de/index.html
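Added example, not part of the original post and not GnuPG's own code: a Python check you can run over an armored key or signature before publishing it, to see what its Version: header discloses and to remove it. The platform mapping follows the post's examples only; the function names and the sample block are constructed for illustration.

```python
import re

# Hints taken from the post's examples (illustrative mapping, not exhaustive).
HINTS = [
    (re.compile(r"\(GNU/Linux\)"), "Linux"),
    (re.compile(r"\(MingW32\)"), "Windows"),
    (re.compile(r"\(Darwin\)"), "Mac OS X"),
    (re.compile(r"^BCPG\b"), "BouncyCastle-based tool"),
    (re.compile(r"^\d+(\.\d+)+$"), "official PGP (Symantec), per the post"),
]
BEGIN = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----\s*$")

def _walk(text):
    """Yield (line, in_armor_header, block_type) for every line of text."""
    in_header, block = False, None
    for line in text.splitlines():
        m = BEGIN.match(line)
        if m:
            in_header, block = True, m.group(1)
            yield line, False, block
            continue
        if in_header and not line.strip():
            in_header = False  # the first blank line ends the armor headers
        yield line, in_header, block

def audit_armor(text):
    """Return [(block_type, version_string, disclosure)] per Version header."""
    findings = []
    for line, in_header, block in _walk(text):
        if in_header and line.startswith("Version:"):
            value = line.split(":", 1)[1].strip()
            hint = next((h for rx, h in HINTS if rx.search(value)), "unknown")
            findings.append((block, value, hint))
    return findings

def strip_version(text):
    """Drop Version headers only. Armor headers are not covered by the armor
    CRC or by any signature, so the block still verifies afterwards."""
    kept = [line for line, in_header, _ in _walk(text)
            if not (in_header and line.startswith("Version:"))]
    return "\n".join(kept) + "\n"

# Constructed sample: the body is filler, not a real key.
SAMPLE = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
          "Version: GnuPG v2.0.19 (MingW32)\n"
          "\n"
          "mQENBFconstructedSAMPLEdataNOTaREALkey\n"
          "=AbCd\n"
          "-----END PGP PUBLIC KEY BLOCK-----\n")
```

GnuPG also has a `--no-emit-version` option that leaves the header out when the armor is produced.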
#2 06-24-2017, 10:04 PM
Allow

still working?