On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote:
> A response he wrote as part of a discussion at 
> http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
> Q: "Could the NSA be intercepting downloads of open-source encryption 
> software and silently replacing these with their own versions?"
> A: (Schneier) Yes, I believe so.

This is why I've been verifying Tor downloads using
out-of-band fingerprints of the signing key.

Just because active attacks are more expensive than passive attacks
and are fundamentally detectable, don't assume they're not being
used in highly targeted cases.

If you have ever been under telco surveillance, that's enough
effort already spent to warrant slipping you some custom malware with
no added bill of materials.

The cryptography mailing list
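The check described in the reply above, as an added example that is not part of the original message: it reads the status output of `gpg --status-fd 1 --verify` and accepts a download only when the signature traces to a key whose full fingerprint matches the one obtained out of band. The function names, the user ID and all fingerprints are constructed for illustration, and a v4 key (40 hex digits) is assumed.

```python
# Added example: pin a signing key by its out-of-band fingerprint.
# Input is the machine-readable output of:
#   gpg --status-fd 1 --verify <file>.asc <file>
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Drop spaces and case so a fingerprint copied from paper compares cleanly."""
    return "".join(fpr.split()).upper()

def signed_by_pinned_key(status_output, pinned_fpr):
    """True only if gpg reported a valid signature whose primary-key
    fingerprint equals the one obtained out of band."""
    pinned = normalize(pinned_fpr)
    # Assumption: v4 key, 40 hex digits. Short key IDs are refused.
    if len(pinned) != 40 or any(c not in "0123456789ABCDEF" for c in pinned):
        raise ValueError("pin the full 40-hex-digit fingerprint, not a key ID")
    matched = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        if fields[0] in REJECT:
            return False
        # VALIDSIG carries the signing (sub)key fingerprint first and the
        # primary-key fingerprint as its tenth argument.
        if fields[0] == "VALIDSIG" and len(fields) >= 11:
            matched = matched or normalize(fields[10]) == pinned
    return matched

# Constructed sample data (not real keys): one primary key, one signing subkey,
# and an impostor key that reuses the same user ID.
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SUBKEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
IMPOSTOR = "1111222233334444555566667777888899990000"
UID = "Example Signer <signer@example.org>"

def status(signing_fpr, primary_fpr):
    return (f"[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {signing_fpr[-16:]} {UID}\n"
            f"[GNUPG:] VALIDSIG {signing_fpr} 2013-09-06 1378499112 0 4 0 1 8 00 "
            f"{primary_fpr}\n")

GENUINE = status(SUBKEY, normalize(PINNED))
SWAPPED = status(IMPOSTOR, IMPOSTOR)

if __name__ == "__main__":
    print("genuine:", signed_by_pinned_key(GENUINE, PINNED))
    print("swapped:", signed_by_pinned_key(SWAPPED, PINNED))
```

The swapped case carries a GOODSIG line and the expected user ID, so only the fingerprint comparison tells it apart from the genuine one.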
