On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote:
> A response he wrote as part of a discussion at
> http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
>
> Q: "Could the NSA be intercepting downloads of open-source encryption
> software and silently replacing these with their own versions?"
>
> A: (Schneier) Yes, I believe so.
This is why I've been verifying Tor downloads using out-of-band fingerprints of the signing key. Just because active attacks are more expensive than passive attacks and are fundamentally detectable, don't assume they're not being used in highly targeted cases. If you have ever been under telco surveillance, that's enough effort already spent to warrant slipping you some custom malware with no added bill of materials.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
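As an added example (not part of the post, and not Tor's own tooling) of the check the reply describes: a POSIX shell function that accepts a gpg signature only when the signing key's fingerprint matches a value pinned out of band, rather than trusting whatever key is in the local keyring. The pinned fingerprint, file names and status lines below are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of trusting the keyring.
# "gpg --verify" exits 0 for a good signature from ANY key it knows, so if the
# key was fetched over the same interceptable channel as the download, a plain
# verify proves nothing. Comparing against an out-of-band fingerprint closes that gap.

# Constructed placeholder (NOT the real Tor signing key). The real value comes
# from an out-of-band channel: a printed card, a trusted person, another network.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status STATUS_TEXT
# Scans gpg --status-fd output for a VALIDSIG line whose signing-key fingerprint
# (field 3) or primary-key fingerprint (field 12, present when a subkey signed)
# equals the pin. Returns 0 on match, 1 otherwise. GOODSIG lines are ignored on
# purpose: they carry only a 64-bit key id, which is easy to collide.
check_status() {
    printf '%s\n' "$1" | awk -v pin="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == toupper(pin) || toupper($12) == toupper(pin)) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_download FILE SIGFILE
# Runs gpg with machine-readable status on stdout and applies the pin check.
# Fails closed if gpg itself fails (bad signature, unknown key, corrupt file).
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    check_status "$status"
}

# Stand-alone demo on a constructed status line (no gpg needed): a signature made
# by a subkey whose primary key is the pinned one is accepted.
DEMO='[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2013-09-06 1378499112 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
if check_status "$DEMO"; then echo "pinned key signed it"; else echo "REJECT: wrong key"; fi

# Real use (file names are placeholders):
#   verify_download tor-browser.tar.xz tor-browser.tar.xz.asc && echo "OK to install"
```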