On Sat, 07 Sep 2013 09:33:28 +0100 Brian Gladman <b...@gladman.plus.com> wrote:
> On 07/09/2013 01:48, Chris Palmer wrote:
> >> Q: "Could the NSA be intercepting downloads of open-source
> >> encryption software and silently replacing these with their own
> >> versions?"
> >
> > Why would they perform the attack only for encryption software? They
> > could compromise people's laptops by spiking any popular app.
>
> Because NSA and GCHQ are much more interested in attacking
> communications in transit rather than attacking endpoints.

Except, one implication of recent revelations is that stealing keys from endpoints has been a major activity of NSA in the last decade.

I'm not going to claim that altering patches and software during download has been a major attack vector they've used for that -- I have no evidence for the contention whatsoever and besides, endpoints seem to be fairly vulnerable without such games -- but clearly attacking selected endpoints is now an NSA pastime.

Perry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography