On Sat, Sep 07, 2013 at 07:42:33PM -1000, Tim Newsham wrote:
> Jumping in to this a little late, but:
>
> > Q: "Could the NSA be intercepting downloads of open-source
> > encryption software and silently replacing these with their own versions?"
> > A: (Schneier) Yes, I believe so.
>
> perhaps, but they would risk being noticed. Some people check file hashes
> when downloading code. FreeBSD's port system even does it for you and
> I'm sure other package systems do, too. If this was going on en masse,

There is a specific unit within NSA that attempts to obtain keys not in the key cache. Obviously, package-signing secrets are extremely valuable, since they're likely to work for hardened (or so they think) targets. For convenience reasons the signing secrets are typically not secured. If something is online you don't even need physical access to obtain it.

The workaround for this is to build packages from source, especially if there's a deterministic build available so that you can check whether the published binary for public consumption is kosher, and verify signatures with information obtained out of band.

Checking key fingerprints on dead tree given in person is inconvenient, and does not give you complete trust, but it is much better than just blindly installing something from online depositories.

> it would get picked up pretty quickly... If targeted, on the other hand, it
> would work well enough...
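The two checks described in the reply above, scripted as an added example that is not part of the original thread: compare a locally built artifact with the published binary, and confirm that a fingerprint received out of band belongs to a primary key in the local keyring. It assumes the key listing is text in the format printed by `gpg --with-colons --fingerprint`; the sample key, file names and function names are constructed, and signature verification itself is left to gpg.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample in the shape of `gpg --with-colons --fingerprint` output (made-up key).
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1370000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1370000000::::Release Signing Key (constructed) <release@example.org>:
sub:-:4096:1:76543210FEDCBA98:1370000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large artifacts need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def normalize_fingerprint(text):
    """Strip spaces/colons, upper-case; reject short key IDs and non-hex."""
    fpr = "".join(text.split()).replace(":", "").upper()
    if len(fpr) < 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("not a full fingerprint: %r" % text)
    return fpr

def primary_fingerprints(listing):
    """Fingerprints of primary keys: the 'fpr' record following each 'pub'."""
    out, want = [], False
    for rec in (line.split(":") for line in listing.splitlines()):
        if rec[0] in ("pub", "sub"):
            want = rec[0] == "pub"
        elif rec[0] == "fpr" and want and len(rec) > 9:
            out.append(normalize_fingerprint(rec[9]))  # field 10 holds the fingerprint
            want = False
    return out

def check_release(local_build, published, paper_fpr, listing):
    """Return (binary_ok, key_ok) for one release."""
    binary_ok = sha256_file(local_build) == sha256_file(published)
    key_ok = normalize_fingerprint(paper_fpr) in primary_fingerprints(listing)
    return binary_ok, key_ok

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in artifacts
        mine, theirs = Path(d, "built.bin"), Path(d, "download.bin")
        mine.write_bytes(b"constructed artifact")
        theirs.write_bytes(b"constructed artifact, modified")
        paper = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
        print(check_release(mine, theirs, paper, SAMPLE_LISTING))
```

The hash comparison is only meaningful when the build is deterministic; a truncated key ID on paper is rejected rather than matched, since only the full fingerprint identifies the key.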
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography