Hannah Schroeter wrote: ... > As the talk about those "online surveillance" plans includes talk about > tailored attacks for each victim, they could investigate which OS one > uses and which ways of updating, so they could tailor their attack > vector appropriately. ...
Some of this is mitigated in that when using OpenBSD, the connections to the repositories is signed. Though, it looks like HTTP transfers are not, and there is the question of getting the initial installation packages. If the installation process (from the purchased CDs) had a list of the public keys for the official mirror sites, then that would go a long way. Having the installation process pre-load the keys into the data for the ssh, ftp and afs clients would be even fancier. -Lars
