You forgot one option.  Invite Theo to give a talk, and ask him to
bring the CDs.  If you can't trust Theo's CDs, all hope is lost.

Just need to make sure there're some mountains around for Theo to go
climb.  If you live on a flatland, then, sorry, you're doomed.


On 12/6/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote:
>
> > One risk would be the plans of "online surveillance" of computers e.g.
> > in Germany. One way to install surveillance even on OpenBSD would be to
> > actively interfere with the internet connection with the surveilled
> > person, in the man-in-the-middle sense, and inject trojanned code
> > ("Bundestrojaner") into the updates of the victim.
>
> Using software from any source without interference from an
> all-pervasive government is a very special, but unfortunately today a
> very real, issue for many people around the world.  To be secure, you
> have to get pieces of the puzzle over multiple paths.  It all can't come
> via the net since then you're open to man-in-the-middle.
>
> Key-revocation announcements could come over the net (via an announce
> list) but the new key would then have to come over a second channel.
>
> One second-channel option is the q6mth CD issue, which could include a
> new public key and e.g. known-hosts fingerprints.  This is vulnerable to
> a very determined man-in-the-middle who can replicate and then alter the
> CD before it arrives to you in the mail.
>
> Another option is a trusted courier flying to Alberta and getting a CD
> from the OpenBSD store (yeah, right).
>
> In fact, likely any other technological option (e.g. an answering
> machine in Alberta that spits out the alphanumerics of the current
> master public key) is still susceptible.
>
> If every piece of information you receive is filtered through your
> government, is there any hand-shaking protocol that can allow you to
> establish a verified information connection (not necessarily encrypted)?
> I don't think so.
>
> Sure, Debian has signed .debs that use gpg as a back end (the system is
> called apt-key), but it relies on you trusting the first key that you
> get from them.  Since Debian doesn't actually mail out its own CDs,
> everything is off its mirrors.  apt-key only 'protects' you from a later
> man-in-the-middle.
>
> I think that this is the central 'problem' that people are dancing
> around.
>
> Personally, if this thread is to continue, I would like to see it move
> from a "Why doesn't OpenBSD do things this way?" to a "What are the
> threat models for OpenBSD identity theft and how can we protect
> ourselves?".
>
> Doug.
>
>


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
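The distinction Doug draws above (a first-key-wins scheme like apt-key only catches a *later* man-in-the-middle, while a fingerprint from a second channel catches the first-contact one unless that channel is also tampered with) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Debian or from OpenBSD. It stands in a Lamport one-time signature built from SHA-256 for gpg so that it runs with the Python standard library alone, and the "update" bodies, key names and scenario labels are all constructed for the demonstration.

```python
# Added example (not from the thread, Debian or OpenBSD): a toy model of
# "trust the first key you receive" versus a fingerprint obtained over a
# second channel, under a man-in-the-middle who controls the network.
# Signatures use a Lamport one-time scheme over SHA-256 so the file runs
# with the Python standard library alone; gpg/RSA would behave the same
# for the purposes shown here.  Each key signs exactly one message.
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen():
    """Lamport key: 256 pairs of random secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Reveal one secret per digest bit.  One-time: never sign twice with sk."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))


def fingerprint(pk) -> str:
    """Short identifier a human can compare against a printed CD insert."""
    return H(b"".join(a + b for a, b in pk)).hex()


class Client:
    """An updater.  oob_fingerprint is what arrived over the second channel
    (CD insert, phone call), or None for a pure first-key-wins client."""

    def __init__(self, oob_fingerprint=None):
        self.pinned = None
        self.oob = oob_fingerprint

    def fetch(self, served):
        """served: {'pk', 'update', 'sig'} exactly as the network delivered it.
        Returns (accepted, reason)."""
        fp = fingerprint(served["pk"])
        if self.oob is not None and fp != self.oob:
            return False, "key differs from out-of-band fingerprint"
        if self.pinned is None:
            self.pinned = fp          # apt-key style: first key seen is trusted
        elif fp != self.pinned:
            return False, "key changed since first contact"
        if not verify(served["pk"], served["update"], served["sig"]):
            return False, "bad signature on update"
        return True, "update accepted"


def run_scenarios():
    """Returns {scenario: accepted?}.  Update bodies are constructed samples."""
    sk, pk = keygen()                                    # project's real key
    genuine = b"patch-001: constructed genuine update body"
    honest = {"pk": pk, "update": genuine, "sig": sign(sk, genuine)}

    ask, apk = keygen()                                  # MITM's own key
    trojan = b"patch-001: constructed trojaned update body"
    forged = {"pk": apk, "update": trojan, "sig": sign(ask, trojan)}
    # MITM who only swaps the body and cannot sign under the real key:
    tampered = {"pk": pk, "update": trojan, "sig": honest["sig"]}

    r = {}
    c = Client()                                         # TOFU, honest first contact
    r["tofu_honest_first"] = c.fetch(honest)[0]
    r["tofu_later_body_swap"] = c.fetch(tampered)[0]
    r["tofu_later_key_swap"] = c.fetch(forged)[0]

    c = Client()                                         # TOFU, MITM present from the start
    r["tofu_mitm_first"] = c.fetch(forged)[0]            # attacker's key gets pinned

    c = Client(oob_fingerprint=fingerprint(pk))          # fingerprint came on the CD
    r["oob_mitm_first"] = c.fetch(forged)[0]
    r["oob_honest"] = c.fetch(honest)[0]

    c = Client(oob_fingerprint=fingerprint(apk))         # CD altered in the mail too
    r["oob_cd_altered"] = c.fetch(forged)[0]
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {'ACCEPTED' if ok else 'rejected'}")
```

Run it and the two accepted-but-wrong rows are exactly the cases the thread is worried about: the first-key-wins client that meets the man-in-the-middle on day one, and the client whose second channel was intercepted as well. Everything else (a later body swap, a later key swap, a forged key against a genuine out-of-band fingerprint) is rejected. No amount of code in the client fixes the two bad rows; only an independent channel does.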