On Saturday, March 10, 2018 at 1:19:28 PM UTC-5, Marek Marczykowski-Górecki wrote:
> On Fri, Mar 09, 2018 at 05:12:08PM -0500, Peter Todd wrote:
> > On Fri, Mar 09, 2018 at 12:19:47PM -0800, [email protected] wrote:
> > > I was looking at the canaries, and I liked the idea of a proof of
> > > freshness with the latest news headlines. While people can't create
> > > canaries ahead of time, it is possible to conspire to modify or backdate
> > > one of them after they have been published. To prevent this, we could use
> > > a blockchain-based timestamp, where the hashes of each canary are placed
> > > within the blockchain of a powerful cryptocurrency. Something similar to
> > > these services:
> > >
> > > https://opentimestamps.org/
> > > http://originstamp.org/home
> > >
> > > This way, if there ever is an interruption of canaries, followed by a
> > > court order or something forcing you guys to backdate a falsified canary
> > > or modify old ones, we will all be able to check.
> >
> > The easiest way to do this is to simply use the OpenTimestamps (OTS) git
> > integration.
> > This blog post explains how:
> >
> > https://petertodd.org/2016/opentimestamps-git-integration
> >
> > Additionally, while not covered in that blog post, OTS also supports a mode
> > where it rehashes the git tree in such a way that an efficient,
> > SHA256-based, timestamp proof can be extracted later for each file. In the
> > next release this will be done by default, but for now you have to add the
> > --rehash-trees option where the ots-git-gpg-wrapper command is called.
> >
> > FWIW, as of this week, Bitcoin Core maintainer Wladimir J. van der Laan
> > started using OTS to timestamp Bitcoin Core commits and tags.
>
> Is there any sensible way of installing OTS client securely? There is a
> chain of dependencies which are not packaged for either Debian or
> Fedora (python-opentimestamps, bitcoinlib, pysha3, ...). And since pip
> relies only on https (so, integrity of its infrastructure), the only
> alternative is downloading sources manually, verifying its signature
> (after finding and verifying what key should really be used for that
> particular package), then installing it in /usr/local or such.
>
> And even if I'd do all that (I gave up after two iterations), then I
> need to manually track updates for all those packages. Otherwise I risk
> exposing my development environment to yet another attack vector. Well,
> by installing ots client I do that anyway, but by not updating that
> stuff, I make things easier for the attacker, because he/she could use
> publicly known, already patched vulnerabilities.
>
> I have better use for my time...
>
> I see two solutions for this problem:
> 1. Package all the dependencies for Fedora (preferred) and/or Debian.
> 2. Make a split-gpg-like integration so those possibly
> outdated/backdoored (pip install...) packages would run in separate VM
> (maybe even DispVM).
>
> I'm not sure about ots client interface, but the second approach may
> not be that hard to implement.
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

I like the second approach. A quicker method (to implement) is to pass the hash by using the JavaScript version of the opentimestamps client:

https://github.com/opentimestamps/javascript-opentimestamps

on a different computer/dispVM:

"ots-cli.js stamp -H 05c4f616a8e5310d19d938cfd769864d7f4ccdc2ca8b479b10af83564b097af9"

That way you don't even need to give the vm access to your files.
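
The split suggested in the reply above, as an added example that is not part of the original thread or of the OpenTimestamps project: the trusted VM only computes a SHA-256 digest, and the stamping VM accepts nothing but 64 hex characters before calling the client. The function names and the `OTS_CLI` variable are hypothetical, and how the digest is carried between VMs is left out.

```shell
#!/bin/sh
# Added example (assumptions: sha256sum is available; ots-cli.js is on PATH
# in the stamping VM; OTS_CLI is a hypothetical override used for dry runs).

# Trusted VM: print the SHA-256 of a file as 64 lowercase hex characters.
# Reading from stdin keeps the file name out of sha256sum's output.
canary_digest() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Stamping VM: the digest arrives from another VM, so treat it as untrusted
# input and accept exactly 64 hex characters, nothing else.
is_sha256_hex() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Stamping VM: run the client on a validated digest only. The file itself
# never enters this VM; only the digest does.
stamp_digest() {
    if ! is_sha256_hex "$1"; then
        echo "rejected: not a SHA-256 hex digest" >&2
        return 1
    fi
    "${OTS_CLI:-ots-cli.js}" stamp -H "$1"
}

# Stand-alone use in the trusted VM: print the digest of the given file.
if [ "$#" -eq 1 ]; then
    canary_digest "$1"
fi
```

Setting `OTS_CLI=echo` prints the arguments that would be passed instead of contacting any calendar server.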
