I loved the article and especially the part about digital signature verifications. What sense does it make to download the TOR Browser Bundle and not verify the download against the pgp/gpg signature they provide? I would go so far as to call it irresponsible!
Irresponsible perhaps but also all too human. I get weary that people's valuable time is being wasted by the loss of trust and irresponsibility of governments - because the main threat for this stuff is your favorite 5-eye. I suppose the repository system in Linux is a good feature from that point of view, and that's very reliant on contributors. Who knows what might have been popped into some driver or other. How often do people actually compile stuff from source? I suspect its rare - I don't often do it, and I've been compiling stuff from way back, and even there it can be hard to make repeatable (so you get the same checksum). The other thing that bothers me at the moment is that we cannot even rely on the checksums and code-signing certificates, after the revelations about Realtek, Jmicron etc. It's really scary that most retail motherboards have Realtek nics, and I can't really trust the driver code. I have also been wondering whether there might be scope for an EFF monitoring tool, which reported back on the checksums of downloaded file URLs. This would pick up cases where MITM had been used, unless it had universally been used! Perhaps AV vendors would also be in a very good position to be doing this.
Saw that article last night. It seemed a little silly. If you're sophisticated enough to do all the things this guy does to verify digital signatures for software, why doesn't he just use Linux? Packages in the repos for modern Linux distros are all signed and the signature is automatically checked by the package manager on your system. This has been around in Linux for a long time. Super easy way to accomplish the same thing and it works for everything on your system, not just the software for which you can find signatures. I get that not everyone is going to use Linux, but this guy (given his computer savvy and level of concern about security) seems like a prime candidate. And in the end he'll have a much more secure system than whatever fussing around with Windows he does.
It is definitely an endorsement of the repository/package management system of software distribution.
I share your concerns in so many ways. I am especially wary of TOR downloads because its the supporting beam for my internet activity. Hours every single day! Takes less then a minute to confirm a clean download. Seconds in fact.
