PSA: Your crypto apps are useless unless you check them for backdoors

Discussion in 'privacy technology' started by lotuseclat79, Feb 5, 2015.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I loved the article and especially the part about digital signature verifications. What sense does it make to download the TOR Browser Bundle and not verify the download against the pgp/gpg signature they provide? I would go so far as to call it irresponsible!
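The verification step the post describes, as an added example that is not part of this thread and not the Tor Project's own tooling: a POSIX shell function that checks a download against its detached `.asc` signature and also pins the publisher's key fingerprint. The pinning matters because `gpg --verify` reports a good signature for any key in the local keyring. It assumes GnuPG 2.1 or later is installed; the file name `bundle.tar.xz`, the key `signer@example.invalid` and the payload used in `self_test` are constructed for the demonstration, and the real publisher fingerprint is something you obtain out of band and pass in yourself.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded archive against
# its detached PGP signature and pin the signing key's fingerprint.
# "gpg --verify" alone says "Good signature" for ANY key in the keyring, so
# without the fingerprint check an attacker-supplied key would pass.
# Requires GnuPG 2.1 or later.
#
# Usage: verify_download FILE FILE.asc EXPECTED_FINGERPRINT
#   EXPECTED_FINGERPRINT: the publisher's 40-hex-digit key fingerprint,
#   upper case, no spaces, obtained out of band (not only from the same
#   site that served the download). The real Tor Project fingerprint is
#   deliberately not hard-coded here; self_test uses a throwaway key.
# Exit status: 0 = good signature from the expected key,
#              1 = bad or missing signature,
#              2 = good signature but from a different key.
verify_download() {
    file="$1"; sig="$2"; expected="$3"
    # --status-fd 1 puts machine-readable lines on stdout. The VALIDSIG
    # line carries the signing (sub)key fingerprint in field 3 and the
    # primary key fingerprint in its last field; accept a match on either.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    valid=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3 " " $NF; exit }')
    [ -n "$valid" ] || return 1
    case " $valid " in
        *" $expected "*) return 0 ;;
    esac
    return 2
}

# self_test: build a throwaway key in a temporary GNUPGHOME, sign a
# constructed file, then exercise verify_download on (a) the intact file,
# (b) the intact file with a wrong expected fingerprint and (c) a tampered
# copy. Returns 0 only if all three outcomes are as intended. Prints nothing.
self_test() {
    tmp=$(mktemp -d) || return 1
    GNUPGHOME="$tmp"; export GNUPGHOME
    chmod 700 "$tmp"
    gpg --batch --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Example Signer <signer@example.invalid>' default default never \
        >/dev/null 2>&1 || return 1
    fpr=$(gpg --batch --with-colons --fingerprint signer@example.invalid 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    # constructed payload standing in for a downloaded archive
    printf 'constructed sample payload\n' > "$tmp/bundle.tar.xz"
    gpg --batch --armor --detach-sign --output "$tmp/bundle.tar.xz.asc" \
        "$tmp/bundle.tar.xz" >/dev/null 2>&1 || return 1

    # (a) intact file, correct fingerprint: must succeed
    verify_download "$tmp/bundle.tar.xz" "$tmp/bundle.tar.xz.asc" "$fpr" || return 1

    # (b) intact file, wrong fingerprint: signature is good but key is not ours
    rc=0
    verify_download "$tmp/bundle.tar.xz" "$tmp/bundle.tar.xz.asc" \
        0000000000000000000000000000000000000000 || rc=$?
    [ "$rc" -eq 2 ] || return 1

    # (c) tampered file: a single appended byte must break the signature
    printf 'X' >> "$tmp/bundle.tar.xz"
    rc=0
    verify_download "$tmp/bundle.tar.xz" "$tmp/bundle.tar.xz.asc" "$fpr" || rc=$?
    [ "$rc" -eq 1 ] || return 1

    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$tmp"
    return 0
}
```

In day-to-day use the call is simply `verify_download tor-browser.tar.xz tor-browser.tar.xz.asc <fingerprint>` after importing the publisher's key; the point of returning a distinct status for "good signature, wrong key" is that it is the case a bare `gpg --verify` habit silently accepts.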
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Irresponsible perhaps but also all too human. I get weary that people's valuable time is being wasted by the loss of trust and irresponsibility of governments - because the main threat for this stuff is your favorite 5-eye. I suppose the repository system in Linux is a good feature from that point of view, and that's very reliant on contributors. Who knows what might have been popped into some driver or other.

    How often do people actually compile stuff from source? I suspect it's rare - I don't often do it, and I've been compiling stuff from way back, and even there it can be hard to make repeatable (so you get the same checksum).

    The other thing that bothers me at the moment is that we cannot even rely on the checksums and code-signing certificates, after the revelations about Realtek, JMicron etc. It's really scary that most retail motherboards have Realtek NICs, and I can't really trust the driver code.

    I have also been wondering whether there might be scope for an EFF monitoring tool, which reported back on the checksums of downloaded file URLs. This would pick up cases where MITM had been used, unless it had universally been used! Perhaps AV vendors would also be in a very good position to be doing this.
     
  4. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Saw that article last night. It seemed a little silly.

    If you're sophisticated enough to do all the things this guy does to verify digital signatures for software, why doesn't he just use Linux? Packages in the repos for modern Linux distros are all signed and the signature is automatically checked by the package manager on your system. This has been around in Linux for a long time. Super easy way to accomplish the same thing and it works for everything on your system, not just the software for which you can find signatures.

    I get that not everyone is going to use Linux, but this guy (given his computer savvy and level of concern about security) seems like a prime candidate. And in the end he'll have a much more secure system than whatever fussing around with Windows he does.
     
  5. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    It is definitely an endorsement of the repository/package management system of software distribution.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594

    I share your concerns in so many ways. I am especially wary of TOR downloads because it's the supporting beam for my internet activity. Hours every single day! Takes less than a minute to confirm a clean download. Seconds in fact.
     