[146686] in cryptography@c2.net mail archive


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

daemon@ATHENA.MIT.EDU (Eugen Leitl)
Fri Sep 6 17:14:55 2013

X-Original-To: cryptography@metzdowd.com
Date: Fri, 6 Sep 2013 23:00:20 +0200
From: Eugen Leitl <eugen@leitl.org>
To: cryptography@metzdowd.com
In-Reply-To: <00E0407E-0BB6-491B-8DA1-34DFDDBA757F@lrw.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote:
> A response he wrote as part of a discussion at http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
> 
> Q: "Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions?"
> 
> A: (Schneier) Yes, I believe so.

This is why I've been verifying Tor downloads using
out-of-band fingerprints of the signing key.

Just because active attacks are more expensive than passive attacks
and are fundamentally detectable, don't assume they're not being
used in highly targeted cases.

If you have ever been under telco surveillance, that's enough
effort already spent to warrant slipping you some custom malware with
no added bill of materials.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
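The check described in the message above, as an added example that is not part of the original post or of any project's tooling: it accepts a download only when GnuPG's machine-readable status output reports a good signature whose primary-key fingerprint equals one obtained out of band. The function names, the sample status lines and the fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --status-fd 1 --verify` output (all values made up).
sample_status() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-09-06 1378500000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Normalise a fingerprint as people write it down: drop spaces/colons, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# check_status PINNED_FPR   (reads gpg status lines on stdin)
# Returns 0 only if the signature is good and was made under the pinned
# primary key; 1 on mismatch or bad signature; 2 if the pin is unusable.
check_status() {
    pinned=$(norm_fpr "$1")
    # Insist on a full 40-hex-digit fingerprint: short key IDs can collide.
    case "$pinned" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#pinned}" -eq 40 ] || return 2
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint (the signature may come
            # from a subkey); fall back to the signing key if it is absent.
            got = (NF >= 12) ? $12 : $3
            if (toupper(got) == want) ok = 1
        }
        END { exit ((ok && good && !bad) ? 0 : 1) }'
}

# verify_download FILE SIGFILE PINNED_FPR
# The pinned fingerprint must come from a channel other than the download site.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}
```

Comparing the fingerprint from the `VALIDSIG` line, rather than trusting a bare "Good signature" message, is what ties the result to the out-of-band value: a substituted key in the local keyring would still produce a good signature, but not the pinned fingerprint.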
