[146692] in cryptography@c2.net mail archive


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

daemon@ATHENA.MIT.EDU (Lodewijk andré de l)
Fri Sep 6 20:12:55 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20130906210020.GV29404@leitl.org>
From: Lodewijk andré de la porte <l@odewijk.nl>
Date: Sat, 7 Sep 2013 01:41:47 +0200
To: Eugen Leitl <eugen@leitl.org>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


That they have the capacity doesn't mean they ever actually did it;
Schneier's comment is conservative. It is obviously within their (legal)
capacity to change anything going across US and INTNET cables and to forge
some families of signatures.


2013/9/6 Eugen Leitl <eugen@leitl.org>

> On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote:
> > A response he wrote as part of a discussion at
> > http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
> >
> > Q: "Could the NSA be intercepting downloads of open-source encryption
> > software and silently replacing these with their own versions?"
> >
> > A: (Schneier) Yes, I believe so.
>
> This is why I've been verifying Tor downloads using
> out-of-band fingerprints of the signing key.
>
> Just because active attacks are more expensive than passive attacks
> and are fundamentally detectable, don't assume they're not being
> used in highly targeted cases.
>
> If you have ever been under telco surveillance, that's enough
> effort already spent to warrant slipping you some custom malware with
> no added bill of materials.
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>
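
One way to implement the check Eugen describes, as an added example that is not part of the thread: a detached signature is only accepted if gpg reports a good signature from a key whose fingerprint equals one confirmed through a separate channel, so a key substituted in-band alongside the download is rejected. It assumes gpg is installed and that the placeholder PINNED_FPR is replaced with the out-of-band fingerprint; the status-parsing helper can be exercised on its own with constructed gpg status output.

```shell
# Added example, not code from the thread. PINNED_FPR is a placeholder:
# replace it with the fingerprint obtained out of band (phone, in person,
# printed at a conference), never with one fetched from the download site.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read gpg --status-fd output on stdin and succeed only if a VALIDSIG line
# names the pinned fingerprint (as signing subkey or primary key). Any
# BADSIG, ERRSIG or NO_PUBKEY line fails immediately. $1 is the pinned
# fingerprint; spaces and lowercase hex are normalised before comparing.
status_matches_pinned() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG fields: 3 = signing key fpr, 12 = primary key fpr
                set -- $line
                if [ "$3" = "$pinned" ] || [ "${12}" = "$pinned" ]; then
                    found=1
                fi ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Verify FILE against detached signature SIG using only the keys in KEYRING,
# then require the signer to match PINNED_FPR. Returns 0 on success.
verify_download() {
    file=$1; sig=$2; keyring=$3
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
        --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    printf '%s\n' "$status" | status_matches_pinned "$PINNED_FPR"
}
```

A GOODSIG line alone is not enough: it proves the signature checks against some key in the keyring, and the fingerprint comparison is what ties that key to the one you verified independently.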

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
