[146810] in cryptography@c2.net mail archive
Re: [Cryptography] MITM source patching [was Schneier got spooked]
daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Sun Sep  8 11:52:13 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAGSRWbiPzxFccKhjSS4mNSwMDuwcfNxHiD0RiM-nh3TnigNEFg@mail.gmail.com>
Date: Sun, 8 Sep 2013 08:28:27 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tim Newsham <tim.newsham@gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Sun, Sep 8, 2013 at 1:42 AM, Tim Newsham <tim.newsham@gmail.com> wrote:
> Jumping in to this a little late, but:
>
> >  Q: "Could the NSA be intercepting downloads of open-source
> > encryption software and silently replacing these with their own
> versions?"
> >  A: (Schneier) Yes, I believe so.
>
> perhaps, but they would risk being noticed. Some people check file hashes
> when downloading code. FreeBSD's port system even does it for you and
> I'm sure other package systems do, too.   If this was going on en masse,
> it would get picked up pretty quickly...  If targeted, on the other hand,
> it would work well enough...
>
But is the source compromised in the archive?
I think we need a different approach to source code management. Get rid of
user authentication completely; passwords and SSH are both a fragile
approach. Instead every code update to the repository should be signed and
recorded in an append-only log, and the log should be public and enable any
party to audit the set of updates at any time.
This would be 'Code Transparency'.
The problem is we would need to modify GIT to implement it.
-- 
Website: http://hallambaker.com/
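The 'Code Transparency' log sketched in the message above, as an added example that is not part of the original post and not code from any real project: each code update is identified by its content hash, chained to the previous entry, and signed by a developer key; an auditor needs no account on the server, only the public log and the set of authorised author keys. Ed25519 signatures, a SHA-256 hash chain, and an explicit allow-list of author keys are my choices here, not something the message specifies, and the sample "commits" are constructed strings standing in for real updates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one record in the public append-only log: the hash of a code
// update (a commit or patch), chained to the previous entry and signed by
// the developer's key. Assumed format; the original post names none.
type Entry struct {
	Index     uint64
	Prev      [32]byte // Hash() of the previous entry; all zero for the first
	Update    [32]byte // sha256 of the update content
	Author    ed25519.PublicKey
	Signature []byte // ed25519 over SignedBytes()
}

// SignedBytes is the canonical encoding the author signs: index, previous
// hash, update hash and author key, so a signature cannot be replayed at a
// different position in the log.
func (e *Entry) SignedBytes() []byte {
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], e.Index)
	b := append([]byte{}, idx[:]...)
	b = append(b, e.Prev[:]...)
	b = append(b, e.Update[:]...)
	b = append(b, e.Author...)
	return b
}

// Hash binds the whole entry, signature included, so the next entry's Prev
// commits to it and any later rewrite breaks every entry that follows.
func (e *Entry) Hash() [32]byte {
	return sha256.Sum256(append(e.SignedBytes(), e.Signature...))
}

// Log is the append-only log plus the keys allowed to append to it.
type Log struct {
	Entries []Entry
	allowed map[string]bool // hex(public key) -> authorised
}

func NewLog(authors ...ed25519.PublicKey) *Log {
	l := &Log{allowed: map[string]bool{}}
	for _, k := range authors {
		l.allowed[hex.EncodeToString(k)] = true
	}
	return l
}

// Head returns the hash of the last entry (zero for an empty log).
func (l *Log) Head() [32]byte {
	if len(l.Entries) == 0 {
		return [32]byte{}
	}
	return l.Entries[len(l.Entries)-1].Hash()
}

// Append records a new update signed with priv. Existing entries are never
// rewritten; the only operation on the log is adding to its end.
func (l *Log) Append(update []byte, priv ed25519.PrivateKey) (Entry, error) {
	pub := priv.Public().(ed25519.PublicKey)
	if !l.allowed[hex.EncodeToString(pub)] {
		return Entry{}, errors.New("append: key is not an authorised author")
	}
	e := Entry{
		Index:  uint64(len(l.Entries)),
		Prev:   l.Head(),
		Update: sha256.Sum256(update),
		Author: pub,
	}
	e.Signature = ed25519.Sign(priv, e.SignedBytes())
	l.Entries = append(l.Entries, e)
	return e, nil
}

// Audit is what any third party can run over the published log: every
// entry must sit at its index, chain to its predecessor, come from an
// authorised key and carry a valid signature.
func (l *Log) Audit() error {
	var prev [32]byte
	for i, e := range l.Entries {
		if e.Index != uint64(i) {
			return fmt.Errorf("entry %d: index %d out of order", i, e.Index)
		}
		if e.Prev != prev {
			return fmt.Errorf("entry %d: chain broken (prev hash mismatch)", i)
		}
		if !l.allowed[hex.EncodeToString(e.Author)] {
			return fmt.Errorf("entry %d: author key not authorised", i)
		}
		if !ed25519.Verify(e.Author, e.SignedBytes(), e.Signature) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.Hash()
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l := NewLog(pub)
	l.Append([]byte("commit 1: fix length check"), priv) // constructed sample
	l.Append([]byte("commit 2: add regression test"), priv)
	fmt.Println("audit of honest log:", l.Audit())
	// An archive compromise that swaps an update's content is caught.
	l.Entries[0].Update = sha256.Sum256([]byte("commit 1: backdoored"))
	fmt.Println("audit after tampering:", l.Audit())
}
```

Two properties matter for the threat in the thread. A swapped update without a valid signature fails immediately; a swapped update re-signed with a stolen author key still fails at the next entry, because every later Prev commits to the old hash, so the attacker would have to rewrite and re-sign the whole tail of a log that others have already copied. What the log cannot tell you is whether a legitimately signed update is itself malicious; it makes such an update public and attributable, which is the point of the proposal, not a substitute for review.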
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography