"Enos D'Andrea" <temp4282138...@edlabs.it> wrote:
> On 14/01/2015 12:24, Stefan Sperling wrote:
>
> > Bootstrapping trust is always going to be hard no matter what we do
> > and how hard we try. [...] Now the answer has become "buy a CD
> > and cross-check it with signify" and it's still not enough. [...]
>
> <paranoia>
>
> "Buying a CD" in my case includes a 5.000 mile trip through multiple
> "five-eyes" nations, whose overzealous three letter agencies officially
> intercept physical shipments to install backdoors and hardware implants.
>
> "Cross-checking" of OpenBSD commercial CD sets at present can only be
> partial, as no official full checksums seem to be provided. Even
> cross-checking *all* files referenced by the ISO filesystem would still
> allow a malicious boot sector to directly reference unallocated space.
>
> Let's call a spade a spade: the worst-case scenario is an APT
> intercepting the shipment of a commercial CD set, substituting one or more
> CDs and repackaging it. Extremely unlikely for the average person,
> not-so-much for IT security consultants with important clients.
>
> </paranoia>
>
> Regards
>
> --
> Enos D'Andrea
Where have you heard that? Intercepting physical mail secretly is really hard, especially if you don't want the post office to know about it. Think of everyone who would need to know. Anyone who doesn't know would be trying to get the package correctly delivered. Best case you plant somebody (multiple people; imagine if your plant was assigned to something else on the critical day) in the destination post office. It's extremely unlikely for anyone.

Travel to Canada and receive it there. Oh wait, Canada is really friendly with all the governments you're scared of. Hopefully you don't live in one of these nations. Why are you not scared of your own government? They pose the greatest threat to your liberty. And since this software is developed out of Canada, how do you know it can be trusted to begin with? Why do you trust Theo exactly? He seems like a nice guy, and he's done a very good job with OpenBSD, but you don't know him. If he were a secret agent, that would be exactly what he'd want you to think.

No, you trust Theo and OpenBSD because you have no better option. Don't pretend you increase your security by proving the software came from a source you can't prove is trustworthy. You'd do better to audit the source.

Security is about pushing attacks out of your attackers' ability or price range. If your attackers' ability and price range are greater than what you're willing to expend on security, you're compromised. Are you willing to go to the effort that defending against your outlined attack requires? Probably not. Unless you're very very important, you eliminate the possibility of a distribution attack by getting signify keys of CDs.

-- Martin
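Enos's point that checking every file the filesystem references still leaves the boot sector and unallocated space unverified, versus Martin's advice to rely on a signify-signed digest, can be shown on a constructed toy image. This is an added illustration, not code from the thread or from OpenBSD; the image layout (a 64-byte boot region, a file table of offsets, then file payloads and slack) is made up for the demonstration and is not ISO 9660.

```python
import hashlib

# Constructed toy "disc image" layout (not ISO 9660): a 64-byte boot region,
# then file payloads back to back, then unallocated slack at the end.
BOOT_REGION = 64


def build_image(boot: bytes, files: dict, slack: bytes) -> tuple[bytes, list]:
    """Lay out boot region, files and slack; return the image and its table.

    The table holds (name, offset, length) and is what a per-file check sees.
    """
    assert len(boot) <= BOOT_REGION
    image = bytearray(boot.ljust(BOOT_REGION, b"\0"))
    table = []
    for name, data in files.items():
        table.append((name, len(image), len(data)))
        image += data
    image += slack  # referenced by no table entry, hence "unallocated"
    return bytes(image), table


def per_file_digests(image: bytes, table: list) -> dict:
    """Cross-checking *all* files referenced by the filesystem."""
    return {name: hashlib.sha256(image[off:off + ln]).hexdigest()
            for name, off, ln in table}


def image_digest(image: bytes) -> str:
    """Whole-image digest, as a signify-signed checksum list would carry."""
    return hashlib.sha256(image).hexdigest()


def compare(reference: tuple, candidate: tuple) -> dict:
    """Report whether the two verification strategies accept the candidate."""
    ref_img, ref_tab = reference
    cand_img, cand_tab = candidate
    return {
        "files_match": per_file_digests(ref_img, ref_tab)
        == per_file_digests(cand_img, cand_tab),
        "image_matches": image_digest(ref_img) == image_digest(cand_img),
    }


def verification_gap() -> dict:
    """Same files, different boot region and slack: only the image digest differs."""
    files = {"bsd": b"constructed kernel bytes", "base.tgz": b"constructed set"}
    reference = build_image(b"BOOT-v1", files, b"\0" * 32)
    candidate = build_image(b"BOOT-v2", files, b"\x90" * 32)
    return compare(reference, candidate)
```

`verification_gap()` returns `files_match` true and `image_matches` false, which is the gap the thread describes: only a digest over the whole image, verified against a signed checksum, covers the regions no file references.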