[liberationtech] secure download tool - doesn't exist?!?

Eleanor Saitta ella at dymaxion.org
Mon Jul 1 19:21:23 PDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2013.07.01 17.28, adrelanos wrote:
> Eleanor Saitta:
>> On 2013.07.01 15.15, Julian Oliver wrote:
>>> ..on Mon, Jul 01, 2013 at 06:03:01PM +0000, adrelanos wrote:
>>>> In response to "the tool doesn't exist"...
>> 
>>> apt-get install tor && torify wget http://path.to/file
>> 
>> And how did you verify the trust path for your initial debian
>> install?
> 
> That's a different issue to be discussed and solved separately.

No, it really isn't.  Either you have a trustable chain or you don't.

Now, admitting that you have no trustable chain is fine; it means
you're looking at outcomes and scope of compromise required to affect
a single user, etc., because that's all that you've got left.  In
fact, it's useful to start thinking this way, because then, while
chain of custody in the download process is still important, you start
thinking about detection of interference rather than assuming that
your house-of-cards updater will always work.  Which it won't, no
matter how good it is, if for no other reason than that it will have
bugs which someone will eventually exploit.

E.

- -- 
Ideas are my favorite toys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlHSOSMACgkQQwkE2RkM0wqFdAEAje76I5CbHdDQ+HtBB2b2b5Eg
iXspCoeAQ0t0eda0fL0A+wT2eaCEyXRlqLFAp8UW9f6Y6m8hqddR3yAvST+ACuNV
=gqUf
-----END PGP SIGNATURE-----


