
Re: Have I caught a firmware attack in the act? Or am I just paranoid?

Read only switches are a security feature because you can read the content without the fear that it may be altered.[...] The read-only switch makes it as safe as a read only burnt dvd.

The physical read-only switch on SD cards isn't: it's enforced at software level, not hardware level.

That is only half of the truth. If you have an SD card to USB adapter, the adapter is responsible for doing the check, and the adapter is hardware. If you mean that the SD card itself enforces the check, then this is of course not the case.


Downloads can be and often are impersonated if you do not use Tor, so that you will be shipped the malwared packages for comparison instead of the original ones.

apt (by default) won't install packages with a bad signature: are you claiming to have seen fake packages _with a valid signature_, or are you referring to downloads of something other than Debian packages?

(I haven't read your links: as I don't have proof of who you are, doing so would itself be a security risk.)

GPG signatures of packages are the least trustworthy since the NSA has a private-key-stealing programme. Never trust a signature as long as you do not know about the key handling policy, and to be safe the key handling policy needs to be enforced offline, as described here (I would suggest that you trust my web page too if you trust in what I am saying):


Most people do not enforce secure offline storage of secret keys: they encrypt on unsafe online computers, and they do not secure the data carrier on which the secret key is stored. If you have read my previous posts, you know that both conditions need to be met in order to prevent the secret key from being stolen. You need to check the SHAs at least via Tor (if you do not have all the original packages available on Blu-ray media). Intelligence cannot spoof all downloads; there is always a certain percentage of downloads which get the original data, i.e. they only spoof the download if they know who is downloading.
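The hash check discussed above, shown as an added example that is not part of any post in this thread: a small POSIX sh script that builds a set of constructed sample "downloads" with a SHA256SUMS manifest, verifies them with GNU coreutils `sha256sum -c`, then alters one byte of one file and shows that verification now fails. The file names, contents and directory layout are constructed for the demonstration; nothing here is fetched from the network. The check proves only that a file matches its manifest entry; whether the manifest itself can be trusted is a separate question, and for Debian that is what the gpg-signed Release file checked by apt is for.

```shell
#!/bin/sh
# Added example, not from the thread: verify downloaded files against a
# SHA256SUMS manifest and show that a single altered byte is detected.
# All inputs are constructed on the fly; requires GNU coreutils sha256sum.

# Build a directory of constructed "downloads" plus a manifest, in the
# role of the publisher. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'package one, constructed sample content\n' > "$dir/pkg-one.deb"
    printf 'package two, constructed sample content\n' > "$dir/pkg-two.deb"
    # sha256sum writes "<hash>  <name>" lines, the same layout that
    # SHA256SUMS files use, so sha256sum -c can consume it directly.
    (cd "$dir" && sha256sum pkg-one.deb pkg-two.deb > SHA256SUMS)
    printf '%s\n' "$dir"
}

# Verify every entry of $1/SHA256SUMS against the files beside it.
# Returns 0 only if the manifest exists, is non-empty, and every listed
# file is present with a matching hash.
verify_dir() {
    manifest="$1/SHA256SUMS"
    [ -s "$manifest" ] || return 1
    (cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1)
}

# Simulate an altered download: append one byte to the file.
tamper() {
    printf 'X' >> "$1"
}

# End-to-end check: the intact set verifies, the altered set does not.
# Returns 0 when both expectations hold, 1 otherwise.
demo() {
    dir=$(make_fixture)
    verify_dir "$dir" || { rm -rf "$dir"; return 1; }
    tamper "$dir/pkg-two.deb"
    if verify_dir "$dir"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

demo && echo "intact manifest verified, tampered file rejected"
```

`verify_dir` treats a missing or empty manifest as a failure rather than a pass, so a download set that silently lacks its SHA256SUMS file cannot be waved through.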
