Re: Have I caught a firmware attack in the act? Or am I just paranoid?
Read only switches are a security feature because you can read the
content without the fear that it may be altered.[...] The read-only
switch makes it as safe as a read only burnt dvd.
The physical read-only switch on SD cards isn't: it's enforced at
software level, not hardware level.
That is only half of the truth. If you have an SDcard - USB adapter the
adapter is responsible for doing the check and the adapter is hardware.
If you mean that the SDCard itself enforces the check then this is of
course not the case.
gpg signatures of packages are least trustworthy since the NSA has a
private key stealing programme. Never trust a signature as long as you
do not know about the key handling policy - and to be safe the key
handling policy needs to be offline enforced like described here (I
would suggest that you trust my web page too if you trust in what I am
Downloads can and often are impersonated if you do not use tor so
that you will be shipped the malwared-packages for comparence instead
of the original ones.
apt (by default) won't install packages with a bad signature: are you
claiming to have seen fake packages _with a valid signature_, or are
you referring to downloads of something other than Debian packages?
(I haven't read your links: as I don't have proof of who you are,
doing so would itself be a security risk.)
Most people do not enforce secure offline storage of secret keys -
they encrypt on unsafe online computers and they do not secure the data
carrier where the secret key is stored. If you have read my previous
posts you know that both conditions need to be met in order to avoid the
secret key to be stolen. You need to check the sha-s at least via tor
(if you do not have all the original packages available on blue ray
media). Intelligence can not spoof all downloads - there is always a
certain percentage of downloads which get the original data; i.e. they
only spoof the download if they know who is downloading.