[Cryptography] Bruce Schneier has gotten seriously spooked

Eugen Leitl eugen at leitl.org
Fri Sep 6 17:00:20 EDT 2013


On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote:
> A response he wrote as part of a discussion at http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
> 
> Q: "Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions?"
> 
> A: (Schneier) Yes, I believe so.

This is why I've been verifying Tor downloads using
out-of-band fingerprints of the signing key.

Just because active attacks are more expensive than passive attacks
and are fundamentally detectable, don't assume they're not being
used in highly targeted cases.

If you have ever been under telco surveillance, that's enough
effort already spent to warrant slipping you some custom malware with
no added bill of materials.
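
The check described in this message, written out as an added example (not part of the original post and not the Tor Project's own tooling): a download is accepted only if gpg reports a good signature whose key fingerprint equals a full fingerprint obtained out of band. The function names are hypothetical, and the pin is assumed to be a 40-hex-digit (v4) OpenPGP fingerprint.

```sh
#!/bin/sh
# Added example: accept a download only if its detached signature was made
# by the key whose fingerprint was obtained out of band.

# Strip spaces/colons and uppercase, so "abcd 1234" and "ABCD1234" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --status-fd` output on stdin and print the signer's primary-key
# fingerprint (VALIDSIG field 12; older gpg omits it, then field 3 is used).
# GOODSIG is required as well, so EXPSIG/EXPKEYSIG/REVKEYSIG results are rejected.
good_signer_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" && !fpr { fpr = (NF >= 12 ? $12 : $3) }
         END { if (good && fpr) print fpr; else exit 1 }'
}

# status_matches_pin <pinned-fpr>   (gpg status text on stdin)
# Returns 0 on match, 1 on mismatch or no good signature, 2 on an unusable pin.
status_matches_pin() {
    pin=$(normalize_fpr "$1")
    # Require a full 40-hex-digit fingerprint; a short key ID is not a pin.
    case "$pin" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#pin}" -eq 40 ] || return 2
    signer=$(good_signer_fpr) || return 1
    [ "$(normalize_fpr "$signer")" = "$pin" ]
}

# verify_pinned <pinned-fpr> <signature-file> <downloaded-file>
# The signing key must already be in the local keyring; the pin, not the
# keyring or the download site, decides whether the signer is accepted.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_matches_pin "$1"
}
```

The pinned fingerprint has to arrive over a different channel than the download itself, otherwise whoever can replace the file can replace the fingerprint too.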

