[Cryptography] Kali Linux security is a joke!

[Jerry Leichter]

On Mar 18, 2015, at 8:39 AM, Henry Baker <hbaker1 at pipeline.com> wrote:
>> An issue with HTTP for apt is information leak.  People listening on the
>> wire will know what software you're installing on machines.
> 
> Another issue with HTTP is denial-of-service.  NSA/GCHQ routinely
> hijack HTTP for MITM,
HTTP is clear text, they can simply record it.  No need for MITM as the term is generally used.

> but even when they can't serve up properly
> signed package files, they can make pretty sure that their victims
> can't get the properly-signed files from the proper server, either.
And this is different from screwing up the HTTPS negotiation as a way to deny service ... how?

I would also be very surprised to learn that anyone has made it a practice to block updates via denial of service.  The Western intelligence agencies want to be invisible.  Blocking access to updates is anything but.  The, err, what's the opposite of "Western" - not really a geographical designation - in this context, other powers don't really care if you know you've been blocked.  They are already implementing tons of blocks anyway - if they don't want you going to that update site, adding its name and IP to their block list is trivial.

> Thus, since so many of the recent package updates & upgrades have
> to do with security issues (Heartbleed, etc.), NSA/GCHQ can deny
> their victims the opportunity to upgrade their security.
Do you have *any* evidence of NSA/GCHQ actually doing this?

                                                        -- Jerry