Reflections on Trusting Trust

[Alexander Leidinger]

Peter Jeremy <PeterJeremy at optushome.com.au> wrote:

> On Wed, 2005-Nov-30 19:42:50 +0100, Alexander Leidinger wrote:
>> But if you get the same *wrong* data (for the PGP keys it's
>> relatively easy to verify) from several locations (cvsup*.FreeBSD.org +
>> cvsweb.freebsd.org + www.freebsd.org, don't forget to check if they
>> point to a reasonable amount of different IP's;
>
> Keep in mind that for most people these addresses will all go through
> a single ISP.  You need to to check several locations via several
> different paths (eg home and work or maybe cross-check with a friend
> who uses a different ISP).

Yes.

>> the printed handbook
>> and the handbook on the release CDs), then you have other things to
>> worry about...
>
> I agree that if Agent Smith is out to get you then you have problems.
>
>> Assuming enough resources: ATM only by downloading all and diffing
>> them. If they all match, you are either busted already since the
>> attacker controls too much, or you can say the probability is high
>> enough that you got a copy of the original repository.
>
> This is non-trivial because the repository is not static and CVS
> doesn't store transaction logs that would allow you to reproduce the
> repository state at a point in time.

I didn't sayd it's easy. And you need a little bit of knowledge. But then you
"just" need to "diff -ru" and review the differences. This is not a
"true/false" test, so you need to do an amount of work and understand the
results.

I agree that this can be improved, but if you need this confidence *now*:
it's not that hard, just time consuming (depending on the amount of data you
want to verify, and at least for the pgp keys it's easy, since this part of
the repository doesn't change that often).

Bye,
Alexander.

-- 
http://www.Leidinger.net/     Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org/        netchild @ FreeBSD.org  : PGP ID = 72077137
Look out!  Behind you!