Question for app developers, like Enigmail etc. - Identicons

Tue Jun 13 15:33:57 CEST 2017

On 13.06.17 14:16, Peter Lebbing wrote:
> On 13/06/17 09:43, Stefan Claas wrote:
>> Another thing i will do in the future, which i haven't read in popular
>> tutorials,
>> is that once checking the hash/sig of the provided package i will also hash
>> the binaries after unpacking and print them out on a piece of paper, so
>> that i
>> can frequently check the values.
> I use Open Source Tripwire for that. Its specification language is quite
> lacking in my opinion, but it's not so bad that I start looking around
> for a different solution. I've been using it for ages, and haven't
> noticed any significant development on it since I started using it. As
> far as I remember.
>
> Note that someone in a position to replace your binaries is also in a
> position to replace the sha256sum binary or whatever other binary you
> are using to generate the hashes, so your hashes can just lie to you. As
> can Tripwire.

During my lunch break i thought of that too. I think as a good start
i will next time (which popular tutorials also do not mention) install
the next version available on an USB stick, symlink to them and put
the USB stick in a safe place. Should an email arrive i will then insert
the USB stick to decrypt/verify the message.

Regarding hashes, maybe it's possible for the authors who are
providing packages that they not only include the hash or sig,
of the package but the hashes of the unpacked binaries too,
on their download page. Should one hash discrepancy show
up on my computer i could try another one and see if the hash
matches then.
>
> And so I come to my other comment, in reply to:
>
>>  So what i have learned from this whole
>> thread, also about my proposal for identicons, i should buy me
>> an offline computer, send Thunderbird/Enigmail to /dev/null
>> and transfer signed/encrypted messages from my online usage
>> computer with a USB stick to my offline computer and verify
>> decrypt the messages there. :-)
> Security is not an absolute. Quite the opposite: security is rather
> simple economics. How much are you willing to spend on your protection,
> and how much is an attacker willing to spend to compromise you? It's
> that simple. There are some unpleasant little factors such as that you
> need to do it right all the time, yet the attacker only needs to do it
> right once. But in the end, it all boils down to: who is willing to go
> that step further? As long as your secrets aren't very valuable, an
> attacker will not want to spend a lot on obtaining those secrets; they'd
> rather point their attention and money elsewhere.
>
> So Tripwire is something that raises the cost of the attack; it's
> defence in depth, not an absolute defence. And as the name suggests, if
> the attacker doesn't notice Tripwire, they might well set off an alarm.
> But if they notice it.... <snip>.
>
>
For me i see this way, for big Organizations i would not have a single
chance, but i assume that i am no target for them, because i am of no
interest to them.

On the other side, where money is involved etc. and people are good
in keeping their computers clean, and they rely on popular tutorials,
the "green bar problem" would still be there, imho.

Regards
Stefan