cryptogon.com news – analysis – conspiracies

September 7th, 2013

Hijacking the stream and substituting the content?

Trivial. I used to do this for fun on wi-fi networks last decade. Definitely trivial.

But what I don’t get is how the downloads would pass hash checks?

For example, you can check GPG’s SHA-1 values here.

What’s SHA-1, you ask?

In cryptography, SHA-1 is a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard. … In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use. NIST required many applications in federal agencies to move to SHA-2 after 2010 because of the weakness.

Oh.

Via: Bruce Schneier:

How Far • September 5, 2013 4:22 PM

Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions? Is there any way to detect such interference had the NSA enough control over communications channels to automatically replace binaries and published hash lists?

Bruce Schneier • September 5, 2013 4:35 PM

“Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions?”

Yes, I believe so.