Troy Benjegerdes [ARCHIVE] on Nostr
📅 Original date posted: 2014-01-03
📝 Original message:
On Fri, Jan 03, 2014 at 09:59:15AM +0000, Drak wrote:
> On 3 January 2014 05:45, Troy Benjegerdes <hozer at hozed.org> wrote:
>
> > On Tue, Dec 31, 2013 at 05:48:06AM -0800, Gregory Maxwell wrote:
> > > On Tue, Dec 31, 2013 at 5:39 AM, Drak <drak at zikula.org> wrote:
> > > > The NSA has the ability, right now to change every download of bitcoin-qt,
> > > > on the fly and the only cure is encryption.
> >
> > No, the only cure is to check the hashes. We should know something
> > about hashes here. TLS is a big pile of 'too big to audit'. Spend
> > a couple of satoshis and put the hash of the source tar.gz and the
> > binaries in the blockchain. Problem solved.
>
>
> Which is why, as pointed out several times at 30c3 by several renowned
> figures, cryptography has remained squarely outside of mainstream use.
> It needs to just work and until you can trust the connection and what the
> end point sends you, automatically, it's a big fail and the attack vectors
> are many.
>
> <sarcasm>I can just see my mother or grandma manually checking the hash of
> a download... </sarcasm>

'make' should check the hash. The binary should check its own hash. The
operating system should check the hash.

How about if I sell your Grandma an android tablet loaded only with free
software, and use the existing infrastructure android provides to only
allow software to be installed that can be integrity-verified from a
public key that can be downloaded from the blockchain?

Would you pay $50 (or 2 litecoin) more for a tablet with free software
that protects you and your grandma's interests, rather than selling them
to google/apple/microsoft?

I'm working on eventually being able to build hardware for which the
entire design specifications, from case to cpu core verilog, all the way
up to the pre-installed cryptographic currency wallet(s) are all signed
and released as part of the Debian archive.

But I need people like you to explain to your Grandma why this hardware
costs more than hardware that monetizes eyeballs and sells your private
information to the highest bidder.