
Re: Tor exit nodes



On Mon, Oct 09, 2017 at 04:11:21PM +0300, Lars Wirzenius wrote:
> * I think having security and crypto training at every Debconf would
>   be a good idea: how to use gpg, how to configure gpg well, how to
>   secure one's laptop, etc.

Hell yeah.

> * The Yubikey 4 seems to be the best hardware option. It's not free
>   hardware, however. I'm OK with that for my own use, and I'd be OK
>   for that for Debian's use. But before Debian spends money on that,
>   we should have consensus that it's OK. I'm also OK for Debian to
>   choose an option with free-er hardware, but have no personal
>   experience with those.

Let's discuss the threat model.  If I were a three-letter agency, I'd
order Yubico (there are so many ways to force a company to do something) to
introduce a backdoor: when a secret handshake (cryptographically signed :p)
is entered, the keycard spills its storage.  This can be programmed into the
kit low-paid goons on the border have, and instruct them to apply to all
storage devices they search on a person.  Such an instruction is already a
part of their orders, thus no knowledge or skills on the side of the goons
are required.  Your secret key will then stay on file, without you being
aware of this.

I for one concluded there are enough ways for a government to screw me, thus I
bought a Yubikey 4 (most convenient, durable and fast).  But if I suddenly
receive the Bogatov treatment, my secret key will not be trustworthy.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ We domesticated dogs 36000 years ago; together we chased
⣾⠁⢰⠒⠀⣿⡁ animals, hung out and licked or scratched our private parts.
⢿⡄⠘⠷⠚⠋⠀ Cats domesticated us 9500 years ago, and immediately we got
⠈⠳⣄⠀⠀⠀⠀ agriculture, towns then cities.     -- whitroth on /.