Trusting updates of PureOS?


#1

What I really mean; What does an evil doer need to alter on my computer to get me to believe that an update is genuine?

In some cases it is to get me to change some part of of browser certificate management system. Or - can someone just emulate the genuine certificate for a website, and insert some bit of software into the stream of things coming to my computer?

I have heard that the certificates themselves are encrypted such that not even the NSA could break them, secure. Hmmm.

Yes I know that one can check the SHA-MD5 of the original download of an ISO. Hmm, that means I trust what the webpage that has the SHA-MD5 is not compromised either. Hmm. Back to original, I must trust the https system to work. So how can I accidentally be persuaded to alter my browser certificates to let a rat get into my house? Perhaps just download a bit of software?


#2

As long as you are using the default green distros (should be 2)
We would all be in the same boat.
Assuming their developers are going through security audits, a splash of signature checks, perhaps some scans on the cache, constantly checking for vulnerabilities and whatnot we should be looking decent in regards to security compared to say even windows that is being super hardened and maintained.

Functionality may be a smidgen different. I am assuming that because of the Luks issue I am experiencing (and what appears to be others), this may not be the case. I am sure these are simple things that they will update us on and are working on solutions . Appears to be a relatively small team to handle tons of requests so patience and whatnot are always the right thing to do.

The odds of an attacker not only installing a special certificate into your browser then, being psychic that you would check the md5 hash on a particular website to change the code on the page after pointing you to it instead of you simply using a hash utility is rather unlikely. usually you get STDs from clicking on links from forums, emails, installing software, evil maids, compromised routers(default login/password), basic social engineering scams, using the OS your computer came with, falling victim to clicking the add which have super attractive folks in your area that know you are the one so they want to webcam you or having child porn on your device. You know the basics :slight_smile: As far as telemetry/adds and backdoors I think we all fall victim to, so the best you can do is not make it easier by encrypting your drives, burner images, tons of fake accounts, a pay as you go phone bought by someone else that maybe has snake on it and finding a generator that adds tons of fake web traffic to the devices that you obviously use and tag you for various algorithms.


#3

if you have legitimate concerns about this just follow Ed Snowdens example. He is a professional in this field and he still does NOT trust his device. he runs qubesOS on it and all the other known tricks.

what quarantees does your device offer that it can protect the verification mechanism you are using. in other words how do you KNOW that the certificator is uncorruptable ? and that is only talking about your own device … what about the other (oh few billion) out there ?

Purisms physical infrastructure sits on Amazon-Web-Services (AWS) if i’m not mistaken …


#4

I guess I set myself up when I mentioned NSA. I should know that Librem and Pure do not promise to be able to defeat the NSA. IMO; They desire to stop Surveillance Capitalism from victimizing our lives.

Mostly I think of the circumstance of my using a public WiFi. Where some party might intercept my internet connection, and offer all kinds of ways to corrupt my efforts to protect my bank account, personal information, personal connections.

End to End encryption: No one I know does it.
Anything I do can be corrupted if the connection can supply their own version of an update to a program that I run, and meets the basic encryption standard to be installed.

I was looking for a warning from things like; when the WiFi provider says, “in order to run on our WiFi, you need to install our Certificate.” or what weakness there might be in the encryption of updates. Like something about Ubuntu updates use a key for each update, or some such thing. I am sure Pure OS is as good as anyone else.

Librem One is a big step in the right direction in that I can get a first hop out from the WiFi connection that I hope the wifi provider must make a bit of effort to re-route.


#5

plenty of individuals/entities do it but what PROOF do they offer that their hardware instrastructure can NOT be infiltrated/compromised deliberately or by force ? they make claims about free-software/open-source but so far NONE have dared make PUBLIC claims about their hardware infrastructure. maybe it’s a law requirement that hardware infrastructure remain vulnerable :smiley: