Verify archive GPG signatures

[Andy]

On 16/11/06, Scott <geekboy at angrykeyboarder.com> wrote:
> I've yet to have a problem.
and how would you know if your OS had been compromised?
Any checks you do from inside the OS are useless as they could have
been altered, or the OS itself could be tampering with the file before
execution.

Of course you could use an external ant-virus scanner, (I mean an
antivirus program on a liveCD), but if you burnt that CD from the
compromised OS you don't know it didn't recognize it and replace it
with something else.

I believe there was a security person who talked about using a VM as a
method of making the user think their machine was intact, the evil
code runs outside the VM, the user only sees the VM and to them they
can not see the outside world.

Of course external checks on traffic from the machine will alert you
to it communicating where it shouldn't.

Given that all these things are possible its amazing people will still
run a proprietary Operating System, how do you know what its doing to
your machine? Does Windows or MacOS run slower than Linux? If so how
do you know it isn't maintaining a Virtual Machine that you are
trapped inside? you can't be certain.

Of course you can't be certain with open source either, did you
compile Ubuntu from source? did you read all the source? did you
compile it on a system you knew to be secure? (you would have had to
have compiled from had using a compiler compiled by hand on a machine
compiled by hand, never ending circle (though you could write a C
compiler in machine code, a very basic one and then write a less basic
one in C and use the machine code one to compile the new one)

Not trying to make people paranoid or anything.

Sorry for going OT

- Andy

-- 
DRM: Digital Restrictions Management -- learn about the dangers at
http://www.defectivebydesign.org/what_is_drm