(Old) A detection system for government spyware

in #hash, 6 years ago (edited)


It is a system for alerting users about national government spyware. The system tries to defeat cooperation between software publishers and some governments, e.g. Ubuntu cooperating with China to spy on Chinese citizens.

Problem in the East
There is a lack of independent security audit firms in these countries. Using a VPN has some flaws:
a. using a VPN like Tor makes you a more attractive target
b. by buying VPN companies, governments (and therefore the participating software publisher) can still learn your real country

Problem in the West
With the cooperation of telecom companies and the software publisher, they can tell whether a download comes from an IT company or from an ordinary user who cannot detect an unknown spyware. Using a VPN has two problems:
a. it makes you a more attractive target, especially if you use Tor
b. by buying VPN companies, governments (and therefore the participating software publisher) can still identify you

Technique
An OS with a package manager that, every time the user connects through a new VPN or proxy, downloads the repository index again. The key is that every package in the older cached index must also exist in the new index: if a checksum (and release date) from the older index does not exist in the index downloaded through the new VPN, the package manager alarms the user.
Note: this index is incremental, but clients don't have to download it from the beginning of the database.

What about the OS itself? Users can do the same check manually for the OS installation image file.
Also consider the scenario where someone purchased a device in a safer country: this package manager will detect illegal deals when he travels to his home country and comes back.
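The check described above, as an added example that is not the post author's code: a hypothetical package manager keeps the last accepted index as a cache, and every index downloaded through a new vantage point (VPN, proxy, or the home ISP) must contain every cached entry with the same checksum and release date. New packages are allowed, because the index is incremental; a vanished or altered entry raises an alarm, and a snapshot that raised an alarm is never absorbed into the cache. The package names, dates and checksums below are constructed sample data, not real repository contents.

```python
"""Repository-index consistency check across VPN/proxy vantage points.
Hypothetical implementation of the technique in the post; the index
format, package names and checksums are constructed for the example."""
import hashlib
from typing import Dict, List, Tuple

# One index entry per package version: (sha256 of the package file, release date).
IndexEntry = Tuple[str, str]
Index = Dict[str, IndexEntry]


def fake_sha256(label: str) -> str:
    """Constructed checksum for the sample data (stands in for a real package hash)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample snapshots, each tagged with the vantage point it was
# downloaded through, in download order. Not real repository data.
SNAPSHOTS: List[Tuple[str, Index]] = [
    ("vpn-country-A", {
        "openssl-3.0.1": (fake_sha256("openssl-3.0.1 genuine"), "2022-01-10"),
        "curl-7.80.0":   (fake_sha256("curl-7.80.0 genuine"),   "2021-11-10"),
    }),
    # Home ISP: the index grew by one package (normal), but openssl's checksum differs.
    ("home-isp", {
        "openssl-3.0.1": (fake_sha256("openssl-3.0.1 tampered"), "2022-01-10"),
        "curl-7.80.0":   (fake_sha256("curl-7.80.0 genuine"),   "2021-11-10"),
        "zlib-1.2.11":   (fake_sha256("zlib-1.2.11 genuine"),   "2017-01-15"),
    }),
    # A second VPN agrees with the first; the zlib entry is new, so it is accepted.
    ("vpn-country-B", {
        "openssl-3.0.1": (fake_sha256("openssl-3.0.1 genuine"), "2022-01-10"),
        "curl-7.80.0":   (fake_sha256("curl-7.80.0 genuine"),   "2021-11-10"),
        "zlib-1.2.11":   (fake_sha256("zlib-1.2.11 genuine"),   "2017-01-15"),
    }),
]


def compare_index(cached: Index, fresh: Index) -> List[Tuple[str, str]]:
    """Every entry of the cached index must appear unchanged in the fresh one.

    Returns (reason, package) alarms: 'missing' when a known package version
    vanished, 'checksum_mismatch' or 'date_mismatch' when it changed. Packages
    that only exist in the fresh index raise nothing (the index is incremental).
    """
    alarms: List[Tuple[str, str]] = []
    for pkg, (old_sum, old_date) in cached.items():
        if pkg not in fresh:
            alarms.append(("missing", pkg))
            continue
        new_sum, new_date = fresh[pkg]
        if new_sum != old_sum:
            alarms.append(("checksum_mismatch", pkg))
        elif new_date != old_date:
            alarms.append(("date_mismatch", pkg))
    return alarms


def check_snapshots(snapshots: List[Tuple[str, Index]]) -> Dict[str, List[Tuple[str, str]]]:
    """Run the check over snapshots in download order; returns vantage -> alarms.

    The cache starts empty and only absorbs a snapshot that raised no alarm, so
    a poisoned index never becomes the baseline for later comparisons.
    """
    cache: Index = {}
    report: Dict[str, List[Tuple[str, str]]] = {}
    for vantage, fresh in snapshots:
        alarms = compare_index(cache, fresh)
        report[vantage] = alarms
        if not alarms:
            cache.update(fresh)
    return report


if __name__ == "__main__":
    for vantage, alarms in check_snapshots(SNAPSHOTS).items():
        status = "OK" if not alarms else "ALARM " + ", ".join(f"{r}:{p}" for r, p in alarms)
        print(f"{vantage}: {status}")
```

Running the block reports the home-ISP snapshot as an alarm on openssl-3.0.1 while both VPN snapshots pass. Note the limit the post itself implies: the first accepted snapshot is trusted blindly, so the scheme only detects tampering once two vantage points disagree, which is why the post wants checks repeated through different VPNs over time.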

OS updates will not be allowed to modify the package manager. Only an OS re-install can change it.

P2P systems will not help here, because bootstrapping in these systems is centralized.

Advantages of this technique:
1- Easily check downloads through various VPNs over time (without needing to pay for all of them simultaneously).

2- If you consider a paid VPN the safer tunnel, you will not need to have one all the time; only periodically buy a short-term subscription to check the honesty of the package index.

3- If some governments want to do something, it becomes very hard (they would have to buy even VPN companies with few users) and also very risky for the repository owner.


Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://steemit.com/privacy/@mahdi2/a-technique-for-making-authors-and-some-governments-deals-a-risky-business
