So I did a bit of googling/youtubing and know how I can check the md5 hash and sha1 hash of a file. Only problem is, I don't see any hash in the readme file or anywhere else. Where is the hash found?
And what file should I be hashing? The bitaddress.org.html file? The zip file?
The URL is redirected when loading off bitaddress.org to include a release and SHA1:
https://www.bitaddress.org/bitaddress.org-v2.6.2-SHA1-4d98755d7e78caa4361228a2b11b0faa0f65e6de.html
"release notes" is signed by "ninja" using PGP, and contains a SHA-1 hash of each "release":
https://www.bitaddress.org/pgpsignedmsg.txt
However, the private key for ninja is also only found on the web page; I don't see an MIT link, etc.:
https://www.bitaddress.org/ninja_bitaddress.org.txt
This means that all content on the website could be diligently replaced by a hacker with no means of detection.
When you download from github to your drive and then load the file in your browser:
https://raw.github.com/pointbiz/bitaddress.org/master/bitaddress.org.html
and then verify the signature and hash provided on bitaddress.org, at least then both sites have to agree on the same SHA1 hash. You can also see when the bitaddress.org.html was last modified, and review the commits to see what changed, such as the last one five days ago:
https://github.com/pointbiz/bitaddress.org/commit/ef1d9614f1c9f11598a603e965f0cbaa7d2f3314
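The check the answer above describes, as an added example (not code from the answerer or from the bitaddress.org project): a small POSIX shell script that pulls the SHA-1 out of a release filename of the form `bitaddress.org-v2.6.2-SHA1-<hash>.html`, hashes the locally saved file, and compares the two. A second, optional argument lets you pass the hash from the PGP-signed release notes explicitly, which is what you need for the GitHub copy, whose filename carries no hash. The function and variable names are my own; the script assumes the file has already been downloaded and does no network access. The `gpg --verify` helper at the end only means something once ninja's public key has been obtained from somewhere other than the site being checked.

```shell
#!/bin/sh
# Added example: verify a saved bitaddress.org release against the SHA-1
# embedded in its filename, or against a hash supplied on the command line.
# No network access; the file must already be on disk.

# Print the SHA-1 of a file, using whichever tool the system has.
sha1_of_file() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# Extract the 40-hex-digit SHA-1 that bitaddress.org puts in the release
# filename (…-SHA1-<hash>.html). Prints nothing if the name carries no hash.
expected_sha1_from_name() {
  basename "$1" | sed -n 's/.*-SHA1-\([0-9a-fA-F]\{40\}\)\.html$/\1/p' | tr 'A-F' 'a-f'
}

# verify_release_file FILE [EXPECTED_SHA1]
# Returns 0 when the file's SHA-1 matches the expected value, 1 otherwise.
# EXPECTED_SHA1 defaults to the hash taken from FILE's own name.
verify_release_file() {
  vrf_file="$1"
  vrf_expected=$(printf '%s' "${2:-$(expected_sha1_from_name "$vrf_file")}" | tr 'A-F' 'a-f')
  if [ -z "$vrf_expected" ]; then
    echo "no SHA-1 in filename and none given: $vrf_file" >&2
    return 1
  fi
  if [ ! -f "$vrf_file" ]; then
    echo "no such file: $vrf_file" >&2
    return 1
  fi
  vrf_actual=$(sha1_of_file "$vrf_file")
  if [ "$vrf_actual" = "$vrf_expected" ]; then
    echo "OK: $vrf_file matches SHA-1 $vrf_expected"
    return 0
  fi
  echo "MISMATCH: $vrf_file expected $vrf_expected, got $vrf_actual" >&2
  return 1
}

# Check the PGP-signed release notes (pgpsignedmsg.txt). Only meaningful after
# ninja's public key has been imported from a source independent of the site.
verify_signed_notes() {
  gpg --verify "$1"
}

# Usage (hash taken from the filename):
#   verify_release_file bitaddress.org-v2.6.2-SHA1-4d98755d7e78caa4361228a2b11b0faa0f65e6de.html
# Usage (GitHub copy, hash copied from the signed release notes):
#   verify_release_file bitaddress.org.html 4d98755d7e78caa4361228a2b11b0faa0f65e6de
```

Note that this confirms the bytes you have match the hash someone published; it does not, by itself, tell you the published hash is honest. That is why the answer suggests cross-checking the hash on bitaddress.org against the GitHub history, and why the signing key should come from a source independent of the page you are checking.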