Preventing OTA Updates
From Android Wiki
OTA updates are all cryptographically signed to prevent you from spoofing the update and installing something on your phone that you shouldn't. Ironically, this signature checking makes it relatively easy for you to prevent OTA updates from being applied once you have gotten root access on your phone.
To prevent OTA updates, you can simply move the otakeys.zip file from the expected location to another location on your device.
mv /system/etc/security/otakeys.zip /system/etc/security/otakeys.zip.nothankyou
That one line will move the otakeys to a location the updater can't check for it - and once the OTA update is downloaded, it will be unable to apply.
Note, however, the OTA update will say "failed" and then immediately restart downloading it once the signature check fails - so this fix is less than ideal but will at least prevent you from waking up one day to a phone that doesn't love you as much as it did the day before.
It should also be noted that the "recovery mode" of the phone does NOT use the otakeys.zip to check for the signature - currently it uses a compiled-in list of signatures to check for - so moving the otakeys.zip has no effect at all on doing an SD Card update.