mircea_popescu: case exactly mirrored by freenode : about a year after they lost at least one server to what appeared like quite the nsa, and promising a full investigation, nothing's been released.
mircea_popescu: "More than two years after unknown hackers gained unfettered access over multiple computers used to maintain and distribute the Linux operating system kernel, officials still haven't released a promised autopsy about what happened."
mircea_popescu: who the hell came up with the idea of putting these together even ;/
mircea_popescu: ehh, diddled php implementations << obviously i mean pgp not php.
mircea_popescu: this however... this is something where raising awareness actually does something.
mircea_popescu: clicking on cat pics, and derping about what zoe whoever said about imaginary feminist issues is a waste of one's youth.
mircea_popescu: it's already underway. but, the more the merrier. this is the sort of thing where one can make a difference.
mircea_popescu: not terribly costly, considering what "VC" firms spend and what they get for it.
mircea_popescu: adlai i would guess something between 50 and 100 BTC's worth of S.NSA engineer's time, and maybe a few months-box worth of hardware.
mircea_popescu: we might consider publishing the "harmless" keys, but for one thing i am not altogether convinced they're so harmless, and for another, much more interesting would be a hunt for diddled php implementations.
mircea_popescu: in that particular circumstance, where an outside but present chance existed that the box was compromised itself.
mircea_popescu: the case of hpa was exceptional because at the time the lightning struck (and understand just how unlikely the event we had on our hands this morning was), a call had to be made.
mircea_popescu: there's been a total of three pairs, so six total keys to date. i have little doubt that as the program progresses through the list, more will be found. generally, the idea is to discuss this with the owners and them only.
mircea_popescu: there are other people matching exactly hpa's profile (high value foss target) with keys apparently added in the same manner. not too many.
mircea_popescu: because i did lots of the former and the latter never occurred.
mircea_popescu: how often have you moved a file across the tubes ? how often did it have a magically changed byte ?
mircea_popescu: understand, opsec is extremely weak all over. including among supposedly experienced hackers. so, a simple scenario : guy with owned userland gpg sends secret info to hpa, it is magically encrypted to wrong key, email sniffed en route, secret is now known, but only to the people knowing what to look for. hpa responds with something like bad key, guy re-encrypts it and resends it.
mircea_popescu: especially amusing, the "key was damaged in transit" one. people p2p HD movies all day, nobody's seen this. gpg data moves around as archives - try flipping a byte in an archive see if you can still get the content. etc.
mircea_popescu: this, of course, is not the only mechanism that would allow such a key to exist. nevertheless, alternative explanations border on the risible.
mircea_popescu: clearly people looking at/for him would be the target, if anything.
mircea_popescu: in any case, the idea that hpa is the target of that attack - if indeed it is an attack - is at best naive and at worst disinfo.
mircea_popescu: but it is a theory - until someone produces such a diddled implementation it stays a theory.
mircea_popescu: this sort of thing (the so called "fail to pass" testing) is the exact sort of stuff we've seen from the nsa to date, and so it would mesh with that experience.
mircea_popescu: such as, encrypt to it, or email the NSA, or whatever else.
mircea_popescu: if however his pgp implementation is compromised in a specific way, the wrong key on the server may very well be the magic packet, causing it to behave in an unexpected - and not otherwise detectable - manner.
mircea_popescu: with a correctly working pgp implementation, the user connects to a sks server, discards the wrong key and proceeds as expected.
mircea_popescu: suppose someone needs to talk to hpa - either to verify his signature or to send him encrypted communications.
mircea_popescu: one of the more interesting constructions as to the possible intended uses is, a tandem arrangement. it would work like so :
mircea_popescu: this is factually correct. it is also not the whole story.
mircea_popescu: i am plainly saying that while the weak keys incontrovertibly exist, it's unclear why they exist. someone put the effort into making them, which is not exactly trivial.
mircea_popescu: that aside, the question of how exactly weak keys came to be, and what they are doing there and so on and so forth is not nearly as uninteresting as the usg agency would like to make it.
mircea_popescu: there are all sorts of classes of broken keys, which we're obviously still sorting through.
mircea_popescu: the right move would be to get in the wot, cultivate your presence here after which next time you may have an angle.
mircea_popescu: this constitutes harassment in zoe quinn degree. i now must have my own oprah show.
mircea_popescu: halp halp i've been lyfthreatenet across hte internets
mircea_popescu: hmm, does anyone have a ready link to the discussion of the reddit deleting the blockchain thing because they had so much fucking consensus it ended up imploding under their feet ?
mircea_popescu: Holy shit, they broke RSA! or This is false advertising, they didn't really do anything! imbeciles, << no but it's THE CONTROVERSY
mircea_popescu: again. team meade scores another hit on their imaginary, wildly irrelevant scoreboard.
mircea_popescu: asciilifeform not deliberate trollage, deliberate damage control. can't google misspelled terms
mircea_popescu: team meade scores another hit on their imaginary, wildly irrelevant scoreboard. for which they get paid. with tax dollars. by idiots.
mircea_popescu: right, because poisoning hpa was the idea, not poisoning others.
mircea_popescu: asciilifeform notice that idiots are doing their pressing. "If I wanted to poison HPA with a fake key, why would I create a degenerate one? A fake key with strong factors would have gone unnoticed, at least by this analysis"
mircea_popescu: but she's REALLY bad. i mean sweet singer of michigan level bad.
mircea_popescu: something to do with bare adolescentine breasts, one would hope, for the sake of everyone's sanity ?