473800+ entries in 0.303s
cazalla: r u
trying
to shit post me back or wot m8
cazalla: what can i say other
than he's right.. 9/10 aussies i met on 4chan love nothing more
than shit posting
assbot: Logged on 18-05-2015 02:45:11; decimation: Note
that your headline was dinged for being inaccurate, while
this guy's blog is more inaccurate by his own admission
mircea_popescu: case exactly mirrored by freenode : about a year after
they lost at least one server
to what appeared like quite
the nsa, and promising a full investigation, nothing's been released.
mircea_popescu: "More
than
two years after unknown hackers gained unfettered access over multiple computers used
to maintain and distribute
the Linux operating system kernel, officials still haven't released a promised autopsy about what happened."
assbot: Logged on 28-02-2015 02:20:09;
trinque: flushing with fear on command is
to my knowledge not possible
cazalla: he answered it from memory but why necro
that?
assbot: Logged on 28-02-2015 01:55:22; cazalla: so i made a bitbet under
the influence and couldn't fund it until later, i assume 0 conf address listed for it in /propositions/ is
the address of which i need
to fund?
kakobrekla: dunno it was sorta almost working until you started
to fiddle with varnish
assbot: Logged on 18-05-2015 03:05:47; mircea_popescu: kakobrekla hey, is something
the matter with assbot ?
LC^: mircea_popescu:
thx for answering my questions so far. I have
to jump on a call, but if I decide
to go ahead with an article on
this and have additional questions I'll look for you around here.
mircea_popescu: who
the hell came up with
the idea of putting
these
together even ;/
mircea_popescu: this however...
this is something where raising awareness actually does something.
mircea_popescu: it's already underway. but,
the more
the merrier.
this is
the sort of
thing where one can make a difference.
LC^: so do you expect your findings
to inspire such a hunt?
mircea_popescu: not
terribly costly, considering what "VC" firms spend and what
they get for it.
mircea_popescu: adlai i would guess something between 50 and 100 BTC's worth of S.NSA engineer's
time, and maybe a few months-box worth of hardware.
LC^: have you attempted
to notify
the owners yet and have you had any responses from
them?
mircea_popescu: we might consider publishing
the "harmless" keys, but for one
thing i am not altogether convinced
they're so harmless, and for another, much more interesting would be a hunt for diddled php implementations.
mircea_popescu: in
that particular circumstance, where an outside but present chance existed
that
the box was compromised itself.
mircea_popescu: the case of hpa was exceptional because at
the
time
the lightning struck (and understand just how unlikely
the event we had on our hands
this morning was), a call had
to be made.
mircea_popescu: there's been a
total of
three pairs, so six
total keys
to date. i have little doubt
that as
the program progresses
through
the list, more will be found. generally,
the idea is
to discuss
this with
the owners and
them only.
adlai thinks a better question could be, "just quite how little human and computer labor did
this experiment
take?"
LC^: how many keys have you found so far? do you plan
to disclose
the owners of
the other keys
that are similar
to hpa's? it doesn't seem
to be a big risk
there for
the owners
mircea_popescu: there are other people matching exactly hpa's profile (high value foss
target) with keys apparently added in
the same manner. not
too many.
LC^: OK, what about
the other keys? Are
they similar
to hpa's key? in
the sense
that
they've been attached
to other keys, but lack
the proper signature?
mircea_popescu: because i did lots of
the former and
the latter never occured.
mircea_popescu: how often have you moved a file across
the
tubes ? how often did it have a magically changed byte ?
LC^: there are parts in some archive formats you can modify and
the archive will still work,
though year I understand your point,
the suggested
theory of damaged in
transit would suggest random damaging not controlled modification
mircea_popescu: understand, opsec is extremely weak all over. including among supposedly experienced hackers. so, a simple scenario : guy with owned userland gpg sends secret info
to hpa, it is magically encrypted
to wrong key, email sniffed en route, secret is now known, but only
to
the people knowing what
to look for. hpa responds with something like bad key, guy re-encrypts it and resends it.
mircea_popescu: especially amusingm,
the "key was damaged in
transit" one. people p2p HD movies all day, nobody's seen
this. gpg data moves around as archives -
try flipping a byte in an archive see if you can stil lget
the content. etc.
LC^: particularly people looking
to send him highly confidential info
that would need
to be encrypted
mircea_popescu: this, of course, is not
the only mechanism
that would allow such a key
to exist. nevertheless, alternative explanations border on
the risible.
mircea_popescu: clearly people looking at/for him would be
the
target, if anything.
mircea_popescu: in any case,
the idea
that hpa is
the
target of
that attack - if indeed it is an attack - are at best naive and at worst disinfo.
mircea_popescu: but it is a
theory - until someone produces such a diddled implementation it stays a
theory.
LC^: I see, so
the key would serve as an exploit of sorts or a
trigger
mircea_popescu: this sort of
thing (the so called "fail
to pass"
testing) is
the exact sort of stuff we've seen from
the nsa
to date, and so it would mesh with
that experience.
mircea_popescu: such as, encrypt
to it, or email
the NSA, or whatever else.
mircea_popescu: if however his pgp implementation is compromised in a specific way,
the wrong key on
the server may very well be
the magic packet, causing it
to behave in an unexpected - and not otherwise detectable - manner.
mircea_popescu: with a correctly working pgp implementation,
the user connects ot a sks server, discards
the wrong key and proceeds as expected.
mircea_popescu: suppose someone needs
to
talk
to hpa - either
to verify his signature or
to send him encrypted communications.
LC^: I'm just
trying
to understand what
the risk is here and why would someone create such keys, intentionally
mircea_popescu: one of
the more interesting constructions as
to
the possible intended uses is, a
tandem arrangement. it would work like so :
LC^: OK, what is
the whole story?
mircea_popescu: this is factually correct. it is also not
the whole story.
LC^: OK, but can
they actually be used? some argued
that
the weak key supposedly belonging
to hpa can't be used
to decrypt emails or other data encrypting by him because it was not signed by his real key
mircea_popescu: i am plainly saying
that while
the weak keys incontrovertibly exist, it's unclear why
they exist. someone put
the effort into making
them, which is not exactly
trivial.
LC^: are you suggesting
that some software was intentionally sabotaged
to produce weak keys?
mircea_popescu: that aside,
the question of how exactly weak keys came
to be, and what are
they doing
there and so on and so forth is not nearly as uninteresting as
the usg agency would like
to make it.
mircea_popescu: there are all sorts of classes of broken keys, which we're obviously still sorting
through.
LC^: I guess
that is
the main problem you're
trying
to highlight, correct?
that some generators might be broken and generate weak keys
LC^: or are
there indications
that
they've been generated by a broken generator
LC^: and whether
the other keys
that have been factored are similar
LC^: so wanted
to get your opinion on
the issues
that have been raised, mainly
that
the first key was not signed by
the owner so was likely added by someone else, with or without malicious intent.
BingoBoingo: LC^: You may also want
to hang around for when Stan wakes up
LC^: I want
to write an article about your Phuctor-related findings.
mircea_popescu: the right move would be
to get in
the wot, cultivate your presence here afterr which next
time you may have an angle.
mircea_popescu: hmm, anyone has a ready link
to
the discussion of
the reddit deleting
the blockchain
thing because
they had so much fucking consensus it ended up imploding under
their feet ?
mats: 'phunctor',
thins instead of
things, using 'Loper-OS' and 'Loper-os', shitloads of passive
tense sentences...
mircea_popescu: ‘Holy shit,
they broke RSA!’ or ‘This is false advertising,
they didn’t really do anything!’ imbeciles, << no but it's
THE CONTROVERSY
mats: as
though no editor was involved at all
mircea_popescu: again.
team meade scores another hit on
their imaginary, wildly irrelevant scoreboard.
mircea_popescu: asciilifeform not deliberate
trolalge, deliberate damage control. can't google misspelled
terms
mircea_popescu: team meade scores another hit on
their imaginary, wildly irrelevant scoreboard. for which
they get paid. with
tax dollars. by idiots.
mircea_popescu: right, because poisoning hpa was
the idea, not poisoning others.
mircea_popescu: asciilifeform notice
that idiots are doing
their pressing. "If I wanted
to poison HPA with a fake key, why would I create a degenerate one? A fake key with strong factors would have gone unnoticed, at least by
this analysis"