On Tue, Sep 20, 2016 at 05:57:59PM -0400, Steve Kinney wrote:
> > search the interwebz for references.
Here are some links of the more important screwups IMHO.
Suspect zero or more of (spec) backdoors, social engineering, gross

GnuPG's ElGamal signing keys compromised
Thu Nov 27 09:29:51 CET 2003

13 May 2008
It is strongly recommended that all cryptographic key material
which has been generated by OpenSSL versions starting with 0.9.8c-1
on Debian systems is recreated from scratch. Furthermore, all DSA
keys ever used on affected Debian systems for signing or
authentication purposes should be considered compromised;
the Digital Signature Algorithm relies on a secret random value used during

Thu, 22 Sep 2011
Importing trusted apt gpg keys uses "--list-sigs", which doesn't
check the signatures. Also trivial keyid collisions.
Trivial import of trusted apt gpg keys via easy collision of the
long keyid (probably spec backdoor). Circumvents the pseudo fix for

(not crypto), Debian, micq
February 18, 2003
Mr. Kuhlmann decided that enough was enough, and he was going to take
some action. As of mICQ 0.4.10.1, the code will, when built for the Debian
distribution, print out a message which says some unflattering things about
Mr. Loschwitz and encourages use of a different version; the program then
In other words, when built for Debian, mICQ thumbs its nose at the user and
refuses to run. To help ensure that this code got into the official Debian
it was written in an obfuscated manner, set to trigger only after February 11,
only if it was not being run by Mr. Loschwitz. For the curious, here is a
containing the code in question.
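The apt item above turns on the difference between an OpenPGP key ID and a full fingerprint: the key ID is nothing more than the trailing bytes of the SHA-1 fingerprint, so a trust check that compares key IDs accepts any key whose fingerprint happens to end the same way. The following is an added example, not code from the message or from any of the projects it mentions. It encodes a version-4 RSA public-key packet and derives the fingerprint and key IDs as RFC 4880 section 12.2 specifies (SHA-1 over 0x99, a two-byte length, and the packet body; the long key ID is the low 64 bits), then contrasts a trust lookup keyed on the key ID with one keyed on the whole fingerprint. The RSA modulus, exponent, creation time and the "impostor" fingerprint are constructed values, not real keys.

```python
"""Added example: OpenPGP v4 fingerprint vs. key ID, and why trust should
be anchored on the full fingerprint rather than a key ID."""
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    if n == 0:
        return b"\x00\x00"
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + body


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 public-key packet for RSA (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm id 1 (RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || two-byte body length || body."""
    h = hashlib.sha1()
    h.update(b"\x99" + struct.pack(">H", len(body)) + body)
    return h.digest()


def long_keyid(fp: bytes) -> str:
    """The 64-bit ('long') key ID is the last 8 bytes of the fingerprint."""
    return fp[-8:].hex().upper()


def short_keyid(fp: bytes) -> str:
    """The 32-bit ('short') key ID is the last 4 bytes of the fingerprint."""
    return fp[-4:].hex().upper()


# Constructed toy key material: not a real key, only here to exercise the encoding.
DEMO_N = 0xC0FFEE0DDBA11F00D1234567890ABCDEF
DEMO_E = 65537
DEMO_CREATED = 1316649600  # constructed creation timestamp

DEMO_FP = fingerprint(v4_rsa_public_key_body(DEMO_N, DEMO_E, DEMO_CREATED)).hex().upper()

# Constructed impostor: same trailing 64 bits (same long key ID), different prefix.
# Real collisions require search work; here we only model the trust-store behaviour.
IMPOSTOR_FP = ("0" * 24) + DEMO_FP[-16:]


def trusted_by_keyid(trusted_fps, candidate_fp: str) -> bool:
    """Weak check: accepts any key whose long key ID matches a trusted key."""
    return any(t[-16:] == candidate_fp[-16:] for t in trusted_fps)


def trusted_by_fingerprint(trusted_fps, candidate_fp: str) -> bool:
    """Strong check: the entire 160-bit fingerprint must match a trusted entry."""
    return candidate_fp in trusted_fps


if __name__ == "__main__":
    fp = bytes.fromhex(DEMO_FP)
    print("fingerprint :", DEMO_FP)
    print("long key id :", long_keyid(fp))
    print("short key id:", short_keyid(fp))
    trusted = {DEMO_FP}
    print("impostor accepted by key-id check    :", trusted_by_keyid(trusted, IMPOSTOR_FP))
    print("impostor accepted by fingerprint check:", trusted_by_fingerprint(trusted, IMPOSTOR_FP))
```

The practical reading for a package-manager or keyring importer: store and compare the full fingerprint, and verify certifications (gpg's `--check-sigs`) rather than merely listing them (`--list-sigs`), which performs no signature verification at all.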