-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/21/2016 03:56 AM, Georgi Guninski wrote:
> On Tue, Sep 20, 2016 at 05:57:59PM -0400, Steve Kinney wrote:
>>> search the interwebz for references.
>>
>> TL;DR
>>
>
> Here are some links of the more important screwups IMHO.

Below: The kind of content people bitch about CPunks not having near
enough of. Really annoying stuff, in the sense that now I have to look
at the whole thing of this happy horse shit. Gee thanks. ;o)

>
> Suspect zero or more of (spec) backdoors, social engineering,
> gross incompetence:
>
> https://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html
>
> gpg
> GnuPG's ElGamal signing keys compromised Thu Nov 27 09:29:51 CET
> 2003
>
>
> https://www.debian.org/security/2008/dsa-1571 13 May 2008 Debian It
> is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on
> Debian systems is recreated from scratch. Furthermore, all DSA keys
> ever used on affected Debian systems for signing or authentication
> purposes should be considered compromised; the Digital Signature
> Algorithm relies on a secret random value used during signature
> generation.
>
> [1] http://seclists.org/fulldisclosure/2011/Sep/221 Thu, 22 Sep
> 2011 Ubuntu Importing trusted apt gpg keys uses "--list-sigs",
> which doesn't check the signatures. Also trivial keyid collisions.
>
>
> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
> 2012-06-14 Ubuntu Trivial import of trusted apt gpg keys via easy
> collision of the long keyid (probably spec backdoor). Circumvents
> the pseudo fix for [1].
>
> https://lwn.net/Articles/22991/ (not crypto), Debian, micq February
> 18, 2003 Mr. Kuhlmann decided that enough was enough, and he was
> going to take some action. As of mICQ 0.4.10.1, the code will, when
> built for the Debian distribution, print out a message which says
> some unflattering things about Mr. Loschwitz and encourages use of
> a different version; the program then exits. In other words, when
> built for Debian, mICQ thumbs its nose at the user and refuses to
> run. To help ensure that this code got into the official Debian
> version, it was written in an obfuscated manner, set to trigger
> only after February 11, and only if it was not being run by Mr.
> Loschwitz. For the curious, here is a posting containing the code
> in question.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJX4kllAAoJEECU6c5XzmuqIuwH/0MCyoCkcjXa50TDb1jbQ/lV
3muyhnnFjhEWwyzNg89ECrv/KQ2tcXljebc1c0nH3LA8lQZsl6kuJ//ki7mSsvDx
yCp44/gbPh5cSOgI0+LH+4HWpKtzPn9httiaOhCnQGE3qpqSX/fKoSu6XOKoyL2a
ZBNypCEdITugcUsIgW1k2GdVzZ7pV8BpV/bEAZHeAhWJC/6JYnjN2nPyvYidVkbB
FmQuz1DC4il4+OLqI0xfgGuFS3FM/MGnfrG8oEvgq7zREWwXWW9/riOBoNEHgEew
s5DL0uVt7i2Zdoj0GD1Bipu9XEvPKfcMQ5vsaa9ZUSSWUouWt5itKWyW+LgE280=
=LU1x
-----END PGP SIGNATURE-----
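The DSA-1571 item quoted above says DSA keys merely used on an affected Debian box are compromised because the algorithm depends on a secret random value per signature. The following is an added example (not part of the thread, and not Debian's, OpenSSL's or GnuPG's code) that works that claim through: it generates toy-sized DSA parameters (q near 2^60, an assumption made so the script runs in well under a second; the algebra is identical at real sizes), signs with textbook DSA, and then recovers the private key two ways: from two signatures that share a nonce, and from a single signature when the nonce comes from a hypothetical `nonce_from_pid` stand-in for an RNG whose only entropy is the process ID.

```python
"""DSA leaks its private key when the per-signature nonce k is reused or
drawn from a tiny space.  Added example; toy parameters are generated at
import time (q ~ 2^60) so it runs instantly."""
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for every
    n below ~3.1e23, which covers everything generated here (p < 2^80)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_dsa_params(qbits: int = 60):
    """Deterministic toy (p, q, g): q prime, p = c*q + 1 prime, g of order q."""
    q = (1 << qbits) + 1
    while not is_prime(q):
        q += 2
    c = 2
    while not is_prime(c * q + 1):
        c += 2
    p = c * q + 1
    for h in range(2, 64):
        g = pow(h, c, p)          # h^((p-1)/q) has order q unless it is 1
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


P, Q, G = toy_dsa_params()


def hash_to_zq(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def nonce_from_pid(pid: int) -> int:
    """Hypothetical stand-in for an RNG seeded only by the process ID (assumed
    here; the real Debian bug is described in DSA-1571): the whole nonce
    space is the 32768 possible PIDs."""
    return int.from_bytes(hashlib.sha256(b"pid=%d" % pid).digest(), "big") % (Q - 1) + 1


def sign(x: int, k: int, msg: bytes):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hash_to_zq(msg) + x * r) % Q
    if not (r and s):
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, hash_to_zq(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r


def recover_from_shared_nonce(m1: bytes, sig1, m2: bytes, sig2) -> int:
    """Same k gives same r.  s1 - s2 = k^-1 (h1 - h2) mod q, so k is the
    quotient; then x = (s1 k - h1) / r mod q."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("r differs: the nonces were not shared")
    h1, h2 = hash_to_zq(m1), hash_to_zq(m2)
    k = (h1 - h2) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h1) * pow(r, -1, Q) % Q


def recover_from_pid_nonce(y: int, msg: bytes, sig, max_pid: int = 32768) -> int:
    """One signature suffices when k has ~15 bits of entropy: try every k,
    derive the x it implies, keep the one whose public key equals y."""
    r, s = sig
    r_inv, h = pow(r, -1, Q), hash_to_zq(msg)
    for pid in range(1, max_pid + 1):
        x = (s * nonce_from_pid(pid) - h) * r_inv % Q
        if pow(G, x, P) == y:
            return x
    raise ValueError("key not found: nonce was not PID-derived")
```

The second recovery is why the advisory condemns every DSA key that ever signed on an affected system, not only keys generated there: a strong key signing with a weak nonce is recovered from one signature, without any collision being needed.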
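The two apt key-import items quoted above ([1] and bug 1013128) turn on the same fact: an OpenPGP key ID is a suffix of the fingerprint, and the fingerprint hashes a creation timestamp the key's owner picks freely. The following added example (not apt's or GnuPG's code; the RSA modulus is a constructed toy value, since only the packet framing matters) builds a v4 public-key packet per RFC 4880, computes its fingerprint and IDs, grinds the timestamp until the ID's tail matches a target, and contrasts a trust check keyed on the ID with one keyed on the full fingerprint. The `nbytes` parameter is an assumption added so the search can be scaled down to a 2-byte suffix for a quick run.

```python
"""An OpenPGP key ID is not a key identity: it is the low bytes of the
SHA-1 fingerprint of a packet whose creation time the owner chooses.
Added example; the modulus below is a constructed toy value."""
import hashlib
import struct


def mpi(n: int) -> bytes:
    """RFC 4880 3.2 multi-precision integer: 2-byte bit count, big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 public-key packet (5.5.2): version, creation
    time, algorithm id (1 = RSA), then the key MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fpr: bytes, nbytes: int = 8) -> bytes:
    """Key IDs are a suffix of the fingerprint: 8 bytes for the "long" ID,
    4 for the short one.  nbytes is only parameterised so the demo can
    scale the search down (assumption, not an OpenPGP option)."""
    return fpr[-nbytes:]


def forge_key_id_suffix(n: int, e: int, suffix: bytes, limit: int = 1 << 24):
    """Grind the creation timestamp until the fingerprint ends in `suffix`.
    The key material never changes, so the ground key signs and verifies
    exactly like the original; only its ID moves.  Expected cost is
    2^(8*len(suffix)) hashes, which is what makes IDs collidable and the
    160-bit fingerprint not."""
    for created in range(limit):
        fpr = v4_fingerprint(rsa_public_key_body(n, e, created))
        if fpr.endswith(suffix):
            return created, fpr
    return None


def trusted_by_key_id(fpr: bytes, trusted_fprs, nbytes: int = 8) -> bool:
    """What a check keyed on the (long or short) ID effectively does."""
    return any(key_id(fpr, nbytes) == key_id(t, nbytes) for t in trusted_fprs)


def trusted_by_fingerprint(fpr: bytes, trusted_fprs) -> bool:
    """The check that actually binds trust to a key."""
    return fpr in trusted_fprs
```

Whatever imports a trusted key should compare the full fingerprint against a pinned value (and, per [1], actually verify the signatures it is relying on rather than merely list them); an ID match proves only that someone spent the corresponding hash budget.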