On 09/21/2016 03:56 AM, Georgi Guninski wrote:
> On Tue, Sep 20, 2016 at 05:57:59PM -0400, Steve Kinney wrote:
>>> search the interwebz for references.
>> TL;DR
> Here are some links of the more important screwups IMHO.

Below:  The kind of content people bitch about CPunks not having near
enough of.  Really annoying stuff, in the sense that now I have to
look at the whole thing of this happy horse shit.

Gee thanks.


> Suspect zero or more of (spec) backdoors, social engineering,
> gross incompetence:
>
> https://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html
> GnuPG's ElGamal signing keys compromised
> Thu Nov 27 09:29:51 CET 2003
>
> https://www.debian.org/security/2008/dsa-1571
> 13 May 2008 Debian
> It is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on
> Debian systems is recreated from scratch. Furthermore, all DSA keys
> ever used on affected Debian systems for signing or authentication
> purposes should be considered compromised; the Digital Signature
> Algorithm relies on a secret random value used during signature
> generation.
>
> [1] http://seclists.org/fulldisclosure/2011/Sep/221
> Thu, 22 Sep 2011 Ubuntu
> Importing trusted apt gpg keys uses "--list-sigs",
> which doesn't check the signatures. Also trivial keyid collisions.
>
> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
> 2012-06-14 Ubuntu
> Trivial import of trusted apt gpg keys via easy
> collision of the long keyid (probably spec backdoor). Circumvents
> the pseudo fix for [1].
>
> https://lwn.net/Articles/22991/
> (not crypto), Debian, micq
> February 18, 2003
> Mr. Kuhlmann decided that enough was enough, and he was
> going to take some action. As of mICQ, the code will, when
> built for the Debian distribution, print out a message which says
> some unflattering things about Mr. Loschwitz and encourages use of
> a different version; the program then exits. In other words, when
> built for Debian, mICQ thumbs its nose at the user and refuses to
> run. To help ensure that this code got into the official Debian
> version, it was written in an obfuscated manner, set to trigger
> only after February 11, and only if it was not being run by Mr.
> Loschwitz. For the curious, here is a posting containing the code
> in question.
