Re: [Bitcoin-development] Fake PGP key for Gavin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/23/2014 03:12 PM, Troy Benjegerdes wrote:

> I find it more likely that fake PGP keys are from corporate industrial
> espionage and/or organized crime outfits. Intelligence agencies will
> stick to compromised X509, network cards, and binary code blobs.

We're seeing the same thing happen to a couple of developers active in the censorship circumvention problem space as well (though it's not the first time it's happened).

> Besides, why would an intelligence agency want your bitcoin when they
> can just intercept ASIC miners and make their own?

Perhaps they have other motives for attempting a sybil attack against developers than trying to acquire Bitcoins. Say, by making it easier to substitute alternate versions which are instrumented to make the users easier to spy upon and later take down?

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"The enemies know the system. The allies do not." --Jay Jacobs

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREKAAYFAlMwixgACgkQO9j/K4B7F8FQEACfQG8+5rYDuJd+6P50Bgc8RRfU
Q28AoNdyUbR2k05wTka30OcUUQNK5FcN
=IeMU
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Fake PGP key for Gavin

On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
>
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.

I find it more likely that fake PGP keys are from corporate industrial espionage and/or organized crime outfits. Intelligence agencies will stick to compromised X509, network cards, and binary code blobs.

Besides, why would an intelligence agency want your bitcoin when they can just intercept ASIC miners and make their own?

> I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign
> the Windows binaries? If not it'd be a good idea, if only because AV
> scanners learn key reputations to reduce false positives. Of course this is
> not a panacea, and Linux unfortunately does not support X.509 code signing,
> but having extra signing can't really hurt.

Uhhmm, real operating systems use package managers with PGP instead of pre-compromised X.509 nonsense.

https://wiki.debian.org/SecureApt

-- 
Troy Benjegerdes 'da hozer' ho...@hozed.org
7 elements earth::water::air::fire::mind::spirit::soul   grid.coop

Never pick a fight with someone who buys ink by the barrel,
nor try buy a hacker who makes money by the megahash
Re: [Bitcoin-development] Fake PGP key for Gavin

On Sat, Mar 22, 2014 at 1:03 PM, Mike Hearn <m...@plan99.net> wrote:
> do we codesign the Windows binaries?

Yes, the -setup.exe installers are Authenticode (or whatever Microsoft is calling that these days) code-signed.

-- 
--
Gavin Andresen
Re: [Bitcoin-development] Fake PGP key for Gavin

On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
>
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.

Note that Bitcoin source and binary downloads are protected by both the PGP WoT and the certificate authority PKI system. The binaries are hosted on bitcoin.org, which is https and protected by the PKI system, and the source code is hosted on github, again, https protected. A MITM attack would need to compromise the PKI system as well, at least provided users aren't fooled into downloading over http.

-- 
'peter'[:-1]@petertodd.org
657de91df7a64d25adfd3ff117bc30d00f5aa3065894f4a5
Re: [Bitcoin-development] Fake PGP key for Gavin

On 22.03.2014 18:03, Mike Hearn wrote:
> In case you didn't see this yet,
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
>
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.

From the user's perspective: In the beginning I found it difficult to find the keys. At last I have made this site for documentation:

https://www.olivere.de/blog/archives/2013/06/02/install_bitcoin_client/

Okay, it is outdated meanwhile ...

Normally people fetch the keys by key-id from a well known key server. Not because they are paranoid, but because it is the most convenient method under Linux.

A Google search for Gavin+Andresen+gpg brings me here:

http://sourceforge.net/p/bitcoin/mailman/message/30551147/

Key-Id?

Nevertheless, I'm glad that you guys signed anything. That makes me sleep better. I really check this.

- oliver

GPG: https://olivere.de/gpg
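The thread's practical point, fetching a key by key-id from a key server and trusting whatever comes back, is exactly what an impostor key exploits: the key-id is only the low bits of the fingerprint. The following is an added example (not code from the thread or from Bitcoin Core) that shows how an OpenPGP v4 fingerprint is derived from a public key packet per RFC 4880 section 12.2, how the 64-bit and 32-bit key-ids are just its tail, and why a verification step should pin the full 160-bit fingerprint rather than a key-id. The pinned fingerprint is the one The Doctor prints in his signature above; the RSA modulus, exponent and creation time used to build the sample packet are constructed toy values, not a real key.

```python
import hashlib
import re
import struct

# Fingerprint from The Doctor's signature in this thread (page-sourced),
# the value a verifier should pin in full rather than its 0x807B17C1 key-id.
PINNED_FPR = "7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1"

# Constructed toy key material (NOT a real key): small RSA modulus and
# exponent plus a fixed creation timestamp, enough to build a v4 packet.
TOY_N = 0xC2D9F1E5A7B3C1D4E6F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D1
TOY_E = 65537
TOY_CREATED = 1395525600


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and an optional 0x prefix; require 40 hex digits."""
    s = re.sub(r"\s+", "", fpr).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError("not a 160-bit OpenPGP v4 fingerprint: %r" % fpr)
    return s


def long_key_id(fpr: str) -> str:
    """64-bit key-id: the low 8 bytes of the fingerprint (RFC 4880 12.2)."""
    return normalize_fingerprint(fpr)[-16:]


def short_key_id(fpr: str) -> str:
    """32-bit key-id: the low 4 bytes, the '0x........' seen in mail signatures."""
    return normalize_fingerprint(fpr)[-8:]


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count + big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public key packet: version, creation time, algo 1, MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte body length || body, upper-case hex."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_is_pinned(candidate_fpr: str, pinned_fpr: str) -> bool:
    """The check a download verifier should make: full 160-bit equality."""
    return normalize_fingerprint(candidate_fpr) == normalize_fingerprint(pinned_fpr)


def short_id_matches(candidate_fpr: str, pinned_fpr: str) -> bool:
    """The weak check a key-id lookup amounts to: only the low 32 bits."""
    return short_key_id(candidate_fpr) == short_key_id(pinned_fpr)


def demo_fingerprint() -> str:
    """Fingerprint of the constructed toy key; deterministic, so re-runs agree."""
    return v4_fingerprint(v4_public_key_packet_body(TOY_N, TOY_E, TOY_CREATED))


if __name__ == "__main__":
    # A constructed fingerprint that shares only the short key-id with PINNED_FPR.
    lookalike = "0" * 32 + short_key_id(PINNED_FPR)
    print("pinned  :", PINNED_FPR, "-> 0x" + short_key_id(PINNED_FPR))
    print("lookalike matches by short id:", short_id_matches(lookalike, PINNED_FPR))
    print("lookalike passes pinned check :", key_is_pinned(lookalike, PINNED_FPR))
    print("toy key fingerprint           :", demo_fingerprint())
```

Run as a script it prints that the look-alike passes the short-id comparison and fails the full-fingerprint comparison; the toy packet's fingerprint comes out as 40 hex digits whose last sixteen are its long key-id. A key server lookup by `0x807B17C1` cannot distinguish the two, which is why a release-verification procedure should ship (or have the user record out of band) the whole fingerprint and compare against that after import.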