-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/21/2016 03:56 AM, Georgi Guninski wrote:
On Tue, Sep 20, 2016 at 05:57:59PM -0400, Steve Kinney wrote:
search the interwebz for references.
TL;DR
Here are some links of the more important screwups IMHO.
Below: The kind of content people bitch about CPunks not having near enough of. Really annoying stuff, in the sense that now I have to look at the whole thing of this happy horse shit. Gee thanks. ;o)
Suspect zero or more of (spec) backdoors, social engineering, gross incompetence:
https://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html
gpg
GnuPG's ElGamal signing keys compromised Thu Nov 27 09:29:51 CET 2003
https://www.debian.org/security/2008/dsa-1571 13 May 2008 Debian It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.
[1] http://seclists.org/fulldisclosure/2011/Sep/221 Thu, 22 Sep 2011 Ubuntu Importing trusted apt gpg keys uses "--list-sigs", which doesn't check the signatures. Also trivial keyid collisions.
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128 2012-06-14 Ubuntu Trivial import of trusted apt gpg keys via easy collision of the long keyid (probably spec backdoor). Circumvents the pseudo fix for [1].
https://lwn.net/Articles/22991/ (not crypto), Debian, micq February 18, 2003 Mr. Kuhlmann decided that enough was enough, and he was going to take some action. As of mICQ 0.4.10.1, the code will, when built for the Debian distribution, print out a message which says some unflattering things about Mr. Loschwitz and encourages use of a different version; the program then exits. In other words, when built for Debian, mICQ thumbs its nose at the user and refuses to run. To help ensure that this code got into the official Debian version, it was written in an obfuscated manner, set to trigger only after February 11, and only if it was not being run by Mr. Loschwitz. For the curious, here is a posting containing the code in question.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJX4kllAAoJEECU6c5XzmuqIuwH/0MCyoCkcjXa50TDb1jbQ/lV 3muyhnnFjhEWwyzNg89ECrv/KQ2tcXljebc1c0nH3LA8lQZsl6kuJ//ki7mSsvDx yCp44/gbPh5cSOgI0+LH+4HWpKtzPn9httiaOhCnQGE3qpqSX/fKoSu6XOKoyL2a ZBNypCEdITugcUsIgW1k2GdVzZ7pV8BpV/bEAZHeAhWJC/6JYnjN2nPyvYidVkbB FmQuz1DC4il4+OLqI0xfgGuFS3FM/MGnfrG8oEvgq7zREWwXWW9/riOBoNEHgEew s5DL0uVt7i2Zdoj0GD1Bipu9XEvPKfcMQ5vsaa9ZUSSWUouWt5itKWyW+LgE280= =LU1x -----END PGP SIGNATURE-----