on communication - [zen at freedbms.net: Re: [geany/geany] fails to open Microsoft UTF-16LE file (MSO Word CUSTOM.DIC dictionary file) (#1238)]
Sean Lynch: we already knew social skills weren't [Zen's] strong suit.
Cecilia Tanaka: Zen will say you are "bullying". I [don't] care about his opinion.
Because you two do more than cry and use lots of useless words. Stupid fuckers. Bullies XD
On Sep 20, 2016 8:46 AM, "John Newman" <jnn@sigaint.org> wrote:
Sean Lynch: we already knew social skills weren't [Zen's] strong suit.
Cecilia Tanaka: Zen will say you are "bullying". I [don't] care about his opinion.
Because you two do more than cry and use lots of useless words.
Stupid fuckers.
Bullies XD
Hmm... Why are you using John Newman's name, please? I am a cute "stupid fucker" and I really like him very much. This e-mail address isn't his, dear, and his writing style is different... :P
Answers in private, if you wish. Bullying kisses! :*
Ceci
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
There's a lot to be said for signing messages to lists like this. It makes impersonation way more difficult. It provides a visual reminder that "signing exists" and thus promotes the use of basic crypto tools. Also, if list archives contain /many/ specimens of your signature, that enables people to have /some/ limited confidence that it "really is your key" in the absence of direct personal contact or a trusted introducer.
On the downside, it makes denying that you wrote something all but impossible - "somebody stole my signing key and its pass phrase" is not what someone who is trying to avoid embarrassment would like to say.
And the signatures annoy many people whose mail readers are not set up to interpret them - possibly the best reason of all.
:o)
On 09/20/2016 10:05 AM, Cecilia Tanaka wrote:
On Sep 20, 2016 8:46 AM, "John Newman" <jnn@sigaint.org> wrote:
Sean Lynch: we already knew social skills weren't [Zen's] strong suit.
Cecilia Tanaka: Zen will say you are "bullying". I [don't] care about his opinion.
Because you two do more than cry and use lots of useless words.
Stupid fuckers.
Bullies XD
Hmm... Why are you using John Newman's name, please? I am a cute "stupid fucker" and I really like him very much. This e-mail address isn't his, dear, and his writing style is different... :P
Answers in private, if you wish. Bullying kisses! :*
Ceci
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Agreed - I've signed intermittently with the same key from my first posts. Generally I don't sign messages, but I think I may start making a habit of it...
John
On September 20, 2016 12:38:43 PM EDT, Steve Kinney <admin@pilobilus.net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
There's a lot to be said for signing messages to lists like this. It makes impersonation way more difficult. It provides a visual reminder that "signing exists" and thus promotes the use of basic crypto tools. Also, if list archives contain /many/ specimens of your signature, that enables people to have /some/ limited confidence that it "really is your key" in the absence of direct personal contact or a trusted introducer.
On the downside, it makes denying that you wrote something all but impossible - "somebody stole my signing key and its pass phrase" is not what someone who is trying to avoid embarrassment would like to say.
And the signatures annoy many people whose mail readers are not set up to interpret them - possibly the best reason of all.
:o)
On 09/20/2016 10:05 AM, Cecilia Tanaka wrote:
On Sep 20, 2016 8:46 AM, "John Newman" <jnn@sigaint.org> wrote:
Sean Lynch: we already knew social skills weren't [Zen's] strong suit.
Cecilia Tanaka: Zen will say you are "bullying". I [don't] care about his opinion.
Because you two do more than cry and use lots of useless words.
Stupid fuckers.
Bullies XD
Hmm... Why are you using John Newman's name, please? I am a cute "stupid fucker" and I really like him very much. This e-mail address isn't his, dear, and his writing style is different... :P
Answers in private, if you wish. Bullying kisses! :*
Ceci
- --
Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Tue, Sep 20, 2016 at 12:38:43PM -0400, Steve Kinney wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On the downside, it makes denying that you wrote something all but impossible - "somebody stole my signing key and its pass phrase" is not what someone who is trying to avoid embarrassment would like to say.
lol, tell this to the gpg's guys and gals, who completely compromised the El Gamal's signing keys and to debian, who memset() what they read from /dev/random. search the interwebz for references.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 09/20/2016 02:19 PM, Georgi Guninski wrote:
On Tue, Sep 20, 2016 at 12:38:43PM -0400, Steve Kinney wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On the downside, it makes denying that you wrote something all but impossible - "somebody stole my signing key and its pass phrase" is not what someone who is trying to avoid embarrassment would like to say.
lol, tell this to the gpg's guys and gals, who completely compromised the El Gamal's signing keys
Oh dear. That implies that the DEB and RPM package managers are blown wide open, as both use GPG for integrity checks. At least this explains why everybody gets rooted all the time.
We gonna have to compile and install from source signed by the devel... um, heh heh, signed with what? Houston, come in? Anybody down there?
and to debian, who memset() what they read from /dev/random.
Sounds like a personal issue to me...
search the interwebz for references.
TL;DR
teh intertubes has too big, probably over 9000
On Tue, Sep 20, 2016, 14:58 Steve Kinney <admin@pilobilus.net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 09/20/2016 02:19 PM, Georgi Guninski wrote:
On Tue, Sep 20, 2016 at 12:38:43PM -0400, Steve Kinney wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On the downside, it makes denying that you wrote something all but impossible - "somebody stole my signing key and its pass phrase" is not what someone who is trying to avoid embarrassment would like to say.
lol, tell this to the gpg's guys and gals, who completely compromised the El Gamal's signing keys
Oh dear. That implies that the DEB and RPM package managers are blown wide open, as both use GPG for integrity checks. At least this explains why everybody gets rooted all the time.
We gonna have to compile and install from source signed by the devel... um, heh heh, signed with what? Houston, come in? Anybody down there?
No. The Debian maintainers revoked all their ElGamal signing keys. It was a big fuck up, but it's been dealt with. The problem is the larger issue of writing secure software and building services/processes that depend on that software. There needs to be more defense in depth, where a single broken primitive can't compromise the whole chain. Signing commits, publishing them in multiple independent places, reproducible builds, extensive test suites. Of course, this is all unglamorous work that's hard to get volunteers to do unless they're really passionate about end-to-end security, i.e. the hard, dirty stuff that requires interacting with other humans, as opposed to individual security primitives which tend to be more standalone and thus easier for someone to work on in their spare time.
and to debian, who memset() what they read from /dev/random.
Sounds like a personal issue to me...
search the interwebz for references.
TL;DR
teh intertubes has too big, probably over 9000
On Tue, Sep 20, 2016 at 05:57:59PM -0400, Steve Kinney wrote:
and to debian, who memset() what they read from /dev/random.
Sounds like a personal issue to me...
I deny this and actually use debian. Their disclaimer covers their asses. Still criticizing publicly OS vendors for major screwups (say for ditching Appelbaum because of allegations) and other major technical nonsense.
On Tue, Sep 20, 2016 at 05:57:59PM -0400, Steve Kinney wrote:
search the interwebz for references.
TL;DR
Here are some links of the more important screwups IMHO. Suspect zero or more of (spec) backdoors, social engineering, gross incompetence:

https://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html
gpg
GnuPG's ElGamal signing keys compromised
Thu Nov 27 09:29:51 CET 2003

https://www.debian.org/security/2008/dsa-1571
13 May 2008
Debian
It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

[1] http://seclists.org/fulldisclosure/2011/Sep/221
Thu, 22 Sep 2011
Ubuntu
Importing trusted apt gpg keys uses "--list-sigs", which doesn't check the signatures. Also trivial keyid collisions.

https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
2012-06-14
Ubuntu
Trivial import of trusted apt gpg keys via easy collision of the long keyid (probably spec backdoor). Circumvents the pseudo fix for [1].

https://lwn.net/Articles/22991/
(not crypto), Debian, micq
February 18, 2003
Mr. Kuhlmann decided that enough was enough, and he was going to take some action. As of mICQ 0.4.10.1, the code will, when built for the Debian distribution, print out a message which says some unflattering things about Mr. Loschwitz and encourages use of a different version; the program then exits. In other words, when built for Debian, mICQ thumbs its nose at the user and refuses to run. To help ensure that this code got into the official Debian version, it was written in an obfuscated manner, set to trigger only after February 11, and only if it was not being run by Mr. Loschwitz. For the curious, here is a posting containing the code in question.
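The two Ubuntu apt reports listed above both come down to trusting a key by its 64-bit key ID rather than by its full fingerprint. As an added example (not written by anyone in this thread), the Python below audits a listing in `gpg --with-colons` layout against a pinned fingerprint; the listing, the keys and every fingerprint in it are constructed for illustration.

```python
# Added example (not from the thread): pin full fingerprints, never key IDs.
# Constructed listing in `gpg --with-colons --fingerprint` layout; not real keys.
# The first two keys share the 64-bit key ID 0123456789ABCDEF.
SAMPLE_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1300000000:::-:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC33330123456789ABCDEF:
uid:-::::1300000000::::Archive Key (constructed) <archive@example.org>:
pub:-:4096:1:0123456789ABCDEF:1330000000:::-:::scESC:
fpr:::::::::DDDD4444EEEE5555FFFF66660123456789ABCDEF:
uid:-::::1330000000::::Archive Key (constructed) <archive@example.org>:
pub:-:2048:1:FEDCBA9876543210:1340000000:::-:::scESC:
fpr:::::::::999988887777666655554444FEDCBA9876543210:
sub:-:2048:1:1111222233334444:1340000000::::::e:
fpr:::::::::0000000000000000000000001111222233334444:
"""
PINNED = "AAAA 1111 BBBB 2222 CCCC 3333 0123 4567 89AB CDEF"  # constructed


def primary_fingerprints(listing):
    """Return the fingerprint of every primary key (pub record) in the listing."""
    found, after_pub = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            after_pub = fields[0] == "pub"   # skip fpr records of subkeys
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            after_pub = False
    return found


def keyid_matches(listing, keyid):
    """What a key-ID lookup sees: every key whose fingerprint ends in keyid."""
    return [f for f in primary_fingerprints(listing) if f.endswith(keyid.upper())]


def audit(listing, pinned):
    """Classify keys as trusted, colliding with a pinned key ID, or unknown."""
    pins = {p.replace(" ", "").upper() for p in pinned}
    pin_ids = {p[-16:] for p in pins}        # v4 long key ID = low 64 bits
    report = {"trusted": [], "keyid_collision": [], "unknown": []}
    for fpr in primary_fingerprints(listing):
        kind = ("trusted" if fpr in pins else
                "keyid_collision" if fpr[-16:] in pin_ids else "unknown")
        report[kind].append(fpr)
    return report


if __name__ == "__main__":
    print(keyid_matches(SAMPLE_LISTING, "0123456789ABCDEF"))
    print(audit(SAMPLE_LISTING, [PINNED]))
```

A key reported under `keyid_collision` is the case to alert on: it would pass any check keyed on the long key ID while failing the fingerprint pin.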
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 09/21/2016 03:56 AM, Georgi Guninski wrote:
On Tue, Sep 20, 2016 at 05:57:59PM -0400, Steve Kinney wrote:
search the interwebz for references.
TL;DR
Here are some links of the more important screwups IMHO.
Below: The kind of content people bitch about CPunks not having near enough of. Really annoying stuff, in the sense that now I have to look at the whole thing of this happy horse shit. Gee thanks. ;o)
Suspect zero or more of (spec) backdoors, social engineering, gross incompetence:
https://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html
gpg
GnuPG's ElGamal signing keys compromised
Thu Nov 27 09:29:51 CET 2003

https://www.debian.org/security/2008/dsa-1571
13 May 2008
Debian
It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

[1] http://seclists.org/fulldisclosure/2011/Sep/221
Thu, 22 Sep 2011
Ubuntu
Importing trusted apt gpg keys uses "--list-sigs", which doesn't check the signatures. Also trivial keyid collisions.

https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
2012-06-14
Ubuntu
Trivial import of trusted apt gpg keys via easy collision of the long keyid (probably spec backdoor). Circumvents the pseudo fix for [1].

https://lwn.net/Articles/22991/
(not crypto), Debian, micq
February 18, 2003
Mr. Kuhlmann decided that enough was enough, and he was going to take some action. As of mICQ 0.4.10.1, the code will, when built for the Debian distribution, print out a message which says some unflattering things about Mr. Loschwitz and encourages use of a different version; the program then exits. In other words, when built for Debian, mICQ thumbs its nose at the user and refuses to run. To help ensure that this code got into the official Debian version, it was written in an obfuscated manner, set to trigger only after February 11, and only if it was not being run by Mr. Loschwitz. For the curious, here is a posting containing the code in question.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
It seems I have a doppelganger. How flattering.
John
- --
Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (6)
- Cecilia Tanaka
- Georgi Guninski
- John
- John Newman
- Sean Lynch
- Steve Kinney