on communication - gpg's el gamal and debian's openssl
Steve Kinney
admin at pilobilus.net
Wed Sep 21 01:48:37 PDT 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/21/2016 03:56 AM, Georgi Guninski wrote:
> On Tue, Sep 20, 2016 at 05:57:59PM -0400, Steve Kinney wrote:
>>> search the interwebz for references.
>>
>> TL;DR
>>
>
> Here are some links of the more important screwups IMHO.
Below: The kind of content people bitch about CPunks not having near
enough of. Really annoying stuff, in the sense that now I have to
look at the whole thing of this happy horse shit.
Gee thanks.
;o)
>
> Suspect zero or more of (spec) backdoors, social engineering,
> gross incompetence:
>
> https://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html
>
>
gpg
> GnuPG's ElGamal signing keys compromised Thu Nov 27 09:29:51 CET
> 2003
>
>
> https://www.debian.org/security/2008/dsa-1571 13 May 2008 Debian It
> is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on
> Debian systems is recreated from scratch. Furthermore, all DSA keys
> ever used on affected Debian systems for signing or authentication
> purposes should be considered compromised; the Digital Signature
> Algorithm relies on a secret random value used during signature
> generation.
>
> [1] http://seclists.org/fulldisclosure/2011/Sep/221 Thu, 22 Sep
> 2011 Ubuntu Importing trusted apt gpg keys uses "--list-sigs",
> which doesn't check the signatures. Also trivial keyid collisions.
>
>
> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
> 2012-06-14 Ubuntu Trivial import of trusted apt gpg keys via easy
> collision of the long keyid (probably spec backdoor). Circumvents
> the pseudo fix for [1].
>
> https://lwn.net/Articles/22991/ (not crypto), Debian, micq February
> 18, 2003 Mr. Kuhlmann decided that enough was enough, and he was
> going to take some action. As of mICQ 0.4.10.1, the code will, when
> built for the Debian distribution, print out a message which says
> some unflattering things about Mr. Loschwitz and encourages use of
> a different version; the program then exits. In other words, when
> built for Debian, mICQ thumbs its nose at the user and refuses to
> run. To help ensure that this code got into the official Debian
> version, it was written in an obfuscated manner, set to trigger
> only after February 11, and only if it was not being run by Mr.
> Loschwitz. For the curious, here is a posting containing the code
> in question.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAEBAgAGBQJX4kllAAoJEECU6c5XzmuqIuwH/0MCyoCkcjXa50TDb1jbQ/lV
3muyhnnFjhEWwyzNg89ECrv/KQ2tcXljebc1c0nH3LA8lQZsl6kuJ//ki7mSsvDx
yCp44/gbPh5cSOgI0+LH+4HWpKtzPn9httiaOhCnQGE3qpqSX/fKoSu6XOKoyL2a
ZBNypCEdITugcUsIgW1k2GdVzZ7pV8BpV/bEAZHeAhWJC/6JYnjN2nPyvYidVkbB
FmQuz1DC4il4+OLqI0xfgGuFS3FM/MGnfrG8oEvgq7zREWwXWW9/riOBoNEHgEew
s5DL0uVt7i2Zdoj0GD1Bipu9XEvPKfcMQ5vsaa9ZUSSWUouWt5itKWyW+LgE280=
=LU1x
-----END PGP SIGNATURE-----
More information about the cypherpunks
mailing list