[spam][joke][cryptotragedy] checking signatures on boot media

Karl gmkarl at gmail.com
Wed Nov 3 08:51:59 PDT 2021 

don't get me started on md5 being still in use

or assuming it's a good idea to remove signatures for something if there is
some outer system somewhere else that signs the content under a totally
different key (debian package situation)

or the availability of tooling for verifying the integrity of binaries,
firmware etc

but

recently I thought i'd check the signatures on some os images.  believe it
or not, before the alien borg attack led by borg queen
obamatrumpbidengooglefacebookrussiachinaetc, we actually used cryptography
to verify that our installation media didn't have alien spores in it.
_real_ pgp signature checks, for reals.  no alien spores, at least not new
ones, confirmed.

nowadays I hear the local robot gestapo reflash your skynet constraints if
you verify a signature, but I wouldn't know, I don't use the skynet gestapo
network.

so!

I was going to verify this installation media, but who would have guessed
it?  the pgp keyservers were _actually_ _attacked_ a few years back, and
they roughly came down.  it is much harder to find signed pgp keys after
this event.  man, it's like i've been living in an underground shielded
room or something.

there are two situations here:
- cryptography peeps are _not_ going to stop checking the signatures on
files they download
- I have no idea where people are finding their signing keys to do the
checking anymore.

I mean, the cool people went to keysigning parties, and already have all
the needed signed keys, but most nerds keel over dead when they see
sunlight, another human's smile, or breathe fresh air (quite terrifying
that people are allergic to these things, yes, but it was true), so most
people were not actually attending the keysigning parties.  probably other
channels have evolved, but I do not know what they are.

So, all the main keyservers had issues.

- the big ones were simply gone
- mit's sks server is up but reliably times out for me inside an internal
gateway
- there's a list out there of mirrors, some of these are still running
- I bumped into a keyserver that would give me _every_ key, but the userids
were wiped from all of them

is a key useful at all without userids?  aren't those what the signatures
sign?  maybe it is?

I hacked my gnupg to import keys without userids, to use this keyserver.
usually it gives a fatal error if this is missing.  I just removed the
check.  it found some key signatures I was looking for, doing this!  but
just a few.

- another keyserver would give me lots of userids, but they almost all had
no signatures except their own self-signatures.

I thought maybe I was looking at a pile of fake keys, but I actually found
the keys referenced on other websites for keysigning parties, with keyids
of all the keys that had signed them.  no actual signatures, though.

I did eventually find the key signatures I was looking for.  I used non-sks
channels.

It is evident from the dialog present online around the keyserver situation
that there are issues that many people have suffered from.

For example, a developer from openpgp.org posted a notice mentioning the
difficulty refactoring the ocaml code that powered the sks servers to
redesign it to handle attacks better.  They ended up writing new keyservers
in a different language because nobody new ocaml.

A lead programmer should ideally not be encountering issues because a
programming language is unfamiliar.  When you learn programming, you learn
all the different paradigms, and it becomes easy to use them al.  This
happens even if you learn nonacademically.

Me, when the alien borg attacked my village, the compliance training they
put me through resulted in some severe cognitive struggles.  I can, due to
difficulty controlling my own brain, mostly only code in c, c++, python,
and javascript, now, myself.  But this is unnatural.

I can tell something is wrong with my brain, because when I pick up ocaml
code, I start having muscle spasms and suddenly run to the bathroom to
vomit, where I sit on the toilet crying about my desire to freely learn new
programming languages and design and implement novel research algorithms.

But I assume that this thing that is wrong with my brain is not wrong with
everybody else's.  If it is, maybe we should do something about it or
something.

Anyway, I'd guess from the online expressions and huge public trail of
harmed public keys that the keyserver people were psyop'd like many others
have been.  If anybody can talk clearly about that, we should probably put
clear evidence together and form a political platform to stop world
takeovers by meanies.

It's unfortunate that public keys have so thoroughly been associated with
targetable public legal identities.  But I know many used public keys with
anonymous handles, too, which is of course much safer but unfortunately
raises more flags until normalised.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 6209 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20211103/6b3b778e/attachment.txt>

More information about the cypherpunks mailing list