Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Monday August 15 2016, @01:45PM   Printer-friendly [Skip to comment(s)]
from the keys-to-the-kingdom dept.

Enrico Zini wrote:

There are currently at least 3 ways to refer to a GPG key: short key ID (last 8 hex digits of fingerprint), long key ID (last 16 hex digits) and full fingerprint. The short key ID used to be popular, and since 5 years it is known that it is computationally easy to generate a GnuPG key with an arbitrary short key id.

LWN.net wrote in June 3, 2016:

Gunnar Wolf urges developers to stop using "short" PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild.

After contacted the owner, it turned out that one of the keys is a fake. In addition, labelled same names, emails, and even signatures created by more fake keys. Weeks later, more developers found their fake "mirror" keys on the keyserver, including the PGP Global Directory Verification Key. Gunnar Wolf wrote:

We don't know who is behind this, or what his purpose is. We just know this looks very evil. [...] In short, that cutting a fingerprint in order to get a (32- or 64-bit) short key ID is the worst of all worlds, and we should rather target either always showing full fingerprints, or not showing it at all (and leaving all the crypto-checking bits to be done by the software, as comparing 160-bit strings is not natural for us humans).

Now, a fake key (fake: 0x6211aa3b00411886, real: 0x79be3e4300411886) of Linus Torvalds was found in the wild, scroll the page and you'll see two. It looked like that every single key from the Linux kernel community have been forged successfully, another example is Greg Kroah-Hartman (fake:0x27365dea6092693e, real: 0x38dbbdc86092693e). LWN reader "rmayr" commented:

so it seems somebody is actually constructing a database of fake keypairs with "well-known" short IDs. Something is going on here...


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Funny) by Anonymous Coward on Monday August 15 2016, @02:07PM

    by Anonymous Coward on Monday August 15 2016, @02:07PM (#388181)

    Must be that new systemd-Pgp module.

    Soon systemd will start submitting patches with these fake keys. Harry pottering has already lost control.

    Next: sky net

  • (Score: 2) by takyon on Monday August 15 2016, @02:28PM

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Monday August 15 2016, @02:28PM (#388185) Journal

    Can this be used to spread bad code, or just impersonate Torvalds and others with sweary rants?

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 3, Interesting) by Scruffy Beard 2 on Monday August 15 2016, @02:35PM

      by Scruffy Beard 2 (6030) on Monday August 15 2016, @02:35PM (#388189)

      These are partial collisions.

      The problem is that gpg is loath to even show either the longer short keys, or the entire fingerprints.

      So with many duplicate "short" keys in the wild, the user has no good way to know which key they are being asked to trust. I have had people not tell me their full key fingerprint because they did not even know it (merely linking to their "long" short key on keybase.io).

      • (Score: 4, Informative) by frojack on Monday August 15 2016, @04:14PM

        by frojack (1554) Subscriber Badge on Monday August 15 2016, @04:14PM (#388241) Journal

        So with many duplicate "short" keys in the wild, the user has no good way to know which key they are being asked to trust.

        That's why you don't TRUST keys you get indirectly.

        Nobody trusts short IDs anyway. Short keys are nothing but a handle to import full keys, You merely use those to import the full key, Then you see who signed those full keys, (fetch the missing keys of those who signed it) and see if you can find some signers you recognize.

        You still don't trust it. You sure as hell don't sign it yourself.

        Maybe you decide to trust it at some level if it has signers that you previously trusted, buy when you do this you know you are living dangerously.
         

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 3, Insightful) by FatPhil on Monday August 15 2016, @03:03PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday August 15 2016, @03:03PM (#388202) Homepage
      Nothing *cryptographic* will be fooled. Only people and software that think that a short hash is an identity will be fooled. Which should be nobody. Collisions on an 8-hex only need tens of thousands of ids due to the birthday paradox, which means that just naturally there is a decent probability of collisions just within linux kernel developers already (though most likely just amongst the relatively unimportant masses like myself, rather than high profile ones who actually need the crypto aspect - my patches were accepted on technical merit, not because of my identity).

      All the cryptographic stuff - such as signing a label on the repo - uses the full key, not a truncated hash of it.
      --
      I know I'm God, because every time I pray to him, I find I'm talking to myself.
      • (Score: 4, Informative) by Capt. Obvious on Monday August 15 2016, @04:22PM

        by Capt. Obvious (6089) on Monday August 15 2016, @04:22PM (#388242)

        The birthday matching math (I wouldn't call it a paradox) only applies if we don't care which two members intersect. As soon as you assign one of those to a known value, (e..g Linus's key) it aligns with normal intuition./p?

        • (Score: 2) by FatPhil on Tuesday August 16 2016, @07:38AM

          by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday August 16 2016, @07:38AM (#388602) Homepage
          Erm, did you skip my parenthetical comment where I say exactly the same thing?

          Anything counter-intuitive is paradoxical. The intuitive way of thinking leads you down a different path (and is thus "para") from the right way of thinking (the "dox").
          --
          I know I'm God, because every time I pray to him, I find I'm talking to myself.
          • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @08:48AM

            by Anonymous Coward on Tuesday August 16 2016, @08:48AM (#388618)

            Did you miss who you were replying to?

  • (Score: 0, Troll) by kurenai.tsubasa on Monday August 15 2016, @02:47PM

    by kurenai.tsubasa (5227) on Monday August 15 2016, @02:47PM (#388196) Journal

    Probably the Misogynerd Narrative getting ready to ramp up another wave. Expect to see a story hit the lamestream media with big names in FLOSS being exposed for sexual harassment/rape/you name it with one of these fake keys. Trying to argue against it when the Daily Show, Last Week Tonight, probably The Late Show etc start naming and shaming will be futile.

    Expect white knights to galumph out of the woodwork and triumphantly declare concrete proof that whoever they target (and it may not be one person) sent some really sleazy emails because they're signed with a key from some key server with the same short id. Expect a few feminist plants to scream and cry and make a big deal of being chased out of FLOSS. Expect nobody to even question why the hell somebody would bother signing a communication with sexual harassment with their key.

    Feminists: it doesn't need to be this way.

    All out of low hanging fruit? No more sexually frustrated misogynerds left to set up? Too many people wising up to the reality that a cisfemale claiming to be interested in FLOSS who starts putting the moves on (which I find sexually harassing, thank you, I'm flattered) may just have ulterior motives? Too many of us suspecting that MikeeUSA isn't who he claims to be?

    No, you never needed a man's help to get into tech. You're fully capable of it on your own. Well, you're on your own. Fool me over and over again and then fuck up my access to medical care and try to control my body, shame on me. Fool me for the umpteen billionth time? I'd rather flip burgers. Shame on me for letting it get past the first time.

    What is the fucking point of all this?

    No, I don't think this is some nefarious action on the part of the Ruskies unless of course we want to head down the tenuous connection between feminism and Marxism. The Misogynerd Narrative has really been quite something. Almost enough to make me think twice about writing off Trump because he's a nut and the Republican platform seems to have aligned itself with the homophobic and transphobic views of feminism this year.

    (I'd accept that some people who call themselves feminists are deluded, but being an assigned male I would have no way to know who are the true feminists. It has been made explicit to me that I am an incomplete being and a [bathroom] rapist. And I have no particular emotional need to use my advanced infiltrator woman suit powers to find out the truth once I'm able to start my life over again.)

    • (Score: 3, Informative) by Anonymous Coward on Monday August 15 2016, @03:14PM

      by Anonymous Coward on Monday August 15 2016, @03:14PM (#388205)

      Calm down, put it down, walk slowly backwards away from the crack pipe.

      • (Score: 1, Funny) by kurenai.tsubasa on Monday August 15 2016, @03:32PM

        by kurenai.tsubasa (5227) on Monday August 15 2016, @03:32PM (#388213) Journal

        Yeah, you're probably right. Doesn't really have anything to do with me personally, and one of the advantages of being just done with feminism is that it eliminates a lot of social attack surface. I'll keep on using Linux or a BSD no matter how much of a sexually harassing misogynerd that makes me.

        Nobody cares what OS a burger flipper runs at home.

        The only correct response to “I wanna be a programmer!” is “You should talk to a guidance counselor at $local_community_college or $local_university.” Just end it there. If somebody calls you on the carpet for being a sexist who doesn't think women should program computers, better to get that out of the way sooner rather than after investing a whole bunch of effort.

        Not all cisfemales are dangerous. Imagine a bowl of jelly beans. Now imagine 10% of them are poisoned. Do you think you'd be eager to eat a big handful?

        • (Score: 0) by Anonymous Coward on Monday August 15 2016, @04:58PM

          by Anonymous Coward on Monday August 15 2016, @04:58PM (#388266)

          Don't worry, the men in white coats are on their way. When they knock on your door, please go quietly, they'll take you to a place where you can be happier!

          • (Score: 0) by Anonymous Coward on Monday August 15 2016, @09:02PM

            by Anonymous Coward on Monday August 15 2016, @09:02PM (#388387)

            take you to... a nice padded Microsoft-sponsored think-tank in North Korea, where you can join other drones in creating more false keys.

          • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @03:38AM

            by Anonymous Coward on Tuesday August 16 2016, @03:38AM (#388535)

            The men in white coats are mikeusa too.
            He isn't what he claims to be.

        • (Score: 2) by Scruffy Beard 2 on Monday August 15 2016, @05:03PM

          by Scruffy Beard 2 (6030) on Monday August 15 2016, @05:03PM (#388269)

          Your post modded as troll reminds me of the time I assumed that every computer problem I came across was due to Digital Restrictions Management: until proven otherwise.

          Sometimes, never attributing malice to what can be adequately explained by incompetence, goes a long way.

          That is not to say that malice does not exist. Only that you may be wasting your time looking for malice where there is none.

    • (Score: 0) by Anonymous Coward on Monday August 15 2016, @05:05PM

      by Anonymous Coward on Monday August 15 2016, @05:05PM (#388271)

      No, you never needed a man's help to get into tech. You're fully capable of it on your own. Well, you're on your own

      I know you're going to go all rant-y about me reading into your words things you didn't intend, but then again, I did, here we are and I won't believe you when you say I'm reading things that aren't there because I really think that those things *are* there!
      But this quote above from your post tells me you really *are* a moron, someone who really thinks that women /are/ incapable of doing things and need men's aide at all times. You should seek help, or at least go outdoors a little more. You'll find the flowers smell nice!

      • (Score: 1) by kurenai.tsubasa on Monday August 15 2016, @05:24PM

        by kurenai.tsubasa (5227) on Monday August 15 2016, @05:24PM (#388280) Journal

        Ok, I will also try not to read something into what you wrote that is not there.

        But this quote above from your post tells me you really *are* a moron, someone who really thinks that women /are/ incapable of doing things and need men's aide at all times.

        I see that the correct thing to do when I was accused of sexism to my face because I was not assigned the same gender at birth as Ada Lovelace was to accept that “sexist” is something that was assigned at birth instead of mentoring and supporting cisfemales who wanted to learn programming—even sticking my neck out and reporting sexual harassment when it happened.

        I see that after all that effort, the conclusion is still the same as the accusation that motivated me to try to do something about the problem.

        Would you care to offer your theory about why there are no cisfemale in tech? Transfemales have no problem getting tech jobs, well, besides the other complaints that would apply to anybody such as H1Bs and ageism.

        Essentially, you're holding me accountable for the failure of cisfemales who are interested in tech jobs for purposes other than fabricating evidence that all assigned males in tech are sexual harassers to precipitate out of the aether. I tried to help. I tried to mentor. But those attempts were merely evidence of my sexist, moronic, misogynist attitudes.

        Am I understanding you correctly? Any attempt on the part of an assigned male to help cisfemales with this problem, whether it's fighting sexual harassment, being a mentor, connecting parts of a woman's existing academic experience to concepts in programming, is further evidence of their misogyny?

        • (Score: 0) by Anonymous Coward on Monday August 15 2016, @05:46PM

          by Anonymous Coward on Monday August 15 2016, @05:46PM (#388287)

          I see that the correct thing to do when I was accused of sexism to my face because I was not assigned the same gender at birth as Ada Lovelace was to accept that “sexist” is something that was assigned at birth instead of mentoring and supporting cisfemales who wanted to learn programming—even sticking my neck out and reporting sexual harassment when it happened.

          Incorrect, sexism is what you just displayed! It's got nothing to do with your or anyone else's gender whether or not you are a sexist, nothing to do with your birth, nothing to do with programming. However it has EVERYTHING to do with your (yes, you, you individually, you specifically) behavior.

          I see that after all that effort, the conclusion is still the same as the accusation

          well, your behavior hasn't changed... you're still doing the same thing. Why would the conclusion change if all the rest has remained equal?

          Would you care to offer your theory about why there are no cisfemale in tech?

          First off, you're one of the very few people that I know who actually throw around terms like 'cisfemale' but that's your choice, however know that it detracts from your message.
          Secondly, there are 'cisfemale' in tech. Like I said before: go outside once in a while. You'll find that the world isn't as scary as your on-line friends/acquaintances make it out to be. Get to know some actual people.

          Essentially, you're holding me accountable for the failure of cisfemales who are interested in tech jobs for purposes other than fabricating evidence that all assigned males in tech are sexual harassers to precipitate out of the aether.

          No, I'm trying to point out things that you say, claim or write. I have no idea what you did before, what you're doing now, heck, I don't even know who you are. And that doesn't matter to me.
          That being said, you make quite a claim there regarding the "fabricating evidence"... Are you sure that the evidence was fabricated and isn't just ... existing? Please, elaborate on these claims. Substantiate them and lay them out so that they can be verified. If you do, I may actually be swayed over to your side. Until that time, expect me to be on the opposite side of you.

          Am I understanding you correctly?

          No, no you did not...

          You know... sometimes it really isn't the big, bad, evil world that's holding you down. Sometimes it really is just your own fault! And while no-one like hearing that, in this case, I think it's time you hear it regarding yourself.

          • (Score: 2, Interesting) by kurenai.tsubasa on Monday August 15 2016, @07:50PM

            by kurenai.tsubasa (5227) on Monday August 15 2016, @07:50PM (#388362) Journal

            Incorrect, sexism is what you just displayed!

            Well fuck you then. I'd sure as hell love to not pay attention to everybody's gender. But HOW THE FUCK DOES THAT GET US ENOUGH WOMEN IN TECH?! Somebody's being sexist here, that's for sure.

            In fact, if what I wrote is sexist, then that is fucking proof that the stance I've come to adopt to never, ever mentor a woman again is the correct one. Maybe I'm not choosing the correct word with mentor. Maybe I should be calling what I do “remedial algebra tutor.” DO YOU THINK I FUCKING WASTE MY TIME ON GUYS THAT ARE DUMBFUCKS WHO ARE NEVER GOING TO GET IT? Do you know why I don't? BECAUSE NOBODY'S GOING TO CALL ME A SEXIST FOR SAYING A GUY JUST HAS NO FUCKING TALENT. I can beat guys up all day long and nobody will call me sexist for that. If a guy fails, he fails because of his own lack of merit/virtue/talent/whatever. If a woman fails, it's OMG Sexism!11!!eleven!!

            Fucking damned if you do, damned if you don't. FUCK YOU.

            Secondly, there are 'cisfemale' in tech. Like I said before: go outside once in a while. You'll find that the world isn't as scary as your on-line friends/acquaintances make it out to be. Get to know some actual people.

            Uh, I do? There clearly aren't enough cisfemales in tech to appease the Narrative, however the fuck many that needs to be.

            That being said, you make quite a claim there regarding the "fabricating evidence"... Are you sure that the evidence was fabricated and isn't just ... existing?

            Are you seriously trying to say that there is just some magickal force field that prevents women from making false rape accusations or false sexual harassment accusations? How does this work? Is it similar to the way a woman's body can just “shut down the whole thing” if she's rape-raped?

            Sometimes it really is just your own fault!

            If a woman is working as a technician in a computer store and somebody comes up to the counter asking to “talk to a technician,” am I to understand that the problem the woman is having is really her own fault?

            • (Score: 0) by Anonymous Coward on Monday August 15 2016, @09:06PM

              by Anonymous Coward on Monday August 15 2016, @09:06PM (#388390)

              Don't yell... it's never good form.
              I think you may just suck at 'being a tutor', I mean there's the yelling and there's the bold stuff... It's all so tiring to see someone cornered flail about wildly.
              The OP was not saying that it is "some nebulous person's fault", I think the OP was suggesting that the reason you (kurenai.tsubasa) are encountering experiences where you feel you are being wronged is because it is your (kurenai.tsubasa) fault. I think the OP was suggesting that there is something wrong with you, kurenai.tsubasa.

    • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @09:23AM

      by Anonymous Coward on Tuesday August 16 2016, @09:23AM (#388624)

      Unless you are drunk, or your intent is just to vandalize and troll the living shit out of the site, or you are doing an art-project or somesuch, let me make a following note:

      Spontaneous out-of-nowhere posting of long offtopic drivels to websites is not a sign of excellent mental health.

  • (Score: 2) by wonkey_monkey on Monday August 15 2016, @03:09PM

    by wonkey_monkey (279) on Monday August 15 2016, @03:09PM (#388204) Homepage

    Attacks Continued, Now Targeted Linus Torvalds

    Now targeted? Or then targeted? Or still targeting?

    --
    systemd is Roko's Basilisk
    • (Score: 3, Informative) by FatPhil on Monday August 15 2016, @04:05PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday August 15 2016, @04:05PM (#388234) Homepage
      Targetted by the evil32 experiment back in 2014. If a third one appears, it's probably malicious...
      --
      I know I'm God, because every time I pray to him, I find I'm talking to myself.
  • (Score: 3, Interesting) by FatPhil on Monday August 15 2016, @03:16PM

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday August 15 2016, @03:16PM (#388206) Homepage
    It would be interesting to see how big this taint spreads. Sign the real linus key with god's key, carrying infinite trust, and the fake linus key with satan's key, with infinite distrust, and let's see if any nodes in the graph and up ambigously weighted.

    I don't know if I'd be more surprised by there being two discrete cliques, or if there was an overlap - the possibility of someone at the fringes being duped by a fraud isn't that bizarre. NSA bods attend FLOSSy conferences all the time, I'm sure.

    I wanna know where these fake keys have actually been used in the wild - was it just an academic exercise, or has there been some concrete malice yet?
    --
    I know I'm God, because every time I pray to him, I find I'm talking to myself.
    • (Score: 3, Interesting) by FatPhil on Monday August 15 2016, @03:42PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday August 15 2016, @03:42PM (#388216) Homepage
      I IRC with a dozen or so people in Linus' web of trust, and one of them has proffered:

      18:35 <[elided]> FatPhil: the 2014-08-05 keys are from the evil32 experiment

      So these are all well known, and not malicious as such, exactly as foreseen in 2011.
      --
      I know I'm God, because every time I pray to him, I find I'm talking to myself.
  • (Score: 4, Interesting) by VLM on Monday August 15 2016, @04:04PM

    by VLM (445) Subscriber Badge on Monday August 15 2016, @04:04PM (#388231)

    as comparing 160-bit strings is not natural for us humans

    If you insist on old fashioned hexadecimal encoding.

    There are more modern expressions...

    Here's a stereotypical urbit 128 bit address outta the docs

    ~satnet-rinsyr-silsec-navhut--bacnec-todmeb-harwen-fabtev

    Its a little verbose compared to pure hex but easier to parse and type and compare.

    There are also UI issues where it "should be trivial" to have a display widget that does nothing interesting other than display difference between two strings or whatever.

    Even something text console compatible is interesting to think about. Rather than 0-F hexadecimal print out one of 16 colors for each hex "digit". people are tolerable good at color pattern matching, compared to matching glyphs anyway.

    • (Score: 1, Insightful) by Anonymous Coward on Monday August 15 2016, @06:24PM

      by Anonymous Coward on Monday August 15 2016, @06:24PM (#388311)

      That naming system looked interesting, so I tried to find what this "urbit thing" was.

      From https://urbit.org/posts/principles/ [urbit.org] "We believe that ownership, privacy and control don't need to be sacrificed in exchange for usability, accessibility and reliability." and then the page needs JS to render. Render, not give extra functions, just render the plain text. If you check the source code, the HTML is "wrapped" in JS. Oh, and there is google analytics snippets too.

      Yeah, right. Hollow words in their mouths.

      So from this all I got a nice encoding for 128 bits. Oh, well...

    • (Score: 0) by Anonymous Coward on Monday August 15 2016, @06:40PM

      by Anonymous Coward on Monday August 15 2016, @06:40PM (#388320)

      First of all, and this is irritating, the l should look different than the I. On some systems they insist on making them look exactly identical. The O should look different than the 0 or even the o. You can put a line through the number and maybe a dot in the middle of the lowercase variation for fast comparison.

      They could be placed on top of each other like so

      Test-1234-ASDF
      TesT-1324-ADSF

      By looking at them in this manner it's much easier to find differences.

      Maybe they should also be monospaced so I know which letter on top corresponds to which letter on the bottom.

      Also why can't you have the best of both worlds. You can have each character correspond to a specific color, especially characters that kinda look alike. Limit characters to characters that don't look alike, I thought that was the whole point of having hexadecimal limit what characters are used, for easier visual identification.

      Also you can include an identicon next to the each line as a hash of the hash. Or maybe two, one at the right and one at the left.

      Alternatively have multiple visual identicons per signature and place them on top of each other for easy comparison.

      Identicon1(signature1) - Identicon2(signature1) - Identicon3(signature1)
      Identicon1(signature2) - Identicon2(signature2) - identicon3(signature2)

      If things are placed right next to each other they're much easier to visually compare.

      • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @09:32AM

        by Anonymous Coward on Tuesday August 16 2016, @09:32AM (#388625)

        Or you could just print out "Keys match" in green text or "Keys don't match" in red. :)

        But I have to say I personally like it when people overengineer.