author Troy Benjegerdes <hozer@hozed.org> 2014-03-23 17:12:21 -0500
committer bitcoindev <bitcoindev@gnusha.org> 2014-03-23 22:12:32 +0000
commit f143edabfe522104a72b7f2114f96bc57b81983d
tree fb260a57cef0a48e87c97da27bb1d9635603f7ed
parent 1b18e5e26ebf508646f84a4078bed4738e8d9a37
Re: [Bitcoin-development] Fake PGP key for Gavin
-rw-r--r-- 90/948b643bfa47cd7315df5b345ac5163fe48122 84
1 files changed, 84 insertions, 0 deletions
diff --git a/90/948b643bfa47cd7315df5b345ac5163fe48122 b/90/948b643bfa47cd7315df5b345ac5163fe48122
new file mode 100644
index 000000000..84086a6ac
--- /dev/null
+++ b/90/948b643bfa47cd7315df5b345ac5163fe48122
@@ -0,0 +1,84 @@
+Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
+ helo=mx.sourceforge.net)
+ by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
+ (envelope-from <hozer@grid.coop>) id 1WRqd6-0003n8-Cf
+ for bitcoin-development@lists.sourceforge.net;
+ Sun, 23 Mar 2014 22:12:32 +0000
+X-ACL-Warn:
+Received: from nl.grid.coop ([50.7.166.116])
+ by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76)
+ id 1WRqd3-0001kc-CK for bitcoin-development@lists.sourceforge.net;
+ Sun, 23 Mar 2014 22:12:30 +0000
+Received: from localhost (localhost [127.0.0.1]) (uid 1000)
+ by nl.grid.coop with local; Sun, 23 Mar 2014 17:12:21 -0500
+ id 000000000006A342.00000000532F5C45.000012C3
+Date: Sun, 23 Mar 2014 17:12:21 -0500
+From: Troy Benjegerdes <hozer@hozed.org>
+To: Mike Hearn <mike@plan99.net>
+Message-ID: <20140323221221.GK3180@nl.grid.coop>
+References: <CANEZrP0NeDetSLXjtWnCaYYjYcdhsa=ne=a6NJOnvEp8yr7YaA@mail.gmail.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline
+In-Reply-To: <CANEZrP0NeDetSLXjtWnCaYYjYcdhsa=ne=a6NJOnvEp8yr7YaA@mail.gmail.com>
+User-Agent: Mutt/1.5.21 (2010-09-15)
+X-Spam-Score: -0.5 (/)
+X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
+ See http://spamassassin.org/tag/ for more details.
+ -0.5 RP_MATCHES_RCVD Envelope sender domain matches handover relay
+ domain
+X-Headers-End: 1WRqd3-0001kc-CK
+Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
+Subject: Re: [Bitcoin-development] Fake PGP key for Gavin
+X-BeenThere: bitcoin-development@lists.sourceforge.net
+X-Mailman-Version: 2.1.9
+Precedence: list
+List-Id: <bitcoin-development.lists.sourceforge.net>
+List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
+ <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
+List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
+List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
+List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
+List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
+ <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
+X-List-Received-Date: Sun, 23 Mar 2014 22:12:32 -0000
+
+On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
+> In case you didn't see this yet,
+>
+> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
+>
+> If you're using PGP to verify Bitcoin downloads, it's very important that
+> you check you are using the right key. Someone seems to be creating fake
+> PGP keys that are used to sign popular pieces of crypto software, probably
+> to make a MITM attack (e.g. from an intelligence agency) seem more
+> legitimate.
+
+I find it more likely that fake PGP keys are from corporate industrial
+espionage and/or organized crime outfits. Intelligence agencies will stick
+to compromised X509, network cards, and binary code blobs.
+
+Besides, why would an intelligence agency want your bitcoin when they can
+just intercept ASIC miners and make their own?
+
+> I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign
+> the Windows binaries? If not it'd be a good idea, if only because AV
+> scanners learn key reputations to reduce false positives. Of course this is
+> not a panacea, and Linux unfortunately does not support X.509 code signing,
+> but having extra signing can't really hurt.
+
+Uhhmm, real operating system use package managers with PGP instead of pre-
+compromised X.509 nonsense. https://wiki.debian.org/SecureApt
+
+
+--
+----------------------------------------------------------------------------
+Troy Benjegerdes 'da hozer' hozer@hozed.org
+7 elements earth::water::air::fire::mind::spirit::soul grid.coop
+
+ Never pick a fight with someone who buys ink by the barrel,
+ nor try buy a hacker who makes money by the megahash
+
+
+
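Review bot: the commit message carries only the mail subject, so nothing outside the added file ties this blob to one specific list message; consider recording the Message-ID header (`<20140323221221.GK3180@nl.grid.coop>`) in the commit message so the archived copy can be matched against other archives of the list. The stored body is `text/plain` with no signature part, so the message itself gives a reader nothing to verify, which makes that cross-reference more useful in a thread about impostor keys. The file is also added with three empty lines after the sender's signature block; if the archive normalises anything on import, trailing blank lines are the obvious candidate, otherwise a note that messages are stored byte-for-byte would settle it.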