Date: Sat, 22 Mar 2014 14:21:53 -0400
From: Peter Todd <pete@petertodd.org>
To: Mike Hearn <mike@plan99.net>
Message-ID: <20140322182153.GC21728@savin>
References: <CANEZrP0NeDetSLXjtWnCaYYjYcdhsa=ne=a6NJOnvEp8yr7YaA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="xo44VMWPx7vlQ2+2"
Content-Disposition: inline
In-Reply-To: <CANEZrP0NeDetSLXjtWnCaYYjYcdhsa=ne=a6NJOnvEp8yr7YaA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Fake PGP key for Gavin


--xo44VMWPx7vlQ2+2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
>
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
>
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.

Note that Bitcoin source and binary downloads are protected by both the
PGP WoT and the certificate authority PKI system. The binaries are
hosted on bitcoin.org, which is https and protected by the PKI system,
and the source code is hosted on github, again, https protected. A MITM
attack would need to compromise the PKI system as well, at least
provided users aren't fooled into downloading over http.

-- 
'peter'[:-1]@petertodd.org
0000000000000000657de91df7a64d25adfd3ff117bc30d00f5aa3065894f4a5

--xo44VMWPx7vlQ2+2--
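
Added example, not part of the original message or of any Bitcoin project tooling: one way to "check you are using the right key" when verifying a download is to accept a signature only if its primary-key fingerprint equals one pinned in advance, since a fake key can carry the same name and e-mail address. It parses the status lines GnuPG emits with `--status-fd`; the fingerprints, user ID and status text below are constructed sample values, and the function names are hypothetical.

```python
# Added example. Input is the text GnuPG writes for
# `gpg --status-fd 1 --verify <sigfile> <file>`; all sample values are constructed.

PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"  # constructed pin
GENUINE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-03-22 1395512513 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
# Same name and e-mail on the user ID, different key: GnuPG still reports a
# cryptographically good signature, so GOODSIG alone proves nothing.
IMPOSTOR = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Release Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-03-22 1395512513 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""

def normalize(fpr):
    """Strip whitespace and upper-case a fingerprint for comparison."""
    return "".join(fpr.split()).upper()

def signer_fingerprints(status_text):
    """Return the primary-key fingerprint of every VALIDSIG status line."""
    found = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        # VALIDSIG <sig-key-fpr> <date> ... [<primary-key-fpr>]: the last of the
        # ten arguments is the primary key when a subkey made the signature.
        primary = fields[-1] if len(fields) >= 12 else fields[2]
        found.append(normalize(primary))
    return found

def signed_by_pinned_key(status_text, pinned_fpr):
    """True only if there is at least one valid signature and all match the pin."""
    pinned = normalize(pinned_fpr)
    # Assumption: v4 keys, so the pin must be the full 40-hex-digit fingerprint.
    if len(pinned) != 40 or any(c not in "0123456789ABCDEF" for c in pinned):
        raise ValueError("pin the full 40-hex-digit fingerprint")
    fprs = signer_fingerprints(status_text)
    return bool(fprs) and all(f == pinned for f in fprs)

if __name__ == "__main__":
    print("genuine:", signed_by_pinned_key(GENUINE, PINNED))
    print("impostor:", signed_by_pinned_key(IMPOSTOR, PINNED))
```

The pinned fingerprint has to reach the verifier over a channel the attacker does not control, such as the https-protected sites the message mentions.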