Logs for #asciilifeform

2018-8-31 | 2018-10-1

kristof: Can anyone tell me about how many broken keys phuctor has found?
kristof: And also, separately, how many of those are properly self signed?
kristof: This is a good faith question
mats: kristof: http://phuctor.nosuchlabs.com/stats
kristof: Oh. Uh. That's a lot.
mats: and it hasn't even processed tls keys yet.
BingoBoingo: A good chunk of them on there are wild caught ssh keys
kristof: I only just found out about this particular thing even though I remember the original loper-os post and just glossed over it. I saw some criticism that keyservers don't validate their keys and anyone could put anything on them
kristof: but wild caught ssh keys sink that criticism, right?
mats: no one can invalidate that specific claim about key servers
kristof: I guess a good question is, has anyone caught the naughty implementation yet?
mats: http://phuctor.nosuchlabs.com/factors
mats: in some cases, like the debian rng bug, or the ROCA vuln, yes
mats: i don't think phuctor has the ROCA keys, but i have them and plan to include eventually
kristof: am I wrong to think that, you know, a responsible journalistic community would pick up on this, and the security community would henceforth start a widespread auditing effort of existing toolchains, right?
kristof: Oh, man, look at all the Huawei ones. Figures
mats: how many people have that expertise?
BingoBoingo: Well, there's stooges like @hanno that the "responsible journalists" would rather derp around with
mats: there are many more willing to dismiss this as a non-issue, ie, 'keyservers don't validate, results don't matter', or, 'this is just an embedded device with entropy exhaustion, doesn't matter'
kristof: Has there been communication with the owners of these keys? I know phuctor sends out an email
mats: people with broken pgp keys got an email, i don't think anyone else ever did
kristof: And were there any responses from people who were surprised their keys were faulty?
mats: asciilifeform can answer that; i don't specifically recall anybody writing in
kristof: Ok
kristof: It's weird finally reaching out when I've been reading stanislav's blog for five years now. His posts have had a large influence on me.
mats: you can read more of him in the #trilema logs, http://btcbase.org/log/
kristof: Oh, haha, I just thought to ask, are you guys all millionaires now after the bitcoin bubble? :P
mats: i encourage you to register a gpg key with deedbot http://deedbot.org/help.html and read the #t logs
asciilifeform: mats: aside from the 'seclab incident' derp, nobody ever answered
asciilifeform: we stopped mailing.
asciilifeform: kristof: i can't speak for others, i personally am a pauper
asciilifeform: ( or at any rate, closer to pauper than 'millionair' )
mats: can't email owners of ssh keys, but could do it with the tls set that has the field (i don't think it's required)
kristof: asciilifeform: Then that means you haven't hit anyone important, yet
asciilifeform: kristof: elaborate ?
kristof: It's one thing to factor keys no one cares about, it would be another entirely to get someone who cares at all about their security to learn that they are not wearing any clothes.
asciilifeform: kristof: these more often set you on fire ( or at least ignore and pay 'media' to stay mum ) than throw money, in my experience.
asciilifeform: but your mileage may vary.
mats: mp has tried the PR approach by writing about owners of github keys http://trilema.com/2018/and-in-things-that-didnt-happen-today-heres-192-cracked-github-keys-some-hotties-in-tech-included-yes
asciilifeform: kristof: for instance, take http://qntra.net/2016/04/phuctor-the-rsa-super-collider-discovers-vulnerability-in-northrop-grumman-pgp-root-ca/
mats: at this point i give credence to the theory that hn, /., r/netsec, etc, are actively ignoring the situation
kristof: Oh, that's a big fish indeed.
asciilifeform: kristof: visit #trilema, i'll voice you
asciilifeform: http://btcbase.org/log/2018-09-01#1846648 <<
adlai wonders what ben_vulpes meant by "fp bankruptcy", and whether somebody needs to reread "The Crucible"
Mocky: is deedbot working normally? doesn't seem to be answering my messages
asciilifeform: Mocky: seems to be working, e.g. answers !!help
mats: mm, also unresponsive here
mats: nvm
TomServo: asciilifeform: have you had any success with cuntoo on the rockchip?
asciilifeform: TomServo: not tried yet
TomServo: Ah, I must have misread http://btcbase.org/log/2018-08-04#1839289
asciilifeform: TomServo: i shelved it until trinque coughs up the release ver
asciilifeform: ( with cuntootronic 'portage' etc )
TomServo: I get a '[ 2.511243] devtmpfs: error mounting -2' after mounting root.
TomServo: trinque mentions no initramfs, wasn't sure how to tell if your kernel config I'm trying to use includes this.
asciilifeform: pretty sure my config doesn't initramfs at all
TomServo: k, thanks. I'll look forward to release ver as well.
mats: when will phuctor restart adding new keys?
asciilifeform: mats: pretty soon
asciilifeform: mats: i'm in the process of getting moar disks
mats: cool
mats: how did you find the routeros version for the mikrotik pops? nmap?
asciilifeform: mats: in ssh, telnet, (sometimes) ftp hellostring