BingoBoingo: A good chunk of them on there are wild caught ssh keys
kristof: I only just found out about this particular thing even though I remember the original loper-os post and just glossed over it. I saw some criticism that keyservers don't validate their keys and anyone could put anything on them
kristof: but wild caught ssh keys sink that criticism, right?
mats: no one can invalidate that specific claim about key servers
kristof: I guess a good question is, has anyone caught the naughty implementation yet?
mats: in some cases, like the debian rng bug, or the ROCA vuln, yes
mats: i don't think phuctor has the ROCA keys, but i have them and plan to include eventually
kristof: am I wrong to think that, you know, a responsible journalistic community would pick up on this, and the security community would henceforth start a widespread auditing effort of existing toolchains, right?
kristof: Oh, man, look at all the Huawei ones. Figures