public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Troy Benjegerdes <hozer@hozed.org>
To: Mike Hearn <mike@plan99.net>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Fake PGP key for Gavin
Date: Sun, 23 Mar 2014 17:12:21 -0500	[thread overview]
Message-ID: <20140323221221.GK3180@nl.grid.coop> (raw)
In-Reply-To: <CANEZrP0NeDetSLXjtWnCaYYjYcdhsa=ne=a6NJOnvEp8yr7YaA@mail.gmail.com>

On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
> 
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
> 
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.

I find it more likely that fake PGP keys are from corporate industrial 
espionage and/or organized crime outfits. Intelligence agencies will stick
to compromised X509, network cards, and binary code blobs.

Besides, why would an intelligence agency want your bitcoin when they can 
just intercept ASIC miners and make their own?
 
> I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign
> the Windows binaries? If not it'd be a good idea, if only because AV
> scanners learn key reputations to reduce false positives. Of course this is
> not a panacea, and Linux unfortunately does not support X.509 code signing,
> but having extra signing can't really hurt.

Uhhmm, real operating system use package managers with PGP instead of pre-
compromised X.509 nonsense. https://wiki.debian.org/SecureApt


-- 
----------------------------------------------------------------------------
Troy Benjegerdes                 'da hozer'                  hozer@hozed.org
7 elements      earth::water::air::fire::mind::spirit::soul        grid.coop

      Never pick a fight with someone who buys ink by the barrel,
         nor try buy a hacker who makes money by the megahash




  parent reply	other threads:[~2014-03-23 22:12 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-22 17:03 [Bitcoin-development] Fake PGP key for Gavin Mike Hearn
2014-03-22 17:33 ` Gavin Andresen
2014-03-22 18:21 ` Peter Todd
2014-03-23  0:59 ` Oliver Egginger
2014-03-23 22:12 ` Troy Benjegerdes [this message]
2014-03-24 19:44   ` The Doctor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140323221221.GK3180@nl.grid.coop \
    --to=hozer@hozed.org \
    --cc=bitcoin-development@lists.sourceforge.net \
    --cc=mike@plan99.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox