Re: [Bitcoin-development] Fake PGP key for Gavin

[Troy Benjegerdes <hozer@hozed.org>]

On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
> 
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
> 
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.

I find it more likely that fake PGP keys are from corporate industrial 
espionage and/or organized crime outfits. Intelligence agencies will stick
to compromised X509, network cards, and binary code blobs.

Besides, why would an intelligence agency want your bitcoin when they can 
just intercept ASIC miners and make their own?
 
> I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign
> the Windows binaries? If not it'd be a good idea, if only because AV
> scanners learn key reputations to reduce false positives. Of course this is
> not a panacea, and Linux unfortunately does not support X.509 code signing,
> but having extra signing can't really hurt.

Uhhmm, real operating system use package managers with PGP instead of pre-
compromised X.509 nonsense. https://wiki.debian.org/SecureApt


-- 
----------------------------------------------------------------------------
Troy Benjegerdes                 'da hozer'                  hozer@hozed.org
7 elements      earth::water::air::fire::mind::spirit::soul        grid.coop

      Never pick a fight with someone who buys ink by the barrel,
         nor try buy a hacker who makes money by the megahash