From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WRqd6-0003n8-Cf for bitcoin-development@lists.sourceforge.net; Sun, 23 Mar 2014 22:12:32 +0000 X-ACL-Warn: Received: from nl.grid.coop ([50.7.166.116]) by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1WRqd3-0001kc-CK for bitcoin-development@lists.sourceforge.net; Sun, 23 Mar 2014 22:12:30 +0000 Received: from localhost (localhost [127.0.0.1]) (uid 1000) by nl.grid.coop with local; Sun, 23 Mar 2014 17:12:21 -0500 id 000000000006A342.00000000532F5C45.000012C3 Date: Sun, 23 Mar 2014 17:12:21 -0500 From: Troy Benjegerdes To: Mike Hearn Message-ID: <20140323221221.GK3180@nl.grid.coop> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.5 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain X-Headers-End: 1WRqd3-0001kc-CK Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Fake PGP key for Gavin X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Mar 2014 22:12:32 -0000 On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote: > In case you didn't see this yet, > > http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html > > If you're using PGP to verify Bitcoin downloads, it's very important that > you check you are using the right key. Someone seems to be creating fake > PGP keys that are used to sign popular pieces of crypto software, probably > to make a MITM attack (e.g. from an intelligence agency) seem more > legitimate. I find it more likely that fake PGP keys are from corporate industrial espionage and/or organized crime outfits. Intelligence agencies will stick to compromised X509, network cards, and binary code blobs. Besides, why would an intelligence agency want your bitcoin when they can just intercept ASIC miners and make their own? > I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign > the Windows binaries? If not it'd be a good idea, if only because AV > scanners learn key reputations to reduce false positives. Of course this is > not a panacea, and Linux unfortunately does not support X.509 code signing, > but having extra signing can't really hurt. Uhhmm, real operating system use package managers with PGP instead of pre- compromised X.509 nonsense. https://wiki.debian.org/SecureApt -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer@hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash