[Bitcoin-development] Fake PGP key for Gavin
Troy Benjegerdes
hozer at hozed.org
Sun Mar 23 22:12:21 UTC 2014
On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
>
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
>
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.
I find it more likely that fake PGP keys are from corporate industrial
espionage and/or organized crime outfits. Intelligence agencies will stick
to compromised X509, network cards, and binary code blobs.
Besides, why would an intelligence agency want your bitcoin when they can
just intercept ASIC miners and make their own?
> I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign
> the Windows binaries? If not it'd be a good idea, if only because AV
> scanners learn key reputations to reduce false positives. Of course this is
> not a panacea, and Linux unfortunately does not support X.509 code signing,
> but having extra signing can't really hurt.
Uhhmm, real operating system use package managers with PGP instead of pre-
compromised X.509 nonsense. https://wiki.debian.org/SecureApt
--
----------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' hozer at hozed.org
7 elements earth::water::air::fire::mind::spirit::soul grid.coop
Never pick a fight with someone who buys ink by the barrel,
nor try buy a hacker who makes money by the megahash
More information about the bitcoin-dev
mailing list