[ale] Ouch Damnit. I am a victim of a gpg security attack
William Wylde
durtybill at gmail.com
Thu Dec  2 05:12:43 EST 2021

The millicents got nothing on me, brother....!
On Tue, Nov 30, 2021 at 12:19 PM Charles Shapiro via Ale <ale at ale.org>
wrote:
> I've been preparing for a gpg key signing party at work.  On checking
> my personal gpg key on , I discovered that it had been Revoked:
>
> pub unk(#0)0/a4a66548382d0f35f394881fefc2dfb41df36586
> Hash=c191ea816aea760f17bb30226e67a5bf
> sig revok efc2dfb41df36586 2016-08-16T05:12:19Z ____________________
> ____________________ [selfsig]
>
> I had no memory of doing this, so I investigated further. I was
> particularly intrigued by the "2016-08-16T05:12:19Z" timestamp.  I
> don't do things like revoke my keys at midnight or so local.
>
> It turns out that someone had figured out a hash collision attack on
> 32-bit key fingerprints back in 2016, then published a list of all
> the vulnerable fingerprints. The list is 89 MB long and is still
> available ( https://evil32.com/ ). I downloaded it and verified that,
> alas, 1DF36586 was on that list. My wife's key (B4E4FC10) was not.
> Someone _else_ then went ahead and Revoked every key on it, including
> mine but not my wife's.
>
> So now I need to generate a whole new key and get it signed by a bunch
> of people.  I'm going to use this tragedy/opportunity to update the
> GPG Simple How To still available on the ALE site (
> https://ale.org/static_pages/gpgstepbystep.html ) (and still very
> close to a Web Whack ( or Hapax Legomenon ) if you search for
> "Millicent Arondofique" ! )
>
> Check your own keys and see if any of them were also Revoked without
> your knowledge.
>
> It's time for another ALE key signing party.
>
> -- CHS
-- 
--
“Keep away from people who try to belittle your ambitions. Small people
always do that, but the really great make you feel that you, too, can
become great.”
― Mark Twain
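
The check the quoted message recommends ("Check your own keys"), as an added example that is not part of the original thread: it parses a GnuPG colon-format listing (`gpg --list-keys --with-colons`), reports revoked keys, and groups keys by the 32-bit short ID to expose collisions. The listing and the watchlist are constructed samples; the one-short-ID-per-entry watchlist is an assumption, not the actual format of the published list.

```python
"""Audit a GnuPG colon-format listing for revoked keys and short-ID collisions."""
from collections import defaultdict

# Constructed sample. The first fingerprint is the one quoted in the post;
# the other two are made up and end in the two short IDs the post mentions.
SAMPLE_LISTING = """\
pub:r:4096:1:EFC2DFB41DF36586:1300000000:::-:::sc:
fpr:::::::::A4A66548382D0F35F394881FEFC2DFB41DF36586:
pub:-:4096:1:CCDDEEFF1DF36586:1300000000:::-:::sc:
fpr:::::::::00112233445566778899AABBCCDDEEFF1DF36586:
sub:-:4096:1:1111111111111111:1300000000::::::e:
fpr:::::::::2222222222222222222222222222222222222222:
pub:-:4096:1:33221100B4E4FC10:1300000000:::-:::sc:
fpr:::::::::FFEEDDCCBBAA99887766554433221100B4E4FC10:
"""
SAMPLE_WATCHLIST = {"1DF36586"}  # constructed stand-in for a published list

def parse_listing(text):
    """Return one dict per primary key; subkey fingerprints are skipped."""
    keys, pending = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec") and len(f) > 1:
            pending = {"revoked": f[1] == "r"}   # field 2: validity, r = revoked
        elif f[0] in ("sub", "ssb"):
            pending = None                        # next fpr belongs to a subkey
        elif f[0] == "fpr" and pending is not None and len(f) > 9:
            fpr = f[9].upper()                    # field 10: full fingerprint
            # For 40-hex-digit (v4) fingerprints the long and short key IDs
            # are just the trailing 64 and 32 bits of the fingerprint.
            pending.update(fingerprint=fpr, long_id=fpr[-16:], short_id=fpr[-8:])
            keys.append(pending)
            pending = None
    return keys

def audit(keys, watchlist):
    by_short = defaultdict(list)
    for k in keys:
        by_short[k["short_id"]].append(k["fingerprint"])
    return {
        "revoked": [k["fingerprint"] for k in keys if k["revoked"]],
        "collisions": {s: v for s, v in by_short.items() if len(v) > 1},
        "on_watchlist": sorted(s for s in by_short if s in watchlist),
    }

if __name__ == "__main__":
    report = audit(parse_listing(SAMPLE_LISTING), SAMPLE_WATCHLIST)
    for name, value in report.items():
        print(name, value)
```

Two keys sharing a short ID are distinguishable only by the full fingerprint, so that is the value to compare when deciding which key is yours and which one was revoked.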