10 comments

[ 3.2 ms ] story [ 53.8 ms ] thread
Always super interested in hearing from sources about cryptography who feel the need to call Hanno Bock a "deceitful shitbag". You all keep having fun with whatever it is you're all doing, now. Sounds exciting!
Calling 'a spade - a spade.'
Whatever important thing you have to say, you sap your own credibility deeply with this. I know who Hanno is and what work he's done. You I know only as the author of an incoherent post about RSA keys. Perhaps, if you believe so strongly in this project you're embarking on, whatever it is, you'd have the courage to sign your name to it?
Mr. Böck's squid ink comes out every time we find a diddled key or two, and it is somehow 'coherent' to you folks; while the result, right there in front of your eyes and testable with 3 seconds' sweat in your favourite bignum calculator, is 'incoherent'. Go figure.

Oh and,

http://mpex.site/?mpsic=S.NSA << names.

You're welcome.

What you appear to have documented so far is "insecure keys not accepted by GPG posted somewhere on Internet". Since that's obviously not a very interesting story, you then continue to talk about --- I don't know, something about Muslim advocacy organizations?
Mr. Khadeer's key was sourced from SKS:

https://sks-keyservers.net/pks/lookup?op=vindex&search=mhkha...

And appears to be the only search result for the name Khadeer.

If I were him, I would certainly like to know this.

And whatever process produced this key, is of interest to all PGP users, whatever NSA shills' squid ink to the contrary.

According to GnuPG (more specifically "gpg (GnuPG/MacGPG2) 2.0.28"), that key does not contain any valid user IDs. Is there some widely used PGP implementation that does accept that? Have you found any other similarly weak keys that GPG will consider valid? If so, I'd find it very interesting as a PGP user, but if it is limited to keys that GPG, at least, recognizes as invalid, I'm not sure what impact it has for me.
GPG 1.4 didn't eat it. 'pgpdump', fwiw, did.

I have not tested any of the extant proprietary (e.g., MS-Win) PGP clients, quite possibly these items was meant for one such.

Neither I nor - afaik - anybody else, at least publicly, have any notion as to who generated the keys, on what, and for what purpose.

I'll probably earn a few more insults from the authors of this, but I had a quick look.

I only skimmed over it, but it seems as before these results are defect keys.

All these keys seem to have an invalid self signature and cannot be imported into gnupg. And looking at the key: https://pgp.mit.edu/pks/lookup?op=get&search=0x7FB82C851C5F7... It has a lot of repeating "A"s.

This doesn't really explain what exactly is going on here, but safe to say it's probably not some sophisticated magic attack, because these keys are unusable, therefore nobody will encrypt with them.

"Phuctor Finds Seven Keys Produced With Null RNG, And Other Curiosities" is the actual title. Why did you change it to point out one specific key, asciilifeform?

This raises an interesting question. The submitter, asciilifeform, also appears to be the author of the submitted article. Does the rule that submitters should use the title from the article still apply when the submitter is the author?