Decade-old flaw in PGP is finally being exploited [www.itpro.co.uk]
Threat Actor Poisons OpenPGP Certificates [www.securityweek.com]
OpenPGP Certificate Flooding [dkg.fifthhorseman.net]
Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem [www.vice.com]
PGP SKS key network poisoned by unknown hackers [www.zdnet.com]
SKS Keyserver Network Under Attack [gist.github.com]
One of the best posts I've read in the infosec community for a long time – the "feelings" part made it even better; I've never so much wished I were a bus driver in my life. @robertjhansen, you and dkg are heroes. Don't give up. https://t.co/ftrbMcADPj
— Sébastien BAUDRU (@cowreth) July 2, 2019
This (from https://t.co/KpPkiUokJo) is just genuinely awful. There is nothing new about this attack. It demonstrated nothing unexpected. The time to tell people to stop using infrastructure is the moment you know it's vulnerable, not after someone's taken advantage of it. pic.twitter.com/50bCjvuBZE
— Matthew Garrett (@mjg59) June 29, 2019
The thing about this OpenPGP/SKS/GnuPG attack is that it's nothing sophisticated. Like, at all. https://t.co/h0WYWpkdKS
— Filippo Valsorda (@FiloSottile) June 29, 2019
My nephew DKG is one of the people who works hardest to keep people safe and secure online, and he's under attack by someone who's basically showing how to wreck a key part of GnuPG infrastructure. This sucks in so many ways. https://t.co/L8Cc1XOhgE https://t.co/vPELaQpAb8
— Dan Gillmor (@dangillmor) June 29, 2019
New: someone is spamming a core component of PGP's ecosystem, the SKS network, breaking people's installations and showing a weakness that's existed in the ecosystem for decades. https://t.co/4bUjx5ZsCX
— Lorenzo Franceschi-Bicchierai (@lorenzofb) July 3, 2019
Fellow infosec nerds: my OpenPGP certificate is effectively unusable due to malicious attack. Daniel Kahn Gillmor, who was also hit in the same attack, has a good writeup. https://t.co/wPhM1TbKL3
— Robert J. Hansen (@robertjhansen) June 28, 2019
Ouch, PGP keyserver signature DoS is interesting - decades old flaw in PGP keyservers when exploited can prevent users using PGP e.g. when downloading updates. The @torproject was targeted during the attack and has a poisoned certificate. https://t.co/6VuKJJ4Iw3
— Hacker Fantastic (@hackerfantastic) July 2, 2019
OpenPGP is being attacked. Check out this blog for more information. Protect yourself! https://t.co/j6Rrxffdt7
— Josh Ellithorpe (@zquestz) June 30, 2019
Don't use the GPG keyserver, and I think they need a maintainer who knows OCaml. https://t.co/gUjFlTRbzk and https://t.co/5KPBATTOld
— ISC (@ISCdotORG) June 29, 2019
How many times have I seen this before... “the software was written in an obscure language by a PhD student for his thesis. Because of that, there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.” https://t.co/20WgPzMSwZ
— Christopher Woods (@chryswoods) July 4, 2019
I remember when you could only use OpenSSL and PGP for everything because it was written by "real cryptographers". Now we see that, no actually, it was written by people who jumped on the cypherpunks bandwagon early on and established social dominance: https://t.co/X05Tex98QA
— progmofo (@progmofo) July 4, 2019
Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem: A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem. VICE https://t.co/PKTdfiPWKs
— ReconSecureComputing (@SecRecon) July 3, 2019
PGP SKS key network poisoned by unknown hackers https://t.co/Gfovp5z2MF by @SecurityCharlie
— ZDNet (@ZDNet) July 4, 2019
The PGP (SKS) net server network is under attack, and it seems pretty damn bad. https://t.co/8XrOX759tf
— Matthew Green (@matthew_d_green) June 29, 2019
SKS Keyserver Network Under Attack https://t.co/JxpqA0kI65 #GPG #infosec
— Alexis Grillon (@P4rs3c) July 1, 2019
I have more to say on the certificate spamming that's been directed against Daniel Kahn Gillmor and myself. The executive summary is attached here as a screenshot: click the link to see the whole thing. https://t.co/P7OSVmLixZ pic.twitter.com/dRCJOwZKoK
— Robert J. Hansen (@robertjhansen) June 29, 2019
Reading up on the SKS Keyserver network attack at https://t.co/3UU6VOvJx7, I came across this paragraph. I am very surprised. Key functionality [pun intended] was apparently not fully understood or at least not maintainable by anyone but the original author (POC for PhD thesis). pic.twitter.com/GtjuyhjvFK
— Michael G. Noll (@miguno) July 1, 2019
If you are running any #Android Apps like #APG or #OpenKeychain this impacts you too! #SKS #Keyserver Network Under Attack https://t.co/nVIvI5a8aM #Infosec #OpSec #OpenPGP #GnuPG
— TheMagus (@MagusNet) July 2, 2019
wow i am absolutely shocked that a decentralized append-only log that has been basically unmaintained since the 90s is susceptible to DoS attacks https://t.co/avwYkpvTb7
— yan (@bcrypt) July 1, 2019
Next time some nerd tries to shovel some tech into your project that makes it difficult to hire maintainers off-the-shelf, remember the #openpgp crisis https://t.co/tM7hLONzvG pic.twitter.com/MuUSIfRbCH
— Martín Obiols (@olemoudi) July 2, 2019
As an open source maintainer, this makes me feel so sad! As someone using GPG keys all over the place & who knows how many distribution systems rely on them, this really scares me. Please everyone, follow the instructions, offer help if you can. https://t.co/2JgaCuGYn1
— Holger Woltersdorf (@hollodotme) June 30, 2019
I'm irritated how badly the OpenPGP community reacts to problems. Their reactions are basically what we'd consider the worst if a corporation would do it https://t.co/9XL6QEeruy
— hanno (@hanno) July 1, 2019
And there may be no way to stop them. https://t.co/K2EiDzI2Ye
— Motherboard (@motherboard) July 5, 2019
From https://t.co/Zph7O9a8Wz: "[SKS is] written in an unusual programming language called OCaml, [...] we need expertise in obscure programming languages and strange programming customs" #OCaml is in no way an unusual obscure programming language but a successful mainstream one.
— Christophe Calvès (@chrilves) July 4, 2019
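The tweets above describe the attack as a flood of signatures attached to a victim's certificate (Hansen's, dkg's, the Tor Project's), which makes the certificate painful or impossible to import. As an added example that is not from the page, the linked articles, or any of the quoted authors or projects, the Python below parses the RFC 4880 packet framing of a binary certificate export and flags a certificate that carries an implausible number of signature packets, so it can be checked before being handed to `gpg --import`. The sample certificate, its placeholder packet bodies, and the 1000-signature threshold are assumptions constructed for this example.

```python
"""Count OpenPGP packets in a binary (non-armored) certificate export and flag
certificate flooding: a key carrying an implausible number of signature packets.

Packet framing follows RFC 4880 section 4.2. Tags used: 2 (signature),
6 (public key), 13 (user ID). The sample certificate built below is
CONSTRUCTED with dummy packet bodies; it is not a real key.
"""

SIGNATURE, PUBLIC_KEY, USER_ID = 2, 6, 13


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte 0x{ctb:02x} at offset {i}")
        i += 1
        if ctb & 0x40:
            # New-format header: tag in the low 6 bits, variable-width length.
            tag = ctb & 0x3F
            body = bytearray()
            while True:
                first = data[i]
                i += 1
                if first < 192:
                    length, partial = first, False
                elif first < 224:
                    length = ((first - 192) << 8) + data[i] + 192
                    i += 1
                    partial = False
                elif first == 255:
                    length = int.from_bytes(data[i:i + 4], "big")
                    i += 4
                    partial = False
                else:
                    # Partial body length: more chunks follow until a final one.
                    length, partial = 1 << (first & 0x1F), True
                body += data[i:i + length]
                i += length
                if not partial:
                    break
            yield tag, bytes(body)
        else:
            # Old-format header: tag in bits 2..5, length type in the low 2 bits.
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length old-format packet not supported")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + width], "big")
            i += width
            yield tag, bytes(data[i:i + length])
            i += length


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet with a 1-, 2- or 5-octet length field."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Encode an old-format packet with a two-octet length, as older tools emit."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


def build_certificate(num_third_party_sigs: int) -> bytes:
    """CONSTRUCTED sample: key + user ID + one self-sig, then N dummy signature
    packets standing in for a flood. Bodies are placeholders, not key material."""
    cert = old_format_packet(PUBLIC_KEY, b"\x04" + b"\x00" * 20)
    cert += new_format_packet(USER_ID, b"Example Holder <holder@example.com>")
    cert += new_format_packet(SIGNATURE, b"self-sig " + b"\x00" * 200)
    for k in range(num_third_party_sigs):
        cert += new_format_packet(SIGNATURE, b"third-party-sig " + k.to_bytes(4, "big") + b"\x00" * 300)
    return cert


def count_packets(data: bytes) -> dict:
    """Map packet tag -> number of packets with that tag."""
    counts = {}
    for tag, _ in iter_packets(data):
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def looks_flooded(data: bytes, max_signatures: int = 1000) -> bool:
    """Heuristic: an ordinary certificate carries a handful of signatures;
    thousands indicate flooding. The threshold is an assumption for this example."""
    return count_packets(data).get(SIGNATURE, 0) > max_signatures


if __name__ == "__main__":
    for n in (3, 5000):
        cert = build_certificate(n)
        print(f"{n:>5} extra sigs -> {len(cert)} bytes, flooded={looks_flooded(cert)}")
```

To check a real certificate, feed it the binary output of `gpg --export <keyid>` (or the bytes fetched from a keyserver after de-armoring) and only import when `looks_flooded` is false; the parser counts packets without decoding signature bodies, so it stays fast even on a certificate that GnuPG would take minutes to import.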