Re: [Sks-devel] sks.daylightpirates.org is staying...again

[Alin Anton]

Hey Yegor and all,

Do you happen to have a long-term patch also, or just the hardcoded poison key?

I wonder why nobody thought about this possibility before.. so any lasting fix besides hardcoded blacklisting?

It is very easy to test for vulnerabilities if you actually install sks on your own machine first, and try to also fix it before publishing/exploiting it. Many have tutorials on this subject and all you need is a copy of a key dump.

There are other ways of bringing an sks server down, and BDB might not be the best idea for a server, still the network is important for both free software and individuals using it.

Blockchain technology has larger issues when it comes to GDPR yet we don't see blockchain nodes going away for this very reason.

The SKS network is even more important after the recent privacy incidents that everybody knows about, and I wonder how safe is PGP done in _javascript_, or sks key generation on Raspberry PI:) . There were issues for ssh key pairs.

I should try it, just to see how predictible the RPI key pair is. Btw I tried out these two commands on GNU/Linux (ffmpeg and drivers are necessary):

1) If you have a webcam on GNU/Linux just copy and run this line at the command prompt: echo `ffmpeg -t 5 -f video4linux2 -i /dev/video0 -f ogv - | sha512sum - | cut -f1 -d' '` > /dev/random; echo "You may run gpg --gen-key now"

2) For audio only random input with noise run this: echo `ffmpeg -f alsa -i hw:0 -t 10 -f ogv - | sha256sum | cut -f 1 -d' '` > /dev/random; echo "You may run gpg --gen-key now"

As far as I know anything you write into /dev/random on GNU/Linux is getting SHA1 with whatever was there already in the buffer, so the more data you copy into /dev/random the "better" it is in terms of random seed initialization. I think this observation is also important for Android e-mail clients and other embedded devices.

The noise provided by the webcam seems to be sufficient for initializing /dev/random so when the webcam is covered with plastic foil the command is still useful, maybe at boot/reboot time.

SKS seems to have a -seed parameter.


Alin Anton

On 11/19/2018 05:14 PM, Yegor Timoshenko wrote:

Howdy all,

Hey!

I'm constantly in-and-out of the pool due to issue #61*, but so
what? I can be of service to people needing to use pool when
I'm in and my CPU always calms back down after a few minutes
and get back into the pool.

If you want to momentarily fix the issue, rebuild SKS with the
following patch applied:
https://lists.nongnu.org/archive/html/sks-devel/2018-07/msg00053.html

However, mind that anyone can build another poison key by
following instructions in
https://bitbucket.org/skskeyserver/sks-keyserver/issues/60,
meaning underlying issue is not fixed.

_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel

-- 
Sl.univ.dr.ing. Alin-Adrian Anton
Politehnica University of Timisoara 
Department of Computer and Information Technology
2nd Vasile Parvan Ave., 300223 Timisoara, Timis, Romania