This is going to be a lengthy article that - like pretty much everything else on Trilema - deals with complex matter broadly unfamiliar to most certified experts in the respective fields, let alone the general public. To avoid personal injury, tread softly, mutter to yourself quietly and re-read insistently.



Part One : The Conundrum

The verbiage on Phuctor's theory page reads in relevant part :

We do not display factored keys, at all, nor do we display factored moduli per se (but an attacker keeping close tabs on the universal product might, conceivably, obtain some sort of a guess). Should your key prove to be weak we will try to email you a notification. We will also remove your key from the site, so your previously working url would no longer work. Thus you have two ready ways to identify such an emergency : either by receiving an email warning, if your email address quoted in the key works, or by failing to find your key after you had introduced it.

When Phuctor was originally released, back in October 2013, it was intended and consequently designed as a user-powered, one signature at a time sort of affair. This changed later on, when we decided to allocate actual computational resources to the task. At that time the approach changed in tandem, from "wait for users to post a key" to simply churning the entire keyserver set. This evolution leaves that verbiage in the lurch, or as Stan put it, "I still can't fathom why you threw that in there."

I obviously can fathom - after all, I'm the one that put it in. The admittedly parochial logic behind it was based on some presuppositions meanwhile invalidated : 1) that the set of tested keys will at all points be a minor fraction of the total visible keys ; 2) that the set of weak keys found will at all points be so tiny as to not raise significant problems with emailing the owners and 3) that we are acting in a world that is both larger than us and more important than us, a sleeping giant that we do not wish to upset.

Experience hence has shown the folly of all these presuppositions, as experience always does. Specifically :

As far as the first is concerned, there are strictly insurmountable problems with keeping information secret. "Information wants to be free" may not be sensu stricto correct, and may certainly be entirely nonsensical as used by the derps that came up with it. Nevertheless, there is something there : how would I keep anyone who feels like it from running the same very basic math on the same publicly accessible set of numbers ? Upon meditation, the "for all we know others unknown are at the current time in possession of the same information we have" problem can not actually be resolved through increasing the paranoia level with regards to server security from just under nine thousand to well over nine thousand. One doesn't need to root my computer in order to add two and two, he can do that on his own computer just as well.

This aside, how exactly is one going to implement the "we won't tell on your key" policy ? Do we show all keys as "passed" even if they aren't ? ♫But you don't want to lie, not to the young...♪ Yet if we don't, what is the difference between the key not being displayed and the key getting a big fat red warning ? Obviously, some naive observers might be fooled. Cui bono, fooling the naive observers ? The entire point of this entire exercise is to reduce the disadvantage of the naive, after all.

As far as the second is concerned, we went in with the expectation, and I quote,

Since there's about 4 million keys (a little under) in the bundle of publicly known keys that it is processing, if you're even vaguely mathematically literate and even marginally aware of what exactly theoretical RSA promises, you would on the strength of this introduction expect a key to be factored just a little before Elvis comes back as the Queen of England. So did we. So did everyone else.

There was absolutely no expectation any key will ever be factored through this mechanism. Ever. This is the truth.

As far as the third is concerned, well... let's give the mic over to Naggum for a moment :

The problem is that "exploitation" happens only to people stupider (and consequently less informed) than the "exploiter". The root cause of this whole world problem is that some people are smarter than others. There are two basic solutions to this problem: Kill all the morons, or kill all the brains. If you look at how several political regimes have behaved throughout history, you might get the impression that they are precisely adopting one of those two options. (Social democracy is a little more advanced: Kill everything outside 2 sigma.) World history and evolution and nature in general keep telling us something we humans do not want to hear: Some people _have_ to die for the rest of us to live better. The only question that political systems can answer is _who_ gets to live or die. Those who do not realize this will not live well before they die young. Our current political systems have created a world where people are afraid that we are not "sustainable". Of course we are not. But instead of killing contemporary people, we are killing future people. It is definitely not sustainable to keep everybody alive forever. We will, eventually, resort to killing a lot of people, and I mean a _lot_, like probably half of the planet's population, because, like fruit flies in a laboratory jar that runs out of sugar, we will be too many before we get the point. And that is OK with me, I do not plan to hang around forever, and neither do I want children to make things worse. But in the end, nature exploited us, not vice versa, because people are generally stupid and ill-informed about the choices they make. (Which is probably what some people _really_ mean when they say people are not rational.)

The fact of the matter is that we're people well outside two sigma, which means both that "the world" is roughly the size of half a chickenshit in comparison, and already as hostile as it can ever get.

Seriously, I should care that "the Internet community" will get upset, for reasons ? Fuck "the Internet community", I wouldn't trade away a strand of chewed gum for the whole lot of it. Moreover, it's already upset. It'll never get more upset. The mere fact that we exist punctures its ever-paramount narrative, and that's really all it takes and all there is.

The "Internet community" of dullards, normies and business majors is fundamentally lazy, fundamentally stupid, and already penned and handled by the exact people who should be handling it. Not our problem, not our interest and not a valid point of consideration or concern or in other words - If you're not in the WoT, you are not a person.

So therefore, for the aforestated reasons and after very careful deliberation, the original policy is rescinded. We will be publishing broken keys freely, periodically, and without any attempt to insulate their owners or anyone else from the fallout. That's it.



Part Two : The Broken Keys

We have fifteen keys so far. Here they are :

51EAB526D87542022AA1BC85E99EF4B451221121 [H. Peter Anvin <hpa-squee-infradead.org>; H. Peter Anvin (hpa) <hpa-squee-zytor.com>; H. Peter Anvin <h.peter.anvin-squee-intel.com>;], divisible by 231.

1482E27395532CEC191ADD937765EA7193E6924C [Tony Pelaez (HarryGuerilla) <tnyplz-squee-gmail.com>;], divisible by 21.

EF010E6F351E447C96C91AF1293987A8466F60E1 [Debarshi Ray <rishi.is-squee-lostca.se>; Debarshi Ray (GNU Developer) <rishi-squee-gnu.org>; Debarshi Ray (GMail Account) <debarshi.ray-squee-gmail.com>; Debarshi Ray (Red Hat Employee) <debarshir-squee-redhat.com>; Debarshi Ray (Fedora Packager) <rishi-squee-fedoraproject.org>; Debarshi Ray (GNOME Developer) <debarshir-squee-src.gnome.org>; Debarshi Ray (GNOME Foundation Member) <debarshir-squee-gnome.org>; Debarshi Ray (Freedesktop.org Developer) <debarshir-squee-freedesktop.org>; Debarshi Ray (Student at University of Helsinki) <debarshi.ray-squee-helsinki.fi>;], divisible by 9.

A50591247C8E37A64117B74F78AB527059E13694 and B01584E9F6CB9E76DEA61E2A73786CA0F4EACC4F [grenzenlosnaiv <grenzenlosnaiv-squee-live.de>;], divisible by 17742509903907 and 4294967297 respectively.

1F75CF2DD19ABC516D58454B0846265183C9F86F and 29A9D31313C5E0E8B73F8D155CF76C1F591D4EFF [Saeid <zarghani.s-squee-gmail.com>;], divisible by 73014444049 and 270582939711 respectively.

89FAD5E452080D47B11508148CA2B56B92E193C9 [Lou Anschuetz <lou-squee-ece.cmu.edu>;], divisible by 4294967297.

C1FEDFCEADA4849AFE940D192979698801093DA6 and 51D1FBC806EBF7EFA78D74092E271AF5D8322944 [Christopher Winterbottom <cqwberry-squee-gmail.com>;], divisible by 98784247831 and 30064771079 respectively.

F353FA51752FD981FE926C60E863669BEC4DA8F3 and F1573FEF30BE4BE50CD109AC3CAC41B5194C8916 [Li-Wen Kuo <li-wen-squee-gmx.de>;], divisible by 12884901891 and 21474836485 respectively.

F1D9FE5073EC39F3558905668C97B382AC1729F4 [Tobias Michelis <michelis-squee-mi.uni-erlangen.de>;], divisible by 4294967297.

1A5E4C59222FF18F2D5E2406E1548C609A6137AA and C8749C423CCE71A1230B138D2342919EC10A9C5C [Sebastian Heberer <pirat-squee-drpest.de>;], divisible by 4294967297 and 12884901891 respectively.



Part Three : Discussion

First off, and to get this out of the way : Hanno Böck just got caught lying. Specifically :

Last year I started a project to analyze the data on the PGP key servers. And at some point I thought I had found a large number of vulnerable PGP keys – including the key in question here. In a rush I wrote a mail to all people affected. Only later I found out that something was not right and I wrote to all affected people again apologizing. Most of the keys I thought I had found were just faulty keys on the key servers.

He did no such thing. Had he done such a thing, or anything even remotely similar to it, he would know about all this. That he has absolutely no idea about any of it, yet finds it within himself to make all-knowing statements of a certain tendency is all the smoking gun anyone could ever need.

I hold Paul Graham personally responsible for the fraudulent shenanigans dissected in On how the factored 4096 RSA keys story was handled, and what it means to you, and I expect an apology. Let me also underscore that I smushed the last too-big-for-his-britches schmuck that owed me an apology and failed to make good. Don't make me Karpeles you, Graham.

Second off, you will notice the heterogeneity of these vulnerable keys. For instance : not all of them are "signed" by simply copying the signature block off a valid key, as was the case with the first one found. Some are not signed at all - which notably means that yes, gpg will import them, and yes, gpg will use them. A few are actually validly self-signed. There goes that "cosmic ray" theory, as entertaining as it was.

Third off, what do you make of this :

Here's what Stan made of it :

#!/usr/bin/python
from __future__ import print_function
import pgpdump
import sys
import os
from shutil import copy

####################################################################

def get_rsa(pgpasc):
    """Collect every RSA modulus and exponent found in an ASCII-armoured key."""
    mods = []
    exps = []
    try:
        packets = list(pgpdump.AsciiData(pgpasc).packets())
        for p in packets:
            if hasattr(p, 'modulus') and (p.modulus is not None):
                mods += [p.modulus]
            if hasattr(p, 'exponent') and (p.exponent is not None):
                exps += [p.exponent]
    except Exception as e:
        print(e)
    return [mods, exps]

## Litmus for Shitgnomancy
def litmus(path):
    # read as bytes so pgpdump gets the same input under Python 2 and 3
    mods, exps = get_rsa(open(path, 'rb').read())
    ## Heuristic: at least one absurdly large exponent?
    for e in exps:
        if e > 65537:
            return True
    ## Heuristic: at least one possibly-shitgnomiferous modulus?
    for m in mods:
        if (m & 0xFFFFFFFF) == ((m >> 32) & 0xFFFFFFFF):
            return True
    return False

####################################################################

indir = sys.argv[1]
outdir = sys.argv[2]
pgpfiles = [os.path.join(indir, fn) for fn in next(os.walk(indir))[2]]
keys = sorted(filter(lambda x: x.endswith('.gpg.asc'), pgpfiles))

## Test each key in indir and if heuristic positive, copy to outdir.
for k in keys:
    if litmus(k):
        print("Result: {0}".format(k))
        copy(k, outdir)

To let him explain :

Dear MP,

It appears that we have... something. Heuristic worked as follows (see litmus.py) :

1. Flag RSA keys with outlandishly large exponents. This yielded up many things but no clear pattern thus far. We table it for later.

2. Flag RSA keys which appear to have the repeating 32-bit word pattern seen in the earlier curios. This ended up hitting pay dirt. litmus_mod_only contains the keys themselves. lusers.txt contains the parsed-out emails claimed in the keys. Start by reading these.

Yours,

-S
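The arithmetic behind the divisors listed in Part Two and behind Stan's second heuristic, as an added example that is neither Phuctor's code nor Stan's litmus.py: it builds constructed moduli (every number below is made up for the demonstration, except the divisors copied from Part Two), runs the repeated-32-bit-word litmus on them, trial-divides by the divisors the page reports, and shows why an even count of repeated 32-bit words is always divisible by 4294967297 = 2^32 + 1, the factor that recurs through the list. The helper names (repeated_word, litmus_low_words, repeat_factor, divisor_hits, shared_factor, check) are my own.

```python
"""Added example; this is not Phuctor's code nor Stan's litmus.py.

On constructed moduli it shows the two checks that matter for the keys in Part
Two: the repeated-32-bit-word litmus, and trial division by the small divisors
the page reports (9, 21, 231, and 4294967297 = 2**32 + 1 over and over). It also
shows why the second follows from the first: an integer made of an even count of
repeated 32-bit words is always divisible by 2**32 + 1.
"""
from math import gcd

F5 = 2**32 + 1  # 4294967297, the fifth Fermat number: 641 * 6700417

# Divisors reported for the broken keys in Part Two, plus the two factors of F5.
# A real scanner would use a long prime list or a batch gcd; these are only the
# page's own numbers.
PAGE_DIVISORS = (9, 21, 231, 641, 6700417, F5)


def repeated_word(word, count):
    """Constructed 'modulus': `count` copies of one 32-bit `word`."""
    if not 0 < word < 2**32:
        raise ValueError("word must fit in 32 bits")
    n = 0
    for _ in range(count):
        n = (n << 32) | word
    return n


def litmus_low_words(m):
    """Stan's heuristic as given in litmus.py: the lowest two 32-bit words agree."""
    return (m & 0xFFFFFFFF) == ((m >> 32) & 0xFFFFFFFF)


def repeat_factor(count):
    """Structural factor of a `count`-word repetition:
    R(count) = 1 + 2**32 + 2**64 + ... = (2**(32*count) - 1) // (2**32 - 1).
    repeated_word(w, count) == w * R(count) for every w, and for even count
    R(count) is divisible by 2**32 + 1 because 2**64 - 1 = (2**32 - 1)(2**32 + 1).
    """
    return (2**(32 * count) - 1) // (2**32 - 1)


def divisor_hits(m, candidates=PAGE_DIVISORS):
    """Trial division by the candidate list; returns the divisors that hit."""
    return tuple(d for d in candidates if m % d == 0)


def shared_factor(m1, m2):
    """Phuctor's basic move, pairwise: a gcd above 1 means both moduli are broken."""
    g = gcd(m1, m2)
    return g if g > 1 else None


def check(m):
    """Summarise what the two heuristics say about one modulus."""
    return {"litmus": litmus_low_words(m), "hits": divisor_hits(m)}


if __name__ == "__main__":
    # Constructed inputs: a 2048-bit 'modulus' that is 64 copies of 0xDEADBEEF,
    # and a small well-formed one, the product of the primes 1000003 and 1000033.
    bad = repeated_word(0xDEADBEEF, 64)
    good = 1000003 * 1000033
    print("repeated-word modulus:", check(bad))
    print("well-formed modulus:  ", check(good))
    print("shared factor of two repeated-word moduli is a multiple of R(64):",
          shared_factor(bad, repeated_word(0xCAFEBABE, 64)) % repeat_factor(64) == 0)
```

The point worth noticing is that the word itself is irrelevant: whatever 32-bit value gets repeated, an even repetition count hands the modulus the factor 2^32 + 1, and two such moduli share the whole of R(count), so a gcd across the key set flags them even before anyone looks at the bit pattern.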

Would you like to see the paydirt ? Sure. Here you go :

Ludwig Hügelschäfer <ludwig-squee-hammernoch.net>
Ludwig Hügelschäfer <mlisten-squee-hammernoch.net>
Ludwig Hügelschäfer <enigmail-mod-squee-hammernoch.net>
Ludwig Hügelschäfer <ludwig.huegelschaefer-squee-gmx.de>
grenzenlosnaiv <grenzenlosnaiv-squee-live.de>
Saeid <zarghani.s-squee-gmail.com>
Lou Anschuetz <lou-squee-ece.cmu.edu>
Christopher Winterbottom <cqwberry-squee-gmail.com>
Li-Wen Kuo <li-wen-squee-gmx.de>
Tobias Michelis <michelis-squee-mi.uni-erlangen.de>
Sebastian Heberer <pirat-squee-drpest.de>
Kosta <kosta-squee-embros.org>
Christoph Giesel <mail-squee-cgiesel.de>
Christoph Giesel <chris-squee-cgiesel.de>
Christoph Giesel <christoph-squee-cgiesel.de>
Raymond Häb <ray-squee-haeb.eu>
Raymond Häb <ray.haeb-squee-gmx.de>
Raymond Häb <raymond.haeb-squee-rwth-aachen.de>
Kristof Koerner <buero-squee-kristofkoerner.de>
Kristof Koerner <bummtschak-squee-googlemail.com>
Kristof Koerner <unterricht-squee-kristofkoerner.de>
Daniel Düngel <pirat-squee-duengel.com>
PGP Global Directory Verification Key
Philippe Baeriswyl <philippe.baeriswyl-squee-liip.ch>
Charly Avital(RSA4096) <shavital-squee-mac.com>
Charly Avital (RSA-AES256) <shavital-squee-netbox.com>
Matthias <kaizoku-squee-schmidt-system.de>
Ismael de Moura Costa (email pessoal) <ismaelcosta-squee-unb.br>
Tim Fiedler <tfcoding-squee-gmail.com>
Marcus Benjamin <markymac99-squee-mac.com>
Stefan Thöne <stefan-squee-frontflip.de>
Thomas Scholz <ts-squee-elktc.org>
Thomas Scholz <dings-squee-bums.li>
Thomas Scholz <tscholz-squee-gmx.de>
Thomas Scholz <tststs-squee-gugux.de>
Thomas Scholz <thomas.scholz-squee-ploenk.net>
Thomas Scholz <tscholz-squee-rz.uni-mannheim.de>
Thomas Scholz <tscholz-squee-rumms.uni-mannheim.de>
Thomas Scholz <thomas.scholz-squee-ca.uni-mannheim.de>
Thomas Scholz <tscholz-squee-wendy.rz.uni-mannheim.de>
Thomas Scholz RUM-CA <tscholz-squee-rz.uni-mannheim.de>
Thomas Scholz <tscholz-squee-einstein.rz.uni-mannheim.de>
Thomas Scholz <thomas.scholz-squee-mail.ca.uni-mannheim.de>
Thomas Scholz <thomas.scholz-squee-einstein.rz.uni-mannheim.de>
Thomas Scholz INTERN <tscholz-squee-mailtux.ca.uni-mannheim.de>
Thomas Scholz <thomas.scholz-squee-crypto.nc1UW1aoi420d85w1SoS.de>
http://www.crypto.nc1UW1aoi420d85w1SoS.de (official homepage)
Shumitsu Muryokoin <shumitsu-squee-muryokoin.org>
Martin M. Stoppler <martin-squee-stoppler.de>
4D Admilon Consulting <4D_info-squee-admilon.net>
Felix Arndt <kontakt-squee-felixarndt.de>
Dominik Rapp <dominikrapp-squee-zoho.com>
Henry Hertz Hobbit <hhhobbit-squee-gmail.com>
Henry Hertz Hobbit <hhhobbit-squee-hotmail.com>
Henry Hertz Hobbit <hhhobbit-squee-securemecca.net>
Henry Hertz Hobbit <henryhertzhobbit-squee-yahoo.com>
Michael Starck <michael.starck-squee-piratenpartei-hessen.de>
Robert Manigk <p1ng0ut-squee-arcor.de>
Shingondo <shingondo-squee-shingondo.org>
Ben Donnachie <benjamin-d-squee-ntlworld.com>
Ben Donnachie <benjamin_d-squee-ntlworld.com>
Ben Donnachie <bd348-squee-student.open.ac.uk>
Benjamin Donnachie <benjamin-squee-py-soft.co.uk>
Ben Donnachie <benjamin-squee-pythagoras.no-ip.org>
Ben Donnachie <benjamin.donnachie-squee-ntlworld.com>
Benjamin Donnachie <benjamin.donnachie-squee-ntlworld.com>
Matthias Klein <mco500-squee-arcor.de>
Matthias Klein <matthias.klein-squee-web.de>
Matthias Klein <matthias.klein-squee-live.de>
Matthias Klein <web-junkie-squee-t-online.de>
Matthias Klein <privat-squee-matthias-klein.eu>
Matthias Klein <kontakt-squee-matthias-klein.eu>
Matthias Klein <m.klein.ge-squee-googlemail.com>
Matthias Klein <matthias-squee-piratenpartei-gelsenkirchen.de>
Thomas Weitzel <tweitzel-squee-synformation.com>
Tim Fiedler <tfcoding-squee-gmail.com>
Christopher Hart <hartct-squee-gmail.com>
Jeremy Low <jeremylow-squee-gmail.com>
Axel Rau (Computing -squee- Chaos Claudius) <Axel.Rau-squee-Chaos1.DE>
Carl Christoph Leimbrock <christoph.leimbrock-squee-gmx.de>
matkoya-squee-gmail.com <matkoya-squee-gmail.com>
Jürgen Neuwirth <juergen.neuwirth-squee-piratenpartei-bayern.de>
Charly Avital (Test2) <shavital-squee-mac.com>
Vincent Thenhart <email_vincent-squee-web.de>
Vincent Thenhart <vincent.thenhart-squee-piraten-rlp.de>
Charly Avital <shavital-squee-mac.com>
Charly Avital (GnuPG) <shavital-squee-mac.com>
Charly Avital <shavital-squee-netvision.net.il>
SlowFax <slowfax-squee-googlemail.com>
Christian Vögl <voegl.m-squee-t-online.de>
Robert L. Vaessen (MobileMe key generated with gpg) <rvaessen-squee-me.com>
Robert J. Hansen
Robert J. Hansen <rjh-squee-sixdemonbag.org>
Karsten Krüger (Privater Key von Karsten Krüger) <kk-squee-kkrueger.de>
Martin Weinelt <mweinelt-squee-gmail.com>
Martin Weinelt <martin-squee-linuxlounge.net>
Martin Weinelt <martin.weinelt-squee-stud.tu-darmstadt.de>
Martin Weinelt (BP DART-Racing WS2010/11) <martin.weinelt-squee-dart-racing.de>
debian.sur5r.net Archive Automatic Signing Key (sur5r) <debian-squee-sur5r.net>
Leonardo Zillo Monte Xillo <leonardo-squee-zillo.it>
Piraten | Martin Letzel <piratenpartei-squee-letzel.org>
Stefan Körner <stefan-squee-skworld.de>
Apple Product Security <product-security-squee-apple.com>
Torsten Ennenbach <torsten.ennenbach-squee-set-sign.de>
Paul Karrer <p.karrer-squee-arrowecs.at>
Konstantin Pisarenko <kpisarenko-squee-gmail.com>
Andreas Heimann <Andreas.Heimann-squee-piratenpartei-hessen.de>
Henry Irish <henryirish-squee-me.com>
Lukas D. Jacobs <ich-squee-lukasjacobs.de>
Lukas D. Jacobs <pirat-squee-lukasjacobs.de>
Lukas David Jacobs <ich-squee-lukasjacobs.de>
Lukas David Jacobs <pirat-squee-lukasjacobs.de>
Kristian Biss (Mfr Voll Name) <Kristian.Biss-squee-piraten-mfr.de>
Trotzik (Bei Zeus die Dicken schon wieder) <trotzik-squee-piraten-mfr.de>
Stephen Domorod III (Stephen at Domorod dot Org) <stephen-squee-domorod.org>
Matthias Pannek <matthias-squee-pannek.de>
Jeffrey Rolland <jrolland-squee-softhome.net>
Christian Busch <chris-squee-debilux.org>
Christian Busch (Jabber) <chris-squee-im.debilux.org>
Charly Avital (1.0.7) <shavital-squee-mac.com>
Charly Avital (1.0.7) <shavital-squee-netbox.com>
Charly Avital (1.0.7) <shavital-squee-netvision.net.il>
Larry B. Macy, Ph.D. <macy-squee-upenn.edu>
ms-squee-shingondo.org <ms-squee-shingondo.org>
Andrew Orr <andrew-squee-andreworr.ca>
Jochen Schäfer <js.josch-squee-gmx.de>
Jochen Schäfer <jochen-squee-joschs-robotics.de>
Jochen Schäfer <jochen.schaefer-squee-joschs-robotics.de>
Luciano Buszmicz (Never forget: 2 + 2 = 5 for extremely large values of 2.) <lbuszmicz-squee-zimbra.itx.net>
Herbert Saurugg <herbert.saurugg-squee-bmlv.gv.at>
Herbert Saurugg (aufgrund der Umstellung auf BMLVS - 2009) <herbert.saurugg-squee-bmlvs.gv.at>
Karsten Krüger (für die vertraulichen Dinge des Lebens) <kk-squee-kkrueger.de>
Marco Hien <marco.hien-squee-math.uni-augsburg.de>
M_Schmidt Admilon <beta-squee-admilon.net>
PGP Corporation Update Signing Key
PGP Corporation Update Signing Key <update-key-squee-pgp.com>
Sven Arnold <psykoman-squee-system-failures.org>
Julia Reda <reda.julia-squee-googlemail.com>
Kai Schmalenbach <davekay.de-squee-gmail.com>
Kai Schmalenbach <schmalenbach-squee-metaq.de>
Kai Schmalenbach <kaischmalenbach-squee-metaq.de>
Thomas Hofmann <toho89-squee-gmail.com>
Andreas Heimann <andi-heimann-squee-gmx.de>
Matthias_Schmidt <ms-squee-schmidt-system.de>
Paul Okkerse (Hoofd ICT) <paulokkerse-squee-huighaverlag.nl>
Simon Lange <pirat.simon-squee-me.com>
Andreas Fleig <andreasfleig-squee-googlemail.com>
Carl Christoph Leimbrock <christoph.leimbrock-squee-gmx.de>
Carsten Lenz <carsten.lenz-squee-piraten-ulm.de>
Matthias Schmidt <matthias.schmidt-squee-admilon-consulting.de>
Stephan Urbach <stephan.urbach-squee-german-bash.org>
Herr Urbach <stephan.urbach-squee-piratenpartei-hessen.de>
Tim Fiedler <tifi-squee-goapple.de>
Raphael Randschau <nicolai86-squee-me.com>
Raphael Nicolai Fabian Randschau (Uni Kiel) <rra-squee-informatik.uni-kiel.de>
Marcus Benjamin <markymac99-squee-mac.com>
Marcus Benjamin <markymac-squee-charter.net>
Christoph Giesel <christoph.giesel-squee-piraten-lsa.de>
Heiko <pirat-barnim-squee-piratenbrandenburg.de>
ms-squee-admilon.net <ms-squee-admilon.net>
Shell Arkell <shell-squee-zenrio.net>
Ralf Oltmanns <ralf-squee-it-roxx.de>
Ralf Oltmanns <ralf-squee-oltmanns.name>
Ralf Oltmanns <osm-squee-abo.ist-total.net>
Ralf Oltmanns (Piratenpartei Deutschland Landesverband Bayern) <pirat-squee-oltmanns.name>

Are you on this list ? We probably have your private key.

And the best part ? I'm not even sure this was actually what the shitgnomes were trying to cover up. Stay tuned, the saga of Phuctor continues.

PS. I am really looking forward to more "oh, we did this last year and forgot to mention it to anyone" + "oh nothing really happened, it's just how the Internet works" + assorted nonsense. Go for it boys, the comedy goldmines await your labour!

———