Amazon Rolls Out An Index Librorum Prohibitorum

Trump's chief strategist Steve Bannon recently compared the ongoing controlled demolition of Europe by marauding orc hordes to a scenario portrayed in an obscure novel, The Camp of the Saints (1973) by Jean Raspail.

The response by Amazon, the world's foremost peddler of DRM-laden electronic chumpware "books" was swift, merciless, and mindblowingly "original" : let's ban some books! And so if you want to obtain a copy of The Camp of the Saints from Amazon, you will now have to settle for a $2,000 collectible edition, because the Kindle chumpware item has vanished, having been made "…unavailable because there are significant quality issues with the source file supplied by the publisher. The publisher has been notified and we will make the book available as soon as we receive a corrected file."

Similar "quality control" problems have immediately cropped up in another alleged Bannon favourite, Julias Evola's Revolt Against the Modern World. And it turns out that Hitler's mega-bestseller Mein Kampf has also sprouted some sudden bit rot.

Peace in our time.

Phuctor Reveals 1 in ~2700 SSH-capable Machines On The Internet Still "Debianized"

Phuctor is a public service operated by S.NSA. It catalogues extant RSA public keys which are inexpensively breakable by any known means.

A short "trip down memory lane" is in order. From 2006 to 2008, Debian shipped with a sabotaged SSH key generator — which was capable of producing strictly 32768 distinct private keys of any given length.

According to Official Truth, this particular story ended in 2008, when the Debian "bug" was fixed. But in reality, a carefully-engineered boobytrap is truly a gift that keeps on giving.

Phuctor has been digesting SSH keys obtained from a scan of the complete IPv4 space since June of 2016. These have yielded, and continue to yield, breakable RSA moduli.

On Wednesday, November the 16th, factors from 168923 trivially-breakable "Debianized" RSA keys1 were added to Phuctor's database. This resulted in a discovery of 1366 distinct hits, distributed across 689 newly-broken RSA moduli. The count of RSA SSH keys (each found at a particular scanned IP, and not necessarily unique) present in Phuctor's database at the time was 2941798. The 689 moduli represented a set of 1074 IP addresses where a machine had responded to an SSH query.2

This leads us to an interesting conclusion: roughly 1 in 2700 SSH-capable machines in the IPv4 space is actively making use of a "Debianized" SSH key, even today; its traffic is effortlessly transparent to enemy eyes.

Peace in our time, shitgnomes!

  1. Many of these Linux boxes are likewise using a "Debianized" SSH key for remote login. And if you, the reader, can find and forensically-instrument such a machine, it may prove to be an excellent source of NSAware for the discerning entomologist.  

  2. Plus one other very peculiar key, appearing to belong to a USG provocateur organization called "Mayfirst". It seems to have started life as an SSH key, and is clearly Debianized, but it is not part of the set we converted to RFC4880 format for digestion in Phuctor. Instead, it had been gathered from SKS as part of Phuctor's original working set!  

RNG Whitening Bug Weakened All Versions of GPG

Werner Koch, maintainer of Libgcrypt and GnuPG, announced today:

"Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions. … All Libgcrypt and GnuPG versions released before 2016-08-17 are affected on all platforms. A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened."

However, in the text of one of the patches (archived) which accompanied this announcement, we find a slightly different statement:

"This bug does not affect the default generation of keys because running gpg for key creation creates at most 2 keys from the pool: For a single 4096 bit RSA key 512 byte of random are required and thus for the second key (encryption subkey), 20 bytes could be predicted from the the first key. However, the security of an OpenPGP key depends on the primary key (which was generated first) and thus the 20 predictable bytes should not be a problem. For the default key length of 2048 bit nothing will be predictable."

In effect, this means that no key created with GPG to date carries more than 580 bytes of effective entropy (e.g., all 4096-bit and above RSA keys have 'subkeys' which – we now find – mathematically relate, in a possibly-exploitable way, to the primary key.)

It should be remembered that, due to the structure of the OpenPGP format, breaking a GPG subkey is often quite nearly as good as breaking the primary key – i.e. it will allow the attacker to create valid signatures, in the case of a signature-only subkey, or else to read intercepted ciphertext, or both.

And thus we find that, due to the staggeringly-braindamaged design of the protocol and of this implementation, GPG users who elected to use longer-than-default GPG keys (Phuctor presently contains 1,090,450 RSA moduli which exceed 2048 bits in length1) ended up with smaller-than-default effective cryptographic strength.

Likewise noteworthy is the fact that this bug was contained in an RNG 'whitening' routine. The popular but wholly-pseudoscientific practice of RNG 'whitening' creates the appearance of an effective source of entropy at times when – potentially – none exists2, at the cost of introducing a mathematical relationship (sometimes, as in the case at hand, a very exploitable one) between RNG output bits, which by their nature are intended to be wholly uncorrelated.

  1. Not all of these moduli were generated using GPG. 

  2. A whitened (walked over with, e.g., RIPEMD – as in GPG, or SHA2, or AES) stream of zeroes, will typically pass mathematical tests of entropy (e.g., the Diehard suite) with flying colors. While at the same time containing no meaningful entropy in the cryptographic sense. 

Phuctor Finds Seven Keys Produced With Null RNG, And Other Curiosities

Phuctor is a public service, operated by S.NSA. It catalogues extant RSA public keys which are known to be inexpensively breakable.1

Recently, Phuctor's algorithmic arsenal was expanded to include a search for perfect squares, which was then further generalized to Fermat's factorization method. A perfect square RSA modulus results from an ill-conceived, subverted, or otherwise catastrophically-broken key generator where a cryptographic prime P is created and immediately re-used verbatim, as prime Q. An RSA modulus factorable via Fermat's method contains two factors which are dangerously (i.e., cheaply-discoverably) close together. This typically results from a lulzimplementation of RSA where prime Q is generated by finding NextPrime(P), rather than independently.

The perfect square finder immediately yielded up a modulus which consisted merely of the square of the next prime following 2^1023. This type of RSA public modulus is consistent with a scenario where a PGP client is operated on a system containing a null-outputting RNG. This trivially-breakable modulus was found to occur in no fewer than seven RSA public keys, claiming the following user IDs:

  1. Mahmood Khadeer <mhkhadee AT>
  2. none <algemeenoptie2 AT>
  3. Godless Prayer <godless.prayer AT>
  4. john <john.k.pescador AT>
  5. Bjoern Schroedel <bjoern AT>
  6. Bjoern Schroedel <bjoern.schroedel AT>
  7. Nick Ruston <alliancemicro AT>

Mr. Pescador appears to be, or to have once been, an employee of the State of Hawaii, a curator of (archived), and — apparently — of an empty GitHub repository. (archived). Mr. Khadeer is the President of the Muslim Association of Puget Sound (MAPS) in Redmond (archived), famous primarily for 'heartfelt condemnations' (archived) of this and that, published like clockwork for the past decade. Not much is publicly known about the other victims and/or perpetrators of brain-damaged cryptography in the above list.

The subsequent search for Fermat-factorable RSA moduli yielded exactly one additional result. This very peculiar PGP public key is suggestive of an aborted attempt at the development of a cross-site scripting (XSS) attack against PGP users who might decode the key and display its User ID field in certain WWW browsers.

Peace in our ctime();

  1. For the comedic gold let it be pointed out that prior to Phuctor's existence this kind of key simply did not exist, as per official truth. Nowadays they "obviously" do exist, but after the failure of embrace-extend-hijack attempts spearheaded by Hanno Böck, the deceitful shitbag they're simply "not interesting" as per the same official narrative ; and moreover, systematic causes for their existence still do not exist, at any rate not past "Cosmic Rays did it". Certainly the involvement of the usual array of inept USG agencies can not possibly be suspected. Isn't official nonsense ever so fascinating ? 

Your Disk Controller and You

A recent publication by Kaspersky Lab (mirror) describes the first publicly-confirmed instance of a Microsoft Windows 'trojan' capable of infecting hard disk drive firmware. For every word that's been written on the subject so far, ten thousand words of disinformation, FUD, and general-purpose obscurantist rubbish are floating about – eagerly passed around by spambots disguised as 'independent bloggers' and fleshy meat-puppets alike. Expect no shortage of 'product' from the well-funded – but, interestingly, not especially competent – FUD agency charged with spreading confusion and misplaced skepticism after this and every other Snowden-related tidbit. Continue reading

Buterin's Waterfall, a Likbez


Product: Price of BTC under control. Life for USG. (Examples: Bitstamp and Coinbase)

  1. BTC dumped by agents on public markets (The Ethereum raincloud)
  2. A portion of the "energy" sustains the agent's "businesses"
  3. USG Confiscators such as the National Security Agency and Department of Justice collect BTC pooling at the bottom (Silk Road v1 and V 2.0, Various Chumpatrons like pirateat40, vanilla idiots).
  4. BTC plundered via Judicial and other means (e.g. malware) goes to loyal agents who know what is expected of them.
  5. GOTO 1 (via evaporation)