If Bytemaster's account is compromised, how can we trust Stan's confirmation or anyone's?
You can't trust me ....
Seriously though was BM compromised via the server (which means everyone should change passwords) or his own stuff...
This. It would be nice to know more details on what happened.
I'm always astounded by people's inability to use basic GPG services. For being in the cryptocurrency scene, you'd think you might know a bit more about it.
Anyway, a quick verification of the message signed by Dan indicates that it is a valid signature, i.e. signed with the private key associated to the public key he posted.
You can also see that the public key is the same one that is on MIT's public key server, and you can also note that the key was generated on 02-02-2016.
Unless you believe that BM's account was compromised, and prior to gaining control of the account, had already generated a public / private key pair on 02-02-16 and then, waiting all that time, the attacker then uploaded the key to MIT's public key server and then posted it on the forum, while at the same time knowing full well that MIT doesn't have a field for 'uploaded to server', you can take off your makeshift tinfoil hat.
If you want to wear that tinfoil hat on that theory, I'll sell you a professionally made one, and not a DIY created one. 10k BTS. If you need hats for the whole family, I do discounts, too. Buy 4 get 1 free.
Obviously *you* haven't understood how the GPG web of trust works. The fact that the given public key matches the signature doesn't prove anything, and the fact that the key is also available on a public key server doesn't prove anything either.
That the key is only 4 weeks old makes it more suspicious IMO (or perhaps less, because an attacker might want to fiddle with that...).
The only thing that *would* prove the authenticity of the key is a signature from a known-good key on it, or possibly a different kind of signature (like authenticated information in a blockchain).
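The distinction argued over in this thread, shown as an added example that is not part of any forum post: a signature that verifies against a posted key only shows the key pair is consistent, while authenticity needs a verified certification from a key you already trust. The sketch parses constructed `gpg --with-colons --check-sigs` style output; every key ID and user ID in it is made up, and `vouchers` is a hypothetical helper name.

```python
# Constructed sample in the colon format printed by `gpg --with-colons --check-sigs`.
# Field 1 = record type, 2 = check result ("!" good, "?" signer key missing),
# 5 = key ID (for "sig": the signer's), 11 = signature class.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1454371200:::-:::scESC:
uid:-::::1454371200::::Example Signer <signer@example.invalid>:
sig:!::1:AAAAAAAAAAAAAAAA:1454371200::::Example Signer <signer@example.invalid>:13x:
sig:!::1:BBBBBBBBBBBBBBBB:1456790400::::Known Good <known@example.invalid>:10x:
sig:?::1:CCCCCCCCCCCCCCCC:1456790400::::[User ID not found]:10x:
"""

# OpenPGP certification signature types 0x10 through 0x13.
CERT_CLASSES = ("10", "11", "12", "13")


def vouchers(colon_output, trusted_keyids):
    """Return (key_id, trusted key IDs whose certification on the key verified).

    Self-signatures are skipped: they only show that the key signed itself,
    which is all a matching signature or a keyserver copy demonstrates.
    Real use should compare full fingerprints, not 64-bit key IDs.
    """
    key_id, found = None, set()
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id = f[4]
        elif f[0] == "sig" and len(f) > 10:
            status, signer, sig_class = f[1], f[4], f[10]
            if signer == key_id:
                continue  # self-signature, proves nothing about the owner
            if not sig_class.startswith(CERT_CLASSES):
                continue  # not a certification of the user ID
            if status == "!" and signer in trusted_keyids:
                found.add(signer)  # verified and issued by a key we trust
    return key_id, sorted(found)


if __name__ == "__main__":
    key, who = vouchers(SAMPLE, {"BBBBBBBBBBBBBBBB"})
    print(key, "vouched for by", who or "nobody we trust")
```
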
Hence why I offered to sell anyone professionally-made tin-foil hats. I agree that it is still very circumspect. I never said that it wasn't. Indeed, I pointed out exactly the issues with trusting the key -- which you even bring up and use, the date of key creation, etc.
But yes, I completely agree that there is no way to prove the authenticity of the public key that was posted. All I said was that the public key posted matches the private key with which the message was signed. And then proceeded to give date details and offered a theory that still gave reasonable doubt to the authenticity of the key -- hence the PROFESSIONALLY made tinfoil hat jest.
I don't think I ever once said it was a legitimate key. Before you begin accusing me of not understanding how basic encryption and public key signatures work and the web of trust works, read what I write and don't make assumptions. As the old adage goes ... when you assume ...
Unless, of course, you're a mathematician, then assuming is your day job.
I was mainly kidding about the Stan thing, etc, but I think I sort of had a point even if I don't mess with PGP nor have I ever been to a key signing party.