Monthly Archives: August 2016

Not Quite News Roundup Xtend 2 (TM)(R)

Posted on by

Welcome to the second edition of the Qntra Not Quite News Roundup Xtend (TM)(R). These events of the past week happened, but didn't quite qualify as news on their own merits.

  • On Thursday following their acquisition by Univision, Gawker media announced that their former flagship Gawker.com would be shuttered next week.
  • RBS, the largest and most Anglo bank yet to do so announced it would be imposing negative interest rates on select major commercial depositors. Loss happens.
  • Following the news of a serious RNG bug affecting all GPG versions a low energy shitgnome campaign of apologetics and "not that bad" followed.1
  • Ethereum Huffing wank continues. It also was discovered that the "Robin Hood" group of Ethereum scammers dumped their classic ethereum tokens raided from the corpse of the DAO, which definitionally is empty.
  • Darkcoin, a minor altcoin notable for containing a rapid inbuilt hard fork mechanism, is going through another round of pumping in the hotsheets. There has been insufficient interest in this altcoin for anyone to care to challenge any of its past hard forks.
  • Trees near good looking soybean fields2 continue their decline. As harvest nears many corn fields are looking awfully weedy.
  • At the moment all is quiet on the BitfinExodus front.

Sorry for your loss.

  1. Edit: The existene of Phuctor and its factoring of numerous PGP keys of course likely has nothing to do with this, because if the shitgnomes don't talk about Phuctor it must not exist.  

  2. Qntra's favorite altcorn  

RNG Whitening Bug Weakened All Versions of GPG

Posted on by

Werner Koch, maintainer of Libgcrypt and GnuPG, announced today:

"Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions. … All Libgcrypt and GnuPG versions released before 2016-08-17 are affected on all platforms. A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened."

However, in the text of one of the patches (archived) which accompanied this announcement, we find a slightly different statement:

"This bug does not affect the default generation of keys because running gpg for key creation creates at most 2 keys from the pool: For a single 4096 bit RSA key 512 byte of random are required and thus for the second key (encryption subkey), 20 bytes could be predicted from the the first key. However, the security of an OpenPGP key depends on the primary key (which was generated first) and thus the 20 predictable bytes should not be a problem. For the default key length of 2048 bit nothing will be predictable."

In effect, this means that no key created with GPG to date carries more than 580 bytes of effective entropy (e.g., all 4096-bit and above RSA keys have 'subkeys' which – we now find – mathematically relate, in a possibly-exploitable way, to the primary key.)

It should be remembered that, due to the structure of the OpenPGP format, breaking a GPG subkey is often quite nearly as good as breaking the primary key – i.e. it will allow the attacker to create valid signatures, in the case of a signature-only subkey, or else to read intercepted ciphertext, or both.

And thus we find that, due to the staggeringly-braindamaged design of the protocol and of this implementation, GPG users who elected to use longer-than-default GPG keys (Phuctor presently contains 1,090,450 RSA moduli which exceed 2048 bits in length1) ended up with smaller-than-default effective cryptographic strength.

Likewise noteworthy is the fact that this bug was contained in an RNG 'whitening' routine. The popular but wholly-pseudoscientific practice of RNG 'whitening' creates the appearance of an effective source of entropy at times when – potentially – none exists2, at the cost of introducing a mathematical relationship (sometimes, as in the case at hand, a very exploitable one) between RNG output bits, which by their nature are intended to be wholly uncorrelated.

  1. Not all of these moduli were generated using GPG. 

  2. A whitened (walked over with, e.g., RIPEMD – as in GPG, or SHA2, or AES) stream of zeroes, will typically pass mathematical tests of entropy (e.g., the Diehard suite) with flying colors. While at the same time containing no meaningful entropy in the cryptographic sense. 

Github Enforces USG.NSA Copyright And Other Lols, Roundup Xtend'd

Posted on by

Following the initial announcement of "Shadow Broker's" (WOT:nonpeople) planned auction of alleged NSA surveillance tools and miscellanea, further lulz emerged. Here they are Roundup Xtend'd:

  1. Github effectively and proactively enforced a potential copyright claim by the United States National Security Agency by booting the information off their platform.
  2. Numerous media outlets are skirting around where the goods came from by tenaciously using the "Equation Group" moniker for the group with which the tools originated.
  3. The issue of whether the teasers offered of the goods for sale are novel or rehashes of previous leaks has not yet been definitively established given the sheer amount that has been leaked already.
  4. A suggested price of One Million Bitcoin has been floating around. The price, which represents a substantial percentage of the best money's monetary mass, reeks of insanity and a deep povertree of the sort that makes a supposed person incapable of market participation.

Sorry for your lols.

Buterin's Previous Waterfall Exposed

Posted on by

Today's altcorn report is brought to us by Gregory Maxwell, who earlier today in a reddit post outed Vitalik Butterin as mastermind of a quantum computer simulation scam. (archived) Maxwell stated

Vitalik's project immediately before Ethereum is that he was collecting investments from people to fund building a computer program to solve NP-complete problems in polynomial time.

No flaming tire in a shipit ever ascended from investor monies, furthering proof that Buterin worked hard at producing vaporware long before pushing the Ether huffing scam.

There May Be Lulz

Posted on by

A hacking group known as Shadow Brokers announced Monday they were going to auction an assortment of stolen surveillance tools purportedly used by NSA hackers. The group released code samples to boost veracity of their claims, the National Security Agency naturally witholding comment on the subject. Security experts offered mixed opinions on the existence of the malware, and the hackers only said the auction would end at a specified time. (archived) Peace in our specified time.

FDA Prepares To Regulate Literal Shitware

Posted on by

Despite small-scale studies indicating that poo replacement treatment – known as Fecal Microbiota for Transplantation (FMT) – can be more effective than vancomycin at combatting Clostridium difficile infections, USG.FDA is preparing to regulate the emerging market in order to protect its Big Pharma supporters. Also, given that highly antibiotic resistant C. difficile pathogens are the leading cause of nosocomial infections in American community hospitals, that USG.Hospital wants to solve the problems it made itself is largely par for the course.

Intent on entangling FMT treatment in a bureaucratic quagmire to rival AML/KYC,1 USG.FDA's proposed regulations would deprive needy Americans of doctor-facilitated avenues for treatment, pushing even more folks into the smelly back alleys of the dark web, if only 10.5g at a time.

Sorry for your loose2

  1. APL/KYB anyone ? 

  2. stool, c. diff is a bitch.  

Dicamba Disaster Continues Destruction

Posted on by

As the story of the Dicamba Disaster in the United States begins finally reaching mainstream media outlets, the St Louis Post Dispatch brings us news that Dicamba Drift has threatened Missouri's largest peach orchard (archived). Two hundred and fifty acres of the orchard's peach trees are already irreparably harmed and as the damage continues to show that number could double by next spring as the injury progresses.1

Dicamba has been around since 1942. Until this year it had largely survived in its humble role as that thing you add as a tiny fraction of a percent to your tank mix as a little kicker to beat back broadleaf weeds. What it did, what it didn't do, and why it stayed that tiny fraction were established. Why it stayed the tiny fraction is that dicamba is volatile and the dicamba that doesn't get absorbed and bound will vaporize and spread.

The ascendancy of Roundup Ready in the 1990's inspired much panic. "Genetic modifications AND a super herbicide?" Glyphosate however turned out to be a kitten with the surfactants mixed with it carrying a greater hazard to fauna than the herbicide itself, flora was still fucked though.2

Monsanto opened a pandora's box with their latest offering, because when you offer desperate farmers soybeans that won't suffer any losses with two herbicides those farmers are getting as much mileage out of those two herbicides as they can. Bad behavior becomes mandatory, because fuck that other family's peach orchard which took a generation to grow. Also no one cares about the other stands of mature trees yellowing, defoliating, and in clear decline.3

It would likely have not made things much better even if Monsanto released their "less volatile" dicamba with the seeds4 so long as other people were selling classic Dicamba preparations for less. The competition between agriculture and chemistry is leaning decidedly in chemistry's favor with crops outside of the limited Monsanto supplied corns and alt-corns becoming environmentally impracticable. US agriculture at this point appears to on track to become a fiefdom of tort law in the same way US medicine is by this time next year. This is the story of your loss and imazapyr resistant crops can't come soon enough (archived).

  1. And even in the absence of further dicamba applications nearby it will continue to progress.  

  2. But only if the glyphosate solution actually made contact with foliage.  

  3. This phenomena is pointedly NOT limited to the portions of the Ozarks that US based media is suggesting it to be. 

  4. It seems likely they anticipated the destruction and didn't want their preparation taking the blame.  

The "Your Loss" Playbook

Posted on by

Before we at Qntra can be sorry for your loss, someone else has to bake your loss first.When a "business" decides to live at the intersection of Bitcoin money and fiat currencies your loss tends to follow the same few steps. There may be a few variation on these steps depending on whether your chosen loser is BitInstant, MtGox, Mcxnow, Homero Garza, Buterin,1 or Bitfinex.

  1. Make, buy, or steal a thing to be calling your business. If you are a true pioneer like Intersango you make it. You buy it if you are Mt Gox or Butterfly Labs. If you are Bitfinex you just straight up steal it.2
  2. You start making noise. If you are Trendon Shavers you recruit "privileged insiders" to do your selling. If you are Butterfly Labs you buy a bunch of advertising. If you are Homero Garza you buy advertising from all the media outlets and do a bit of the privileged insider thing.
  3. You build some history for either spectacular returns and reliability. You paper over the complaints with lies and declarations of "This is just how we do things" to justify the insanity. You lean on your loyal bought and paid for noisemakers3 to toe your party line.
  4. Your Loss, we are sorry.4
  5. When the complaints get too loud the payment processor and all manner of accessories to the scheme start getting scapegoated. Mt Gox had Dwolla. BitInstant had numerous payment processors to blame. At this point the existence of the loss is clear, but some effort is made to conceal the loss is yours.
  6. Tokens! A market for them! See MtGox Bitcoins on Bitcoin Builder, BFX Tokens on Bitfinex, and the entire Paycoin scheme that emerged when GAW could no longer hold up the pretense of mining.
  7. The pretense is suddenly lifted. Every one is sorry for your loss.

History rhymes and this is the story of your losses. Just like the various color revolutions, your loss follows a pattern. We're sorry.

  1. The various altcoin scams invariably end up actually being fiat/Bitcoin interface scams when the scammers need to eat off of customer deposits and pimp their rides. 

  2. preferably from another scam that too moribund to care at the time  

  3. Roger Ver and Andreas Derpolopolis are very popular and affordable choices.  

  4. The steps following this case can be skipped in the event of Trendon Shavers