LKML: <1471274895@i2pmail …: Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.

It was well-known that PGP is vulnerable to short-ID collisions,
and many experiments were done to demonstrate that. [0]

Nevertheless, real attacks started in June: some developers found
their fake keys with the same name, email, and even "same" fake signatures
by more fake keys in the wild, on the keyservers. [1]

All these keys have the same short-IDs, created by collision attacks, which led
to some discussions about the danger of short-IDs. Now, it is worth
mentioning this issue again, since fake keys of Linus Torvalds, Greg Kroah-Hartman,
and other kernel devs have been found in the wild recently.

> We don't know who is behind this, or what his purpose is. We just know this
> looks very evil.

Source: LKML: <1471274895@i2pmail …: Fake Linus Torvalds’ Key Found in the Wild, No More Short-IDs.
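A keyring check for the situation the message describes, added here as an example and not part of the original post: it reads GnuPG's machine-readable listing (`gpg --list-keys --with-colons`), takes the last 8 hex digits of each primary key's fingerprint as its short ID, and reports short IDs shared by different fingerprints. The listing, names and fingerprints below are constructed sample data, not real keys.

```python
from collections import defaultdict

# Constructed sample in `gpg --list-keys --with-colons` layout (not real keys).
# "fpr" records carry the fingerprint in field 10, "uid" records the user ID.
SAMPLE = """\
pub:-:4096:1:0123456700C0FFEE:1300000000:::-:::scESC:
fpr:::::::::A1A1A1A1A1A1A1A1A1A1A1A10123456700C0FFEE:
uid:-::::1300000000::HASH1::Example Dev <dev@example.org>:
sub:-:4096:1:1111111122222222:1300000000::::::e:
fpr:::::::::D4D4D4D4D4D4D4D4D4D4D4D41111111122222222:
pub:-:4096:1:89ABCDEF00C0FFEE:1466000000:::-:::scESC:
fpr:::::::::B2B2B2B2B2B2B2B2B2B2B2B289ABCDEF00C0FFEE:
uid:-::::1466000000::HASH2::Example Dev <dev@example.org>:
pub:-:2048:1:1357924612345678:1400000000:::-:::scESC:
fpr:::::::::C3C3C3C3C3C3C3C3C3C3C3C31357924612345678:
uid:-::::1400000000::HASH3::Other Dev <other@example.org>:
"""

def parse_keys(colon_output):
    """Return [(fingerprint, first_uid)] for every primary key in the listing."""
    keys, want_fpr = [], False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            want_fpr = True            # the next fpr record belongs to this key
        elif f[0] == "sub":
            want_fpr = False           # skip subkey fingerprints
        elif f[0] == "fpr" and want_fpr and len(f) > 9:
            keys.append([f[9].upper(), None])
            want_fpr = False
        elif f[0] == "uid" and keys and keys[-1][1] is None and len(f) > 9:
            keys[-1][1] = f[9]
    return [tuple(k) for k in keys]

def short_id_collisions(keys):
    """Map short ID -> sorted [(fingerprint, uid)] where fingerprints differ."""
    by_short = defaultdict(set)
    for fpr, uid in keys:
        by_short[fpr[-8:]].add((fpr, uid))   # short ID = low 32 bits of fingerprint
    return {s: sorted(v) for s, v in by_short.items()
            if len({fpr for fpr, _ in v}) > 1}

if __name__ == "__main__":
    for short, entries in short_id_collisions(parse_keys(SAMPLE)).items():
        print(f"short ID {short} is shared by {len(entries)} different keys:")
        for fpr, uid in entries:
            print(f"  {fpr}  {uid}")
```

A hit means the short ID cannot identify the key; compare the full 40-digit fingerprint against one obtained from the key owner over a trusted channel.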

 

Raony Guimaraes