[PATCH] avoid publishing the GnuPG version by default
ilf
ilf at zeromail.org
Mon Aug 8 00:04:30 CEST 2016
Werner Koch:
> You are right, the "Version:" has no technical meaning.
> I just pushed dkg's patch to master.
Thanks again for this. Even after the decision, I want to add a
real-world example of why this change helps against de-anonymization:
> Both "French Maid" and Force (operating as "Nob") used the exact same
> brand of PGP software, a free brand called GnuPG. There are different
> brands of PGP software so it is noteworthy that both Force (operating
> as "Nob") and "French Main" used the same brand. Not only did Force
> and "French Maid" both use the same brand of PGP software, they also
> both used the same outdated version of that software, 1.4.12. Version
> 1.4.12 was released on January 2012, and was replaced with a new
> version by December 2012, and was one of several versions of GnuPG
> software. As such, both "French Maid" and Force (as Nob) were using
> the specific, older version of the GnuPG software, and neither of them
> replaced it with the other (free) version of GnuPG that came out
> thereafter. […]
> There are also additional similarities between Force's (Nob's) and
> "French Maid's" PGP patterns. Both "Nob" and "French Maid" left
> certain default settings on their PGP software. For one thing, both
> "French Maid" and Force (Nob) left a "tag" that appeared on every
> message authored from their PGP key revealing the brand and version of
> PGP software they were using. This is akin to, for example, leaving
> the phrase "sent from my iPhone" on the bottom of one's emails but
> with greater detail: it would be akin to leaving a phrase like "sent
> from my iPhone 6 iOS 8.0.1." Leaving this "tag" on typically reveals
> that one is dealing with a fairly inexperienced user of PGP, because
> someone that regularly uses PGP to communicate would normally have
> changed their settings to omit this tag.
http://www.justice.gov/sites/default/files/opa/press-releases/attachments/2015/03/30/criminal_complaint_forcev2.pdf
http://www.networkworld.com/article/2904395/microsoft-subnet/mistakes-that-betrayed-anonymity-of-former-dea-agent-and-silk-road-investigator.html
--
ilf
Über 80 Millionen Deutsche benutzen keine Konsole. Klick dich nicht weg!
-- Eine Initiative des Bundesamtes für Tastaturbenutzung
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: </pipermail/attachments/20160808/9f166755/attachment.sig>
More information about the Gnupg-devel
mailing list