ctf-like WKD challenge (was: WKD proper behavior on fetch error)

Stefan Claas spam.trap.mailing.lists at gmail.com
Thu Jan 21 08:02:42 CET 2021

On Thu, Jan 21, 2021 at 12:25 AM Ángel <angel at pgp.16bits.net> wrote:

> Last night, I prepared the domain wkdtest.pgp.16bits.net It is a valid
> wkd server. I have just created and uploaded there a new pgp key, and
> you have to obtain it:
> «We have intercepted the following communication sent to an spy using
> an undisclosed openpgp implementation. Based on the detected network
> traffic, we are sure the key itself was downloaded using wkd, and the
> domain of the userid to be ‘wkdtest.pgp.16bits.net’
> Your mission, should you choose to accept it, is to find out the name
> of the spy to which this communication was addressed:

Well, I am not in the spy business, but according to the meta data
of the message it is addressed to key owner 0xCD2687BFBB7D2624,
if I see it right.

Since you write that you have intercepted the comms, you are aware
about the following phrase: 'people get assasinated by meta data ...'

I guess this is true, because last year China, for example, executed
24 CIA agents.

The nice things about OpenPGP amored messages is also that
procmail and friends can be used at providers to filter -----BEGIN blah

So in the end, I would say when one intercepts the communications
and according how MTAs work the involved parties should have it
not to difficult to figure out to whom the message(s) is intended for.

My motto is :TCP/IP where C stands for me for *Control* and P
for Protokoll, e.g. protokoll or log everything. ;-)

Best regards

More information about the Gnupg-users mailing list