We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.

  • We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.

    https://www.openwall.com/lists/oss-security/2025/12/29/9

    Yes, and actually the only serious bug from their list.

    Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.

    Can you distinguish between these three explanations?

    Could it be all of them are true?

    Impact

    While this may allow remote code execution (RCE), it definitively causes memory corruption.

    Good research.

    I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.

    The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).

  • I think 2026 should be the year that we make PGP irrelevant.

    Not just GnuPG (Koch's implementation), but the entire OpenPGP ecosystem.

    Most cryptographers I talk to gave up on PGP over a decade ago.

    (After seeing the arrogance and dismissiveness that bled through Koch's oss-security email, who can blame them?)

    If you're a country whose government mandates the use of PGP, even in obscure places, let's talk about how to replace PGP.

  • @soatok
    Since OS repositories rely on gpg for validating package signatures, I took the liberty to forward the talk to my support contact at SUSE. He called me half an hour later stating that he's halfway through the talk and had already forwarded it to their internal security mailing list because it's like a bad car accident you know you shouldn't stare at but you just can't stop watching... and I'm pretty sure Red Hat is watching, too.
