 The level of attack against freedom tech is escalating, brace yourself.

nostr:nevent1qqsqqqyr9kq6ajn7srdwmkdzqsupanw82l9qeyrpknxz0hkv08l0haspzpmhxue69uhkummnw3ezumt0d5hsygy7xr55qguvm847h33js9md6ngsnqfp99zz72nv8pe8l3n05l4fpgpsgqqqqqqs0hpm5q 
 I'm very curious to learn how this happened but good thing it was caught so quickly. They say a contributor key was compromised. Do they know which one? How many contributors can make releases? That's kind of a sensitive issue.

Is the installer not signed? Who has access to these signing keys? 
 > They say a contributor key was compromised

This is an assumption:

A binary was replaced with a malicious one; this should only be possible for people with write access.
So far of those people, nobody's account seems compromised.

And GitHub doesn't let you know who performed that action.

> How many contributors can make releases?

The release itself, I think everyone could do it. But the creation and signing of the binaries with the zkSNACKs key of course only by people with the key.

> Is the installer not signed?

It is. And the signature file wasn't replaced.
People who verify signatures should have noticed it and not have been victims.
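The check the reply is pointing at, as an added example that is not part of the thread and not the project's own tooling: a release binary is swapped but the detached signature file published next to it is left alone, so anyone who verifies the signature before running the installer sees the verification fail. The example uses Go's standard-library Ed25519 as a stand-in for the project's release-signing key (the key pair, the installer bytes and the "trojaned" replacement are all constructed here); a real download would be checked against the project's published public key with its usual tooling, but the mechanics are the same.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ReleaseSigner stands in for whoever holds the project's release-signing
// key. The key pair is generated fresh here (constructed for the example);
// a real verifier would load the project's published public key instead.
type ReleaseSigner struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewReleaseSigner() (*ReleaseSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ReleaseSigner{Pub: pub, priv: priv}, nil
}

// Sign produces the contents of the detached signature file published next
// to the installer. The signature covers the SHA-256 digest of the file.
func (s *ReleaseSigner) Sign(installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return ed25519.Sign(s.priv, digest[:])
}

// VerifyInstaller is the check a downloader runs before executing an
// installer: recompute the digest of the bytes actually downloaded and
// verify the detached signature over it with the project's public key.
func VerifyInstaller(pub ed25519.PublicKey, installer, detachedSig []byte) bool {
	digest := sha256.Sum256(installer)
	return ed25519.Verify(pub, digest[:], detachedSig)
}

// Result reports what verification says about the genuine and the swapped
// installer when the signature file is left untouched.
type Result struct {
	OriginalOK     bool
	TamperedOK     bool
	OriginalSHA256 string
	TamperedSHA256 string
}

// Demo replays the scenario from the thread: the binary is swapped but the
// signature file is not. Both installers are constructed sample bytes.
func Demo() (Result, error) {
	signer, err := NewReleaseSigner()
	if err != nil {
		return Result{}, err
	}
	original := []byte("installer v1.0 (constructed sample bytes)")
	sig := signer.Sign(original) // published alongside the installer

	// Someone with write access replaces the installer but cannot produce a
	// new signature without the signing key, so the old signature file
	// stays in place and no longer matches the bytes being served.
	tampered := bytes.Replace(original, []byte("installer"), []byte("trojaned"), 1)

	oSum := sha256.Sum256(original)
	tSum := sha256.Sum256(tampered)
	return Result{
		OriginalOK:     VerifyInstaller(signer.Pub, original, sig),
		TamperedOK:     VerifyInstaller(signer.Pub, tampered, sig),
		OriginalSHA256: hex.EncodeToString(oSum[:]),
		TamperedSHA256: hex.EncodeToString(tSum[:]),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine installer  sha256=%s...  signature valid=%v\n", r.OriginalSHA256[:16], r.OriginalOK)
	fmt.Printf("swapped installer  sha256=%s...  signature valid=%v\n", r.TamperedSHA256[:16], r.TamperedOK)
}
```

The point of the two lines of output is the one the reply makes: a swapped binary changes the digest, the untouched signature no longer verifies, and a user who checks the signature before running the installer is not a victim, while a user who only downloads and runs it has no such protection.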
And then there is the possibility of a GitHub engineer. It would really be important to figure it out, and a log of who did this would be essential to narrow down what happened and also for criminal investigations, as the official account holder would be the first to ask. We cannot rule out people getting greedy or being psychopaths trying something funny to begin with.