MPEx - Status Report
I. The news. Last night when I announced this article on irc this particular chapter didn't yet exist, so I had to re-do the numbering of all the others. I guess that's the definition of news.
Anyway, the final segment of optic fiber connecting my private NOC[i] to the world at large was cut, physically, sometime around noon today. This has caused no end of hassle because guess what ? GPG doesn't work so well through phones, at least not yet. It especially works poorly the day after the culmination of a two day aggravation programme about security and social engineering everyone I know went through. Basically every remote operator arrayed into one of two camps : the "you're kidding me right ? what is this, a bit ?" camp or the "oh he's pretending to be attacked to test me har har" camp. I have been methodically[ii] rebuilding access which is why you even get to read this in the first place. It may not look like much, but it is a worked-for victory.
Tempting as it may be to suspect reptilian conspiracy and the gubbinment, the much more likely explanation is the guys with the excavators and assorted heavy equipment at the corner of the street acting of their own free will such as it is, and being hard working, productive members of society after a fashion. They're building a gas station, which likely won't make in its entire short, unhappy existence enough profit to justify my cursing. The local Internet people are giving themselves one pm tomorrow as the deadline for fixing the thing, which is probably remarkable given that it's Friday night and Romania.
Notwithstanding the annoying inconvenience, this is not particularly serious or threatening an event. I will in due time get my connectivity and credentials all sorted out, meanwhile MPEx servers are still being tested independently, backups of everything still got, Bitcoin still got, you no come to disturb!
II. The new MPEx key is 4096RSA/4096RSA, fingerprint 3FF3 65E9 0FF6 B246 5841 E819 2EE9 3869 A57D 509A keyid A57D509A. You can copy/paste it from here :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.0
-----END PGP PUBLIC KEY BLOCK-----
or else you can pick it up off the Internet. You know it's right because as you can see it's signed by me.
The larger signature will mean an estimated 35 to 45% increase in bandwidth consumption by MPEx for the same traffic volume[iii]. This is not the end of the world. I briefly considered making a custom 8k bit key, but in the end discarded the idea as overkill. Nevertheless, it remains an open possibility : in spite of all MPEx keys to date being marked as "never expires", none of them function like that or indeed are intended to be used like that. They remain revokable as circumstances demand and at my discretion. While I generally try to avoid multiple revocations in the same year, you never know what the next Snowden is going to be telling us.
If you are using MPEx independently, please update its key. You won't be able to use it otherwise. If you are using MPEx through a script such as pyMPEx, make sure you either edit it accordingly or download an updated copy from the script's maintainer. If you are using MPEx through a broker you should be fine.
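A way to check an imported copy of the key against the full fingerprint published above, rather than the 8-character keyid, which can match more than one key. This is an added example, not code from the original post or from MPEx; the function names are hypothetical and the sample listing is constructed to follow gpg's `--with-colons` layout.

```shell
#!/usr/bin/env bash
# Added example: pin the full fingerprint from section II and compare it
# with the primary-key fingerprint in `gpg --with-colons` output.

# Fingerprint exactly as published in the post.
MPEX_FPR="3FF3 65E9 0FF6 B246 5841 E819 2EE9 3869 A57D 509A"

# Strip whitespace and upper-case, leaving 40 hex characters to compare.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# check_key_listing EXPECTED_FPR   (colon-format listing on stdin)
# Succeeds only if the listing holds exactly one primary key and its
# fingerprint (field 10 of the "fpr" record right after "pub") equals
# EXPECTED_FPR in full. A bare keyid, or a query that returned several
# keys, fails.
check_key_listing() {
    local want
    want=$(normalize_fpr "$1")
    awk -F: -v want="$want" '
        $1 == "pub" { primary = 1; next }
        primary && $1 == "fpr" {
            n++
            if (toupper($10) == want) ok++
            primary = 0
        }
        END { exit !(length(want) == 40 && n == 1 && ok == 1) }'
}

# Constructed sample listing: the fingerprint is the one from the post,
# the dates, uid and subkey values are made up for the example.
SAMPLE_LISTING='pub:-:4096:1:2EE93869A57D509A:1380000000:::-:::scESC:
fpr:::::::::3FF365E90FF6B2465841E8192EE93869A57D509A:
uid:-::::1380000000::0000::MPEx (constructed uid):
sub:-:4096:1:0000000000000000:1380000000::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

printf '%s\n' "$SAMPLE_LISTING" | check_key_listing "$MPEX_FPR" \
    && echo "sample listing: fingerprint matches"

# Against a real keyring, after importing the key:
#   gpg --with-colons --fingerprint A57D509A | check_key_listing "$MPEX_FPR" \
#       || echo "MISMATCH or ambiguous keyid: do not use this key"
```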
III. Public keys. This is perhaps the strangest part of the entire affair. We have detected differences in a few user public keys as cached on the disk of the attacked server when compared to what should be more authoritative copies of same on different servers. This circumstance is yet unexplained. It may be some sort of data corruption, either intended by the hacker for some yet obscure purpose or accidental. Either explanation seems improbable.
The variant keys do not work, ie, neither the affected machine nor clean machines can encrypt to them.[iv] Nevertheless, in the interest of paranoia MPEx will require resubmitting your public key. This procedure is trivial for the user, as described in the FAQ. You will have to submit the exact key we have on record for your account, substitutes will not be accepted. Should we receive multiple variants for the same fingerprint you will be asked to satisfy a signature test. There is no deadline for this process, but you won't be allowed access to your account until you have satisfied it.
IV. Back online. Internet access to MPEx is to be restored Sunday, Sept 29th, at noon GMT. This is mostly intended to give most people a chance to import MPEx' new key and send over their public key. Trade will continue under supervision for the rest of the day.
In general I don't expect trouble - it is and remains the case that to date MPEx has been harassed through social rather than technical means. Be it DDoS or password begging, neither really have all that much to do with computers.
———
[i] No, it's not in a sauna tyvm.
[ii] Which is to mean : slowly. Ironically, I actually prophesied this ;/
[iii] Short one liner orders are impacted significantly but long STAT responses and DB dumps not nearly as much.
[iv] Although I confess mentally preparing for the surprise of my life as we were testing this the first time.
Saturday, 28 September 2013
MPEx.rb 0.6.1 released with updated new MPEx key (https://rubygems.org/gems/mpex and https://github.com/fawuxi/mpex). No need to upgrade if you're a user of 0.6.0 already, just edit the mpexkeyid in ~/.mpex/config.yaml
Saturday, 28 September 2013
Nice going there F!