MPEx - Status Report

I. The news. Last night when I announced this article on irc this particular chapter didn't yet exist, so I had to re-do the numbering of all the others. I guess that's the definition of news.

Anyway, the final segment of optic fiber connecting my private NOCⁱ to the world at large was cut, physically, sometime around noon today. This has caused no end of hassle because guess what ? GPG doesn't work so well through phones, at least not yet. It especially works poorly the day after the culmination of a two day aggravation programme about security and social engineering everyone I know went through. Basically every remote operator arrayed into one of two camps : the "you're kidding me right ? what is this, a bit ?" camp or the "oh he's pretending to be attacked to test me har har" camp. I have been methodicallyⁱⁱ rebuilding access which is why you even get to read this in the first place. It may not look like much, but it is a worked-for victory.

Tempting as it may be to suspect reptilian conspiracy and the gubbinment, the much more likely explanation is the guys with the excavators and assorted heavy equipment at the corner of the street acting of their own free will such as it is, and being hard working, productive members of society after a fashion. They're building a gas station, which likely won't make in its entire short, unhappy existence enough profit to justify my cursing. The local Internet people are giving themselves one pm tomorrow as the deadline for fixing the thing, which is probably remarkable given that it's Friday night and Romania.

Notwithstanding the annoying inconvenience, this is not particularly serious or threatening an event. I will in due time get my connectivity and credentials all sorted out, meanwhile MPEx servers are still being tested independently, backups of everything still got, Bitcoin still got, you no come to disturb!

II. The new MPEx key is 4096RSA/4096RSA, fingerprint 3FF3 65E9 0FF6 B246 5841 E819 2EE9 3869 A57D 509A keyid A57D509A. You can copy/paste it from here :

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.0

mQINBFJE9SgBEADmoQkiACzQojTnY6+87SMvIAupdtmPdrcTBcWOnck5RwwbipQDumi52QP9
r4ChSFYO1g6UE40FwtBQuDHbGmQtNvZZnBncPmUuvCCYyAab55FK0vP3mA2I65YLpRdTsB9F
D+ZxDrgFjXpF/vELVgvIibAsIS92jHkMuzN2slXq8r8WP/Q+/ds+BoFsgb39eOKAy+FHeALO
NqU0h9s0RwJVfqNpP/NRtFXsoPstkWFrXA2zgbS5mroQadxcGqNaiyZl8AqphfP6uUUzUSTG
mdW21LDFao7JISz3uhM4hcge36hWD18H8fcc+NHQvtyOBbwOPC8dAt8R0s+kz6jGDVUmNyr2
ppoWRy88VZ/nOrBmdNm2jWNAcS79mW51tRkFIt60fGSvs8hrHlnupGUJjJYzeNRlJ+0mwRmc
4rMYUg1ogQFprdBeLzQYg+4SX7BA4/l+qI9xrkmeLfNy96ctv1pV5K40+d4FANpLVtqn5dZX
6Jn537L5RE7UKof5NwbItaEEzemByiSr2CUwyHn+PZTZ1HqgDAOUw9TT44DQ9wiIxXXtIjy5
FrrsxKSpY0VIKihS5RbS254qun/YKoAgvLzT+AsQ7Iz+arQ4Bcx05oDdBi7Cv1IK1Wop8mKs
jbrVwZFr8hHak2/81tVie3hNmaBtIbNTL3v7j3hXwWXSVCVv+wARAQABtDxNUEV4LCB0aGUg
Qml0Y29pbiBTZWN1cml0aWVzIEV4Y2hhbmdlICh2aXNpdCBodHRwOi8vbXBleC5jbymJAjgE
EwECACIFAlJE9SgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEC7pOGmlfVCasukP
/0/5KFLWj7Ol5GE1WaVx+RNhnD9pfQUM3xbqFHj7nPglpBwJaVE0PEFymcIV4ambotWah1ry
476ZG1mU0IIhDWVgmMbr62617x25x9EjQsvmeIUsPxhd1VZQAA6TmlM79Y0Dol/RUfWCHQ9Z
j+Jh7+6L+D2rLiX98y/D9Tuu7HbWV98fhp6qzO7hlMwM02I2gIyFv6w2hEiEnTYqgjgwEIm6
1077TYJbPj3RXh3IDaJu2O1DONRyl3rc/p+Xof0hkGa74H4HTUuG3NGps46LB0evPYxML942
bPdX+1uhF0ZHlN1lKE2EEUA4LBREDhLljsUp1A17pe4+GJPvBjDgc9h9InOxAnVCIlNbp56x
lxQGTwxmPXHl+rrki0S/m4lmDbFYa6iZArUq238RTElydvWZrNahIJa6gbYmp1BZx2ThgA7Y
bZsp1v+MSqnkB5kbTV9W9qz0+ldEgF95wmu7EdTWkFtHypjYlEcKkdknV96aDb6FRabFYBv5
EACgxJWX9IEe1B50eonqiS8xmOQ1TlSBlEQgM+V8fpMMVD/U+rEAvt68haWGwUdkcRFHq/no
PvlNt9feBTgxWrS9dAX4YIa3u+BHYK1tvRMTPyTGkHQSq3h6Xrgs2eCCom8pXreGh6noj655
wTvob0LPTvjWYtXNKkBURsqCMeLxPlXDqWquiQIcBBABAgAGBQJSRQLZAAoJEIpzbw4vt7RS
TDUQAINq0Fug4rzca92NwqQkEaXqTZ2aoMcnfE9joFbJSyWl/H3UvtOKOH2gXA71tLi2unVi
sO/qJgOkv8H+ZOA1C5/EyDYRR4F4NKffb50LU3m0z0aTsn2Gd4CJT9/1raJv4zBgwlsJxajB
f31IPJgCqfTzNIN1LXMZp90olbcfsSsNCqg3hfywSV2SuX1WpUs8cbM1gmiNTq8uXOq20vUg
Tk/MOYHwA7a69b2eqJGwf33Xf1xwwFMMLToV9kr3/FMysnUmHg+qk5SRIrCZVuMPNW8dLoQ/
xw+/WeijltRKxCR6tDTGOKbUfprLuo5p7uLaxT68/rSRY0pBYt5f4K6akSneV9OCuqjSJoKn
+WzQM9+zaQFWuGc8O3b1un60NxHB4XYc78whzV72luRnx5vBfr1A5EUNpu2vASrI7LgZ7Ask
0+tmCFvvebkgPK9384rQB1ma3tZgXTe+6YWA8WWfwCz1o5hyWwXqWaOZ4I2vu+WTDKvSuxqE
LyB8bnFfikxIiQPSjMGPVuh1r9NVRCz38t3GhC5Z5b9Tl5aW6y2nkF0k6a4Q2dbGeA47fgCG
Q0EiU/JZCjmcWMAuPzutC52odUua/xFzR+Fkq2HcCsScbq93D21abd6WNCDmROUQZEcJONqn
AS6YaHMGqyV3BOetoKfRiRzeQ08RY+DeIkUJlI03uQINBFJE9SgBEADEC3jiJAoF90czf08Z
OodaFedkHvifwhlp+jEtc+CgmvNIUBU2ZbfImjsZa0qaK00kB1aeMdSHLsl9BlGycNGolZqr
lZd/M6esnIY0oI1HDzzRWfVYD4aF3PBZK8P6DlqKrPyDnY1ooQvq5jiAf6Iz5tUJpP718IGg
cRtOvxdOuz1bm5DL+aLb0zAUML6W91zTdB2wmE1EnsMGyVoqnFSgZC5a0dDDo/TMAe6r5sJN
vWMNMHem0+zeS5eZWKJD0BmuRFZ3ylakjAYltzbPrtRMT4VdIap6zfxRqTifgCDw4n/UqKqB
Q9bKY+IRvDXQXZRsp0QVemN2zlf7PkqOgU2+cKNt1PzjiSnYcDXcEUEN1mpPzfJJGZagY3wz
wltZO2YzYMGiRiEwx9OALGAgL+0cmzOPlYBPUXhmzq4N0cvjtQ2XwxzoO4sAHk8OTwcwcAXj
ObOaEY798EUX0A1LOGjc3tKko1hM1EURAaxZ/UkMdthtYXolb7OvuoFA18MWFvjJfZMmkTt3
/nJdBvYo0cA+kbOwphdVbUJLFGA+kHxNYlpdTaOr+PDpM43imAst6rAmGaGo9pH+M9CYiiO9
WCQHFajLxRW/Whlwsem60fPye42EBDltFzcoGzTsjKV8c+IzwltRMO+Ud0Z4g8jM5kdCLfL9
S3u1DIioERtSF0WjawARAQABiQIeBBgBAgAJBQJSRPUoAhsMAAoJEC7pOGmlfVCaO1EP93Le
PkR/IDuAAhMq9QT20Hg5xIqUpYJrEbdx6vmMltspa3J1x2gxBllDCcxATQ3sFb4UXXUkl9Mk
34SpOE5sHNg3tErluztP1GxJ5lurP+m99vjzl4XA0KVRPDo2DL/v6qbgJV6Bv+Ebmw9xmCJl
ZirRjBKS5VqWEUFZre894zWqhdXxXsG1AxspGpv56XopCY7nnX1yo7pRffdkhr06tZkgQ/dv
4m7FkkseibQygJd6OHH9sZgO4AfD0qrTeC298bBQ0YovuHOQeW3EKwSnTYcGn2CGqOAIKlVh
4Uv30FYQY/PPY6ZbjoVtGsr4LYQCuV57ZteOjTHctQhoMZY0yyKKE6Me6jIQwIoo0cARqfrw
KYbHWoYPUWrCv3RAFJsOlU+F51OWSUVjrzGlprAyGo5GRdUMh7rvaoxa6LVDiX19I3G2oLmB
J4ZDTRnkvmMmUNbu6eNNi5om747O49iuGa8kKQnWaEK1AbzgKpOKifcGQjIAGVcsNIYRZ+E6
0uGuv5pDBGVqTgDPZypF8ih1Dm9Ik9ndWbQVpHMAgMyicdy0JxyNwahZ3NFmErdT2ICDPp89
rj8bUOQjtS+aCCz1+b4yypsaBN7XoCVwEJTfMCBiAgVgwqm/pYFcncrepe9Ql4YBZ3UfCrKS
WLM7hsJ7Cx76sQ6OFviaYvZgc9MJtfc=
=TeDs
-----END PGP PUBLIC KEY BLOCK-----

or else you can pick it up off the Internet. You know it's right because as you can see it's signed by me.

The larger signature will mean an estimated 35 to 45% increase in bandwidth consumption by MPEx for the same traffic volumeⁱⁱⁱ. This is not the end of the world. I briefly considered making a custom 8k bit key, but in the end discarded the idea as overkill. Nevertheless, it remains an open possibility : in spite of all MPEx keys to date being marked as "never expires", none of them function like that or indeed are intended to be used like that. They remain revokable as circumstances demand and at my discretion. While I generally try to avoid multiple revocations in the same year, you never know what the next Snowden is going to be telling us.

If you are using MPEx independently, please update its key. You won't be able to use it otherwise. If you are using MPEx through a script such as pyMPEx, make sure you either edit it accordingly or download an updated copy from the script's maintainer. If you are using MPEx through a broker you should be fine.

III. Public keys. This is perhaps the strangest part of the entire affair. We have detected differences in a few user public keys as cached on the disk of the attacked server when compared to what should be more authoritative copies of same on different servers. This circumstance is yet unexplained. It may be some sort of data corruption, either intended by the hacker for some yet obscure purpose or accidental. Either explanation seems improbable.

The variant keys do not work, ie, neither the affected machine nor clean machines can encrypt to them.^iv Nevertheless, in the interest of paranoia MPEx will require resubmitting your public key. This procedure is trivial for the user, as described in the FAQ. You will have to submit the exact key we have on record for your account, substitutes will not be accepted. Should we receive multiple variants for the same fingerprint you will be asked to satisfy a signature test. There is no deadline for this process, but you won't be allowed access to your account until you have satisfied it.

IV. Back online. Internet access to MPEx is to be restored Sunday, Sept 29th, at noon GMT. This is mostly intended to give most people a chance to import MPEx' new key and send over their public key. Trade will continue under supervision for the rest of the day.

In general I don't expect trouble - it is and remains the case that to date MPEx has been harassed through social rather than technical means. Be it DDoS or password begging, neither really have all that much to do with computers.

1. No, it's not in a sauna tyvm. [↩]
2. Which is to mean : slowly. Ironically, I actually prophesied this ;/ [↩]
3. Short one liner orders are impacted significantly but long STAT responses and DB dumps not nearly as much. [↩]
4. Although I confess mentally preparing for the surprise of my life as we were testing this the first time. [↩]