[semicolon_storm]

What evidence is there that this is actually the SolarWinds hackers and not someone who uploaded some random encrypted files and is hoping to trick people into sending them money?

There’s a PGP signature, but as far as I’ve head the attackers didn’t leave behind any other messages to prove it was signed with the same key.

[piracy1]

And it does not seem a very serious attempt either. The only way to make this deal is through a single listed protonmail address that if this gets any traction will be closed in all likelihood. Not like an onion site with a contact page or something.

[sudosysgen]

Not really.

The message is PGP signed. If the protonmail address is taken down, then another message will be put out with alternate means of contact that will have a correct PGP signature.

If you read the message there is indeed an onion address as backup in case things get taken down.

The PGP address is the important part. No matter what gets taken down, if they can get attention to another message with a valid PGP signature, then they can carry on easily.

EDIT: This is actually how Cicada3301 of all people operated. The PGP key allowed them to post a message even on Pastebin or /x/ and they would still be contactable and effectively uncensorable, because their identity was persistent and their messages were replicated.

[technion]

As a side note, with so much attention on replacing PGP, I've long though the turning point would be when a group like this uses something else. It's just a highly visible thing and it's a group that a lot of people assume know what they are doing.

[KirillPanov]

> with so much attention on replacing PGP

There actually isn't much attention on replacing PGP with anything specific.

What other completely decentralized alternatives exist with no single point of failure? libsodium? That's a good start but a long way from a complete alternative.

Plenty of quasi-centralized encrypted chat "apps" keep pretending they offer what PGP offers. The clueful ignore these gesticulations.

[xmodem]

Indeed, for a side project I have, I have a problem I want to be able to solve of "encrypt a file with a passphrase in a way that's secure and can be decrypted with standard tools". PGP is the best option for this, but I'm resisting implementing it in the hope I can find something better.

[technion]

You may wish to look at age: https://github.com/FiloSottile/age

[technion]

For the context right here minisign would be perfectly capable. The post on this thread is not encrypted, there's no "decentralized" relevancy. Minisign has smaller keys and forces modern technology with a far simpler format.

[brobdingnagians]

I've always wondered how effective this sort of info security is. Could a state actor track down there sorts of operations, or can infosec be good enough to really leave no trace?

[sudosysgen]

It's not that hard to do this kind of thing without leaving any solid trace at all.

A way to do it for example would be to use a stolen credit card to subscribe to a few VPN with hops on Tor in between and use that to set up a VPS that puts this up after a few weeks

The devil is in the details, but if you're careful you can leave absolutely no trace.

[bouncycastle]

Although, the more they interact with the internet, the more clues they leave behind. Things like Tor can be deanonymized, and even Tor has a warning. Quote: "Generally it is impossible to have perfect anonymity, even with Tor."

Source: https://support.torproject.org/faq/staying-anonymous/

[monsieurbanana]

> Although, the more they interact with the internet, the more clues they leave behind

Interacting with a tor browser would be amateurish at this point. Just connect to tor (not on a browser, tor directly), use a script to upload to some random pastebin, disconnect from tor.

[jojobas]

Let's say you followed all of the leads down to connection points.

Randomized MAC connecting to a MacDonalds free WiFi, cameras capture a masked guy in a hoodie or black Cutlass with unreadable plates. Now what?

[autoro]

I think we can't know for sure unless they will release some of it like the shadow brokers did. But the shadow brokers show that it is possible for hackers with high valuable leaks to post it for sale in the public Internet.

[malwarebytess]

Usually for this kind of thing samples are provided. This attacks feels too sophisticated for a mere sale. At best, if this is legitimate, it's misdirection.

[jinkyu]

needs proof of life. none of the "vendors" will consider it without proof. in-fact they would likely verify if they were real dumps.

[forgotmypw17]

Strange that there is no public key provided...

You can't verify a signature without a public key.

[sudosysgen]

You can extract the public key from the signature. This public key is E2C73BC53B9118A0.

If you want to have a go at it yourself, run gpg -vv and paste the entire message, it will give you the public key.

[forgotmypw17]

No, you cannot extract the public key from the signature. It is only telling you the fingerprint of the key the message claims to have been signed with, but there is no verification happening.

You can change part of the message or the encoded fingerprint (which is a bit longer than the portion you pasted), and it will still report it the same way.

However, you will not be able to mathematically verify that this message and another one was signed by the same key.

If you look carefully at what GPG is telling you, probably see a line like this, unless you have the key in keyring:

    gpg: Can't check signature: No public key

[sudosysgen]

Yes, you're right, this is only the ID, you'd need to get the actual key off a keyserver.