Canaries

What is “canary”

To confirm that DeepTech group is not compromised by any attacker and that administrators are not under arrest we publish so-called canaries. This is a message containing

  1. The statement about situation
  2. Clear indication of date when this message was created as well as confirmation that it was not created beforehand. For example, includes recent news
  3. Digital signature made by group administrator’s private key

How to verify a canary

To verify use our public key. Here is a guide for console GnuPG: import our public key

gpg --import key.asc

or receive it from key server

gpg --recv-keys 0x8B2EAB50FFCF63CD

It has subkeys, one of them, 0x359C97B6B05E5A41, is used for signing the canaries:

$ gpg -k deeptechgroup@tutanota.com
pub   4096R/0x8B2EAB50FFCF63CD 2018-06-05 [expires: 2020-06-04]
uid                 [ultimate] Deep Tech Group <deeptechgroup@tutanota.com>
uid                 [ultimate] Deep Tech Group <deeptechgroup@protonmail.com>
sub   4096R/0x5A5F4E77BAC8D911 2018-06-05 [expires: 2020-06-04]
sub   4096R/0x359C97B6B05E5A41 2018-06-05 [expires: 2020-06-04]

Copy the canary’s text (including the signature part) into a file, e.g. canary1.txt, then run

gpg --verify canary1.txt

If the signature is correct you should see something like

gpg: Signature made Wed 06 Jun 2018 00:00:02 AM GMT
gpg:                using RSA key 0x359C97B6B05E5A41
gpg: Good signature from "Deep Tech Group <deeptechgroup@tutanota.com>"
gpg:                 aka "Deep Tech Group <deeptechgroup@protonmail.com>"

Limitations of our canaries

As all DeepTech administrators work using pseudonyms we cannot use normal PGP’s web of trust to confirm our identities. So an attacker who takes control of all our public resources can replace the key to his own and issue fake canaries that will pass the verification steps above.

Recommended defense: save our public key early and use it to verify all subsequent canaries. In future we may use multiple keys and may join web of trust.

Also please remember that canaries can be compromised if attacker gains access to our private key.

Canary #1 from 6 of June, 2018

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Deep Tech Group Canary #1 ]

Publishing website of Deep Tech Group.

This canary is issued on 6 of June, 2018.
Proof of freshness: Linux kernel 4.17 was released on
Sun, 3 Jun 2018 14:58:57 -0700
https://lkml.org/lkml/2018/6/3/142

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJbFyQCAAoJEDWcl7awXlpBT/0P+wSf4oLBlmNvulgGz3Dmms6s
U65jUvpWtHIr7L93YsOf5y5hnxj3H7+Aj3L0Wr/KiPD+HOlzABha2ynE09agN14F
gHpVWrYCOz/cUdWhJZkWE8aq0nFYrojQnqiGeLxvBdgvDCLg03zngLbL/iowqi31
HpCeu9UPbIi/w2RG5i9MlOrbElaSB3tVVwgSDCnYmeNV5W0dw8xAKU/u+OXVgTZi
HNn7o7lMHSR2FGu3UJq/JnPy0b1dLp40q4AfMtfbvhulQt8j8EAcjLCe83aOlzlA
jcvpVURtpnKPrrmolV9tzaKLe7M0VwiM1eP1oQSwkR3yUy98iA3nI0HRcvH1/Yqv
o0MTFJKtM+/WB/gsx0IahDxfUZQrGjlc79F5T4olJishg5I3PC/mxuV7dGw8CfYl
z9FbQyxpk8u1cd2muFxjOnvRGccnqMVnMEd0vL5tL5vw25qfL6wRI+XVjq3ELWbj
9RZImjgP1zWn849gfb5RLXlLU1jROqadH9N0S7i6PCVnlsTO0OkB6/a4uYvidJJb
M4sXOE6ReKCkvddAVz7gQbQ8AmiIFIwrLt1Qy2T6AkTllJyQEgtqBUxXy2PNDpxz
0e95K6AtC/28SBVJEvJznIKTIQSDLJt1Yd4fGAYpisqkeOCOaZfywWTIWZQ2XC5E
dU791hUrzI3H1SR4NQFO
=m2NJ
-----END PGP SIGNATURE-----

Canary #2 from 8 of January, 2019

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Deep Tech Group Canary #2 ]

Publishing git services of Deep Tech Group.

This canary is issued on 8 of June, 2018.
Proof of freshness: Linux kernel 5.0 was announced on
Sun, 6 Jan 2019 18:14:15 -0800
https://lkml.org/lkml/2019/1/6/178

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEECSxmi6XNcjtnmvyQNZyXtrBeWkEFAlwz6AAACgkQNZyXtrBe
WkHDqQ/9GcHkE7r8QY1dXkBJ+Mmam7xMqqOJ4E+fmLj9hbSIW3w22meVcW3gX/G5
tXec1fAZ2/jw5Yt2kAXoBe8Km4FUBEjbm071oHFyXSBqPB8mnSSl7yRwj0DKCyCt
cfwUBN4V5DJcrbftm5i2mWERT0HKYPFAj0dks5zkuSP6OC9kdONxDPN/oiby60Qe
siCAxc9zztq6Kd7ONnKh+LyVaRwaw4/haCSNSmCcgVmIowGxXuyzMjPu0Bsj1aDE
4gj0AxpUuZV+B3WCNMpEhcVQsGC/JoD8BzYrknDdOhWTCCU0tObUW99MlXDn4WgT
+Ii6V1A4Jc6osuiNKnNJEf5o5JmFB3Yfv2DsV0fO7x9uggA1zzjI5AqNKp+RCfFZ
LNV7xPa8LRKyO1DK2+hMexXE+QmJTd3R+t7J/W5XSM8QTiaEqBY6T6kIakqHFVzm
N4tQRXOqtjiSP/7jJJvANTNLbl0YxZiFNLIGotNzZRvUIyMdkSKvc67tIf74/gkm
DKy3FAITJHpGuhSZPXUWPIK62HpgCg8VduaKJVrG2aU2C7/gq+jHlGdv7k30gDeo
2YaKoUHGUUbp2FSwUGl0AZJd6HOhhek9PjkmWReCXNMjXpQNGyIiImb6o7Qq0eOS
kpBn5gBp2tVIGTu4R2nOGbGyz8dyH58ULZxIepIfh806fu5KIiU=
=n1gd
-----END PGP SIGNATURE-----

Canary #3 from 6 of June, 2019

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Deep Tech Group Canary #3 ]

Celebrating one year of public operations of Deep Tech Group.

This canary is issued on 6 of June, 2019.
Proof of freshness: Linux kernel 5.1.6 was released on
Fri, 31 May 2019 08:53:53 -0700
https://lkml.org/lkml/2019/5/31/617

Next canary is to be released in early January, 2020.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEECSxmi6XNcjtnmvyQNZyXtrBeWkEFAlz4V4IACgkQNZyXtrBe
WkF9Vw/9HaO3b/rKdpK2J2UEjRmIz00ad5HCjHEzp8ZGKVuvcq0gGfsgSyH4p1Jm
mxP/xheSIk/aPz4TuWRkp2AzfS63NpsGMkTE4K60VtagIuQylEC+WDo0Rq6W7iBW
2iAhr5ztFTjlxQnTyvVP/Ou28ZIYXZVCQD62JyHZZi9OjqVWUUcmdZ5AkBVovzD6
/Ay3r1WReeMcEm7eo/z0ABHkqyai3zxW+pqsg8qqNCikFiVJDQKQrCceOwORCt3j
XmHqy/yWv2L7bhct8TqwCa7Hd3+XXB9iCkyQ/bCv2iCPKJ7QFNGd07BJPSBc+DYN
/bVEKyoO/wBMVc0E6rIo3ew0VZDKf6CaeRbYSV00Up2K0jJMne42p40qVBqpmhiK
PzSHtGm2ZPMHwk90vxqoFeRjF2WKgFdNX8Ll6HO3fTDqQ1Ui5sStMMpIkiHxu4ed
7IUoCHAP7PgWmZbGWQG2ns0K/6BcjRx/XU4PNjHPBwDw9NSjqqBotTBCpMH8I5oM
8BEu64mA2LEjIYu1cvhlNka1fzUglX+d8VQzQlUypc1MewsVo+M3mb4rJOqtomWj
uIikZOnoJq8P9yfhZIeikdNA0yI36G0WM/GXshVld5YMh1j9RWLEdoUCMmd0AeY/
F++uVvmj4AMyxip6awFikmakX5wYUDkgWLwiJwhFJBs6javZU8g=
=mr3t
-----END PGP SIGNATURE-----