 Good news, folks. So everything is 100% graded except for, like, a few people's midterms that didn't get scanned in properly. So we are today re-scanning them in and grading them. But homeworks all graded, midterms all graded. So you should be able to get that pretty soon. So stay tuned for that pretty soon. Also, I went through and I read the README. We saw last week that one person in the class was able to scam 40 of their fellow classmates to sign their adversarial key with their real key. I've asked this person if they would like to de-anonymize themselves and tell us how they did it because it's actually super cool. And so, would that person like to do that? Perfect. Do you want to go into the mic? Sure. Cool. So I kind of did a lot of stuff. So I actually had to take some notes and go back over my README. Just like a little aside about my personality, I kind of like to do things all the way or not do them at all. Like, half-assing things makes me very unhappy. So at the very beginning of the assignment, I sat down and I read the GPG manual. It only took me like 15, 20 minutes to kind of really get a good idea of what's going on. I'm just trying to understand, like, if somebody was to attack me, how would I know that I'm signing a real person's key and not an adversarial key? So I kind of like wrote out my own little decision tree or algorithm, I guess, for how I was going to decide what's the safe key to sign. And decided that somebody needed to be a computer science or computer engineering student on the ASU directory. And their key needed to be signed by the server. And that was the big one, was it has to be signed by the server and the fingerprint has to match. And it specifically said in the assignment, read the fingerprint, import it into your key ring and make sure it matches. And everybody really got into the name part of the assignment, but everybody kind of lost track of the whole fingerprint thing, which was the more important one, I think. 
Because you understand, because it's a random hash. It's like a hash. Yeah, it's a random hash, so you couldn't just, like, regenerate that. And so the first thing I did was I just started messing around and I said, well, okay, so I see somebody's name, or I see a key. Can I know that that was the original name on the key? And so the first thing I googled was can you change the name on your key? Because that's an important thing to know. Can you trust the name that you see? And the first thing I saw was that, yeah, you can change it. And so I came up with my own little algorithm and I thought, okay, this only took me, like, 10 minutes and one Google search to figure out, so I'm not even going to bother doing the adversarial part of this assignment. I was like, this wouldn't be worth my effort to get, like, three or four signatures. So then I saw the email on the Google group that was, we're making a group outside where we checked two forms of ID. And I said, okay, I'm just going to get in this group right now and get the assignment done with so I can, like, focus on other stuff. So I went and I got on the group list and everyone was really focused about, like, here's two types of IDs. This was really secure. So everyone was so focused on the IDs that they lost track of the fingerprints. So I went and the first step was email the admins. So I went and emailed the admins and I said, okay, here's my key. You guys check my signature. You check the IDs. They'll sign it and give it back to me and then they'll let me on the Google group. The first admin emailed me, emailed me back. He said, here's my key. And I said, okay, I imported the key and it didn't have the server signature on it. So I was like, wow, is this whole group out there? Like, one big scheme and they're just trying to scam everybody in the group? And so I emailed them back. I'm like, can you send me your updated key with the signature on it? 
And he sent me an email back and he says, well, Adam said your signatures will compile on top of each other when you re-import it. So I don't know why this matters. But here's my update on the server signature. And I was like, wow, these guys have no idea what they're doing. So I wasn't going to do the adversarial part, but then the window opened. So I was like, oh yeah, I'm going to send this guy my fake key. So the first thing, like, other people figured this out was you change the name on your key and then sign it by a fake CSE465 server. So I did that. And so I sent it to him and the first admin, there were two admins at the time, the first admin signed it, sent it back and put me on the Google group. The second admin sent me an email back and was like, hey, your key isn't signed by the server, that's kind of weird. Can you update it and send it back to me? So I just ignored him. So the first mistake, one admin let me on the group, the other one thought something was fishy, didn't remove me from the group. I'll own up to that first mistake. I was the one that made the mistake. I believe you have a good learning experience, everyone. I know a lot of people by name, but I don't know my face, but yeah. They actually sent me an email later and I was like, could you get back to me on this? And I just, I ignored that too. Pretty sure, I think that was actually me. So I went and admin on the list, but I was really suspicious of yours. Another thing was at the very beginning, what's your name? Eric. Eric, okay. It wasn't you, but somebody else, so once I was on the group I started emailing people in the group to trade keys. And somebody sent me a key and it wasn't signed by the server and I was like, man, these people are trying to scam me right off the bat. And so I had just decided that I was going to try to scam people too. So I sent him this weird kind of cryptic email and I was like, you gotta get your legit signature sooner or later. So hit me up. 
Like I was just trying to say like, you want to get something weird going on, I'm down. And I don't think he understood what he was doing. He just hadn't re-exported his key with the server signature. So I was like, man, nobody knows what's going on here. So another thing the group didn't do is it didn't list the user's keys in the group. So I couldn't have even gotten on the group legitimately with my real key and then started trading my, you know, nefarious key with other people. They would have seen that I wasn't signed by the admins, so it might have been harder, but that was a big deal. So the trick is, the biggest trick, a lot of people figured out signing by a fake CSE465 server. But the big trick is that when you list the signature on GPG, it cross-references other people in your key ring. So if you don't have that CSE465 key imported under your key ring, when you list signatures, it's just going to say user ID not found. So the big trick is you're going to find a way to get your fake CSE465 server onto their key ring. And so I thought my plans were going to get really screwed up when everybody started using the server, but the group kept using emails and keys in files. So what I did is I put my, I took my nefarious key and I exported it, and then I added like a thousand newlines just to make sure nobody was on like some 12K monitor opening the file and seeing. So I built like a thousand newlines, and then at the very, very bottom of the file I put the key to my fake CSE465 server. And so when people would, when I sent them the file and they'd import it, they wouldn't notice that they actually imported two keys and not just one. So they looked at it, it said CSE465 admin, you know, CSE465 and ASU, but they didn't notice that the fingerprint was different. I actually generated a couple to make sure it started with an A, because the real ones started on an A. That's pretty good. 
I got it on the second try, so I was like, I'll try a couple times, but I'm going to stay here all day if I work pretty conveniently. So I think those are the, those are the biggest things. Another thing that I did, the reason I really wanted to ask this is, I did another cool thing I thought, but it didn't work at all. I cross-referenced everybody that had their public name, like their full name on the Google group. I cross-referenced them with the school directory and took their emails. So I made this big list of emails because, you know, there's no planning board for this class, so I couldn't send like a class-wide email. And I made like a fake tutorial on how to do GPG. And I put an example in there, like, this is how you sign a key. And it was like, the example was signing my adversarial key. And two people fell for that, but like, 40 people didn't. And I was like, for all the things that people were falling for, I thought that would be a really good one. So anybody want to tell me why you didn't sign it? It's like everybody just skeptical of emails, like, why is this dude emailing me out of nowhere? That's weird. Is that what it was? Another thing was somebody posted code. Was that you, Eric? You posted code? This is kind of funny. That's really exploitable code. But I didn't exploit it because my ISP crashed. And I forgot to do it the next day. But what it did is it imported keys and then checked for the name and the email, but not the fingerprint or the server. So you could submit your fake server to it first and get it to import that. And then send it your adversarial key and it would pass that. So Merry Christmas. Another thing, I was kind of like steadily building keys. And I was using the group, like the ID group that I formed outside. I was using that to collect my nefarious signatures. But meanwhile I needed to get my real signatures, like on the actual Google group, I was using my legit key. 
And so I was kind of like, I had two completely different pools of users and I was being really careful that they didn't mix. So if somebody started importing like my nefarious key and my real key, they had two of the same name on there. I thought somebody would sound the alarm. Only one person ever actually called me out and they called me out personally directly by email. So I was kind of afraid the whole time that somebody would blow the whistle on the Google group. So I was being really careful. But I didn't have to be concerned about that at all. So I was kind of like building up my 20 legit signatures and I left on the Google group. I left it so it was just my email. So like you can only see the first three letters of my email, but you couldn't see the rest of my name. And so once I hit my like 20 legit signatures, I deleted all my previous posts and then I changed my name. So I showed my whole name, so just my email and then I just like started helping people with their homework. I was like, oh man, I'm a really trustworthy guy. And then I started putting stuff on the Google group like, I know some of you guys are procrastinators, but I'm here to save you. So just sign me and then I'll see your signature in the morning. I'll sign you back, so don't worry about it. So I kind of like slowly built up a bunch of signatures. And I think that helped that like once I put it on the server, it already had like 15 or 16 signatures. And then once it already had that momentum, people trusted it a lot easier. And all you had to do was check the fingerprint to the server. So I had a lot of fun. Thanks everybody. And thanks Adam for putting on the best homework assignments ever, right? Two questions. Yeah. So one, there was a lot of one-on-one communication. Is that what it sounds like? You were individually reaching out to specific people? Yeah. So in the group, it was like we posted all of our emails on a Google Doc. 
And so we just all emailed each other individually and attached files and emails. And that's how I was able to like get my server onto there. And my second question is when did you start the assignment? Like when did you pull on for yourself into... Well, like I said, like immediately when the assignment came out, I read it and I was really interested because Adam always has the best assignments. And so... I'm not paying him to say this. I was really excited about the assignment in general and just like I'm really competitive. So if it's a competitive thing, I just want any advantage. And I just wanted to make sure I wasn't getting scammed. So I started right away, but it was like a slow build. And most people didn't start the assignment until like four or five days before it was due. So I was able to build up momentum early with the people that started early. And that was... I think that was the important thing was when I put it on the server, I already had a bunch of signatures. So people felt safe signing it. Fake web of trust. And starting early, these are both good. Yeah. Good traits. Cool. All right.