tycoon

If I understand correctly, this hack wasn't discovered by auditing any source code, right? I heard the Microsoft guy just had a weird feeling about SSH executing his command for a few too many CPU cycles and was curious enough to investigate. Does anyone knows if it could've been easy to spot this by reading the source code or if it's hidden very well?

@LowLevelLearning Please revisit 2:36

Are there more videos to come on the topic?

is there a specific version of liblzma.so.5 or liblzma5.4.1 ?

The problem is this attack was done during the build process.... so you need the source to build it to verify it ... but its tainted ... so .... its valid? yea... this one was a wild one

@@mitchellmnr This is what the comment is talking about. The source of the build script must be part of the git repo.

@@khai96x they are .... The way this attack works is when it runs tests on the source...

at that point, you should generate the binary on the fly. not that that would help when the build process itself is infected

It's a decent idea but what do you mean in practice? Do you run your build in a way that refuses to give it access to any of the test data? That's not too crazy. Is it enough? Do you verify that others can produce your build without any of the test data? How do you ensure that the build process doesn't have a side channel running in both cases introducing other logic? What i'm saying is this idea has to be mapped to concrete practices and tools.

Pretty much. I dont think it could of even been hidden any better. The main reason anything was looked into, is because someone noticed their SSH login taking half a second longer lol.

Except arch (due to how arch doesn’t patch sshd to connect to systemd-notificationd.)

@@draken5379 Oh but it could be... What if your billion, no trillion $ chip - board makers are embedding hidden algorithms as such but as undetectable hardware roms that the OS, the user, etc. doesn't know about. Then with that only a handful of elite personnel coming from these giant corps as well as limited personnel within some government agencies have direct remote access into these hidden systems. Think of it this way; some of these newer systems you can load the entire Original Doom Source Code and Assets directly into Modern Cache and never have to go back out to RAM or to the Hard Drive. If you go back to the days of the sneakernet with the good ole floppy disks, people used to sneak malicious code into their 512 byte boot sectors. They can literally miniaturize a 6502, and 8086, or even a basic Pentium these days into a chip so small it would look like a little controller on the motherboard or even onto some peripheral card that one would have no idea what it is or was truly designed, intended for. This doesn't even account for modern UEFI systems compared to obsolete CMOS Bios type systems. And now with the advancement of A.I. and designated A.I. chips showing up... The sky's the limit. Well, skynet is the limit according to some... They can always hide it somewhere that is least expected. How about within a button on your polo shirt? You have to realize that we aren't just in the age of digital we are also in the early stages of Quantum Processing, A.I. Systems sure, but we are also on the stage of Nanotechnology. They can literally make programmable machines that are 1,000th the width of one strand of your hair. You can't even see them with your eyes. So if they truly want to hide something they surely can! And they can hide it just about almost anywhere they want. Even in the foods you eat and the liquids you drink! And this is not science fiction either!

His name is Andres Freund

...that feels like a paranoia syndrome waiting to happen because their fears have been proven so much more horrifically right than they thought. That's going to mark them, considering you already have to be pretty paranoid to check code over half a second. ​@@draken5379

yeah its really sad :(

@@mayshackwe don't know that Jia is one person or an identity being used by a group of people coordinating the attack

​@@channelgogrvk I'd guess, it's the latter...

@@eight-double-three NSA, Google, CIA … ?

@@franzlyonheart4362 Probably some asian/russian threat actor. My guesses are North Korea, China or Russia. Maybe Lazarous Group? Killnet is out of question since they do mostly DDoS.

It's frustrating because I deal with people every day who don't like Open Source, but have no problems using SolarWinds!

Imagine this happening with a closed source company. Somebody applies, silently checks this in with the binary files, and there's nobody outside of the company that even has a chance at catching these backdoors. How many of these backdoors already exist in commercial software? How many does the company owning the code know of?

@@dascandy THIS. Every time i see somebody talking about how this is "an issue with open source", i think this exact thing. What if this happened in a closed source software? AT LEAST with open-source you're able to find out. With closed-source there's a good possibility that piece of code will never be looked at again because "it just works".

@@justacat3639Thinking back to some part of Windows NT4 shipping with a thing called "NSAKEY" (en.wikipedia.org/wiki/NSAKEY) and nobody knowing what it does or how it got there.

@@justacat3639It is the well known selection bias.

We all know who it is, we just can't say who it is.

@@zirize Three letter agency funded by a big brother?

​@@zirizeit's not the NSA they have Intel management engine and AMD PSP

@@saddish2816 Why would they stop at a hardware backdoor? Ideally you want to control every step of the computer's stack from bare metal to the user

​@@Superchunk-k2hNSA isn't gonna do that FIB or IAA might tho

While I agree with you in spirit, if you're running RHEL and paying for it, IBM isn't giving the maintainers of xz a cut of it, so just paying for FOSS in a corporate setting doesn't exactly solve the problem either.

I totally agree. Corps generate hundreds of dollars per tool used, but they don't even donate a dollar. Then we get a core-js or faker.js situation and people lose their minds

I'm sure I'm not the only one who was reminded of Clifford Stoll's "The Cuckoo's Egg" (1989), where a 75-cent computer usage accounting error ultimately revealed a remote attacker with superuser access.

to be fair the attacker had to disable and ignore several address sanitization features and test checks. Hence why stuff like valgrind was already setup to catch stuff out for this particular project.

so it does make me wonder how many of these backdoors are already out there, just not discovered?

And the attacker was working with one distro contributor to help fix the valgrind errors. And the said contributor, AFAIK, was helping in good faith.

@@AeduoI don’t really know jack about software dev and I was still able to use valgrind to find a memory leak in some important software and report it

The real question now is: how many times have we not gotten so lucky?

just curious.... why would large organizations be using operating systems that get updates from open source git repositories? maybe im understanding this attack wrong just curious if you dont mind educating me

@@Noname23489 A sizable portion of servers on the internet run some version of Linux. There's no good data, but I've seen stats that are well over 50%. And everything based on Linux is at least partially relying on open-source code.

/cries/ I use arch BTW :(

@@Noname23489 that's basically asking "why would large organizations run linux", and there's lots of reasons to do so.

My takeaway is that open source is only as strong as its weakest link. So many projects go to the graveyard because of the lack of maintainers, and there's a lack of maintainers because people need to eat, need a roof over their heads, so they work their 9-5 as software engineers, which is draining in of itself. So when a crucial piece of software has a solo maintainer, it's a prime target for attacks. If there was more compensations for open source maintainers, maybe some of them could afford to maintain the software full time, and as a result would not burn out and be less prone to social engineering attacks. Or we could just create a foundation for those crucial projects, so that there are always developers able to maintain the software, and need to reach a consensus before anything gets merged.

@@Dogeek I think all the companies that used open source software in their commercial projects on a massive scale that command massive profits should be obligated to divert a fraction of a percentage towards maintaining these things. Or better yet when there's a massive fork and that fork goes on to make billions of dollars, leaving the original project in the dust and penniless there should be something that allows maintainers to continue doing what they love to do. I love open source but the (un)ethics of business undermines such a great ethos it really becomes disgusting. Sucks to see such openness taken advantage of again and again, and even more now since technology companies rule as the market leaders in today's world.

Not even that, he knew the attacker for YEARS before he let him into the project. nearly 4 years. And the guy was nothing but nice and helpful until a month ago. Nobody, not a single person on this planet, would have not trusted him by that point.

​@@ichigo_nyankoI wouldn't trust him until I saw how he handled LE or drugs/alcohol. Being internet based, I don't trust nobody.

Many projects do not need active contributors. Just stop adding more features.

Agree 100% with this, the fact that open source code is evaluated and run by so many independent people is a strength that leads to things like this being found. If this change was to a closed-source tool it could sit in a repo for a decade and no one would notice :/

It was more luck and that the new version caused half a second delay that a person was doing performance tests at the time most other people probably wouldn't have noticed unless they was doing performance testing, this was pure luck as it wasn't that Mutiple people picked up on this it was just 1 person if they fixed the delay part it wouldn't have been noticed until a couple of years later on when some high profile targets got compromised and don't know how

It does some really complicated/shady things like altering the Global offset table and character recognition, I wonder if we ever get to find out who was behind this

systemd was transitioning to dlopen

What's that and how is it relevant to the topic?

@@smnomad9276you should read it. It’s about “how can you trust your own trust chain” and what can happen if that trust chain is broken. “You can not trust code you did not compile yourself”.

@@smnomad9276 go read about it, you have the entirety of the internet at your hands.

@@smnomad9276 A famous speech/presentation he gave as part of an award acceptance speech. It's basic premise is "what if I maliciously modified the compiler included with the UNIX system to do two things - 1) if compiling a system component, insert a backdoor that allows me full access, and 2) if compiling a compiler, modify the output compiler to perform these two steps." Basically saying, "how far do you trust what's been given to you?"

Trusting Trust is a much deeper concept, and the reaction to it was the practice of Diverse Double Compiling. This trust gap is way easier to deal with, and more analogous to the use of nothing-up-my-sleeve numbers in cryptography. Distributing binary blobs alongside source code should be treated with great suspicion. Let test data be programmatically constructed, and therefore auditable the same as code, or by some other means be provably incapable of hiding machine code (e.g. pi).

Large developers that depends on smaller OSS projects needs to contribute to maintain all the projects they depend on. Either man-power or money.

You could also mandate that test data must live in a separate repo, and must only be used while running the tests (in an isolated sandbox). Also the build system should be less flexible so that any weird stuff really stands out. But all of that is moot if it's the maintainer doing bad things and no one else actually reviews any of it.

@@ville_syrjalaAlso inspect binary blobs before they are uploaded to a repo.

Yeah even going through their commits the majority of them are benign improvements... And then this, with the seeds having been planted in the test files ages ago

More like a snake you sheltered finally showing its true color and biting you to the ground

@@nuke_parasitine nah, the contributer, before the backdoor, was only ever helpful and nice. If you knew someone for years and they were only ever lovely to you - and it turned out they were a serial killer - it would be a horrible thing for people to imply it was only ever obvious (they were a snake, you let them in) when it wasn't.

@@ichigo_nyankothe shit you nerds say lol.

​@@atticus2274 Nerd calling a Nerd a Nerd is peak irony.

phosphorescent, even

Stop being antisemitic

@@GelatinousSSnake i thought glowing is a fed reference, what does it have to do with semitism

@@GelatinousSSnake Glow = government agent, not anything relating to ethnicity.

@@GelatinousSSnake wtf 😂

Oh? You mean how this backdoor didn't affect any LTS distributions used in servers or production environments but only affected rolling release and testing distributions? That scale? In other words, only desktop users who are stupid and naive were affected.

@@adibemaxwell6111 My dude, what do you think 90% < of the internet runs on?

@@adibemaxwell6111 It targeted all Debian based distributions. The only reason only rolling distro's were affected is because that Freund dude just so happen to be benchmarking his PostgreSQL databases and therefore end up noticing the backdoor. If he didn't it could have been planted in LTS distro's as well after some time. Also, the bad actor has been committing to the repository for a few years and it's still being investigated if there's more malicious or at least sketchy code in there, which if there is it could mean that even older versions of the libraries could be compromised in some way, which would also mean compromised LTS releases. You have to be short sighted to think these sort of attacks is solely an issue for people running rolling release distro's...

​@@adibemaxwell6111 If it hadn't been discovered, it would be on like 80% of servers within 6 months. The only reason it didn't is because some Microsoft employee noticed high CPU usage from sshd and looked into it.

@@adibemaxwell6111 nice comment to generate engagement, go ahead dude.

I LOVE openttd. didnt realize it uses xz D:

S**t just got serious - no-one is touching my OpenTTD! 🤪

That's it!! I freaking knew I recognised xz from some ancient memory!

Not sure how OpenTTD would ever be affected, even if using xz with a backdoor, since it replaces RSA decryption function, and gets the payload from RSA key supplied to SSH.

@@DVSoftware OpenTTD may not be vulnerable to xz itself, but it certainly is vulnerable to GitHub taking down xz's repo and users getting pissed about potential malware being included with the game.

Guy? Or guys, plural? Or … state sponsored? NSA, CIA, ((Washington)), etc.?

@@franzlyonheart4362 its always a government conspiracy, eh?

@@MarBL23563 It does make sense in this case though

@@MarBL23563For you it's never one

@franzlyonheart4362 why is everyone in these comment sections assuming it's got to be an American agency? My money would be on China, Russia, or Mossad. Hell, Mossad's bread and butter is this kind of diabolical social-engineering into unnoticeable attack vector.

Little do you know that riscv could also have a backdoor. mwahahahaha. You must create a completely custom architecture and custom silicon to be sure.

and also blackjack and hookers

@@mineton1293oh but then there's backdoors built into your circuit design tools as well, so have fun arranging logic gates entirely by hand

​@@mineton1293 Easy AF, I'm taking my soldering iron and going to work :P

Dependency graphs give us the tools to fix problems once instead of over and over and over. They also allow us to be more effective and efficient in our work. They also let risks and failures cascade through our ecosystems in astonishing ways. Not all of the problems are even malicious. left-pad in nodejs was just someone unpublishing his work and it took down tons of sites. What's the answer? i have no idea. But if we focus on practical situations we can perhaps come up with practical mitigations that reduce harm, and improve.

@@_devilfish303 The point is Linux in its current state doesn't provide better protection than Windows. The slogan "you can always recompile everything locally to make sure the binary matches the source code" doesn't work anymore. Because every single Linux library is dependent on dozens of others. It's physically impossible to recompile everything on your own. And even if it was possible it would still give no guarantee as this attack was built directly with a hook to inject the binary malware during the compilation process without altering the source files. Yes Microsoft is not better. But it's not worse either. And this is the true issue here. Why bother with all the hassle of securing your linux if anyone can trash all your efforts with a single commit in some obscure source repo you never heard of?

curl | sudo is the one that terrifies me. Literally random code from internet run as root. Multiple attack vectors there from ip / DNS hijacking through to just straight up blobs in the install script... Plus potentially no evidence of what you just downloaded

​@@christianbarnay2499microsoft is not worse? If such a backdoor was installed in windows, it wouldnt get discovered EVER. Even a simple babckdoor wouldnt ever get discovered, which wouldnt even get merged if it was open source. Security isnt black and white. No system is ever completely secure. Its about reducing the attack vector. And the attack vector in open source or linux is extremely small compared to proprietary.

@@christianbarnay2499 Gentoo is from what I understand a distro where yes, recompiling everything is practical.

That, or install an uncompromised xz on that server instead.

That's because everyone is under the impression that these kinds of things are rigurously checked by someone else, therefore no one checks them. This should be a wake up call.

Who would win: A multibillion dollar government agency, or one giganerd noticing his ssh takes 0.5 sec longer to log in? That's a W for the nerds, boys.

@@TheOzumat Obsessive optimisation is the root of all evil - and that is why it also naturally finds it. Dude wanted to optimise performance and probably spent days untangling the mess he ran into - just because he wanted a near unnoticeable improvemet.

Everyone's calling it a W, but imagine all the projects that aren't being autistically benchmarked by someone with a unique problem.

this was found by chance more than anything, it's only because someone tried to get a good baseline for their system that they noticed that sshd was doing more work than it should and dug into it If that didn't happen then this would never have been found

Well yeah. But a lot of bad actors are now fear mongering so that people get scared of open source projects. We should doubt every project, for sure, but we have the ability to look at code and the whole build process and catch such exploits. But of course, as this example showed, there are simply too many projects for people to realistically screen with every commit. But we have to start being more cautious, starting with the most critical packages would be a good beginning.

⁠​⁠​⁠@@ratchet1freakBut on the other hand, if the library hadn't been open source, he wouldn't have been about to look into it as deeply as he did. He likely would've had to conclude that the developer introduced a bug, and at most reach out to them, which would've only served to tip the bad actor off that their backdoor was still too detectable. So overall, open source did "win" here.

​@@helipad_huck1543as it happens, someone else actually did exactly that from my understanding, and that was the patches that the second version of the backdoored version of xz fixed, some valgrind issues that were found by a maintainer of a different distro, so that's xz 5.6.1 :P

@7DuRd3n In the shower

I've heard something like that, I thought it was common

@7DuRd3n geniuses that have specific domain knowledge sharing ideas with others in their domain knowledge. this most likely was a state operation. you think this is wild, imagine the concepts and ideas in modern mathematics where you are not constrained by physical limitation. everything is abstracted and abstracted.

Small OSS projects like this usually have a very high bar for performance to meet, and they usually meet them no problem, so it makes sense that the valgrind performance anomalies were the reason why this one got discovered. Now imagine trying to discover "performance anomalies" in commonly used proprietary software...

Without question. This was a well-funded state-level attack, likely one of the 1st-world governments.

They spent years setting all this up, too.

And yet they managed to calmly disappear once it was discovered, instead of yelling insults at the xz mailing list. True professionals!

@@Uerdue As opposed to when they were setting this up where they (presumably this was them) were quite rude.

I have a feeling that it's not just a simple uber haxor kid, this is too big and the setup is too perfect in the way it was being set up slowly. I don't want to sound like a conspiracy theorist but I just have a feeling that the guy who we all saw as a co-maintainer is not the sole brain behind this attack. It had to be a group who would greatly benefit from having this backdoor available.

@@Cavi587I think most people consider a state-level actor (like some intelligence agency) the most likely behind this. It's not just the amount of time/work spent on it, it's also the likelihood of failing which was too high for the average cyber criminal without government funding to risk so many resources on it. What if systemd drops its xz dependency 2 years into the project? Or another contributor shows up who likes to do his own improvements to the tests or build system (that touches your manipulated files, so you have to turn down all of their PRs for made-up reasons)? Or the original maintainer is just stubborn and says "no binary blobs of unknown source as test files, period"? Or some person simply finds the backdoor before it makes its way to stable distros? There are so many ways for such an operation to go wrong. You either have to be able to scale it, working on a bunch of these in parallel and hoping for one to succeed - or you have to just be ok with the operation failing and the only thing gained from it being the insight that it's quite a hard thing to pull off successfully.

the latter is very viable, given that there are botnets pinging every single public IP address right now in hopes of hitting something

Attacker prob patiently waiting for their code to be published with stable release then do crazy stuff. Remember it got exposed just because of 1 dude noticed ~500ms delay on his ssh connection.

After the hard part is done, the attacker just hopes the biggest targets are infected.

@@gie4830 500ms is crazy delay, no way this backdoor will come to stable

@@gie4830 I don't know. I'm pretty sure actual big actors don't have SSH servers directly addressable through the public internet, you most likely need to jump through some enterprise VPNs to get access. So the targets were mid-sized. At least now he's vulnerable to getting honeypot'd. Wonder if someone will attempt to catch him like that. Though it would have been easier to not alert everyone if he really was targeting only a few actors.

Just so impractical :( I just want to use my system and write things that jave some power to alter things. A big stack of sandboxes and passwords is so frustrating

@@kapytanhook then we need to make that easier. I hated the idea of 100s of passwords (for example), but a password manager has made that easy.

@@hellowill yeah, honestly. But this is deeper, it's that you can't trust your own machine or things running on it. People put backdoors in everything. We need well funded open source hardware and software but we are moving away from that

You can find any arbitrary sequence of digits inside of Pi if you search long enough. Meaning you can find a sequence you like because it's vulnerable, then pretend like you rolled a dice.

That's just silly. They're test files.

@@alexnoman1498 Indeed, which is why you would want to use digits starting from the very beginning. (I think the Wikipedia article on "nothing-up-my-sleeve-numbers" also notes this in one of the first paragraphs.) I just left that part out in the initial comment because it was already long enough. Anyway, my point is: Binary (test) files of which you cannot explain how you created them are inherently suspicious. They may contain a rickroll link stored in low order bits of some pixel values, the mighty flag if you're playing a CTF challenge, or a secret backdoor to-be-extracted by the build script, as in this case.

The starting point would be its own magic number which should be a 'nothing-up-my-sleeve-number'@@alexnoman1498

That concept exists because of stuff like Dual_EC_DRBG (although Blowfish predates it).

It wasn’t a few milliseconds, iirc it was 500ms

he didn't investigate because of slow down, "FWIW, I didn't actually start looking due to the 500ms - I started looking when I saw failing ssh logins (by the usual automated attempts trying random user/password combinations) using a substantial amount of CPU. Only after that I noticed the slower logins."

All thanks to a bored and curious Microsoft engineer who was running a timing test on the SSH login process. The time difference between a normal and infected login was less than 500 milliseconds , and that's what tipped him off. It's pretty remarkable.

@@BillAnt That's a story of human evolution haha.

Also, code freezing or "don't fix what isn't broken" was not so bad idea after all.

Perhaps the popularity of BSD is about to increase!

This has nothing to do with "simplicity of software" but whatever

@@DaveBucklin I hope, BSD is such a great system

not necessarily. Many OSS projects have only single maintainers, which makes this kind of attack easier. Large software developers have extensive code reviews with many eyes looking over changes before commit, meaning that a malicious actor (other than the company itself) would have to fool or corrupt many developers to sneak in the backdoor. I am not saying that Closed-Source is in any ways better, what I am saying is please don't try and make it seem that OSS is always better able to withstand these attackers. OSS is much better on average than closed source, but lets not get complacent, but try and figure out processes to prevent something like this in OSS in the future.

@@MrSmokinDragon I agree, that this wakeup call should encourage everyone to be more on the lookout for such things. My point is, that you can ONLY do that in open source software. With closed source software, you never know. Sure, large companies also do code review, but not all widely used software is written by large companies with good practices in place. And good practice sometimes get thrown under the bus when time or money is short. If you can't see the git repo, the build scripts, the test files, then you have no way find out why your your program is suddenly slower by a factor of 4, or if some malicious employee committed some questionable binary blobs some time in the past. *shrugs*

@@MrSmokinDragon Yes, but the makers of closed software can put these things in on purpose with no one knowing. We know governments are the biggest cartels in the world and can get your cooperation.

Heard about the nist recommend crypto standards.... Quite a few have mysterious issues. Check out en.m.wikipedia.org/wiki/Nothing-up-my-sleeve_number (the counter examples section). Why subvert the code when you can subvert the committee defining the crypto algorithms everyone has to implement. Espionage predates computers.

No lol ? How exactly are you going to get your code, anywhere near, lets say, KZbin or Photoshop`s source code ? I mean sure, you could try get a job at said place, work your way up, and etc etc. But that is vastly more work/time and secure than letting people who created a github account a week ago to contribute to key aspects of the worlds infrastructure. Like jesus.

He's talking about a digital signature, which is achieved by encrypting the message hash with the private key. The idea is anyone with the public key can decrypt the hash, and if it matches their own hash of the message, then it proves two things: 1. Whoever/whatever encrypted the hash (signed the message) has the private key, which serves as authentication, and 2. The message has not been altered since it was signed.

@@brandyballoon Alright, thanks for clearing that up :)

I mean sshd can already hand off to libpam for authorization iirc, and realistically, authenticating requests and launching a shell is kinda the whole point of sshd.

sshd _does_ support privilege separation though. I assume the backdoor activates on the secure side of it though (or disables it entirely).

LOIC INCOMING

Enjoy your new cupholder *ejects CDROM drive*

I don't know enough about crypto to know whether "encryption" and "decryption" are the correct terms to use for signing, but it is the private key that "encrypts" (generates) the signature and the public key that "decrypts" (verifies) it. Which is the opposite of how public/private keys are used for encryption purposes.

@@LykaiosFlux you can use public key to encrypt

@@andreujuanc You can, but he's talking about signing, not encryption.

more likely the chinese

As if that was the only attempt - it's the only one that failed, but numerous others have succeeded

Yeah, this isn't a lone actor. It shows you how much more complicated it is to compromise an open source project.

@@outtakontroll3334 both

Would the NSA really be silly enough to try and backdoor an open-source project?

Yeah, I don't understand this 'argument' ... You have absolutely no way to verify anything about closed code other than nebulous claims made by whoever released the software ... and blackbox testing. It's not like code review is any different for closed-source code than for open -- a trusted contributor who violates that trust could just as well have sneaked this backdoor into a closed project ... and it would be nearly impossible to detect beyond seeing some sus network traffic.

You could say he is a freund to us all

There's an Encryption course from UC San Diego on Coursera that gets into the implementation details of RSA.

Yeah.... In this way you just kill all the appeal of being Open Source. You may as well just rollback to being a closed source walled garden. ReactOS has done this for years (yes, they require KYC for commit access) and check how well goes to them. At least I would never contribute anything or support in any way any project which forces on me any sort of KYC scheme. Embrace, extend, extinguish.

Historically many countries have done many unethical things many times...

​ @hyoenmadan No, the entire issue was only discovered thanks to open source. Closed source projects are much easier to infiltrate for organized adversarial actors. ​@@eight-double-three Even for a whataboutism, this one is kind of lazy.

​@@hyoenmadanI think that just increases the chances of stuff like this being missed. This was caught early enough damage potential is low, solar winds from a couple of years back had much bigger impact

You are welcome!

*GCHQ hackers sighing with relief*

He was talking about signing not regular encryption. He got it the right way round!

Not for signatures, he is right.