Dear Fake Debian Developers, shoo.

Another post about the Valve/Collabora free games thing. This time, the bad bit – people trying to scam free games from us.

Before I start, I want to make one thing clear – there are people who have requested keys who don’t meet the criteria, but are honest and legitimate in their requests. This blogspam is not about them at all. If you’re in that category, you’re not being complained about.

So. Some numbers. At time of writing, I’ve assigned keys to 279 Debian Developers or Debian Maintainers – almost 25% of the total eligible pool of about 1200.

I’ve denied 22 requests. Of these 10 were polite requests from people who didn’t meet the conditions stated (e.g. Ubuntu developers rather than Debian). These folks weren’t at all a problem for us, and I explained politely that they didn’t meet the terms we had agreed at the time with Valve. No problem at all with those folks.

Next, we have the chancers, 7 of them, who pretended to be eligible when they clearly weren’t. For example, two people sent me signed requests pointing to their entry on the Debian New Maintainers page when challenged over the key not being in the keyring. The NM page showed that they had registered as non-uploading Debian Contributors a couple of hours previously. A few just claimed “I am a DD, here is my signature” when they weren’t DDs at all. Those requests were also binned.

Papers, Please screenshot - denied entry application

DENIED

And then we move onto the final category. These people tried identity theft, but did a terrible job of it. There were 5 people in this category:

From: Xxxxxxxx Xxxxxx <xxxxxxxx.xxxxxx@ieee.org>
Subject: free subscription to Debian Developer
8217 A205 5E57 043B 2883 054E 7F55 BB12 A40F 862E

This is not a signature, it’s a fingerprint. Amusingly, it’s not the fingerprint for the person who sent my mail, but that of Neil McGovern – a co-worker at Collabora. Neil assured me he knew how to sign a mail properly, so I shitcanned that entry.

From: "Xxxxx, Xxxxxxxxx" <x.xxxxx@bbw-bremen.de>
Subject: Incoming!
Hey dude,

I want to have the redemption code you are offering for the Valve Games

mQGiBEVhrscRBAD4M5+qxhZUD67PIz0JeoJ0vB0hsLE6QPV144PLjLZOzHbl4H3N
...snip...
Lz8An1TEmmq7fltTpQ+Y1oWhnE8WhVeQAKCzh3MBoNd4AIGHcVDzv0N0k+bKZQ=3D=3D
=3Du/4R

Wat? Learn to GPG!

From: Xxxxxx-Xxxx Le Xxxxxxx Xxxx <xx.xxxxxxxxx@gmail.com>
Subject: pass steam
Hey me voila

Merci beaucoup

valve

2069 1DFC C2C9 8C47 9529 84EE 0001 8C22 381A 7594

Like the first one, a fingerprint. This one is for Sébastien Villemot. Don’t scammers know how to GPG sign?

From: "Xxxxxxxxx Xxxxxxx" <xxxxxxxx@web.de>
Subject: thanks /DD/Steam gifts us finally something back
0x6864730DF095E5E4

Yet again, a fingerprint. This one is for Marco Nenciarini. I found this request particularly offensive due to the subject line – the haughty tone from an identity thief struck me as astonishingly impertinent. Still, when will scammers learn to GPG?

From: Sven Hoexter <svenhoexter@gmail.com>
Subject: Valve produced games
I'm would like to get the valve produced games
My keyring: 0xA6DC24D9DA2493D1 Sven Hoexter <hoexter> sig:6

Easily the best scam effort, since this is the only one which both a) registered an email address under the name of a DD, and b) used a fingerprint which actually corresponds to that human. Sadly for the scammer, I’m a suspicious kind of person, so my instinct was to verify the claim via IRC.

31-01-2014 16:52:48 > directhex: Hoaxter, have you started using gmail without updating your GPG key? (note: significantly more likely is someone trying to steal your identity a little to steal valve keys from collabora)
31-01-2014 16:54:51 < Hoaxter!~sh@duckpond6.stormbind.net: directhex: I do not use any Google services and did not change my key

So… yeah. Nice try, scammer.

I’m not listing, in all of this, the mails which Neil received from people who didn’t actually read his mail to d-d-a.

I’m also not listing a story which I’ve only heard second ha… actually no, this one is too good not to share. Someone went onto db.debian.org, did a search for every DD in France, and emailed every Jabber JID (since they look like email addresses) asking them to forward unwanted keys.

All in all, the number of evildoers is quite low, relative to the number of legitimate claims – 12 baddies to 279 legitimate keys issued. But still, this is why the whole key issuing thing has been taking me so long – and why I have the convoluted signature-based validation system in place.

Enjoy your keys, all 279 of you (or more by the time some of you read this). The offer has no explicit expiry on it – Valve will keep issuing keys as long as there is reason to, and Collabora will continue to administer their allocation as long as they remain our clients. It’s a joint gift to the community – thousands of dollars’ worth of games from Valve, and a significant amount of my time to administer them from Collabora.

11 Responses to “Dear Fake Debian Developers, shoo.”

  1. This reminds me of the RSA number factoring bounty. It’s an acid test for Debian’s authentication systems.

    Maybe someone, somewhere has a cluster of machines trying to factor weak keys from the Debian keyring, just to steal some free computer games. Or is trying to break into DSA infrastructure.

    Or realistically here, social engineering, which is a great awareness exercise. Obviously there are serious reasons why Debian needs to maintain security. We can’t be confident the systems are safe unless tested occasionally.

    [reply]

  2. I love that you used a screenshot of Papers Please for this.

    [reply]

  3. Obviously we aren’t supposed to give our redemption code to someone else. Though after using it I now seem to have “gift copies” of Half-Life 2 and Half-Life 2: Episode One. I suppose that’s because I had already previously bought them? So no problem giving those away (if I can even find someone that is interested in video games who doesn’t already own them), right?

    That’s for administering this!

    [reply]

  4. Then Valve is actually giving away all their games to Debian Developers? That is a really nice thing to do!

    Well done Valve!

    [reply]

  5. I think I just leveled my geekyness because I really enjoyed this post :-)

    [reply]

  6. I’m not a DD or interested in getting games, but follow Planet Debian and some related lists out of interest. Thank you for taking time to act as a serious blocker to scammers.

    [reply]

  7. Isn’t the Valve pack worth just some 35€ during steam sales?

    [reply]

    directhex Reply:

    Sure.

    Assuming no Valve games are ever made again, you’re correct. If Valve *do* make a new game, then every key recipient gets it automatically.

    [reply]

    oiaohm Reply:

    @meh,

    Lets take into account that out of that 279 developers some will never ever play the games. Only reason some have got their key is to benchmark and bug hunt. They would not spent 35€ in the first place.

    Yes there are valid reasons to give maintainers access to particular software for free. If developers go out and buy every application they will not have any money.

    With the wine project demo access is normally enough but sometimes the full game has features the demo does not.

    [reply]

  8. just verify the signature of all the mails against the keyring of the debian project?

    rsync keyring.debian.org::keyrings/keyrings/

    you probably only want debian-keyring.gpg and debian-nonupload.gpg

    [reply]

  9. “When will scammers learn how to GPG?” uh, isn’t the whole point of asking for signed messages that they *can’t*? :) I mean, there’s no way for them to impersonate a real DD by sending you a valid signed message, so… so they have to try something else and hope that you’re too sleepy to notice.

    And yeah, thanks for sharing these stories :)

    [reply]

Leave a Reply