Domain: itconsult.co.uk
Stories and comments across the archive that link to itconsult.co.uk.
Comments · 23
-
Re:Blockchain did NOT originate with bitcoin
Long before Bitcoin, blockchains have been used in "eternal log files", "digital notaries" and "timestamping service" for at least 20 years. Torvalds' first name is Linus.
-
Re:Open or Close Blockchain
Blockchains without the mining aspect have existed for a long time, but the concept is better known as "eternal log file" (sorry, there is no English Wikipedia article), cryptographic timestamping service or digital notary.
Bitcoin solves some of the problems with these services very elegantly. At the core of the solution is the work-proof, which in turn requires an incentive (a "mining" reward). It will be interesting to see if the banks just want to go for another eternal log file or if they're essentially aiming to replace Bitcoin with a clone.
-
Re:Reminds me of the old UK Timestamper
That service is still operating. I used it over 10 years ago to establish priority for a business concept that I then presented to my employer.
All that is needed is a detached digital signature -- via an OpenPGP application, such as PGP or Gnu Privacy Guard (GPG) -- for the file in question. The signature file is E-mailed to the PGP Digital Timestamping Service as described at http://www.itconsult.co.uk/stamper.htm. The service digitally signs the signature file, creating another detached signature that is E-mailed back to the user. Contained in that returned signature file is the date-time it was signed.
Test files can be sent to the PGP Digital Timestamping Service. The return is still a detached signature that is E-mailed back to the user. The date-time can then be checked to verify that the clock at the PGP Digital Timestamping Service is current.
In the meantime, your own detached digital signature file establishes proof that you possessed the signed file prior to the date-time in the PGP Digital Timestamping Service's detached digital signature file.
-
Re:Reminds me of the old UK Timestamper
For those who are interested, the service you're referring to is likely http://www.itconsult.co.uk/stamper.htm.
-
Re:Better approach
If doing email, be sure to run some of them through a timestamper and forwarder to a different address. You want not just a trial, but they could easily delete their email logs/emails. But if it went through a stamper then they will have to answer for it. In general, little guy has the edge.
http://www.itconsult.co.uk/stamper.htm
-
Re:Not accurate, not new
Relatively safe?
No.
MD5 is completely utterly broken. Sites like http://www.itconsult.co.uk/stamper.htm are now useless. Actually they are worse than nothing: this can fool people.
The fact that I can create good and bad versions of programs is very bad: I can put the good, wait for scrutiny and then change to the bad. People have no easy way of knowing which one they downloaded (and are using).
It is very apparent it is only a matter of a year or two before someone can replace any file with another. Why wait for that? Why not replace MD5 as signing method now - before the shit really hits the fan?
-
Online timestamper
If you need to unambiguously datestamp it, utilize an unbiased third party notary-like service such as http://www.itconsult.co.uk/stamper/stampinf.htm to sign the detached signature of the material and publish that signature. By signing it yourself, you are showing that you possessed the material. Employing the third party to sign your detached signature of the material provides a reliable timestamp of when you possessed the material. A challenge could be met by providing the material along with the relevant signatures. Logically it makes perfect sense, but legally it might be harder to explain it to a judge/jury, or bring the owner of the site to come and attest to his methods.
Employing a real world Notary to witness you signing a copy of the material would probably be easier to get admitted in a legal process (IANAL), but that is outside your 'digital world' stipulation.
(The reliability of that third party signature is reinforced since the date/time is evident not only in the signature, but also the time at which it was posted to usenet, which is archived by various parties.)
-
Use a digital timestamping service
Such as this one.
I found this in 30 seconds through Google, did you even look before submitting your question to Slashdot?
-
Re:Don't Build Your Own Device
A variation on one I have seen is daily logs which are signed, the signature and last ID are inserted into the top of the next day's logs. The signature and last ID were then published publicly (website, newsgroup, etc).
Altering old logs means that you have to alter all the subsequent logs as the signature changes, which obviously chains down the logs. As the signatures / IDs are public it becomes extremely unlikely to go undetected.
Obviously you could decrease the "rotate" interval.
I read about this on Stamper at http://www.itconsult.co.uk/stamper/stampinf.htm
-
use PGP digital timestamping service
If students would use http://www.itconsult.co.uk/stamper/stampinf.htm/ the digital timestamping service, they can prove at what time they created a given document.
-
Re:In a word: yes
To cover yourself for really important things, use something like the PGP timestamper at http://www.itconsult.co.uk/stamper.htm. You send it a digital signature of something and it signs the signature, giving you really good proof that you had written it on a certain date.
-
Re:freefall
Another very serious problem is that it is so difficult to maintain a chain of evidence in an electronic world. Will the ISPs take proper precautions to secure their data and logs from attackers and forgeries? If the DoJ drags you into court claiming you uploaded an illegal file two years ago, how do you defend yourself? Logs are just data, data is easily edited. Without electronic signatures on every log entry, it is easy to just add a new one or modify an existing entry. Who would be able to tell?
A digital timestamping service like stamper lets me prove I did something at a particular time, but how do I prove a negative?
Why would the government do something like this? Silencing political enemies, dealing with "inconvenient" people, chilling free speech, and stopping investigations into corruption when they do not have any real charges to use. (corrupt) Police now will sometimes follow and harass individuals looking for dirt; how much easier when it can be created, complete with convincing audit trail. Hand a jury an "exploited child" and they won't listen to a defense.
-
Re:Checksums are always going to be vulnerable
The MD5 is fatally broken and should not be used for anything, it gives the wrong impression at best and horribly broken results at worst.
Check e.g. http://www.itconsult.co.uk/stamper.htm for an example of a horribly broken one.
-
Re:I wonder
What stops your correspondent from sending your messages to something like Stamper before you publish the temporary key? After the temporary key is published it will be possible to forge messages signed by that key, but it won't be possible without the collaboration of the timestamping service to forge messages signed by that key and dated before its publication.
-
Re:How you could make it look really bad.
If his boss really played solitaire all day, a log of applications would show it and the percentage time it was active. Even still, it would be difficult for him to prove as he could manipulate the logs manually.
Although I don't think admins are smart in playing big brother and having others know they do, I can help BOFHs around the world avoid at least this particular problem. With the new big brother task forced upon fellow BOFHs we can get problems and various new work-related illnesses. But if we really do want to document someone's solitaire high score, pornographic preferences over time or maybe even a serious break-in attempt, then stamper will help prove the time and date of our evidence... Just email a secure hash (md5sum log* or md5sum screenshot*.png) of the stuff and you get it back dated and signed. Now anyone with gpg or pgp can verify at least the earliest time/date the evidence existed, thus proving it wasn't manufactured, say, after a big conflict. Now if the evidence includes, like in this example, screenshots of stock moves no one predicted or a news site, you know at least the earliest time this part of the evidence could have been created. Of course if you do this to document others' browsing and then confront people/brag about it, you deserve what you get. However, if you document a break-in (firewall log, found altered/unexplained binaries etc.) then maybe the one behind it gets what he/she deserves...
-
Re:Registering your code..
Great idea! Because you could "mail" the code directly to a third party secure server and have some legal backup.
The timestamp only uses the hash -- which prevents your precious trade secrets from leaking.
OK...can I mail this post so this can't be patented out from under us?
The PGP timestamping service is ample prior art for the timestamping of hashes. But some random geek is more likely to be doubted in court than the USPS (or a tech savvy notary public for that matter), which is why it's good they're getting in on this..
As for automatically backing up code.. CVS?
-
PGP Timestamping service (free)
This was mentioned in one other post, but doesn't seem to have been noticed and modded up:
PGP Digital Timestamping Service
Stamper is a free digital timestamping service which uses PGP and operates via Internet email. Launched in 1995, it remains my intention that this will be a reliable quality service which will remain in operation for a number of years.
Signatures are available through the website, on a mailing list they run, and weekly to the usenet group comp.security.pgp.announce. Make sure any company you use does some sort of public announcement like this, or if they go out of business you're screwed.
-
External authorities
http://www.itconsult.co.uk/stamper.htm -- really, there comes a point where a trusted authority is just required. I know scientists just keep hand-written logbooks, and date each entry and keep it in pen. Nice and old-fashioned, the courts like it. Alternatively, if we don't want to go old-fashioned, you could sign your mails with the above service (but how do you prove that service can be trusted?)
Trust is a really nasty recursive problem. I'd just keep a paper logbook, and other records. It should work well enough.
-
PGP Timestamping Service
Well, since this is crypto related, I think an even better way would be to use the PGP Timestamping Service.
It has several different modes, but basically you just encrypt your ideas, send an email to the timestamper with the encrypted files and it will sign the file, and the signature will contain a timestamp and a serial number.
The signatures are available on a daily basis and are posted weekly at alt.security.pgp for all the world to see.
-
authentication, pgp
One thing that might help a bit is to pgp sign your messages, or even use a timestamping service but I don't know of any way to prevent someone from backdating their copy of your work to circumvent copyright, or even claim that they authored it. I'm reminded of a passage in one of the Hitchhiker's Guide to the Galaxy books where the Guide blatantly ripped some info off the side of a cereal box, then sent the article (about how really big space is) back in time, and sued the cereal company for copyright infringement!
-
Re:REGISTER YOUR COPYRIGHTS!
You can always use the PGP Timestamping Service, which *does* prove you sent it at a particular time and that the contents existed in the original form.
-
Re:Practicality
Already done: The PGP Digital Timestamping Service will let you email it anything, (such as just a hash, or the whole file if you are brave) and will return a timestamped hash of it. It posts the hashes (never the original) to usenet and keeps them in its own archive for historical tracking.
You can also use it to send the equivalent of a 'certified' email, whereby it will give you a proof-of-posting certificate for a given email. It doesn't guarantee the email was ever received or read, but it could be better than nothing.
-
Re:Lawsuits, copyright, notices.
A signed timestamp might be good evidence, though I can't assure you any court will find it absolutely convincing.