"Just saying "Everyone should use one time pads" is not very constructive."
Except I did NOT say that, anywhere. Please go back and read my comments.
I did not try to say that everybody should use it. I did say it can be useful. But what prompted this whole thing was my comment to the effect that people who say OTHER encryption schemes should be used by everybody, for everything, are just as wrong.
Well, I retract my original statement. Apparently energy is up slightly in the last few years, with the result that we are now in a 30-year low, no longer a 40-year slump.
Just two examples. It is pretty easy to google that, and the information is not somebody's "opinion", it is what the science says. BUT... while those particular sources are often attacked, keep in mind that they are presenting someone else's scientific studies, they are not "the source". You aren't likely to find that information on sites about "climate change" because they don't want to point it out to you; it weakens their arguments and apocalyptic prognostications.
Okay, folks, I admit that I shouldn't have said it was "great". This particular implementation is flawed, because it re-uses keys. But the basic concept of one-time-pad (using XOR or whatever; that part is less important) is still very sound and used every day by intelligence agencies around the world.
Yes, as I mentioned above this particular implementation is flawed, because it's apparently based on a one-time-pad scheme, but each key is actually used twice. Not good.
The basic idea of one-time-pad though is sound. You just need to use a better key management scheme, and use them only once. But there are so many ways to use GOOD keys, in practice the options are close to infinite. You just need to ensure that your key is "sufficiently random", the same as the other guy's, and used only once.
"Such techniques are overlooked because they have huge flaws. I you were to monitor the message exchange in the scheme the GP used you could recover both keys and the plaintext easily."
Yes, in that particular implementation you could, if you [A] captured ALL of the exchanges, and [B] knew that they are a sequence, and (C) knew the encryption method. But even if you knew all these things, that's an implementation flaw, not a flaw in either XOR or one-time-pad-type encryption. The problem with his scheme is that it isn't "one time". Each key is used twice. But ANY cipher that re-uses a key can become vulnerable, some just more so than others.
With proper key management, one-time pads (whether XOR or some other scheme) are the only class of ciphers that are in fact considered theoretically unbreakable. In practice, there can be vulnerabilities, but that ALWAYS comes down to inadequate management (including choice of) keys.
"If you have a milling machine, you can cut the blank itself and bypass the whole "get the blank from the store"."
You can, but in most cases you would be foolish to do so. If you have studied them, you would know that key blanks are deceptively complex beasts. You could spend many hours building something you could get in a few minutes at the local hardware store for $1.
But it certainly is useful to have a milling machine, because you CAN make anything like that if you want to spend the time and effort. Even these "high security" keys. Also, you can often use one to modify a key blank that almost fits, and make it fit, in many cases, in a few minutes. Usually, that would probably be a more productive use of your milling machine. You can do that with a file by hand, too... but it can take a lot of time.
"If you have a blank" is a very big IF for the types of keys they are talking about. Wal-Mart doesn't sell sidecut blanks."
Hello??? Did you actually READ my last paragraph? Or even the rest of it? Quote myself:
"This sounds easy but in fact can be quite difficult..."
I know this, full well. And look at the CONTEXT also... the specific comment to which I was replying.
"99% of locks use the common keyways for which you can get generic key blanks."
I wrote this, too. Or at least, it is implicit in what I did write. And I at least mentioned the other things you talk about here. Go back and read it again... because apparently you didn't the first time.
Total global cyclonic energy ("vicious storms") has been at a 40-year LOW. Yes, the Atlantic got some storms last year but they were only seemingly "more vicious" because they happened near cities. The overall rate of "vicious storms" is DOWN, not up.
I would thank you to stop spreading the alarmist BS. Look at the actual figures instead.
"It's Windows 8 Pro, not RT. For a tablet, it's far better than Windows 7 (and Android...), for a laptop, it's as good as Windows 7 (but with an obnoxious launcher). If you need a tablet for actual work, it's better than an iPad."
Apparently, a VAST majority majority of people out there disagree with you. They are busy NOT buying Windows 8, en masse. I didn't make that up, it's what the market actually says. I repeat:
"That would be the administrative person who signed off on this scheme, typically referred to as a judge. Not that it matters, since I'm sure like most secret courts and administrative oversight bodies, it was rubber stamped. But trust me, somewhere in the chain, there was a judge."
That would be a huge pack of assumptions, and I see no reason to trust you on this. I have not, in fact, seen any evidence anywhere that a judge actually authorized using a javascript hack to invade the computers of site visitors.
"In the words of Tyler Durden, "over a long enough time frame, everyone's life expectancy drops to zero." Of course, being the cheerful and optimistic sort, I'm sure you feel you'll live forever. The rest of us, however, read books, and are appropriately humbled and enlightened."
What an amazingly arrogant thing to say. So you read Toynbee, and that makes your opinion better than everyone else's? (More "humbled and enlightened", as you say?) Interesting.
Further, your assertion that some things are inevitable over time is not a support of your earlier argument, which clearly implied that the United States is in its "inevitable decline". To say that something is inevitable is no proof that it is happening NOW. That is merely your opinion.
"Yeah; A lack of validation of your cheerful and ignorant worldview probably does seem a bit... unclear."
A bit of a "whoosh" there, I think. I made no claims about my own worldview. Another assumption, and a bit of a distortion of what I actually did write.
"Well, you can scream it at the sky if you want, but it won't change how wrong you are."
Correct. I am not wrong, and screaming won't change that.
"well if you use double xor encryption with randoms keys as long as the massage (and a new one for each message) you can."
It's amazing to me how often such techniques are overlooked. A lot of people seem to think "public key" cryptography is the be-all and end-all solution to all things. But just because it has become prevalent on the internet (because it is currently "good enough" in most cases), that doesn't mean it's particularly good at doing what YOU want to do with it.
Seriously: a lot of cryptographers these days seem to have their heads stuck in asymmetric-key block ciphers as though they were the only thing in the universe.
If all you want to do is communicate with someone else, very securely, then a scheme like yours is great. Of course you have to come up with a good way to choose "sufficiently random" keys, but that is not so difficult once you know what you're doing.
"I my jurisdiction it is (or was, a decade ago) against the law* for a locksmith to copy keys that are both marked "do not duplicate" and which used blanks available only to locksmiths..."
But there are a couple of problems there. First, it's not actually illegal in most jurisdictions, and second, there are only a relative few key blanks that are actually "only available to locksmiths". Most of them have readily-available generic replacements, or can be made from readily-available generic replacements in a few minutes.
BTW: "building" a key from a mold is actually very difficult, unless you know exactly what you are doing. Both mold and key materials have to be almost perfect (and have certain properties I will not detail here), or what you get out of it won't be a usable key. Further, you need BOTH sides, not just one as usually shown in the movies, or your molded key (probably) won't fit the lock.
A key can be made from an impression, but it's usually far easier to use a different technique, and not actually "mold" a new key from the impression.
Nonsense. It did nothing of the sort. Not even close. I know, because I duplicated a lot of institutional keys with "Do Not Duplicate" on them, for "security" locks. (Disclaimer: I did not use them to steal anything, or invade residences, or anything like that. I won't go into why I did it but it wasn't to commit a crime spree.)
If you had an original key (or an accurate enough impression or 1x scale trace or photograph), all you then need is a key blank that will fit the lock. This sounds easy but in fact can be quite difficult, because there are A LOT of different variations on keyways out there. But in the case of Schlage, there were only a relative few, and you could often get "generic" knockoff blanks from your local K-Mart. If you already know the particular kind you are looking for, it's a matter of a few minutes to go into the store and buy a blank for $1.
Once you have the blank, you can duplicate the key accurately with hand tools in less than 15 minutes. I won't go into the details here but suffice it to say that this doesn't require genius-level puzzle solving and it isn't particularly difficult to do.
The only thing the specific "high security" keys OP wrote about brought to the table is the difficulty of cutting a copy. You aren't going to do it by hand with a file in a short period of time. But *IF* you had a blank, you could cut it with a milling machine or a drill press with a cutting head without too much trouble.
What judge? I read all three links given by OP and I saw no suggestion anywhere that a judge approved the javascript exploit.
"Not quite. Civilizations all go through phases; Romans chiseled out stone tablets lamenting that there were so many laws nobody could keep track of them all. Fifty years later, the Visigoths came over the 7th hill and ended that empire. And then the process started over. An overly-complex legal system is an indication that an empire has passed its peak and is in decline, nothing more, nothing less."
Wow. You believe in absolute determinism too? How really, really depressing. How do you stand it?
"A clear view of what is happening is not in itself a cause for optimism or pessimism."
I think if anything is clear, is that we disagree over whether what you are saying represents a "clear view of what is happening".
"I know that my attitude can be confusing to people so used to political and belief bias."
I'm not confused in the slightest. I simply disagree with you. And I repeat: you have repeatedly demonstrated a gloomy, fatalistic attitude.
"The laws are sufficiently complex and vague that you can readily make an argument both ways that would have legal standing."
In THIS CASE, if the situation has been described accurately, no, they aren't.
"The law has completely ceased to function either as a deterrent to crime, or as a guideline for moral and ethical conduct."
The logical extension of this is that there is no law at all, and therefore we are in a state of anarchy. I don't think it has gotten quite that bad. I sympathize with the feeling, though.
"So the argument that they were breaking, or following, the law, is now really a moot point."
Man... I know I've said this before but you sure have a depressing, fatalistic attitude. I do not believe the facts support such a gloomy outlook, and so I cannot honestly agree.
"The price cut lets it undercut every direct competitor by 100 bucks. This thing doesn't compete against a puny ARM tablet or even a puny $450 laptop. It competes against ultrabooks and especially ultrabook-tablet hybrids (Samsung Ativ Smart PC Pro, Sony Vaio Duo...)."
It doesn't matter how gorgeous you think the hardware is. It is only as good as what it will run, and nobody (relatively speaking) wants that OS.
Man, nobody wants the most powerful, most fuel-efficient car in the world, if the only place it will take you is Trenton, NJ.
Looks more to me like the 3-letter agencies have decided to BREAK THE LAW.
Unconstitutional surveillance is bad enough. But they don't have any more right to commit "unauthorized access to a computer system" than anybody else. (That is to say, their javascript hack of site visitors who may be innocent.) They can't break the law in order to enforce the law, unless they want to face criminal charges themselves. Aaron Schwartz faced 30 years in prison for far less. I say, let's see the FBI face the same thing.
And yes, it may well be enforceable. Look up 18 USC 242, "Deprivation of Civil Rights Under Color of Law". The civil rights in question here might be, just for example, the privacy of your own computer system, which legally requires a warrant or subpoena to access. Just my opinion, but I don't see how simply visiting a website could constitute probable cause, much less justify intrusion in the form of a "hack".
18 USC 242 IS fairly frequently prosecuted, and last I checked it has a conviction rate of about 98%, which is awesome for any law. And it specifically targets government agents and agencies. The President is not immune.
(P.S. After reading that law, many folks have been prone to conclude that it only applies to racial and other discrimination. That is because of the awkward wording [e.g., there is a strategically placed comma that makes a big difference]. In fact it applies to ANY Constitutional right. However, my mention of it here is not meant to imply that the law does apply here. Only that it might. IANAL and I don't pretend to be one, but I have researched this law and its application.)
You're assume Goldman Sachs cares about "is this legal?" or "is this right?". What they care is: "will this improve our PR?", "will this scare people from going against us?", "will this scare people from working for us?".
This is the whole reasons corporations worked to try to make "non-compete" agreements enforceable: to lock in their control of an employee.
And that is why non-compete clauses or agreements are no longer enforceable in California. California did a good thing for a change.
They need to get it through their heads that they do not control the contents of a mind. If they want somebody to "not compete", then the PROPER way to do it is to give them better pay and compensation than the other guy. That's called capitalism.
Hahaha. As usual, contradicting "mainstream" rhetoric -- no matter how correct I was -- got me modded "troll" again.
It's no longer even just sad. It has gotten to the point it's almost amusing.
"Just saying "Everyone should use one time pads" is not very constructive."
Except I did NOT say that, anywhere. Please go back and read my comments.
I did not try to say that everybody should use it. I did say it can be useful. But what prompted this whole thing was my comment to the effect that people who say OTHER encryption schemes should be used by everybody, for everything, are just as wrong.
Sure. They all have their problems. I think the question really is: what is it you are trying to do, and what scheme best fits those needs?
I just have a problem with those who seem to think PGP or similar is the one solution to them all. It isn't.
Well, I retract my original statement. Apparently energy is up slightly in the last few years, with the result that we are now in a 30-year low, no longer a 40-year slump.
Here is one source, and here is another.
Just two examples. It is pretty easy to google that, and the information is not somebody's "opinion", it is what the science says. BUT... while those particular sources are often attacked, keep in mind that they are presenting someone else's scientific studies, they are not "the source". You aren't likely to find that information on sites about "climate change" because they don't want to point it out to you; it weakens their arguments and apocalyptic prognostications.
Okay, folks, I admit that I shouldn't have said it was "great". This particular implementation is flawed, because it re-uses keys. But the basic concept of one-time-pad (using XOR or whatever; that part is less important) is still very sound and used every day by intelligence agencies around the world.
Yes, as I mentioned above this particular implementation is flawed, because it's apparently based on a one-time-pad scheme, but each key is actually used twice. Not good.
The basic idea of one-time-pad though is sound. You just need to use a better key management scheme, and use them only once. But there are so many ways to use GOOD keys, in practice the options are close to infinite. You just need to ensure that your key is "sufficiently random", the same as the other guy's, and used only once.
"Such techniques are overlooked because they have huge flaws. I you were to monitor the message exchange in the scheme the GP used you could recover both keys and the plaintext easily."
Yes, in that particular implementation you could, if you [A] captured ALL of the exchanges, and [B] knew that they are a sequence, and (C) knew the encryption method. But even if you knew all these things, that's an implementation flaw, not a flaw in either XOR or one-time-pad-type encryption. The problem with his scheme is that it isn't "one time". Each key is used twice. But ANY cipher that re-uses a key can become vulnerable, some just more so than others.
With proper key management, one-time pads (whether XOR or some other scheme) are the only class of ciphers that are in fact considered theoretically unbreakable. In practice, there can be vulnerabilities, but that ALWAYS comes down to inadequate management (including choice of) keys.
"If you have a milling machine, you can cut the blank itself and bypass the whole "get the blank from the store"."
You can, but in most cases you would be foolish to do so. If you have studied them, you would know that key blanks are deceptively complex beasts. You could spend many hours building something you could get in a few minutes at the local hardware store for $1.
But it certainly is useful to have a milling machine, because you CAN make anything like that if you want to spend the time and effort. Even these "high security" keys. Also, you can often use one to modify a key blank that almost fits, and make it fit, in many cases, in a few minutes. Usually, that would probably be a more productive use of your milling machine. You can do that with a file by hand, too... but it can take a lot of time.
"If you have a blank" is a very big IF for the types of keys they are talking about. Wal-Mart doesn't sell sidecut blanks."
Hello??? Did you actually READ my last paragraph? Or even the rest of it? Quote myself:
"This sounds easy but in fact can be quite difficult..."
I know this, full well. And look at the CONTEXT also... the specific comment to which I was replying.
"99% of locks use the common keyways for which you can get generic key blanks."
I wrote this, too. Or at least, it is implicit in what I did write. And I at least mentioned the other things you talk about here. Go back and read it again... because apparently you didn't the first time.
Enough with the exaggerated apocalyptic BS.
Total global cyclonic energy ("vicious storms") has been at a 40-year LOW. Yes, the Atlantic got some storms last year but they were only seemingly "more vicious" because they happened near cities. The overall rate of "vicious storms" is DOWN, not up.
I would thank you to stop spreading the alarmist BS. Look at the actual figures instead.
"It's Windows 8 Pro, not RT. For a tablet, it's far better than Windows 7 (and Android...), for a laptop, it's as good as Windows 7 (but with an obnoxious launcher). If you need a tablet for actual work, it's better than an iPad."
Apparently, a VAST majority majority of people out there disagree with you. They are busy NOT buying Windows 8, en masse. I didn't make that up, it's what the market actually says. I repeat:
"... nobody (relatively speaking) wants that OS."
"That would be the administrative person who signed off on this scheme, typically referred to as a judge. Not that it matters, since I'm sure like most secret courts and administrative oversight bodies, it was rubber stamped. But trust me, somewhere in the chain, there was a judge."
That would be a huge pack of assumptions, and I see no reason to trust you on this. I have not, in fact, seen any evidence anywhere that a judge actually authorized using a javascript hack to invade the computers of site visitors.
"In the words of Tyler Durden, "over a long enough time frame, everyone's life expectancy drops to zero." Of course, being the cheerful and optimistic sort, I'm sure you feel you'll live forever. The rest of us, however, read books, and are appropriately humbled and enlightened."
What an amazingly arrogant thing to say. So you read Toynbee, and that makes your opinion better than everyone else's? (More "humbled and enlightened", as you say?) Interesting.
Further, your assertion that some things are inevitable over time is not a support of your earlier argument, which clearly implied that the United States is in its "inevitable decline". To say that something is inevitable is no proof that it is happening NOW. That is merely your opinion.
"Yeah; A lack of validation of your cheerful and ignorant worldview probably does seem a bit... unclear."
A bit of a "whoosh" there, I think. I made no claims about my own worldview. Another assumption, and a bit of a distortion of what I actually did write.
"Well, you can scream it at the sky if you want, but it won't change how wrong you are."
Correct. I am not wrong, and screaming won't change that.
"well if you use double xor encryption with randoms keys as long as the massage (and a new one for each message) you can."
It's amazing to me how often such techniques are overlooked. A lot of people seem to think "public key" cryptography is the be-all and end-all solution to all things. But just because it has become prevalent on the internet (because it is currently "good enough" in most cases), that doesn't mean it's particularly good at doing what YOU want to do with it.
Seriously: a lot of cryptographers these days seem to have their heads stuck in asymmetric-key block ciphers as though they were the only thing in the universe.
If all you want to do is communicate with someone else, very securely, then a scheme like yours is great. Of course you have to come up with a good way to choose "sufficiently random" keys, but that is not so difficult once you know what you're doing.
"I my jurisdiction it is (or was, a decade ago) against the law* for a locksmith to copy keys that are both marked "do not duplicate" and which used blanks available only to locksmiths..."
But there are a couple of problems there. First, it's not actually illegal in most jurisdictions, and second, there are only a relative few key blanks that are actually "only available to locksmiths". Most of them have readily-available generic replacements, or can be made from readily-available generic replacements in a few minutes.
BTW: "building" a key from a mold is actually very difficult, unless you know exactly what you are doing. Both mold and key materials have to be almost perfect (and have certain properties I will not detail here), or what you get out of it won't be a usable key. Further, you need BOTH sides, not just one as usually shown in the movies, or your molded key (probably) won't fit the lock.
A key can be made from an impression, but it's usually far easier to use a different technique, and not actually "mold" a new key from the impression.
"Before the printing game this worked 100%..."
Nonsense. It did nothing of the sort. Not even close. I know, because I duplicated a lot of institutional keys with "Do Not Duplicate" on them, for "security" locks. (Disclaimer: I did not use them to steal anything, or invade residences, or anything like that. I won't go into why I did it but it wasn't to commit a crime spree.)
If you had an original key (or an accurate enough impression or 1x scale trace or photograph), all you then need is a key blank that will fit the lock. This sounds easy but in fact can be quite difficult, because there are A LOT of different variations on keyways out there. But in the case of Schlage, there were only a relative few, and you could often get "generic" knockoff blanks from your local K-Mart. If you already know the particular kind you are looking for, it's a matter of a few minutes to go into the store and buy a blank for $1.
Once you have the blank, you can duplicate the key accurately with hand tools in less than 15 minutes. I won't go into the details here but suffice it to say that this doesn't require genius-level puzzle solving and it isn't particularly difficult to do.
The only thing the specific "high security" keys OP wrote about brought to the table is the difficulty of cutting a copy. You aren't going to do it by hand with a file in a short period of time. But *IF* you had a blank, you could cut it with a milling machine or a drill press with a cutting head without too much trouble.
Not a problem. :o) I've done the same myself before.
"The judge, obviously, disagreed."
What judge? I read all three links given by OP and I saw no suggestion anywhere that a judge approved the javascript exploit.
"Not quite. Civilizations all go through phases; Romans chiseled out stone tablets lamenting that there were so many laws nobody could keep track of them all. Fifty years later, the Visigoths came over the 7th hill and ended that empire. And then the process started over. An overly-complex legal system is an indication that an empire has passed its peak and is in decline, nothing more, nothing less."
Wow. You believe in absolute determinism too? How really, really depressing. How do you stand it?
"A clear view of what is happening is not in itself a cause for optimism or pessimism."
I think if anything is clear, is that we disagree over whether what you are saying represents a "clear view of what is happening".
"I know that my attitude can be confusing to people so used to political and belief bias."
I'm not confused in the slightest. I simply disagree with you. And I repeat: you have repeatedly demonstrated a gloomy, fatalistic attitude.
"How can you say that? No one can say whether these TLAgencies have stepped over their mandates."
I didn't write anything about "mandates". I wrote about deprivation of Constitutional rights. While the former may be ambiguous, the latter is not.
In fact, the law I mentioned was specifically intended to address this kind of situation.
"The laws are sufficiently complex and vague that you can readily make an argument both ways that would have legal standing."
In THIS CASE, if the situation has been described accurately, no, they aren't.
"The law has completely ceased to function either as a deterrent to crime, or as a guideline for moral and ethical conduct."
The logical extension of this is that there is no law at all, and therefore we are in a state of anarchy. I don't think it has gotten quite that bad. I sympathize with the feeling, though.
"So the argument that they were breaking, or following, the law, is now really a moot point."
Man... I know I've said this before but you sure have a depressing, fatalistic attitude. I do not believe the facts support such a gloomy outlook, and so I cannot honestly agree.
"I think if you owned a company your opinion would change very rapidly."
No, I would not. Period.
Keep in mind that a "non-compete" agreement is NOT THE SAME as protection for your "intellectual property". They are 2 different things.
"What they state is if I work at Microsoft on search engine technology. I can't work at Google next week."
I know what they say. I'm not an idiot. I've signed them in the past... and refused to sign them, more recently.
Does this mean you can now go phishing in the toilets?
"The price cut lets it undercut every direct competitor by 100 bucks. This thing doesn't compete against a puny ARM tablet or even a puny $450 laptop. It competes against ultrabooks and especially ultrabook-tablet hybrids (Samsung Ativ Smart PC Pro, Sony Vaio Duo...)."
It doesn't matter how gorgeous you think the hardware is. It is only as good as what it will run, and nobody (relatively speaking) wants that OS.
Man, nobody wants the most powerful, most fuel-efficient car in the world, if the only place it will take you is Trenton, NJ.
" As far as I know, this is all untested legal ground."
I don't have any specific citations at hand, but I would be VERY surprised if this were "untested ground". I doubt that very much.
Looks more to me like the 3-letter agencies have decided to BREAK THE LAW.
Unconstitutional surveillance is bad enough. But they don't have any more right to commit "unauthorized access to a computer system" than anybody else. (That is to say, their javascript hack of site visitors who may be innocent.) They can't break the law in order to enforce the law, unless they want to face criminal charges themselves. Aaron Schwartz faced 30 years in prison for far less. I say, let's see the FBI face the same thing.
And yes, it may well be enforceable. Look up 18 USC 242, "Deprivation of Civil Rights Under Color of Law". The civil rights in question here might be, just for example, the privacy of your own computer system, which legally requires a warrant or subpoena to access. Just my opinion, but I don't see how simply visiting a website could constitute probable cause, much less justify intrusion in the form of a "hack".
18 USC 242 IS fairly frequently prosecuted, and last I checked it has a conviction rate of about 98%, which is awesome for any law. And it specifically targets government agents and agencies. The President is not immune.
(P.S. After reading that law, many folks have been prone to conclude that it only applies to racial and other discrimination. That is because of the awkward wording [e.g., there is a strategically placed comma that makes a big difference]. In fact it applies to ANY Constitutional right. However, my mention of it here is not meant to imply that the law does apply here. Only that it might. IANAL and I don't pretend to be one, but I have researched this law and its application.)
You're assume Goldman Sachs cares about "is this legal?" or "is this right?". What they care is: "will this improve our PR?", "will this scare people from going against us?", "will this scare people from working for us?".
This is the whole reasons corporations worked to try to make "non-compete" agreements enforceable: to lock in their control of an employee.
And that is why non-compete clauses or agreements are no longer enforceable in California. California did a good thing for a change.
They need to get it through their heads that they do not control the contents of a mind. If they want somebody to "not compete", then the PROPER way to do it is to give them better pay and compensation than the other guy. That's called capitalism.