Slashdot Mirror


User: Omnifarious

Omnifarious's activity in the archive.

Comments · 3,455

  1. Re:Pissing people off on The Vortex Gun Coming Soon To a Protest Near You · · Score: 1

    There are a couple of jurisdictions that managed it during the OWS protests last fall. And they still kind of annoyed people, but not really very much.

    I can't remember exactly how they did it, but it was a combination of being nice to people and waging a bit of subtle psychological warfare by using people's expectations that they not be nice against them. It was clever, resourceful and it worked. I'm not entirely pleased that it worked, but I'm a heck of a lot more pleased than I am with the other police forces around the country who misbehaved in a way I consider intolerable.

  2. Distractions... yeah, I would agree on The eBook Backlash · · Score: 1

    I would agree with this assessment. I too have found it really difficult to concentrate on reading a book on a computer. It takes a lot more effort than a print one. While some of this is likely due to light-emitting (rather than light reflecting) displays being tiring to read, it also likely has to do with the menu of available distractions.

    I don't find the lack of permanence particularly disturbing. I've long considered the data on my hard-drive to have greater permanence than the data I have scattered around on DVDs or CDs or even books. But I do admit that I like showing off the many bookshelves of books I've read. :-) And the fact that so many ebooks come with DRM that could potentially deprive me of the work at any time due to the whims of the publisher or bookseller does give me a sense of disturbing ephemerality.

  3. Pissing people off on The Vortex Gun Coming Soon To a Protest Near You · · Score: 4, Insightful

    Getting people to disperse in a manner that will piss them off will only work if they wake up in the morning and think "Gosh, I'm kind of embarrassed I was there at all.". Otherwise, it will just make them angrier. And it may not even get them to disperse and go home like you want them to in the first place.

    The people who work at firms who make stuff like this should be ashamed of themselves for the world they help create.

    But, of course, there are enough people on Slashdot who think that might makes right, and that authority is always correct (most of whom paradoxically are against 'big government') that I suspect these people feel not a glimmer of guilt.

  4. Re:Linode Terms of Service on Linode Exploit Caused Theft of Thousands of Bitcoins · · Score: 1

    This is no different from a consumer internet connection being used to run a business. If it goes down and you lose money, you're SOL.

    If these individuals wanted protection, they should have paid a company that could provide it, rather than looking for the cheapest service possible. Yes, those options cost more. Wonder why?

    Wrong. It's not the same. Loss of service is very different than having your stuff stolen. Of course, until now hosting companies didn't have to worry about anything with any value being stolen or otherwise destroyed. You should have backups. And copies of the data on your machine don't really have a very quantifiable value in most cases.

    But now, it does. Changes the rules of the game a bit.

  5. Re:Newsflash on Linode Exploit Caused Theft of Thousands of Bitcoins · · Score: 1

    Well, the bank loses a whole ton, and they spread that loss among all their customers.

    In this case, none of Slush's customers are going to lose anything. So it's even better for them than if their Bank was robbed.

    If someone breaks into your home and steals all your jewelry and computer equipment, how much do you lose?

  6. I don't care if it's 'popular'. on Users Spend More Time On Myspace Than Google+ · · Score: 2

    The conversations I enjoy having are on Google+. I've never enjoyed the way people interact on Facebook, and I've never wanted to be there. I have an account there that I pay attention to as little as I can manage.

    LJ used to have those kinds of conversations. But that petered out after Six Apart bought them. Now it's Google+. And if it never becomes 'popular', I don't care, as long as it is popular enough that Google considers it worth having around. And of course, that's the rub.

    I don't like this whole cloud business at all. It's a broken model.

  7. Re:Headline is wrong on Faulty Cable To Blame For Superluminal Neutrino Results · · Score: 1

    After fixing the cable, they have not yet tried to reproduce their original results. I fully expect they will be able to, but they have not yet done so. They merely noted that under the prevailing model of how their system works, the faulty cable exactly accounts for the results they originally saw.

    So, while I expect that testing to make sure that the cable really was the problem will indeed reveal that the cable was the problem, that testing has not yet been done, and so it's possible their model for how their system works is wrong and the cable really isn't the problem.

    Of course, even afterward it might be possible that it's some other factor than the cable. But it (IMHO) becomes vanishingly unlikely.

  8. Headline is wrong on Faulty Cable To Blame For Superluminal Neutrino Results · · Score: 5, Insightful

    It should read "Faulty Cable Most Likely To Blame For Superluminal Neutrino Results". They haven't proved anything yet. They just found a problem that's very suggestive and they need to re-run the experiment after fixing/accounting for the problem.

  9. Re:This is pretty bad on 99.8% Security For Real-World Public Keys · · Score: 1

    I didn't read the paper, just guessed at the contents. And it doesn't surprise me that it's not optimal. I was posting it because it seemed there was a lot of disinformation that was being highly rated. I feel that what I posted was significantly less wrong, and gave people a better idea of the problem than the stuff I responded to.

    I believe though that I got the basic idea of what Lenstra is up to.

    I often find posts about cryptography to be extremely frustrating to read because of the complete lack of any kind of basic understanding of what the articles say or the consequences despite the fact that it's often quite clear.

  10. Re:This is pretty bad on 99.8% Security For Real-World Public Keys · · Score: 1

    This is all because the random numbers were bad random numbers. Not very random. The chances of properly generated 1024-bit RSA keys colliding are extremely tiny. Much, much smaller than 0.2%.

  11. Re:This is pretty bad on 99.8% Security For Real-World Public Keys · · Score: 5, Informative

    Does this mean that every key generated has a chance of rendering a previously existing key totally compromised? If that's the case, RSA is actually broken. There are only so many prime numbers, so as more keys are created, more keys will potentially be compromised. Please, tell me I'm wrong (using a car analogy if possible).

    It does indeed mean this. But if the keys chosen are really and truly random, the chances of this ever happening are astronomically tiny.

    But there are an infinite number of prime numbers. There's even a mathematical proof of this fact. :-)

    More practically speaking, the actual distribution of primes is one prime every x/ln(x) numbers. This means that for numbers that are 1024 bits long, one in every 1024 of them is prime. This effectively means that the space of possible 1024-bit primes is 2^1023 (the top bit must always be one) / 2^10 = 2^1013. The chances that any two randomly generated 1013 bit numbers are exactly the same is extremely small. So small that you'd have to generate one such number for every proton or neutron in the solar system before you even got close to entering the realm of writing down the percentage chance reasonably in non-exponent notation.

    So, no, this doesn't break RSA, even though what you say is true.

  12. Re:This is pretty bad on 99.8% Security For Real-World Public Keys · · Score: 4, Informative

    As an addendum, this means that anything that was encrypted with this public key may now be decrypted. It also means that any signature it's ever made is now suspect as anybody who knew about this problem could've made that signature.

    Of course, if someone is using a protocol that implements forward secrecy and just using the RSA key to sign a Diffie-Hellman exchange and then using the resulting key from that to encrypt their communications with a block cipher, they might be safe. Of course, the same bug might result in predictable Diffie-Hellman keys too.

    But any of those conversations may still have had a man-in-the-middle.

  13. This is pretty bad on 99.8% Security For Real-World Public Keys · · Score: 3, Informative

    It doesn't affect the security of RSA overall, but it strongly affects the security of certain keys, rendering them totally compromised.

    Think about it. A flaw in random number generation may well result in several people independently picking the same factor for their public key. Just run Euclid's GCD algorithm on all pairs of public keys, which is O(n^2 * m) where n is the number of keys and m is their average length. Poof, all the ones that managed to 'accidentally' share a factor with another one pop out with their factors since a public key is just two big prime numbers multiplied together. Game over for those keys.

    Steps to exploit:

    1. You scoop up all the public keys you can find. People generally publish them. They're public keys.
    2. You run GCD on each pair.
    3. You find they share a common factor and you win! Both keys are now completely and totally compromised. You know the secret key for both of them.
    4. Or... you find they share a common factor of 1. Oh, well, on to the next pair.

  14. Re:No security at all...? on 99.8% Security For Real-World Public Keys · · Score: 3, Informative

    They did find the underlying numbers. The article basically tells you exactly what they did. They mention Euclid's algorithm and for anybody who knows how RSA works, it's obvious what they did. And what they did would result in them discovering the underlying numbers directly.

  15. Re:No security at all...? on 99.8% Security For Real-World Public Keys · · Score: 4, Informative

    Steps:
    1. You scoop up all the public keys you can find. People generally publish them. They're public keys.
    2. You run GCD on each pair.
    3. You find they share a common factor and you win! Both keys are now completely and totally compromised. You know the secret key for both of them.
    4. Or... you find they share a common factor of 1. Oh, well, on to the next pair.

  16. Re:No security at all...? on 99.8% Security For Real-World Public Keys · · Score: 1

    And, in case you're still confused, this means that anything that was encrypted with this public key may now be decrypted. It also means that any signature it's ever made is now suspect as anybody who knew about this problem could've made that signature.

    Of course, if someone is using a protocol that implements forward secrecy and just using the RSA key to sign a Diffie-Hellman exchange and then using the resulting key from that to encrypt their communications with a block cipher, they might be safe. Of course, the same bug might result in predictable Diffie-Hellman keys too.

    But any of those conversations may still have had a man-in-the-middle.

  17. Re:No security at all...? on 99.8% Security For Real-World Public Keys · · Score: 2

    Flaw in random number generator + Euclid's algorithm = known factors for public keys = totally broken public key.

    Think about it. A flaw in random number generation may well result in several people independently picking the same factor for their public key. Just run Euclid's GCD algorithm on all pairs of public keys, which is O(n^2 * m) where n is the number of keys and m is their average length. Poof, all the ones that managed to 'accidentally' share a factor with another one pop out with their factors since a public key is just two big prime numbers multiplied together. Game over for those keys.
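
The pairwise GCD check described in comments 13, 15 and 17 above, written as an audit that a key owner or CA can run over the RSA moduli it is responsible for. This is an added example, not part of the original comments; the function name `audit_moduli` and the sample moduli (small products of Mersenne primes) are constructed for illustration.

```python
from itertools import combinations
from math import gcd


def audit_moduli(moduli):
    """Pairwise-GCD audit of RSA moduli (the O(n^2) approach from the comments).

    Returns (factored, duplicates):
      factored   -- {index: (p, q)} for each modulus that shares exactly one
                    prime with another modulus; such a key must be revoked
      duplicates -- [(i, j)] pairs whose gcd is a whole modulus, i.e. the same
                    key issued twice; no factor is revealed, but two holders
                    share one private key
    """
    factored, duplicates = {}, []
    for (i, n_i), (j, n_j) in combinations(enumerate(moduli), 2):
        g = gcd(n_i, n_j)
        if g == 1:
            continue                     # coprime pair: nothing learned
        if g == n_i or g == n_j:
            duplicates.append((i, j))    # identical modulus, not a shared prime
            continue
        factored[i] = tuple(sorted((g, n_i // g)))
        factored[j] = tuple(sorted((g, n_j // g)))
    return factored, duplicates


# Constructed toy data: Mersenne primes stand in for the large random primes
# of a real key so the numbers stay readable.
P31, P61, P89, P107, P127 = (2**k - 1 for k in (31, 61, 89, 107, 127))
SAMPLE_MODULI = [
    P61 * P89,    # 0: host A
    P31 * P127,   # 1: host B
    P61 * P107,   # 2: host C, bad RNG produced the same first prime as A
    P31 * P127,   # 3: host D, bad RNG produced B's entire key
]

if __name__ == "__main__":
    factored, duplicates = audit_moduli(SAMPLE_MODULI)
    for idx, (p, q) in sorted(factored.items()):
        print(f"modulus {idx} shares a prime: {p} * {q}")
    for i, j in duplicates:
        print(f"moduli {i} and {j} are identical")
```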

  18. I'm comfortable with MY machine knowing tons about me on Google Offering Cash For Your Cache · · Score: 1

    But I'm not so comfortable with Google knowing that much about me. We need cheap home servers that are always Internet connected and relatively secure, and the software to allow us to make use of them. This stuff shouldn't be sitting on Google's servers, it should be on our own.

  19. So, if they aren't material objects, what then? on Selling Used MP3s Found Legal In America · · Score: 2

    Why did the RIAA need them to be material objects under one law and not the other? What are the consequences if they are not considered 'material objects' under either law?

  20. Re:Amusing... on Cops Set Up Extortion Sting On Symantec's Source Code Thieves · · Score: 2, Interesting

    As an aside, the only people who believe that Anonymous is after money are people who have already sold out their ethics. Generally a big part of their self-justification for having done so is that 'everybody does it', and so the idea that Anonymous is in it for anything but the money would induce major cognitive dissonance.

    The tactic of trying to get your target to believe you want to extort them is a fantastic tactic for discovering people who deserve the kind of publicity it generates when you publish their willingness (and oftentimes eagerness) to be extorted. Unfortunately, I think sometimes Anonymous tries a bit too hard at this and there have been a couple of people they really badgered about it who truly weren't interested in the deal.

  21. Amusing... on Cops Set Up Extortion Sting On Symantec's Source Code Thieves · · Score: 3, Interesting

    Of course, anybody who's dealt with Anonymous knows they will try to get you to promise to sell out your customers or otherwise act in a way that's in your interests and detrimental to the interests of everyone you claim to 'protect'. They've done this multiple times. If I were an Anonymous target I would never agree to such a scheme because all that would happen would be that the conversation be published to make me look bad.

    Of course, having it be a 'police sting operation' is a great way to make it look like you weren't really going to sell out your customers. And who knows, maybe it's even true. And maybe all that source code really is for 'old versions'.

    But, the really incriminating evidence would be if there were emails showing that Symantec has been sponsoring or encouraging virus writers in some way. And I'm certain if Anonymous had that kind of evidence that it would be out in the open by now. So that means they don't. And maybe Symantec isn't as much of a sleaze bag company as I expected them to be.

  22. Re:"Addiction"?? on Study Finds Social Media Harder To Resist Than Cigarettes, Alcohol · · Score: 1

    That was my thought exactly. This is really stupid. "People need food, if they are deprived of it for awhile, they will go to amazing lengths to get it, sacrificing all kinds of important stuff!". Well, learning that social connections are nearly as important as food or water is really no surprise at all.

    If the study author has a problem with people's chosen forms of maintaining those social connections, maybe a study comparing and contrasting those might be in order. But to state "Oh, people go to amazing lengths to feed their need for social connection!" is about as insightful as noting that starving people crave food.

  23. Re:Everyone a specialist now on Trials and Errors: Why Science Is Failing Us · · Score: 1

    No... No matter what anybody thinks, hardly any of those are actually big-picture people. They like to make claims about it, but when it comes down to it, they're about how to manipulate people's motivations or micro-manage them. I've never seen a CEO who really understood their company as a large complex system.

    For that type 'big-picture' means being able to see some advantage that can be gleaned out of a large scale inefficiency that nobody has noticed yet, or a novel new barrier to entry that can be created. Sometimes you see a glimmer of understanding of the system as a whole, particularly in the inefficiency case, but it's not a persistent feature.

  24. Re:Everyone a specialist now on Trials and Errors: Why Science Is Failing Us · · Score: 5, Interesting

    I agree.

    I think we need to start focusing on systems theory. Many large systems share some very similar characteristics. We need people who are big picture people, who can see the forest for the trees. Of course, without knowing about the trees, a forest is something of a mystery. We need both kinds of people. But the usefulness of pure reductionism is at its end, and we need to recognize that and start taking a different approach to understanding.

  25. This is kinda neat on Sinclair ZX81 Made Out of Lego · · Score: 3, Interesting

    I used to own one of these. I soldered it together out of a kit when I was 11, with some help from my dad. I accidentally left the soldering iron against part of the case though, so there was a neatly melted hole there. :-)

    When we added the 16k RAM pack, we discovered that the power supply was stretched to its limit providing the current for all that. So he designed a new case out of wood and aluminum and also reverse-engineered the keyboard hookup and got a keyboard with actual moving keys from a local electronics parts shop. Unfortunately, there is now something wrong with how the tape jack is grounded, and it can't record on tape anymore. :-(

    I still have it though, 30 years later. The first computer I ever owned. I even have the sheets I made up collecting machine instructions by addressing mode (since they were listed by number in the manual) to make it easier to write machine language programs for it. I wrote my own binary multiplier since the ZX-80 chip doesn't have a multiply instruction.

    This lego thing is vaguely interesting. It's neat to see the familiar shape again. :-)