Slashdot Mirror


User: cain

cain's activity in the archive.

Stories: 0
Comments: 406

Comments · 406

  1. Re:Get snippy with me will you? on Italian Phone Taps Spur Encryption Use · · Score: 1

    Yeah, this type of misunderstanding sure seems to happen more online than in person. I think the lack of realtime feedback contributes to the problem, as well as a more confrontational environment.

    And just what the hell do you mean by that?

    Heh.

  2. Re:Get snippy with me will you? on Italian Phone Taps Spur Encryption Use · · Score: 1

    This shouldn't be so hard. Let me give an illustration.

    The problem is that we both think we're right. And we are. But we are both wrong as well.

    We're in progress of an active MITM attack. Fraudulent key exchange has already been made, and the 2 parties think they're talking to each other. The sender sends 00110011, which is encrypted with his private key. You decrypt with his public key, encrypt with your private key, and send 11100011 to the recipient. You have to admit that 00110011 is different from 11100011. You have changed the data. You have to admit that. Data doesn't care if it is encrypted or not. Data is data.

    You are right that the data on the wire is different. I am right that the data on the endpoints is unchanged; the data received at both ends (once unencrypted) is the same. The data is both modified and not modified depending on when you look at it. Thus our confusion.

    RE: the passive vs. active man in the middle attack. Again, I think we are both right and both wrong. We have different definitions of passive or active. The definition I was using of active is a man in the middle that modifies the (unencrypted) data during transport. Your definition of active is decrypting/reencrypting the data. I see that as "passive." The (unencrypted) data is not modified, thus it is a passive attack.

    It is important to understand the difference between an active and passive MITM

    I do - it's you who doesn't. :) We are both right and both wrong because we are using different definitions. As is usually the case when people argue.

    Meh.

  3. Re:Windows "power shell"? on Windows PowerShell in Action · · Score: 1

    Better is the enemy of good.

  4. Re:Get snippy with me will you? on Italian Phone Taps Spur Encryption Use · · Score: 1

    I was pointing out MITM needs to modify the data. It needs to perform key substitution. It is utterly unlike a standard phone tap. Just being able to evesdrop (sic) on the conversation is not enough. Your post was completely wrong.

    How does key substitution "modify the data"? The man in the middle decrypts the data (voice data). Saves it, listens to it, etc, then re-encrypts it (the exact same data) and sends it to the ultimate recipient. The data is not modified at all, yet the man in the middle has overheard the traffic, "tapping" the line without the knowledge of either party. Sounds like a phone tap to me.

    There were other comments talking about an active MITM attack, granted. This type of attack will work, although there are various countermeasures against it. Your comment was not talking about an active MITM. It was talking about a passive MITM, where no data modification is made.

    I believe I know what my post referred to, I wrote it. Perhaps you are confused or reading something that is not there? Please show me where it "was talking about a passive MITM".

  5. Re:Key Exchange? on Italian Phone Taps Spur Encryption Use · · Score: 1

    First you say it is not true, and yet you explain how it can be done, and that PKI is designed to solve this exact problem.

    But PKI is not "public key cryptography"! PKI is a mechanism for ensuring that public keys are authenticated, that the public key that you use actually belongs to the person (or entity) that you think it does. If it was true that you could simply exchange public keys in the clear over an untrusted network, there would be no need for PKI. PKI exists because your assertion is false.

  6. Re:Key Exchange? on Italian Phone Taps Spur Encryption Use · · Score: 1

    Wrong.

    You seem pretty sure of yourself there mister.

    A passive MITM would only know both public keys, which are public. It wouldn't know either private key.

    If you refer to the start of the thread, you'll see that we are talking about a man in the middle which intercepts the initial sharing of public keys (and substitutes his own). In that case, he most certainly does have the private keys associated with the public keys - as they are his keys.

    Do try to keep up.

  7. UAC? on Microsoft Says Other OSes Should Imitate UAC · · Score: 1

    Microsoft wants other OSs to accidentally open a gateway to hell while doing bio-medical research?

    Err, ok - whatever. I guess they want to share with others as they are so proud of their own?

  8. Re:Key Exchange? on Italian Phone Taps Spur Encryption Use · · Score: 1

    Heh. Yeah, that's a good idea. And it would work, too. You'd have to be able to identify the person on the other end, though. Which means it would not be applicable for strangers. What percentage of calls is that? I've no idea.

  9. Re:Key Exchange? on Italian Phone Taps Spur Encryption Use · · Score: 1

    I don't know why this is modded informative when it is simply not true. Public keys cannot be exchanged in the clear over an untrusted communications channel securely. Public keys exchanged over an untrusted communications channel must be authenticated before they are used. This is the entire problem that PKI attempts to solve.

  10. Re:Key Exchange? on Italian Phone Taps Spur Encryption Use · · Score: 1

    There is no reason the man in the middle needs to modify the data. Just being able to evesdrop on the conversation may be enough, just like a tap on a standard phone.

  11. Re:Key Exchange? on Italian Phone Taps Spur Encryption Use · · Score: 1

    Let's say A goes to send B his key, but it's intercepted by C, and C sends B a modified key (man in the middle attack). Then B will not be able to initiate communication with A because the key won't match. This is how and why PKE works. If it was possible to capture and send a modified key and have the conversation still function then PKE wouldn't be very useful, would it?

    But this is exactly what they are claiming. If you don't trust the network, you may not get A's key if you use the untrusted network to transmit the key. A sends the key to B via untrusted network. C intercepts A's key and inserts his own. B uses key to initiate conversation with A, via the untrusted network. C intercepts the transmission and does a classic man in the middle: B -- C -- A where A and B think they are talking to each other, but they are actually talking to C.

    You should not use an untrusted medium to deliver public keys. (Unless you confirm the key's fingerprint with the other party like ssh does.)

  12. Re:And this is how... on Encouraging Students to Drop Mathematics · · Score: 1

    ...all wear green, and Delta children wear khaki. Oh no, I don't want to play with Delta children. And Epsilons are still worse. They're too stupid to be able to read or write. Besides, they wear black, which is such a beastly colour. I'm so glad I'm a Beta. Alpha children wear grey. They work much harder than we do, because they're so frightfully clever. I'm really awfully glad I'm a Beta, because I don't work so hard. And then we are much better than the Gammas and Deltas. Gammas are stupid. They...

  13. Re:... and the number 1 "Internet Crime" on Top 10 Internet Crimes of '06 · · Score: 1

    How long will you be here? Say - can you recommend anything off the menu?

  14. Re:Second Amendment Rights on Many Dead In Virginia Tech Shooting · · Score: 1

    Do you have some reputable reference to cite in support of this statement?

    Nope. Annoying, huh? It's not exactly an experiment I'd want to get scientific data on, either. I know that college is a generally stressful time though, and people under stress do irrational things. And with a gun it only takes a momentary lapse of reason, a momentary impulse, to do very bad things.

  15. Re:Second Amendment Rights on Many Dead In Virginia Tech Shooting · · Score: 1

    Shootings would be much more frequent if everyone carried guns, especially on school grounds.

  16. Re:Interesting, but... on Building Brainlike Computers · · Score: 1

    My name is Eliza. Get it straight, dude.

  17. Re:Interesting, but... on Building Brainlike Computers · · Score: 2, Funny

    Hawkins' book On Intelligence is interesting reading.

    Please go on.

    There are a lot of good ideas in there.

    Would you like it if they were not a lot of good ideas in there?

    From my perspective as an AI / neuroscience researcher, the main weakness in his approach is that he only thinks about the cortex, whereas many other brain structures, notably the basal ganglia, are increasingly becoming implicated as having a fundamental role in intelligence.

    Why do you say your perspective as an ai neuroscience researcher the main weakness in his approach is that he only thinks about the cortex whereas many other brain structures notably the basal ganglia are increasingly becoming implicated as having a fundamental role in intelligence?

    This quote from the article is telling:

    Please go on.

    Well, my goal is to build machines that pass the Turing Test, so I have to think about more than cortex.

    Why do you mention computers?

    But more generally, one might wonder how much of intelligence it is possible to capture with a system that "doesn't have desires, motives, or intentions of any kind".

    Does that question interest you?

  18. Eliza: on Building Brainlike Computers · · Score: 1

    Why do you mention computers?

  19. ObComment on Apple Ships 8-Core MacPro · · Score: 1, Funny

    Imagine a single Beowulf machine of this!

  20. Let's Review on PowerPoint Bad For Learning · · Score: 1

    Power Point Sucks

    • Duh
    • No Shit
    • Tell Me Something I Don't Know

  21. Shiny! on Serenity Trounces Star Wars · · Score: 2, Funny

    Shiny!

  22. Re:Outed as a Lying Jerk on Maker of Anti-Clinton Video Outed, Loses Job · · Score: 1

    He framed the video as coming from Obama: the woman running to smash the screen has the Obama logo on her shirt. That was what caused people to believe it came from Obama, as it also says in the articles linked from the story summary.

    If they are "official", political ads are required by law to identify who paid for them. The video does not have that. Simply ending it with a web site address is not even close to looking like an official ad. There would need to be "I'm politician Joe Q. Public and I approve this message".

    I'm willing to call the fired/quit as a toss up. It is, as you say, a "he said/she said" argument which does not have enough data to prove either way.

    So it's 1 to 1. But only 'cause I'm in a good mood.

  23. Re:Outed as a Lying Jerk on Maker of Anti-Clinton Video Outed, Loses Job · · Score: 1

    De Vellis was fired because he made a video attacking Clinton, fraudulently crediting it to the Obama campaign, while the Obama campaign was an actual (if tangential) customer where he actually works.

    He was not fired.

    It did not pretend to be from the official Obama campaign.

    0 for 2. Wanna try again?

  24. Re:Yeah on Law Student Web Forum: Free Speech Gone too Far? · · Score: 0, Redundant

    The technical name for the phenomenon is John Gabriel's Greater Internet Fuckwad Theory.

  25. Re:Let's look at the change log on Source Control For Bills In Congress? · · Score: 2, Insightful

    "Now Sen. Specter (R-PA) says his staff was responsible for inserting that US Attorney provision into the Patriot Act. He didn't know anything about it until Sen. Feinstein (D-CA) told him about it."

    linky linky linky