Slashdot is like a nocoiner HQ... they really want bitcoin to go away and stop trammeling their lawn.
The problem you are facing is more that sysadmin as a career is fading away to be replaced by devops.
Linux is easy enough to admin that Linux IT departments were always a fraction of the size of the Windows departments.
Now that most linux admin work is scripted/automated, Linux IT jobs are all but non-existent.
Windows IT jobs may last a bit longer, but as you can see, not much.
> is not PGP or GnuPG that is at fault here
They are at fault for violating the "enc then mac" principle.
They should not return decrypted content of tampered messages, and if they didn't, the gadget weakness would not exist.
This is absolutely a crypto issue in addition to an email client issue.
> The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.
Apparently that's wrong; it seems that the core vulnerabilities lie inside the use of the gpg and smime protocol implementations themselves.
In particular, the lack of a valid message digest, and the default behavior of returning decryption results (or even attempting decryption) when the digest is invalid is the core problem.
If tampered encrypted payloads are detected, *decryption must not be attempted*.
It seems over gnupg is vulnerable to this attack.
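The encrypt-then-MAC rule the posts above argue for, as an added example that is not from the original thread and not GnuPG's code: a verify-before-decrypt path beside the decrypt-then-warn path they criticise. The cipher is a stand-in keystream built from HMAC-SHA256 (constructed so the example runs on the Python standard library alone); the key, nonce and message are constructed test values.

```python
import hashlib, hmac, os

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master: bytes):
    # Separate encryption and MAC keys derived from one master key (constructed scheme)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stands in for the block cipher so the
    # example needs nothing outside the standard library.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(master: bytes, plaintext: bytes, nonce=None) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, never the plaintext.
    enc_key, mac_key = derive_keys(master)
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def split(blob: bytes):
    return blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]


def decrypt_verify_first(master: bytes, blob: bytes):
    # Hardened path: verify the tag over the ciphertext before touching the plaintext.
    # A tampered message yields no plaintext at all, which is what the posts call for.
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = split(blob)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "rejected: integrity check failed, decryption not attempted"
    return xor(ct, keystream(enc_key, nonce, len(ct))), "ok"


def decrypt_then_check(master: bytes, blob: bytes):
    # Weak path the posts criticise: decrypt unconditionally, then report the failed
    # check while still handing the attacker-influenced plaintext back to the caller.
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = split(blob)
    pt = xor(ct, keystream(enc_key, nonce, len(ct)))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if hmac.compare_digest(tag, expected):
        return pt, "ok"
    return pt, "warning: integrity check failed, plaintext returned anyway"
```

Flipping a single ciphertext byte is enough to see the difference: the hardened path returns no plaintext, the weak path returns a modified message with only a warning attached.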
Portuguese missionaries devised the quoc ngu.
The main reason it took over was not French influence so much as the fact that most people were illiterate, so it would be their first written language, and the fact that it was simple and much more suited to their language than Chu Nom.
Let's make this a fair comparison:
> So, if we keep raiding your bank account, that will make things better for you? Sounds like a good plan.
So long as when you are done raiding the same amount is left in the account as before.
Copyright is the same way: "copies" are made, originals are not damaged or removed.
"Money laundering" isn't even a crime on its own. It's a bullshit pile-on crime latched on to a normal crime.
* stealing
* breathing while stealing
* having a heartbeat while stealing
> Child sex trafficking: bad
> Prostitution: not bad. Get with the times USA, It's legal elsewhere.
If the feds suspected this, why are they arresting website owners and not the sex traffickers?
> So, you're saying if the Feds with probable cause and warrants raid some organized crime's money-laundering front company, that company should be allowed to keep on operating until the case has gone to trial and the responsible individuals are found guilty?
Yes. Why should they get to destroy a legitimate business based on a hunch?
Do we issue the electric chair to murderers before they are found guilty?
Bruce, you would do well to actually read a bit about JavaScript before just guessing. Async/await is just syntactic sugar over promises. Promises are just an easy-to-grok syntax for async FSMs.
Threading has been thoroughly trounced by async programming. It took a long time for people to realize it, but those of us who have been 100% async in C for decades know exactly why node.js is booming: because it does not offer threading or blocking, so it forces people to write somewhat performant code. My biggest gripes with async are that the local disk is still not truly async down to the kernel level even with IO_NONBLOCK.
And FWIW, async IO is easier in JS because the entire pool of core and 3rd-party libraries you find are all written to be async. JS never had to overcome the trauma of blocking and threading, and leaves no blocking landmines lying about. All the other popular scripting languages and Java are burdened with synchronous programming concepts.
> Schneier
Not all of Schneier's works have been broken yet, and many crypto algorithms have only been broken due to small key sizes, and not due to cryptanalysis.
> Physicists call this "maximum entropy"
I suspect entropy actually favors the cryptographer. After all, there is more order in a message decoded than in the random noise of an encrypted message never decoded.
> In cryptography, as in crime, one side has an almost insurmountable advantage.
Right now that advantage rests with the encrypter. It's far easier to devise a new crypto algorithm that won't be broken for a few years than to break one. Each cryptanalysis is a work of brilliance, even if the crypto code itself is uninspired and simple.
In this case, we are talking about a historical attack: looking up old bitcoin or monero transactions some time after they had been used and trying to discern some order from them. If they have been used correctly, such as the way SSL does PFS, wherein the keys used at the time are only ever used once and then forgotten, it becomes impossible to glean any record of past transactions unless you were party to them.
In the case of something like a crypto currency, for a sufficient number of nodes in the past, given sufficient graph connectivity, there is plausible deniability and connectivity to nearly all other active nodes.
That said, I do believe monero in particular is weak, but I expect Maxwell's upcoming design for bitcoin will be stronger.
That's exactly how markets are supposed to work, and it is a good thing.
So you know better than the Uber drivers, and you are a better human being than they are, so you should be able to tell them what they can and cannot do with their time?
If someone wants to drive for Uber or Lyft, that is their choice, and who are you to step in the middle and tell them it's for their own good? What gives you the gall to do that?
What other relationships do you think you should get involved in? Perhaps people's eating habits? You can go around to restaurants and tell people what they are allowed to eat? Maybe you can interfere in dating next, and tell people what type of sex they can have?
All that given - they seem remarkably better at driving, amiability, and showing up on time than regular liveried taxis.
So legalize drugs and solve that problem.
> I'm dubious that there is a legitimate need for cryptocurrency.
Most likely this means you know very little about how money works, and how the technology we use to track value has stagnated.
Remember when Mr. Stoll wrote his famous essay about how there could be no possible application of the internet, since daily newspapers, TV, and the local stores did everything better?
That's where you are now.
Maybe it's not so bad; companies are supposed to solve problems and make money, not worry about some sort of silly virtue signaling. They should hire engineers who are a net positive value.
The truth is that there isn't much value in engineers below a certain level; they cost more to babysit than they are worth in terms of problems solved.
The good news is you can get to this elusive "senior" level all on your own. Software is an open book today: all the material to learn anything you want is out on the internet for free, and you can build a public portfolio on GitHub easily.
There is a surplus of sub-par engineers who want to easy-mode through their careers doing the minimum. It's only basic economic logic that companies wouldn't hire for that. They want people who are going to earn money by creating value instead.
> Cryptocoins are burning cycles for the sake of it.
Nonsense; the fact that you don't understand the value is not the same as the value not existing.
I suspect crypto mining reduces energy use for finance, and does not increase it.
> If Rex is a chicken, then he is a bird.
> Rex is not a bird.
> Therefore, Rex is not a chicken.
Uh, that's actually the contrapositive. It's not only not a fallacy, it's foundational logic.
Perhaps you should read the very top of the Wikipedia page you linked:
> In propositional logic, modus tollens (or modus tollendo tollens and also denying the consequent) (Latin for "the way that denies by denying") is a valid argument form and a rule of inference.
> is a valid argument form
is a valid argument form
> And the bank writing it off destroys money.
It does not, it only destroys the debt.
Think about it: the loaned dollars could be in cash form, converted to liquid commodities or simply deposited in another bank.
> Yes, of course a property that encourages distribution of computing resources is bad for a distributed system.
A system which resists the creation of effective hardware does not prevent centralization, it actually increases it in the long run.
There is no way to prevent ideal hardware from being created, but the barrier to entry is higher. It still happens in the end, and you get a far more centralized system than you do with a very straightforward ASIC-compatible PoW.
Crypto currency technology is like crack to the Dunning-Kruger crowd. ASIC resistance in all its guises is a dead end, and so is proof of stake and plenty of other pyrite technologies in this space. And yet you get so many people opining about them from a position of entrenched ignorance...
> Fractional reserve means they only have to keep (reserve) a fraction of the deposits on hand. A bank still cannot print and loan money it doesn't have
Reserve ratios are just a cap on exactly how much money they can print. If loans get repaid, they can create a theoretically infinite amount of money. Likewise, if a loan is forgiven, the limit is also easily broken, because the destruction mechanism is skipped and the loaned amount becomes permanent.
What is the obsession with ASIC resistance? That is an utterly pointless attribute of a crypto currency, and only makes them weaker.
> And as humans mostly base our capitalist endeavour on pure greed and having as much as possible. That means that without rules you have only bad apples managing to stay afloat,
This is the stupidest thing I've ever seen on Slashdot. That is the exact opposite of how capitalism works.
The funny thing is they are still missing the boat. The slashdot fogey skepticism is no different in the 10K range now than it was in the 1k range, nor than it will be in the 100K range.
Other than the total collapse of the dollar, I don't know what it will take to wake them up... the geeks of yesteryear became the luddites of the present day.
JavaScript is actually much better for high performance back-end applications than many languages.
The core event loop and processing model is very much the way you would write a C/C++ process based on libevent or similar epoll loops. This is extremely common for high performance programming, especially with interfaces where your process gets interrupted mostly on network or storage. It's far less important for blind batch jobs, but can be very important for response batch jobs.
So it's far easier to write high performance JS than it is to do so in Java or Python. In fact, I would probably RAD in JS, and only re-implement in C if I absolutely had to squeeze out the most performance from the iron. There is almost no use case for Java serverside anymore. It's just too slow.