How about top-of-the-line Pentium3 CPUs? 1.5GHz definitely means a P4 or a similar Celeron, but weren't the 1.x GHz P4 cpus actually slower than high end P3 CPUs?
So I'm wondering if DOOM3 would work on a high-end P3 system as I have a dual CPU P3 system with a GeForce FX 5200 card.
Even if you do have the public key for verification, you can not break the system if it is properly implemented as determining the public key to -make- that signature is a very hard problem.
Key pair encryption? Reverse engineer the software, and then do a man in the middle attack, poof, you've either got the encrypted data, or at least another key.
You can't just reverse-engineer the software as you say, or do a man-in-the-middle attack and get the -decrypted- data or keys.
Reverse-engineering of crypto-algorithms (by that I suppose you mean breaking/cracking them as if you want to know their implementation, the source code and algorithms of the popular crypto ciphers are widely published) such as RSA is an impossible problem as it stands today. It could also be implemented in hardware which will clear itself of its code and data if you try to open and find its contents.
I disagree with it TheGavster. It must have been some primitive form of signing firmware updates. With modern crypto you can't logic probe your way around and break crypto. It is a hard math problem. Even if you do have the public key for verification, you can not break the system if it is properly implemented as determining the public key to -make- that signature is a very hard problem.
What can be done is probably modify the firmware by programming the flash memory directly, which needs access to tools which the average consumer doesn't have. Even this is stopped in some implementations of hardware crypto today where the device is rendered unusable if tampering happens. Although this is used to protect keys in such devices it can be used for other reasons too.
It'll take some time for such hardware to become popular, but it'll happen sometime if digital rights management is taken up by corporations strongly.
DRM systems are broken in minutes, sometimes days. Rarely,
months. It's not because the people who think them up are stupid.
It's not because the people who break them are smart. It's not
because there's a flaw in the algorithms. At the end of the day,
all DRM systems share a common vulnerability: they provide their
attackers with ciphertext, the cipher and the key. At this point,
the secret isn't a secret anymore.
I am going to state a counterpoint purely from a technical stance (my stance on DRM is not pro- or anti- as I still have a lot to learn). It is possible for the key to remain a secret, even if it is in the hands of the consumer. Right now apps such as iTunes have it in software. You can generate keypairs and store keys in a medium analogous to that used in smart-cards, in the player hardware such that if it is ever tampered with to get the key, the key itself is destroyed. The hardware would probably be the sound-card or the speaker system if it is digital where the decoding of the compressed audio would take place. Yes this is not available now, but there's a good chance of such systems coming into operation.
Also like somebody in the MPEG committee recently said, the job of such DRM systems is not to put off the super clever guy who can break the system anyway... most systems are breakable. The plan is to put off the average consumer who may drag himself/herself into investigating the use of copyrighted content illegally if software and tools are available to *easily* circumvent such content-distrbution-restriction systems.
Right now, to crack iTunes songs using a software program is super-easy because of easy availability of easily-usable software. Hardware systems will likely be much harder to crack if implemented properly (every tried cracking an iButton?). The key-pair can be generated by the hardware in question and can be used only by that hardware and the user will have no access to the private key. Tampering with the hardware will destroy the key.
Unlike cracking the firmware (example: DVD firmware is 'patched' before update to play multi-region DVDs) the device may require the firmeware to be cryptographically signed by the vendor before it accepts it, hence voiding the ability to tamper with it.
Of course, we have a long way to go before such hardware is designed and adopted.
You have a point. There are devices however such as from iRiver which can play Ogg Vorbis and the winning encoder/codec in the Slashdot story AoTuV seems to be just an encoder fork which is bitstream compatible with Ogg Vorbis.
You are right. But it is very possible for this situation to happen where every one of the machines through which your data is routed is compromised, or rather controlled.. I am not trying to say it for argument's purpose or as a paranoid case:-).. but if some body (government or otherwise) is trying to track you, they can. It's possible to change a many-hop freenet route to a force-routed path if you have your implementation at the front compromised.
Re:Holy fuck.... this is stupid all around
on
Safe and Insecure?
·
· Score: 2, Insightful
Maybe we shouldn't draw analogies..
Think of a Windows PC as a home. The home has a door and the windows PC has some means of network administration. There's a vulnerability in it and viruses take advantage of it. Who are we going to hold responsible? The user may say that they didn't know such a vulnerability existed.. similar to saying that part of the door is broken and it just needed to be pushed in to open it but the person didn't know about it.. with things like default passwords, it's similar to having no-lock but just a handle to turn to open the door.
Computer networks are usually a different ballgame where people get away. Or every one of the infected windows networks which ever DoS other networks can be held liable.
Take access points for example.. every single access point which has 802.11b and uses WEP without 802.1x or something similar is vulnerable. The majority of access points are even setup to run opensystem.
How can you trust the software/network you know which is out there as "FreeNet" which actually keeps you anonymous as it is supposed to? It is not possible to trust that the software which others have got does what it is supposed to do.
This is one of the problems even DRM faces. Manufacturers can't trust their own deployed software as these can be patched/cracked to bypass restrictions.
Even with strong cryptography, it's just not possible to trust an implementation which is in another's hands.. with end-to-end encryption you can possibly protect the content of data, but you may not be able to protect its source/destination unless you trust each and every node out there and have absolute control over it to keep it trusted.
Even with strong encryption, there are a lot of ways of exploiting the implementation.
Like someone said, it's almost impossible to write anything these days without infringing on some patent or the other.
With JPEG 2000, they are atleast offering the use of all known and declared patents associated with the standard for use royalty-free. That's good enough for implementations except for purists.
We don't think those patent termination cases are inherently a bad idea, but nonetheless they are incompatible with the GNU GPL.
Patent termination is likely a good idea in these times although it is not technically compatible with version 2 of the GNU GPL license. This does not mean the ASF is in any way evil. It will make sense if you read the new Apache license. Maybe even the GNU GPL should adapt patent litigation based termination as a clause in the future.
Why does the USPS in this case have to authenticate each and every individual? It seems to be a timestamping service, which means they sign our documents' message digests. Doesn't this mean we have to authenticate the USPS (say as a stored trusted certificate in client software)? They don't need to care about the identity of each an every individual if they only want to say such a document existed at such a time and we verified it.
Slashdot Mirror
According to Microsoft, this limitation `helps [users] stay organized and reduces confusion.'
Microsoft's new product: MS-DOS Reloaded?
Charlie Chaplain?
So, it is the bad programmers' fault, eh?
Will it install Linux?
So where's the Frog?
How about top-of-the-line Pentium3 CPUs? 1.5GHz definitely means a P4 or a similar Celeron, but weren't the 1.x GHz P4 cpus actually slower than high end P3 CPUs?
So I'm wondering if DOOM3 would work on a high-end P3 system as I have a dual CPU P3 system with a GeForce FX 5200 card.
Remember what Boris the Blade did to Frankie Four-Fingers cause he attached the suitcase to his arm?
Does thee get tempted with EtherPEG or Driftnet?
Sorry I meant private key there.
You can't just reverse-engineer the software as you say, or do a man-in-the-middle attack and get the -decrypted- data or keys.
Reverse-engineering of crypto-algorithms (by that I suppose you mean breaking/cracking them as if you want to know their implementation, the source code and algorithms of the popular crypto ciphers are widely published) such as RSA is an impossible problem as it stands today. It could also be implemented in hardware which will clear itself of its code and data if you try to open and find its contents.
You have a good point that once a copy is cracked and in the open, it's already unprotected. I don't know how they would counter that.
Watermarking can be used to stamp content with the recipient's identity, but there are many counter-algorithms out there to destroy such watermarks.
I disagree with it TheGavster. It must have been some primitive form of signing firmware updates. With modern crypto you can't logic probe your way around and break crypto. It is a hard math problem. Even if you do have the public key for verification, you can not break the system if it is properly implemented as determining the public key to -make- that signature is a very hard problem.
What can be done is probably modify the firmware by programming the flash memory directly, which needs access to tools which the average consumer doesn't have. Even this is stopped in some implementations of hardware crypto today where the device is rendered unusable if tampering happens. Although this is used to protect keys in such devices it can be used for other reasons too.
It'll take some time for such hardware to become popular, but it'll happen sometime if digital rights management is taken up by corporations strongly.
I am going to state a counterpoint purely from a technical stance (my stance on DRM is not pro- or anti- as I still have a lot to learn). It is possible for the key to remain a secret, even if it is in the hands of the consumer. Right now apps such as iTunes have it in software. You can generate keypairs and store keys in a medium analogous to that used in smart-cards, in the player hardware such that if it is ever tampered with to get the key, the key itself is destroyed. The hardware would probably be the sound-card or the speaker system if it is digital where the decoding of the compressed audio would take place. Yes this is not available now, but there's a good chance of such systems coming into operation.
Also like somebody in the MPEG committee recently said, the job of such DRM systems is not to put off the super clever guy who can break the system anyway... most systems are breakable. The plan is to put off the average consumer who may drag himself/herself into investigating the use of copyrighted content illegally if software and tools are available to *easily* circumvent such content-distrbution-restriction systems.
Right now, to crack iTunes songs using a software program is super-easy because of easy availability of easily-usable software. Hardware systems will likely be much harder to crack if implemented properly (every tried cracking an iButton?). The key-pair can be generated by the hardware in question and can be used only by that hardware and the user will have no access to the private key. Tampering with the hardware will destroy the key.
Unlike cracking the firmware (example: DVD firmware is 'patched' before update to play multi-region DVDs) the device may require the firmeware to be cryptographically signed by the vendor before it accepts it, hence voiding the ability to tamper with it.
Of course, we have a long way to go before such hardware is designed and adopted.
Your wish just came true. Check out the JNode project.
You have a point. There are devices however such as from iRiver which can play Ogg Vorbis and the winning encoder/codec in the Slashdot story AoTuV seems to be just an encoder fork which is bitstream compatible with Ogg Vorbis.
You are right. But it is very possible for this situation to happen where every one of the machines through which your data is routed is compromised, or rather controlled.. I am not trying to say it for argument's purpose or as a paranoid case :-).. but if some body (government or otherwise) is trying to track you, they can.
It's possible to change a many-hop freenet route to a force-routed path if you have your implementation at the front compromised.
Maybe we shouldn't draw analogies..
Think of a Windows PC as a home. The home has a door and the windows PC has some means of network administration. There's a vulnerability in it and viruses take advantage of it. Who are we going to hold responsible? The user may say that they didn't know such a vulnerability existed.. similar to saying that part of the door is broken and it just needed to be pushed in to open it but the person didn't know about it.. with things like default passwords, it's similar to having no-lock but just a handle to turn to open the door.
Computer networks are usually a different ballgame where people get away. Or every one of the infected windows networks which ever DoS other networks can be held liable.
Take access points for example.. every single access point which has 802.11b and uses WEP without 802.1x or something similar is vulnerable. The majority of access points are even setup to run opensystem.
How can you trust the software/network you know which is out there as "FreeNet" which actually keeps you anonymous as it is supposed to? It is not possible to trust that the software which others have got does what it is supposed to do.
This is one of the problems even DRM faces. Manufacturers can't trust their own deployed software as these can be patched/cracked to bypass restrictions.
Even with strong cryptography, it's just not possible to trust an implementation which is in another's hands.. with end-to-end encryption you can possibly protect the content of data, but you may not be able to protect its source/destination unless you trust each and every node out there and have absolute control over it to keep it trusted.
Even with strong encryption, there are a lot of ways of exploiting the implementation.
The MD5SUMs are cryptographically signed using the Fedora project's PGP key.
Just why is the parent post marked flamebait? It makes perfect sense.
Like someone said, it's almost impossible to write anything these days without infringing on some patent or the other. With JPEG 2000, they are atleast offering the use of all known and declared patents associated with the standard for use royalty-free. That's good enough for implementations except for purists.
We don't think those patent termination cases are inherently a bad idea, but nonetheless they are incompatible with the GNU GPL.
Patent termination is likely a good idea in these times although it is not technically compatible with version 2 of the GNU GPL license. This does not mean the ASF is in any way evil. It will make sense if you read the new Apache license. Maybe even the GNU GPL should adapt patent litigation based termination as a clause in the future.
This's going to make a lot of those odd google-in-one hits :-)
I am sorry. It may be that the USPS is also verifying the identity of the "customer" who is getting the document signed.
Why does the USPS in this case have to authenticate each and every individual? It seems to be a timestamping service, which means they sign our documents' message digests. Doesn't this mean we have to authenticate the USPS (say as a stored trusted certificate in client software)? They don't need to care about the identity of each an every individual if they only want to say such a document existed at such a time and we verified it.