That could be made to work fine. Understand what you're protecting. In this case root keys in a HSM in a server in a secured room.
E.G. For a CA, the only things you need to ask of the server is "Sign this and return the cert". So have a wire protocol that only lets you ask that and limits side channel attacks, E.G. by quantizing ask and response timing.
The thing you're protecting is the thing that should be behind the limited interface. The UI can swim with the sharks. You need a different set of rules for humans, that are well matched to the needs and behaviors of humans.
But if the air gap is your first line of defense, don't put humans inside it. That's when air gaps are evil.
I've never seen air gaps done in a way that enhances security. They could be used well, but I simply don't see it happening.
Well there were lots of options. I clicked on the one with C++ in it.
Either way, $999 or $3999 is a barrier to me using their products. I could use it in production, but in production I'm going to use the tools that I'm fluent in because they're free and so I get to use them everywhere.
I was questioning TFA, because it implied that Embarcadero was cheap/free. It isn't.
I took a quick took at their website. It looks quite scammy, they only talk about how much you will save, not about how much it will cost. After clicking through the buy-now buttons twice, I found the C++ version was $4000.
>Do you even have the slightest idea how key signing works? I have deployed a real CA. The sort with an armed guard on the door. I also wrote the software. The fact I wrote the software (to verify the spec could work - I also wrote the cert profile spec and the security protocol that uses it) is what got me the deploying job. So yes.
I'm talking about establishing a root cert for a CA in an X.509 based PKI. Not GPG or any other sort.
>Those people are key signing parties? _Those_ people are not air-gapped, and 99% of the time they're downloading everyone's key off the internet and everyone's just wandering by and confirming their hash.
Not that. I'm talking about vendor, implementer and 'third parties' paid to oversee the process filing into the server room while someone installs the software on a blank server, runs the scripts to make the cert, runs a script to make the NofM unlock keys which are handed to the responsible parties, takes a copy of the root cert on some media and then every files out again.
PGP key signing parties are completely different and arguably a lot more resilient than X.509 PKIs.
1) Now, they do have to get the key from somewhere
Yes, a good RNG. I happen to know where you can find one of those.
>and now... 20+ years later on... do we still enjoy it?
That depends on what it is. When I'm developing new techniques in DFx, cryptography, automated code generation and other things, I'm happy as a pig in shit. When I'm messing around adapting my designs to yet another stupid variant of a bus interface, I would happily outsource it to Kazakhstan.
If you count each base pair as 2 bits, there is about 1.5GBytes in the human genome. But you also need to count the methylated base pairs, which it appears the worst case would add up to another 50%.
I'd like a copy of my full genome because 1) I'm a geek. 2) As new knowledge about new parts of the genome appears, I will be sure to have those parts sequenced. 3) The sequencing is a bit error prone (1% for the previous generation of sequencers according to by google search). With the full sequence it would be easy to correct errors with a couple more sequences when it gets cheaper.
>What are the procedures 23andme is supposed to use to calibrate and test their equipment?
Reference DNA sequences for humans are available.
To calibrate your sequencer you just need to observe that the delta rate with respect to a reference sequence is within expected limits for differences between any two humans and there isn't a systematic bias in the error rate.
When you buy a sequencer, calibration is part of the deal, like any expensive bit of test equipment.
People work around the system. I get my blood tests done for a fraction of the cost at the doctor's office by booking it at walkinlabs.com. A paid off doctor in nowheresville robosigns it and I walk into a testing lab nearby, where a woman who does nothing but pulls blood all day, pulls my blood. She never misses. I get the results emailed to me a few days later.
If I'm going to the doctor, I take my latest results in. However I follow the research and I get the tests I want (NMR lipoprofile, CRP and HbA1c) which tell me more useful things about my health than the standard cholesterol tests, like LDL size and number, glycation levels and inflammation status.
The only way that this is different is that Walk in labs decided to put a robosigning doctor in the loop so the FDA couldn't complain.
I'm going to have to build an OBD ii dongle to site between the dongle and the car, projecting and image of a perfect driver. It'll sell like hotcakes.
>How do you know that you weren't created 10 minutes ago, with your knowledge already in place? If you listened to the first half of the Sean Carroll talk on Boltzmann brains, why didn't you listen to the second half that explains why it isn't probable.
I'm better than my wife at cooking. But she's got a PhD and I haven't. Graduate studies impede culinary skill.
That could be made to work fine. Understand what you're protecting. In this case root keys in a HSM in a server in a secured room.
E.G. For a CA, the only things you need to ask of the server is "Sign this and return the cert". So have a wire protocol that only lets you ask that and limits side channel attacks, E.G. by quantizing ask and response timing.
The thing you're protecting is the thing that should be behind the limited interface. The UI can swim with the sharks. You need a different set of rules for humans, that are well matched to the needs and behaviors of humans.
But if the air gap is your first line of defense, don't put humans inside it. That's when air gaps are evil.
I've never seen air gaps done in a way that enhances security. They could be used well, but I simply don't see it happening.
Well there were lots of options. I clicked on the one with C++ in it.
Either way, $999 or $3999 is a barrier to me using their products. I could use it in production, but in production I'm going to use the tools that I'm fluent in because they're free and so I get to use them everywhere.
I was questioning TFA, because it implied that Embarcadero was cheap/free. It isn't.
I took a quick took at their website. It looks quite scammy, they only talk about how much you will save, not about how much it will cost.
After clicking through the buy-now buttons twice, I found the C++ version was $4000.
That makes sense. Thank you.
>Do you even have the slightest idea how key signing works?
I have deployed a real CA. The sort with an armed guard on the door. I also wrote the software.
The fact I wrote the software (to verify the spec could work - I also wrote the cert profile spec and the security protocol that uses it) is what got me the deploying job.
So yes.
I'm talking about establishing a root cert for a CA in an X.509 based PKI. Not GPG or any other sort.
>Those people are key signing parties? _Those_ people are not air-gapped, and 99% of the time they're downloading everyone's key off the internet and everyone's just wandering by and confirming their hash.
Not that. I'm talking about vendor, implementer and 'third parties' paid to oversee the process filing into the server room while someone installs the software on a blank server, runs the scripts to make the cert, runs a script to make the NofM unlock keys which are handed to the responsible parties, takes a copy of the root cert on some media and then every files out again.
PGP key signing parties are completely different and arguably a lot more resilient than X.509 PKIs.
1) Now, they do have to get the key from somewhere
Yes, a good RNG. I happen to know where you can find one of those.
>and now... 20+ years later on... do we still enjoy it?
That depends on what it is. When I'm developing new techniques in DFx, cryptography, automated code generation and other things, I'm happy as a pig in shit. When I'm messing around adapting my designs to yet another stupid variant of a bus interface, I would happily outsource it to Kazakhstan.
It was a real question.
If you count each base pair as 2 bits, there is about 1.5GBytes in the human genome. But you also need to count the methylated base pairs, which it appears the worst case would add up to another 50%.
I'd like a copy of my full genome because 1) I'm a geek. 2) As new knowledge about new parts of the genome appears, I will be sure to have those parts sequenced. 3) The sequencing is a bit error prone (1% for the previous generation of sequencers according to by google search). With the full sequence it would be easy to correct errors with a couple more sequences when it gets cheaper.
No one takes you seriously if you have a Yahoo email, even if you work for Yahoo.
The Yahoo staff need Eudora to get things done.
Missing link here.
http://www.genome.gov/images/content/cost_per_genome_apr.jpg
An NIH study shows the cost per genome for sequencing genomes with reference sets is about $8000 in 2013.
So what are they doing for $99?
>What are the procedures 23andme is supposed to use to calibrate and test their equipment?
Reference DNA sequences for humans are available.
To calibrate your sequencer you just need to observe that the delta rate with respect to a reference sequence is within expected limits for differences between any two humans and there isn't a systematic bias in the error rate.
When you buy a sequencer, calibration is part of the deal, like any expensive bit of test equipment.
Random number generators are super useful.
>In a doctor's office, the doctor receives some statistical training to aid in the interpretation and presentation of these error probabilities.
I can guarantee that my grasp of statistical inference is better than my doctor's. She couldn't anover herself out of a paper bag.
People work around the system. I get my blood tests done for a fraction of the cost at the doctor's office by booking it at walkinlabs.com. A paid off doctor in nowheresville robosigns it and I walk into a testing lab nearby, where a woman who does nothing but pulls blood all day, pulls my blood. She never misses. I get the results emailed to me a few days later.
If I'm going to the doctor, I take my latest results in. However I follow the research and I get the tests I want (NMR lipoprofile, CRP and HbA1c) which tell me more useful things about my health than the standard cholesterol tests, like LDL size and number, glycation levels and inflammation status.
The only way that this is different is that Walk in labs decided to put a robosigning doctor in the loop so the FDA couldn't complain.
>I've done the 23andMe testing and it has been of value.
Do they sequence your nuclear DNA and give you a 2Gbyte file? Or do they scan for a whole bunch of markers and tell you which ones hit?
I'd quite like the file.
Maybe it's how pigs communicate. Or this: https://www.facebook.com/pigradio
There isn't a lint for Slashdot.
It's a meat product made from pig.
I'm going to have to build an OBD ii dongle to site between the dongle and the car, projecting and image of a perfect driver. It'll sell like hotcakes.
Improbably things sometimes happen more frequently than expected, like Dragon Kings http://prl.aps.org/pdf/PRL/v111/i19/e198701
I should be writing code. Not farting around on Slashdot.
>How do you know that you weren't created 10 minutes ago, with your knowledge already in place?
If you listened to the first half of the Sean Carroll talk on Boltzmann brains, why didn't you listen to the second half that explains why it isn't probable.
You don't have to turn up the noise level. Just run quieter symbols for longer and add bucketloads of FEC.
Enough energy per bit to do what needs doing.
Two words: Walsh codes