They MAY have a good idea, but we won't know until alot of other people try to break their encryption and fail.
Which is not going to happen because the authors haven't given any reason why anyone should care. We have lots of widely-deployed ciphers which are fast and secure. No one attacks modern cryptographic security systems by breaking the ciphers, they do it by exploiting peripheral flaws in implementation, key management, etc.
If you want to offer a new symmetric cipher, it needs to offer something more interesting than security. I think the most powerful characteristic that could be provided is simplicity, particularly if it not only makes the design transparent, but also facilitates verification of hardware and software implementations. Designed-in resistance against side channel attacks might be mildly interesting. Speed might be, but current ciphers are already very fast.
And, actually, we already have another approach which uses special hardware at each end, Quantum Cryptography, which can absolutely guarantee security, unless our understanding of the Uncertainty Principle is wrong. Or unless there are bugs in the physical implementation, which there have been...
Uh, those "bugs" you so conveniently dismiss here would be called the NSA.
Huh? None of the QC bugs so far discovered and reported appear to have any relationship with the NSA. I see a common temptation to attribute near-mystical powers to the NSA, and the resulting assumption that any security defect was caused by the agency. There's no doubt the NSA has done much to compromise available cryptographic security options, but they aren't everywhere, and -- more to the point -- good security is hard enough that plenty of mistakes are made without any NSA influence.
I don't know whether or not this idea actually works, or what level of security it may or may not provide, but it's addressing an already thoroughly-solved problem. It appears to provide a symmetric key cipher, which means -- regardless of how radical the approach may or may not be -- it's in direct competition with algorithms like AES and the multitude of other well-respected and heavily-researched block and stream ciphers. The abstract and summary mention "an unlimited number of possibilities for a shared encryption key", but existing algorithms already provide enormous key spaces.
Of course, some cryptanalytic breakthrough could provide a way to break all existing ciphers, but who's to say the same breakthrough wouldn't impact systems based on this idea. And, actually, we already have another approach which uses special hardware at each end, Quantum Cryptography, which can absolutely guarantee security, unless our understanding of the Uncertainty Principle is wrong. Or unless there are bugs in the physical implementation, which there have been, and I see no reason that this "Dynamic Systems Coupling" approach wouldn't be subject to the same kinds of problems.
Link to the video? I'll see if there's a way to escalate this issue internally. No guarantees, but it's worth a shot. Also, can you provide a succinct and factual summary of the sequence of events and the relationship with the publisher? Something I can include in the bug report.
There are two distinct part of SSL/TLS; encryption and authentication. In this case it's only the authentication portion that has an issue, not the encryption portion.
Unauthenticated public key encryption is useless against an active attacker (one able to modify traffic, rather than just eavesdrop on it).
There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).
Huh? Even for SSMTP, certificates can -- and must! -- be checked.
Google believes in a panopticon world in which anonymity and the right to privacy has disappeared.
This is false. Yes, yes, Eric Schmidt said things to that effect a few times; perhaps he does believe it. But Larry Page does not, nor do the vast majority of Google engineers who actually make the decisions about what Google does. It's also worth pointing out that the Buzz mistakes led to Google signing an FCC consent decree which includes regular third-party privacy audits, with serious penalties for failing.
It 's a cute toy but I don't see how anyone would want to juggle devices with it to watch tv for any length of time.
Because most people don't have a smartphone nearby when they're watching TV? For me, using Chromecast reduces device juggling because I don't need a remote -- and my phone is always on me anyway.
Chromecast needed a "source" to transfer video from, like a tablet, smartphone or computer.
Casting from a Chrome tab means the computer is acting as a video source, but in most usage modes the tablet or phone is just acting as a controller; the Chromecast streams the content from the Internet.
I saw a guy text-walking in a parking lot, he nearly hit by a prius which was in low speed electric mode. (yeah that is a user problem, but the guy wouldn't have walked in front of a glass-packed V8 mustang.)
This is why my Nissan LEAF has a speaker in the driver's side wheel well, which makes noise whenever the car is moving at less than 20 mph. The noise isn't engine noise, it's a better noise that sweeps a broader spectrum of the audible range to help ensure that even people whose hearing misses certain frequencies can hear it. It also sounds space-agey, which tends to get peoples' attention even better than engine noises.
It is a simple thing to teach your children that actions have consequences.
Certainly it is simple to teach. That doesn't mean they'll learn.
Getting a child that's "an angel" may sometimes happen by luck, but happens much, much more because parents taught good lessons at an early age.
This does not match my observation, at all. I know lots of great parents with troubled kids, and lots of terrible parents with great kids. And a lot of parents (like me) with some of each, even though all were taught the same. Not that it in any way reduces parents' responsibility to teach, but I've come to the conclusion that nature has a lot more influence than nurture.
There's a very simple path to take with disobedient children
I see you're also not a parent. Not that parents shouldn't teach their children, but there's nothing simple at all about it. Each child is different and needs to be understood and taught appropriately. Parenting is the most difficult thing you'll ever do. Unless you luck out and get an angel, as the GP says... which does happen from time to time, but luck is what it is.
But it asks for the test to be made at the output.
No, the text you quoted asks for the test to be made at n-bit block generation, not output. And I'd say for n greater than, say, 40, any incidence of consecutive identical blocks indicates, with very high probability, that the RNG is broken. I do think the clause is odd, though, and can't think of any good reason to have it in there.
low speed is not a virtue in a RNG like it is in a crypto alg
FYI, low speed isn't a virtue in a crypto algorithm, either. This is true whether by "crypto algorithm" you mean "cipher" or "secure hash". Really, the only context in which poor performance is a virtue is password hashing, and you can always make a slow hash out of a fast one by iterating it.
I have two friends, one who worked for Google and another for Apple. Both left Engineering and went into the Accounting sector because they were untouchable by anyone.The only jobs they would get interviewed for were paying half what they used to make at small shops with virtually no health benefits.
I don't buy it. I work for Google and not only am I headhunted to an almost ridiculous degree by firms large and small, I know plenty of other Google engineers who've left the company to work for others, including a couple who didn't arrange a new job before they left, choosing instead to just take a few months off. I also know a number of Apple engineers and none of them have any trouble finding other jobs, either.
Likely they wouldn't. Doing the statistics properly would be extremely expensive.
Yes, it is. On the other hand, it's just as expensive to employ all of those high-priced actuaries and not have them do the statistics properly. And they have them on staff, lots of them. I have a few friends who work in that industry -- doing the statistics you say don't get done.
They may have done the statistics a long long time ago, for at least the last several decades, they have been adusting their policy rates of pure gut instinct.
This would imply there's a ripe opportunity for an insurance company to use actual numbers to set their rates, and be more profitable, at lower premiums, than their competitors. But I'm sure none of them would want to do that.
I'm not sure if it's a majority, but I do have a fundamental problem with anyone who puts their own religious freedom in front of anyone else's rights.
I'm not really interested in debating this deeply, so I'll let you have the last word, but the above is a remarkably shallow characterization of the views of many of the opponents of gay marriage. In general, I find that is the way that most really strongly held views on common disputes arise: by not only failing to understand the other's position, but actually misinterpreting it, effectively setting up a strawman which is simple and hateful enough to be easily despised.
I don't think we're talking about a simple difference of opinion here.
That's your opinion.
Okay, I'm being a little snarky, but, seriously, if it's not a difference of opinion what is it? We're talking about an issue about which the nation is pretty deeply divided, and it's not really a boolean question, either. There is a whole range of opinions. The implication of your statements is that you consider opposition to gay marriage such a hateful position that those who hold it must be bad people, with whom you cannot associate in any capacity, even if the association has nothing to do with that question. That means that you consider a majority of Americans to be said "bad people". Perhaps you should reconsider your various relationships with all of them? Perhaps you shouldn't be a resident of the United States (assuming you are) since the majority nationwide opposes gay marriage?
FWIW, I opposed prop 8 and think the fight against gay marriage is silly and doomed, because there's simply no justification for it under the 14th amendment. Personally, I'd rather just get government out of the business of recognizing marriage in any form, but if we're not going to do that there's no way to refuse homosexual marriage. Nor polygamy, for that matter.
Modern currencies usually are not backed by anything except the force of billions of people and nation states that have all decided that these are a way to store value.
And, at the end of the day, even the opinion of the nation states is meaningless if the people stop believing.
I guess the population could wake up tomorrow and decide funny green artwork on paper is not worth a thing, but odds are very very low for that happening.
Agreed.
As for BitCoin, this is a weird niche idea that could evaporate any second.
While the odds of that are hugely greater than the odds of people deciding dollars are no longer worth anything, I don't think evaporation is at all likely. Time will tell.
Gold is something I can hold in my hand. It will NEVER be worth nothing - it has value in industrial processes and making wedding rings.
Sure, but on the other hand, how would you like to exchange your gold for an equal weight of aluminum -- which is also not worth nothing, but until the late 19th century was more valuable than gold. . Or silicon, which is also valuable in industrial processes, particularly in the manufacture of semiconductors, but only after tremendous work has been done to purify it?
The fact that some physical substance always has some utility doesn't mean all that much. The actual industrial value of gold is not nothing, but neither is it all that large. Further, it's possible that in the not too distant future we could be mining gold from asteroids and shipping millions of tons of it per year to Earth. Or we could find a cost-efficient and safe way to manufacture gold, by transmuting other metals. Or we could just become better at finding it and digging it up. In any of those scenarios, dramatically-increased supply will cause the value to fall, probably even more dramatically, since much of gold's current price is driven by the expectation that it will always be valuable and evidence that that is untrue will quickly erase the speculative drivers of gold's current high price.
About the only thing I can think of which truly has intrinsic value is energy, since it is the necessary input to all productive processes. It's hard to store in a vault, though, physical or electronic.
They MAY have a good idea, but we won't know until alot of other people try to break their encryption and fail.
Which is not going to happen because the authors haven't given any reason why anyone should care. We have lots of widely-deployed ciphers which are fast and secure. No one attacks modern cryptographic security systems by breaking the ciphers, they do it by exploiting peripheral flaws in implementation, key management, etc.
If you want to offer a new symmetric cipher, it needs to offer something more interesting than security. I think the most powerful characteristic that could be provided is simplicity, particularly if it not only makes the design transparent, but also facilitates verification of hardware and software implementations. Designed-in resistance against side channel attacks might be mildly interesting. Speed might be, but current ciphers are already very fast.
Yes, and simplistic one-liners are the fool's tool.
Many snark. Few information.
And, actually, we already have another approach which uses special hardware at each end, Quantum Cryptography, which can absolutely guarantee security, unless our understanding of the Uncertainty Principle is wrong. Or unless there are bugs in the physical implementation, which there have been...
Uh, those "bugs" you so conveniently dismiss here would be called the NSA.
Huh? None of the QC bugs so far discovered and reported appear to have any relationship with the NSA. I see a common temptation to attribute near-mystical powers to the NSA, and the resulting assumption that any security defect was caused by the agency. There's no doubt the NSA has done much to compromise available cryptographic security options, but they aren't everywhere, and -- more to the point -- good security is hard enough that plenty of mistakes are made without any NSA influence.
I don't know whether or not this idea actually works, or what level of security it may or may not provide, but it's addressing an already thoroughly-solved problem. It appears to provide a symmetric key cipher, which means -- regardless of how radical the approach may or may not be -- it's in direct competition with algorithms like AES and the multitude of other well-respected and heavily-researched block and stream ciphers. The abstract and summary mention "an unlimited number of possibilities for a shared encryption key", but existing algorithms already provide enormous key spaces.
Of course, some cryptanalytic breakthrough could provide a way to break all existing ciphers, but who's to say the same breakthrough wouldn't impact systems based on this idea. And, actually, we already have another approach which uses special hardware at each end, Quantum Cryptography, which can absolutely guarantee security, unless our understanding of the Uncertainty Principle is wrong. Or unless there are bugs in the physical implementation, which there have been, and I see no reason that this "Dynamic Systems Coupling" approach wouldn't be subject to the same kinds of problems.
So... meh.
Link to the video? I'll see if there's a way to escalate this issue internally. No guarantees, but it's worth a shot. Also, can you provide a succinct and factual summary of the sequence of events and the relationship with the publisher? Something I can include in the bug report.
There are two distinct part of SSL/TLS; encryption and authentication. In this case it's only the authentication portion that has an issue, not the encryption portion.
Unauthenticated public key encryption is useless against an active attacker (one able to modify traffic, rather than just eavesdrop on it).
There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).
Huh? Even for SSMTP, certificates can -- and must! -- be checked.
Google believes in a panopticon world in which anonymity and the right to privacy has disappeared.
This is false. Yes, yes, Eric Schmidt said things to that effect a few times; perhaps he does believe it. But Larry Page does not, nor do the vast majority of Google engineers who actually make the decisions about what Google does. It's also worth pointing out that the Buzz mistakes led to Google signing an FCC consent decree which includes regular third-party privacy audits, with serious penalties for failing.
It 's a cute toy but I don't see how anyone would want to juggle devices with it to watch tv for any length of time.
Because most people don't have a smartphone nearby when they're watching TV? For me, using Chromecast reduces device juggling because I don't need a remote -- and my phone is always on me anyway.
Chromecast needed a "source" to transfer video from, like a tablet, smartphone or computer.
Casting from a Chrome tab means the computer is acting as a video source, but in most usage modes the tablet or phone is just acting as a controller; the Chromecast streams the content from the Internet.
This is quite old news, why is slashdot only picking up on it now?
Slashdot picked it up on March 4th, actually. This is a dupe.
The impact of this bug does not compare to the goto fail bug.
Agreed.
I saw a guy text-walking in a parking lot, he nearly hit by a prius which was in low speed electric mode. (yeah that is a user problem, but the guy wouldn't have walked in front of a glass-packed V8 mustang.)
This is why my Nissan LEAF has a speaker in the driver's side wheel well, which makes noise whenever the car is moving at less than 20 mph. The noise isn't engine noise, it's a better noise that sweeps a broader spectrum of the audible range to help ensure that even people whose hearing misses certain frequencies can hear it. It also sounds space-agey, which tends to get peoples' attention even better than engine noises.
So... how do you explain parents who have some well-behaved and some ill-behaved children, even though they were all taught the same?
You were lucky.
It is a simple thing to teach your children that actions have consequences.
Certainly it is simple to teach. That doesn't mean they'll learn.
Getting a child that's "an angel" may sometimes happen by luck, but happens much, much more because parents taught good lessons at an early age.
This does not match my observation, at all. I know lots of great parents with troubled kids, and lots of terrible parents with great kids. And a lot of parents (like me) with some of each, even though all were taught the same. Not that it in any way reduces parents' responsibility to teach, but I've come to the conclusion that nature has a lot more influence than nurture.
There's a very simple path to take with disobedient children
I see you're also not a parent. Not that parents shouldn't teach their children, but there's nothing simple at all about it. Each child is different and needs to be understood and taught appropriately. Parenting is the most difficult thing you'll ever do. Unless you luck out and get an angel, as the GP says... which does happen from time to time, but luck is what it is.
But it asks for the test to be made at the output.
No, the text you quoted asks for the test to be made at n-bit block generation, not output. And I'd say for n greater than, say, 40, any incidence of consecutive identical blocks indicates, with very high probability, that the RNG is broken. I do think the clause is odd, though, and can't think of any good reason to have it in there.
low speed is not a virtue in a RNG like it is in a crypto alg
FYI, low speed isn't a virtue in a crypto algorithm, either. This is true whether by "crypto algorithm" you mean "cipher" or "secure hash". Really, the only context in which poor performance is a virtue is password hashing, and you can always make a slow hash out of a fast one by iterating it.
I have two friends, one who worked for Google and another for Apple. Both left Engineering and went into the Accounting sector because they were untouchable by anyone.The only jobs they would get interviewed for were paying half what they used to make at small shops with virtually no health benefits.
I don't buy it. I work for Google and not only am I headhunted to an almost ridiculous degree by firms large and small, I know plenty of other Google engineers who've left the company to work for others, including a couple who didn't arrange a new job before they left, choosing instead to just take a few months off. I also know a number of Apple engineers and none of them have any trouble finding other jobs, either.
I'd be a months pay that no one at Google has any intention of using this anywhere in the real world
I'll take that bet. What proof of intention would you accept?
Likely they wouldn't. Doing the statistics properly would be extremely expensive.
Yes, it is. On the other hand, it's just as expensive to employ all of those high-priced actuaries and not have them do the statistics properly. And they have them on staff, lots of them. I have a few friends who work in that industry -- doing the statistics you say don't get done.
They may have done the statistics a long long time ago, for at least the last several decades, they have been adusting their policy rates of pure gut instinct.
This would imply there's a ripe opportunity for an insurance company to use actual numbers to set their rates, and be more profitable, at lower premiums, than their competitors. But I'm sure none of them would want to do that.
I'm not sure if it's a majority, but I do have a fundamental problem with anyone who puts their own religious freedom in front of anyone else's rights.
I'm not really interested in debating this deeply, so I'll let you have the last word, but the above is a remarkably shallow characterization of the views of many of the opponents of gay marriage. In general, I find that is the way that most really strongly held views on common disputes arise: by not only failing to understand the other's position, but actually misinterpreting it, effectively setting up a strawman which is simple and hateful enough to be easily despised.
I don't think we're talking about a simple difference of opinion here.
That's your opinion.
Okay, I'm being a little snarky, but, seriously, if it's not a difference of opinion what is it? We're talking about an issue about which the nation is pretty deeply divided, and it's not really a boolean question, either. There is a whole range of opinions. The implication of your statements is that you consider opposition to gay marriage such a hateful position that those who hold it must be bad people, with whom you cannot associate in any capacity, even if the association has nothing to do with that question. That means that you consider a majority of Americans to be said "bad people". Perhaps you should reconsider your various relationships with all of them? Perhaps you shouldn't be a resident of the United States (assuming you are) since the majority nationwide opposes gay marriage?
FWIW, I opposed prop 8 and think the fight against gay marriage is silly and doomed, because there's simply no justification for it under the 14th amendment. Personally, I'd rather just get government out of the business of recognizing marriage in any form, but if we're not going to do that there's no way to refuse homosexual marriage. Nor polygamy, for that matter.
Charisma is a dump stat...
... in games designed by people with low Charisma.
Modern currencies usually are not backed by anything except the force of billions of people and nation states that have all decided that these are a way to store value.
And, at the end of the day, even the opinion of the nation states is meaningless if the people stop believing.
I guess the population could wake up tomorrow and decide funny green artwork on paper is not worth a thing, but odds are very very low for that happening.
Agreed.
As for BitCoin, this is a weird niche idea that could evaporate any second.
While the odds of that are hugely greater than the odds of people deciding dollars are no longer worth anything, I don't think evaporation is at all likely. Time will tell.
Gold is something I can hold in my hand. It will NEVER be worth nothing - it has value in industrial processes and making wedding rings.
Sure, but on the other hand, how would you like to exchange your gold for an equal weight of aluminum -- which is also not worth nothing, but until the late 19th century was more valuable than gold. . Or silicon, which is also valuable in industrial processes, particularly in the manufacture of semiconductors, but only after tremendous work has been done to purify it?
The fact that some physical substance always has some utility doesn't mean all that much. The actual industrial value of gold is not nothing, but neither is it all that large. Further, it's possible that in the not too distant future we could be mining gold from asteroids and shipping millions of tons of it per year to Earth. Or we could find a cost-efficient and safe way to manufacture gold, by transmuting other metals. Or we could just become better at finding it and digging it up. In any of those scenarios, dramatically-increased supply will cause the value to fall, probably even more dramatically, since much of gold's current price is driven by the expectation that it will always be valuable and evidence that that is untrue will quickly erase the speculative drivers of gold's current high price.
About the only thing I can think of which truly has intrinsic value is energy, since it is the necessary input to all productive processes. It's hard to store in a vault, though, physical or electronic.