Re:Get Facts Straight. on XML Turns 5 · Score: 1
Well, I guess it all depends on how you "add" up the numbers, eh?
If you address each letter individually, or vaguely attempt to address it as a whole.
Yet, if I say IIIV, it is not 2 in Roman numerals. It's just a really messed up number.
large-scale implies for me so many users that if a bug is found, it would be near impossible to "patch" all of the machines.
As well, large-scale also implies that key-distribution must be reliant on PK, since all other methods are too difficult to do or easy to intercept (ie. the opponent may have a copy of your code and can just "look up" the key).
Excellent point on this
"And there's never any point in keeping your algorithms or protocols secret. Publish them far and wide."
This I agree with fully, and is what I mean by obscurity not being that useful. Some companies use obscurity to cover for bad algorithms or bad implementations. This is what I agree is very bad.
I'm not sure what you could do in a situation where patching and obscurity are both impossible.
To be honest, there's not much you can do at all in this situation. (I have been in one.) It's very difficult to set up a key on two computers with a high enough entropy that both sides know, and isn't distributed in an easily interceptable way. Examples of doing this include asking the user for a long password that is used to randomly generate a key, but the password's entropy just isn't really that high for most users. (Unless you put incredible controls on it.) As well, if the system is ever compromised, you have to redistribute a key, and well.. it's just not fun at all.
PK provides a way around this, but even then, the requirement of TTPs and other methods to handle MITM attacks makes the whole ordeal very very painful.
Patching is possible, but as soon as you allow for patching, you allow for other types of attacks that are again not very good to have around (incl. variations on MITM attacks).
The most important fact about security I have realized with my experience is that if the enemy wants your information enough, they'll get it, and there isn't much you can do to prevent it. So, you have to make a "risk assessment" or as I put it a "judgement call" on whether or not the risk of losing that data is too high. If so, then alternatives need to be thought up.
I am interested to hear where you've got all of your experience in cryptography and security, as you obviously are very experienced in the field.
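An added illustration of the point in the comment above about keys generated from a user's password (this code is not part of the original comments): the derived key is always 256 bits long, but the work needed to find it is bounded by the password's entropy plus the stretching cost. The character-pool estimate is an optimistic upper bound, and the iteration count, salt and sample passwords are constructed for the example.

```python
import hashlib
import math
import string

KEY_BITS = 256          # length of the derived symmetric key
ITERATIONS = 100_000    # PBKDF2 work factor (assumed value for this example)

# A password is charged for every character pool it draws from.
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")


def pool_size(password: str) -> int:
    """Size of the alphabet the password appears to be drawn from."""
    size = sum(len(pool) for pool in POOLS if any(ch in pool for ch in password))
    # Characters outside every pool (e.g. non-ASCII) are counted one by one.
    size += len({ch for ch in password if not any(ch in pool for pool in POOLS)})
    return size


def entropy_upper_bound(password: str) -> float:
    """Bits of entropy IF every character were chosen uniformly at random.

    Human-chosen passwords fall well below this bound, so a low result is
    conclusive while a high result is not.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the password into a KEY_BITS-long key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BITS // 8)


def effective_key_bits(password: str, iterations: int = ITERATIONS) -> float:
    """Upper bound on the search effort for the derived key, in bits.

    Guessing passwords costs one KDF run per guess (about log2(iterations)
    extra bits); guessing the key directly costs KEY_BITS. The cheaper of
    the two is what the key is worth.
    """
    stretched = entropy_upper_bound(password) + math.log2(iterations)
    return min(float(KEY_BITS), stretched)


def min_random_length(target_bits: float, alphabet_size: int,
                      iterations: int = ITERATIONS) -> int:
    """Shortest uniformly random password that reaches target_bits of effort."""
    needed = max(0.0, target_bits - math.log2(iterations))
    return math.ceil(needed / math.log2(alphabet_size))


def report(passwords, salt):
    """Return (password, key length in bits, effective bits) for each password."""
    rows = []
    for pw in passwords:
        key = derive_key(pw, salt)
        rows.append((pw, len(key) * 8, round(effective_key_bits(pw), 1)))
    return rows


if __name__ == "__main__":
    # Constructed salt so the run is repeatable; use os.urandom(16) in practice.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    samples = ["summer2003", "k3v9q0xw7m2t5h8b1n6c4z0r"]  # constructed samples
    for pw, key_bits, eff in report(samples, salt):
        print(f"{pw!r}: key is {key_bits} bits long, worth at most {eff} bits")
    print("random chars needed for 128 bits, 95-symbol alphabet:",
          min_random_length(128, 95))
```

Both sample keys come out 256 bits long; only the second is worth more than 128 bits, and only if its characters really were generated at random.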
I am emphasizing with cryptography on the internet (which uses mainly PK systems), as well I am emphasizing products which are distributed on a large scale basis.
Very true about the threat models, etc. Personally though, I believe that the algorithms or protocols are vital for a system to be secure. As well, as policies relating to the software on the system. Obscurity is good if the system isn't distributed large scale.
So, with my viewpoint of a large scale distribution of a software product that requires security over a medium such as the internet. My initial statement that security through obscurity is useless is accurate.
But, with your viewpoint of more smaller scale distributions, it does make sense to use these other techniques to improve the security of the system.
You are accurate in that I think as an academic, but I have worked in the security field as well, and I am well aware of the "less interesting stuff" that is definitely needed to maintain a high enough level of security. I am just of the group of thought that tries to make the system secure, even if the worst case scenario happens. (Which includes the "opposition" acquiring the software and thus destroying the obscurity of the product.)
Obscurity is good in the sense that you shouldn't go out and advertise exactly what you do, but you shouldn't just assume the opponent doesn't know. That's my feelings on the situation.
MITM attacks are easy to mount under many, many scenarios. If your data isn't worth the effort of a MITM attack, it's probably not worth the effort of reading. If your system isn't secure against MITM, it's not secure. Period.
Again, very true. I am just commenting on how common and easy MITM attacks are and how often people don't consider them as part of the "equation" so to speak.
A secure system has to be secure against MITM, using TTPs or any other methods. But, I just say that in the absolutely worst case scenario, if you might lose the data due to a MITM attack (even with TTPs, or other types, look at the IE bug that allowed a MITM attack on SSL), and it is important that the data isn't lost. You should completely reconsider the system you are setting up, and see if there is a better way to do it.
Very true, but my point was more on the fact that using security through obscurity is not the most effective way for security, and that rather you need to use proper algorithms. If you decide to obscure this after the point, that's your own business, but a determined opponent will _always_ be able to break through your obscurity.
On the MITM point...
ah... yes... I hate these bugger MITM attacks, they are so hard to protect against. So, this is where common sense comes into play. You still have to assume that the key can be easily discovered, and then judge from there whether or not the data you are protecting is worth setting up a MITM attack on (for your enemies.) If it is, then you should reconsider the security as a whole.
Won't even be at this show. They are too busy elsewhere.
Personally, the idea of a hacking competition is interesting, but it would have to be done over a long period of time, and set up more like a war game than a boxing match.
Skr1p7 k1dd13s treat hacking as a boxing match. Real hackers are far more efficient and skilled at it.
An idea for a real hacking competition (Almost like capture the flag): Two sides to the fight, different locations for both. One side will have multiple targets, the other side will have multiple attackers.
The goal of the attackers will be to get specific files from the targets, using any technique desired. (Including Social Engineering) The goal of the defenders will be to catch/name/etc the attackers, and thus completely neutralize them.
Do this over a course of a month or a year, and make a TV show with the highlights of battle. Now that would be excellent viewing.
** NOTE: the term hacker above can also be translated as cracker for those who are offended by this use of the term hacker, thank you **
this encryption is only theoretical. By the time we can implement it, we may already be able to break it.
Actually, this has become considerably less theoretical over the last decade. Working models proving that this is possible have been constructed. Norway is one example.
As well, mathematically it is equivalent to a one-time pad. So I don't think there will be any "obvious" way to break it. IE. a mathematically sound way. There might be social engineering ways of doing it, or perhaps even ways of taking over the target machine and just reading the decrypted data.
But the encryption itself, since it is basically a one-time pad, is unbreakable.
Of interest though, the only major problem preventing large-scale implementation of this system is the distance the "key" can travel successfully with a respectable error rate. As well, if a way were discovered to do this without fiber-optics. I can guarantee you that the satellites in orbit would use this system since it can't be "captured" easily.
Identity fraud is a big ticket business, and while I agree that everyone should be able to track their history, etc online. I know for a fact that credit cards etc usually only ask for birthdates and mother's maiden names as passwords. Even then, If your whole tree, and intimate details of your life are available online for anyone to see. Then you are a prime and easy target for identity fraud.
If you want to be a target, in the name of the "free internet." All power to you. I personally would rather keep some privacy and security to my life.
Everyone here is freaking out because this is another way to track people, and man it's a blatantly obvious one. But do you really believe that the techies and people working at the RIAA are that stupid? Like really?
The RIAA wouldn't do something so obviously usable as a tracking method and then deny it. They didn't in the past. When they were violating your rights, they were up right and in your face about it. That's why so many people despise them. They don't try to hide what they do.
I think this may be a legit way for them to just track for internal records and all, and yes, I am pretty sure they as well as you have thought about the possibility of tracking individual downloaders with this. But like someone already said.
MP3 -> Wave -> MP3 , no more tracking code.
Or even better
Clean CD -> MP3 , No tracking code.
I think that logic would be clear to anyone. Including the RIAA.
The sky isn't falling, the RIAA is just playing some games.
I am under attack by a massive army of acronyms! No more! No more!
ummm...
X = 10
M = 1000
L = 50.
10 + 1000 + 50 = 1060
That's not 1040... Maybe if you do a permutation, you'd have
MXL or XLM both of which could add up to 1040... but X + M + L = 1060.
Sorry, it just doesn't work.
P2P with PGP...
;-)
I mean, like I could see in a corporate fax how 2 looks like G, but really...
The problem is with Quantum that you can't really tell when that photon arrives since it will appear to be like any other photon that randomly arrives at that location, as well as soon as you "observe" that photon, it is destroyed.
The photon is not instantly teleported. All that is happening is that you can create a perfect replica of the original (so much so that it is indistinguishable from the original, and thus is the original) at that location. You need the information though obtained when you observe the original and thus destroy the original.
I know what you are saying, I thought the same thing when I first read about quantum teleportation. Yet, when I read more about it, I discovered, like most things in QM, that my intuition was wrong. The photon may "instantly appear" at that location, but since you don't have the proper information, you cannot observe it. It's weird, but it's just QM.
If you want I can direct you to some more primary source material related to this. If so, just tell me and I'll dig up some old bookmarks and journals of mine.
If Iraq just runs those networks off of the common infrastructure (Ie. Not on the Internet as a whole). What the hell is the States going to do to hack it? They could use SocEng to get numbers and passwords, etc. But at that point they may as well use SocEng to achieve their objectives.
I think some people think Hackers can do far more than they really can. They are just technically adept, and (sometimes) quality social engineers, nothing more. They can't change the laws of physics. If the network isn't connected to anything you can connect to (and if you owned an entire country that wouldn't be too hard to set up.), then you can do dick from the states to that infrastructure.
If the network is wired up to the internet and these holes exist that could be taken advantage of, then the people setting up the network need to seriously consider wtf they are doing. You don't put primary infrastructure on the internet even with high security. You are just asking for trouble at that point.
Canada shouldn't be in that list. We have not officially supported the US led war for Oi/H/H/H/H/H/H on Iraq thus far. It is going to be voted on in the HofC soon though.
The other nations have declared their support. We are kinda waffling, even though the polls show that the population is severely against war, and our PM even said himself that w/o a UN resolution we aren't going to war.
Ironically, the premier of Alberta (one of the largest sources of oil in the world) seems to support the war... not sure why though... :-P
Articles with general thoughts on Can/US Relations and Iraq in particular:
PM approves vote on Iraq
Friend today, foe tomorrow
Where my good ol' King?
I loved SQ, and PQ and LLL, but my first adventure gaming experience was with KQ. This GOA site for some reason forgot to include the king and his crew.
Oh well... It's still uber cool. (Man, I miss those old games. If anyone knows a port of them or how to port them or if it's possible to port them to Linux, let me know. I'd really love to play them all again. Heck, I'd pay for it.)
I put in $50CAN to the first person to get it functioning completely in DHTML.
A lot of people don't want a family. They will die a miserable death, alone.
People who do what they want to do, which happens to not be the same as what you want, will be miserable doing what they want
I will say that if you get old, and your family passes away and your friends pass away before you pass away. You will die a lonely miserable death. Yet, I know that now that my sisters have children, and I have a close relationship with them, that I am not going to pass away a lonely man, whether or not I have children of my own.
The bigger point is that when you grow old, the people around you that you love and care will start to die. If you have children, you have more of a chance that some will survive beyond you, as well you have the knowledge that some part of you will continue to survive. I know many old people (85+). Some are very happy, and some are miserable. A good number of them are happy, but the ones that are miserable though, are a mix. They are ones whose families have abandoned them for some reason or another, or ones that have no one left, and are just "existing".
Our roles have been ingrained into us after so much evolution. We multiply.
I hate to say this, but it's true. The human species is like all other creatures on the Earth. Our primary goal is to multiply. This is just plain evolution. It may be bleak to some, and glorious to others, but that's the way it is, and there isn't much you can do about it (Well, other than killing yourself.)
Gender IS relevant. It's naive to think otherwise.
And these pre-determined gender roles are definitely not how you determine what will make any individual happy.
I agree with both of these statements... Gender is relevant, Gender Roles are not. We define for ourselves our role in society... based on the experiences we have.
Biology, evolution, the innate desire to multiply, these things make us efficient creatures. They do not make us happy human beings. Sadly, we're too intelligent and advanced a species for that.
Actually, I think it's the other way around. Our intelligence alone does not make us unhappy. It's our ability to make the decision whether or not our lives are happy that affects it. If it was pure biology, then the previous person is telling the absolute truth. happiness = reproduction. Since it isn't though, at least hopefully it isn't, our ability to decide comes into play.
Happiness from reproduction.. well, sex is still there, but there are many "higher" levels of happiness we can achieve. Unfortunately, the ways to reach these differ for each person. So, really, no one can comment to anyone else on how to be happy, unless they luck out and that person is the same as them.
I remember someone told me once that they don't think hell is fire and brimstone, but rather a place where you are not happy, and yet you will work your hardest to stay there.
Sounds similar to the lives a lot of people live. They are unhappy, but darn it, they will not leave their jobs or try to change things.
The speed of the teleportation is meaningless. The fact of the matter is that the photon isn't teleported until the classically sent information (read, v < c) is received and then the photon is "teleported."
Thus, the speed of the teleportation could be instant, just you would never be able to gauge it because you have no clue what you are looking at. In essence, you didn't receive anything. Yet, when you get the classical information and the "teleported" photon, then you have enough to have in essence teleported.
Yet, that classical information still needs to be received at speeds less than c.
Also of interest, the classical measurement required destroys the photon.
What if they just send you the wrong MD5? They have full power to do that. They don't upload their files to any specific computer.
So they reprogram their client to give out faulty MD5s. That wouldn't be too hard to do. Or program their client to give the "right" MP3 information when that's requested, but the "wrong" MP3 when it's downloaded.
Whoops, your download is now totally messed up, and you lose.
... and the bride and groom are blinded instantly by the hundreds of kids who shine it at their face.
If (1) > (2), then your design's not done. If you can find no way to reverse that inequality, then the answer is: Don't do it. Of course, there's a huge amount of guesswork in the terms of that inequality but, again, you have to do the best you can. Oh, and (1) and (2) are vectors, not scalars; you have one term for each type of hypothetical attacker.
Exactly! That's the key thing I always keep in mind with my security, and I have found when I do security evaluation of products, it's something most people don't consider. (You do not know how many products I have found with keys in the code, or 1 or 2 byte entropy on the keys.) I do acknowledge though that smart cards are making the software more secure. As well, as a few other interesting techniques. Overall though, I find most people who program security software are not as aware of this point, and assume that their enemy isn't as prepared as they think, just from lack of experience.
How about you?
Actually, I am a pure mathematics student at the University of Waterloo (with an in-depth CS background) who has worked as a co-op student recommending security to portions of the Canadian Space Agency, as well been involved in cryptographic research, internet design and security evaluation with other jobs.
Well to fill you in... I will introduce you to metric.
.25 centimeters right. So, since the centimeter is divided into 10 ticks, then it would be right between 2 and 3 ticks. Since the ticks are so small, the error estimate is equivalent to the error estimate on an ordinary imperial rule.
.25cm = 2500 micrometers. So, yep you are correct.
.25 cm that you are looking for.
What is 1/4 of a centimeter?
Well, let's see, that would be
Oh, you say it's 2500 micrometers?
Well, let's test this one out.
1 cm = 10 mm
1 mm = 1000 micrometers.
So, in our head we have..
And isn't a micrometer some sort of measuring instrument?
Yep, you use it for very exact measurements. Here's a site on it if you want. It allows for far more precise measurements of that
How fast can you multiply by 2?
faster then most people can multiply. But most people multiply faster by ten.. Ready let's test it. I'll do 10 and you do the by 2.
8463764534743657834658734534*2 = ???????
8463764534743657834658734534*10 = 84637645347436578346587345340
What about division by 2?
Let's try again..
2875483278578347684367834674/2 = ?????
2875483278578347684367834674/10 = 287548327857834768436783467.4
I think I beat you on both counts.
You simply say "32."
Actually no.. we can be more accurate too. ready...
It's "32.43" WHOA! that's amazing.
we ready for this one..
Then there's the fact that you can measure things in imperial measurements without need of a ruler.
Centimeter is the width of your pinky.
A meter is approximately one stride. (more accurate than the yard in most cases.) A kilometer is 1000 meters. Walk for 1000 strides and you'll have a kilometer + or - a natural error.
Wow, now is Metric really that hard? Or have the scientists confused you again?
Just as a clarification.
large-scale implies for me so many users that if a bug is found, it would be near impossible to "patch" all of the machines.
As well, large-scale also implies that key-distribution must be reliant on PK, since all other methods are too difficult to do or easy to intercept (ie. the opponent may have a copy of your code and can just "look up" the key).
Excellent point on this
"And there's never any point in keeping your algorithms or protocols secret. Publish them far and wide."
This I agree with fully, and is what I mean by obscurity not being that useful. Some companies use obscurity to cover for bad algorithms or bad implementations. This is what I agree is very bad.
I'm not sure what you could do in a situation where patching and obscurity are both impossible.
To be honest, there's not much you can do at all in this situation. (I have been in one.) It's very difficult to set up a key on two computers with a high enough entropy that both sides know, and isn't distributed in an easily interceptable way. Examples of doing this include asking the user for a long password that is used to randomly generate a key, but the password's entropy just isn't really that high for most users. (Unless you put incredible controls on it.) As well, if the system is ever compromised, you have to redistribute a key, and well.. it's just not fun at all.
PK provides a way around this, but even then, the requirement of TTPs and other methods to handle MITM attacks makes the whole ordeal very very painful.
Patching is possible, but as soon as you allow for patching, you allow for other types of attacks that are again not very good to have around (incl. variations on MITM attacks).
The most important fact about security I have realized with my experience is that if the enemy wants your information enough, they'll get it, and there isn't much you can do to prevent it. So, you have to make a "risk assessment" or as I put it a "judgement call" on whether or not the risk of losing that data is too high. If so, then alternatives need to be thought up.
I am interested to hear where you've got all of your experience in cryptography and security, as you obviously are very experienced in the field.
Ah, okay. I see where our confusion lies.
I am emphasizing with cryptography on the internet (which uses mainly PK systems), as well I am emphasizing products which are distributed on a large scale basis.
Very true about the threat models, etc. Personally though, I believe that the algorithms or protocols are vital for a system to be secure, as well as policies relating to the software on the system. Obscurity is good if the system isn't distributed large scale.
So, with my viewpoint of a large scale distribution of a software product that requires security over a medium such as the internet, my initial statement that security through obscurity is useless is accurate.
But, with your viewpoint of more smaller scale distributions, it does make sense to use these other techniques to improve the security of the system.
You are accurate in that I think as an academic, but I have worked in the security field as well, and I am well aware of the "less interesting stuff" that is definitely needed to maintain a high enough level of security. I am just of the group of thought that tries to make the system secure, even if the worst case scenario happens. (Which includes the "opposition" acquiring the software and thus destroying the obscurity of the product.)
Obscurity is good in the sense that you shouldn't go out and advertise exactly what you do, but you shouldn't just assume the opponent doesn't know. That's my feelings on the situation.
MITM attacks are easy to mount under many, many scenarios. If your data isn't worth the effort of a MITM attack, it's probably not worth the effort of reading. If your system isn't secure against MITM, it's not secure. Period.
Again, very true. I am just commenting on how common and easy MITM attacks are and how often people don't consider them as part of the "equation" so to speak.
A secure system has to be secure against MITM, using TTPs or any other methods. But, I just say that in the absolutely worst case scenario, if you might lose the data due to a MITM attack (even with TTPs, or other types, look at the IE bug that allowed a MITM attack on SSL), and it is important that the data isn't lost, you should completely reconsider the system you are setting up, and see if there is a better way to do it.
Very true, but my point was more on the fact that using security through obscurity is not the most effective way for security, and that rather you need to use proper algorithms. If you decide to obscure this after the point, that's your own business, but a determined opponent will _always_ be able to break through your obscurity.
On the MITM point...
Ah... yes... I hate these bugger MITM attacks, they are so hard to protect against. So, this is where common sense comes into play. You still have to assume that the key can be easily discovered, and then judge from there whether or not the data you are protecting is worth setting up a MITM attack on (for your enemies.) If it is, then you should reconsider the security as a whole.
Won't even be at this show. They are too busy elsewhere.
Personally, the idea of a hacking competition is interesting, but it would have to be done over a long period of time, and set up more like a war game than a boxing match.
Skr1p7 k1dd13s treat hacking as a boxing match. Real hackers are far more efficient and skilled at it.
An idea for a real hacking competition (Almost like capture the flag): Two sides to the fight, different locations for both. One side will have multiple targets, the other side will have multiple attackers.
The goal of the attackers will be to get specific files from the targets, using any technique desired. (Including Social Engineering) The goal of the defenders will be to catch/name/etc the attackers, and thus completely neutralize them.
Do this over a course of a month or a year, and make a TV show with the highlights of battle. Now that would be excellent viewing.
** NOTE: the term hacker above can also be translated as cracker for those who are offended by this use of the term hacker, thank you **
The RSA problem is reducible to the factoring problem.
The discrete logarithm problem is related to the Diffie-Hellman key exchange.
Almost all of these problems though reduce to a simple NP problem, in which case, if one is possible to do efficiently, they'll all be likely solved.