This is something which arises so frequently that it's become a major annoyance to the Court. The Court will deny cert ("deny cert" == "refuse to hear arguments") on a case, and presto, the popular press and most of America thinks that means anything.
It means nothing.
Denying cert only means the Court won't hear arguments. It doesn't mean the Court thinks the legal reasoning is correct; it doesn't mean the Court is approving the lower court's decision; it doesn't mean anything.
Many cases are denied cert because their legal issues are not as clear as the Court would like ("bad cases make for bad law", as the axiom goes), or the Court wants to give it a few years to let legal scholarship tackle the issues, or the Court thinks this is an issue which Congress will soon issue "direction" (read: legislation) on, or... any of dozens of reasons.
It is tremendously unwise to think that the Court's denial of cert means anything, no matter what the Court says in their response.
Don't get happy; the Court hasn't done anything for us.
Uff da. You really have a thing with evil, don't you?
The simple fact is that the legal system is not evil. It can't be evil. Evil, if you believe in it (note that it's fairly unique to the Judeo-Christian-Islamic mindset), is a trait of living, conscious beings. The legal system is not alive; therefore, it cannot be evil.
Josef Stalin and Mao Zedong were evil, but their governments were not--they simply were.
Therefore, I've got to discount your entire argument about the legal system being evil. While I will readily agree that there are people in positions of power who become corrupted by their power, that does not translate to the system being evil.
There are a lot of very good people who work in the legal system, in case this has escaped your notice. And unlike evil people, the good people tend to work together. By completely discounting the selfless and devoted service given to us by legions of underpaid, underrecognized public servants, you do the entire field of public service a dishonor.
The "royal treatment that is given to judges" is a historical accident. Remember that our courts are direct descendants of English Courts, and that some of our oldest law is English Common Law. (I know one judge whose hobby is finding the oldest precedent possible for a case--his record is finding an English Common Law decision from 1672 which applied to a case. Common Law is older than our country is; and our court system, as an inheritor of the Common Law, dates back to medieval times.) In the English system of court, the judge is a representative of the monarchy and is thus referred to with an honorific to show respect to the Crown.
In American courts, the judge is a representative of the people, and is thus referred to with an honorific to show respect to the people. It's that simple. Outside of the courtroom, I refer to judges as "Mr." or "Ms.", the same as I do anyone else. The vast majority of them seem to be quite content with the simple honorific of "Mr.", and by and large they return the favor in kind.
Most contempt citations come when somebody shows a judge that the judge is wrong about something.
Show me your reference for this fact, please. Most contempt citations I've heard of come as the result of a litigant trying to usurp judicial power from the judge. The proper way to show a judge that he's wrong is to approach the bench, quietly point out the judge's error and a reference to where the judge can find correct information, and then proceed from there. This happens a lot in courts.
Judges make mistakes. They make a lot of mistakes. Most of them understand this, and are amenable to courteous reproach. What they are not amenable to is a litigant saying "Judge, you're wrong, as this reference points out" in open court. That undermines the judge's authority, and that is something which is not allowed to occur.
While your message is worded quite reasonably and eloquently, I don't think you understand the judicial system very well. It is composed of human beings, and as such, it has human failings. It strives eternally towards perfection, as most well-adjusted human beings do, and occasionally has enormous blunders and errors of judgment, as all human beings do. But it is neither good nor evil, because it is neither conscious nor alive.
It is my resolute belief that people are essentially good at heart. You apparently believe otherwise. Due to this difference, we are never going to agree, not in the slightest, on the judicial system. If you believe that people are essentially good, then the democratic systems which essentially good people bring up will also be essentially serving the good (with the occasional spectacular blunder, due to human nature).
If you believe that people are evil, then the democratic systems which evil people bring up will also be essentially serving evil (with the occasional spectacular moment of good, which you will discount as "well, they just haven't gotten around to corrupting that yet").
I have no need of your fatalist and pessimist philosophy. I feel it's wholly invalid, and possesses absolutely nothing of worth to me.
It's a big field, if you didn't notice. Expecting me to keep track of the commercial dealings of the NSA and Cray Computers is like expecting a PhD physicist whose specialty is in physical chemistry to keep track of all the latest goings-on in the world of superstring theory. Sure, the physical chemist can probably understand the majority of the theory, but only if he's given pointers on where to look for information.
Cryptography is a science. Science is inherently skeptical; it's the process of saying "I'm from Missouri; show me." I've been saying "show me" until I'm blue in the face, and all you can say is "I'm right". Sorry. Science doesn't work that way. Nor does cryptography.
You can't give me a single verifiable reference to back up your claims. You can't present me with any evidence that your supposed 2**78 attack against 3DES works. You can't present me with any evidence that there exist any prime number generators in commercial use which will pass on even numbers. You can't present me with a cryptanalysis of MD5, much less reverse it. You won't even accept a challenge to prove your claims, even when there's $1000 in it for "just a few seconds" of work on your part.
The court could have simply decided not to hear the case at all, in effect upholding the first level court's decision.
Yes, they could have. But why would they? Judges love to write opinions; they love to take laws and slice them apart, dissect them under a legal microscope and reassemble them. US v Microsoft is the biggest trial of this century (1901-2000), and it pits 21st Century business models against 19th Century laws.
To a legal scholar, this is like crack cocaine. There's no way they can put down this case. Every judge I know says that they're glad they're not Judge Jackson, due to all the scrutiny he's under... but every single one of them wishes he was Judge Jackson, just so that he could get to write the opinion in US v Microsoft.
Remember: this case is legal crack. Every judge simultaneously fears and lusts for this case.:)
The Supreme Court is psychologically incapable of giving this case a pass. It's not going to happen. It's going to go to the Court and they're going to write opinions left and right, putting flourish on them worthy of Papal encyclicals. This is another Roe v Wade, another Brown v Topeka School Board... it's big, very big.
So it's a given that SCOTUS is going to hear this case. The only question is when, and after how much legal scholarship? The decision to hand it back to Appellate court is entirely defensible. To continue with the drug analogy, right now they've got a dime bag of crack in the form of Judge Jackson's Findings of Fact, Findings of Law, and his breakup order. Once the Appellate Court is done with it, they're going to have a semi-truck filled with crack. SCOTUS is going to spend six months on a legal high smoking that stuff.:)
The only way a person ever gets an automatic appeal in a legal case is if they are convicted of a capital crime.
Yes. It's done this way for a reason; a lot of times, people don't want to go through the expense and trouble of an appeal. You only get an appeal if you want one. The exception is in capital crimes, which has a mandatory appeal just because the government wishes to make absolutely certain that innocent people are not wrongly convicted in capital cases.
This is another example of how the law is designed to look fair upon cursory examination...
The law is exquisitely fair. The same laws apply to both sides equally. That's the textbook definition of fair. Now, there are a lot of concerns about the competency of public defenders, et al., and there's a lot of merit to those concerns--but the law is brutally fair. That's why so many people hate it.
Fair, in a legal context, doesn't mean everybody's happy. Fair means everybody gets screwed over equally. That's why smart people avoid trials whenever possible. While I like fairness, I'd rather avoid getting screwed over.
Think for a second about the symbol of justice that they give to us.
Who's they? Answer: they is us. We're the ones who gave that symbol of justice to the courts; they didn't give it to us.
If I were going to swing the sword of justice based upon the results of a weighing, would I wear a blindfold?
Wrong symbolism. The woman represents the judicial system. The blindfold represents judicial fairness (or, screwing over everyone equally); it's a metaphor for the courts not paying any respect to social class, position, political power or, for that matter, anything else save the law. The scales represent fair judgment; courts "weigh the evidence" to come to a decision, without once looking at who's well-dressed and who's homeless. The sword represents the screwing-over; while the court is fair (and screws everyone over equally), if you're deemed to be a naughty person who just murdered sixteen people because you were frustrated about finding walnuts in your brownie, buster, that sword is for you, and you are not going to like it.
That symbol is a little joke that the evil people couldn't resist.
Friend, I hate to tell you this, but the evil people are us.
We're the ones who gave the courts that symbol. If you think justice has been hoodwinked, then by God, man, act on it.
Write a letter to your Congressional representatives. Tell them to change the laws regulating the courts so that they make more sense. If they won't respond to you, run for office yourself.
Write a letter to your local judges, expressing your frustrations and asking them to exercise better judgment and discretion in the future. They won't write back to you--they're forbidden from doing so by ethics laws--but according to the Constitution, they must read your letter! (The right to petition the government for the redress of grievances is useless if the government is permitted to throw away petitions unread. Hence, the government is required to read your complaints.)
You have a lot of recourse here, as do I, as does everyone. Stop griping and start using your recourse. The government does not care about someone who sits on their couch, watches a little CNN and bellyaches about problems. Really, they don't care a damn.
The instant your feet hit the ground and your ass leaves the couch, Uncle Sam will tremble in fear and throw himself at your feet, begging for mercy. The government knows how powerful the people are when they're motivated to do something.
In 1998, I was hired by MCI (later MCI-WorldCom) as a mainframe QA engineer. This caused no end of consternation for my father; while he was happy that I'd found employment after college, it caused him a fair amount of legal trouble.
My father is Judge David R. Hansen, sitting on the United States Eighth Circuit Court of Appeals, and at the time MCI (and other long distance carriers) were challenging the Telecommunications Reform Act.
For a couple of weeks he was considering recusing himself from the trial just to avoid even the appearance of impropriety. While my financial future wasn't tied to the trial, nor my continued employment, there could have been the perception that there was, and as such, Dad would have been obligated to recuse himself. I volunteered to pass on MCI's employment offer and accept a (slightly inferior) position elsewhere, but Dad wouldn't hear of it.
He didn't want to recuse himself, because he felt it to be a fascinating trial and he wanted the opportunity to write the opinion on it. Nor did he want me to pass on a good job after college. Nor did he want even the appearance of impropriety to touch the Judiciary.
Dad decided that full disclosure was the best option. He fully informed all parties that I had accepted employment with MCI and volunteered to recuse himself if any parties involved objected to his presence.
In the end, none of them did, and Dad wound up writing an opinion which he was quite proud of--and then the Supreme Court overturned the Eighth Circuit, and there was much gnashing of teeth and wearing of sackcloth and ashes in Mom and Dad's house.:)
So, as you can see, these sorts of events have happened before. The procedures for dealing with them are well-known. While I'm not accusing Rehnquist of being biased (I feel he's far too professional for that), I do have to wonder exactly why he didn't make full disclosure to all parties long before.
If Moore's law applied for performance, your desktop box would be about as useful as a calculator.
I'm not sure what you're meaning to infer there; my desktop box is a calculator. Just a really fast one with a large display. Moore's Law does apply to performance, and has applied for about the last 40 years.
It was designed in 1997... just cracking does not require such features as CBC modes...
Of course it doesn't. CBC mode is ECB that's been XORed with the previous ciphertext block. Breaking CBC mode is computationally equivalent to breaking ECB mode, especially since if you have N blocks of text, you've got N-1 cribs. Or N cribs, if the CBC mode is brain-damaged and has a known IV.
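The CBC-from-ECB relationship above, as an added example that is not from the original post: a toy keyed permutation stands in for the block cipher (an assumption; it is a four-round Feistel network keyed through SHA-256, chosen only because it is invertible and needs no third-party library, and it is not a vetted cipher), CBC is built on it exactly as the post describes, and `known_plaintext_pairs` collects the (P_i xor C_{i-1}, C_i) pairs that a known plaintext hands an analyst: N-1 of them when the IV is unknown, N when it is. The sample key, IV and plaintext blocks are constructed for the demonstration.

```python
import hashlib
from typing import List, Optional, Tuple

BLOCK = 16  # block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: a keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def ecb_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (ASSUMPTION: toy Feistel network, NOT a real cipher).

    Any invertible keyed permutation on 16-byte blocks would do here; the point
    of the example is the mode, not the primitive.
    """
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def ecb_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of ecb_encrypt_block: run the Feistel rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: List[bytes]) -> List[bytes]:
    """CBC is just ECB applied to (P_i xor C_{i-1}), with C_0 = IV."""
    prev, out = iv, []
    for p in plaintext:
        c = ecb_encrypt_block(key, xor(p, prev))
        out.append(c)
        prev = c
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: List[bytes]) -> List[bytes]:
    """CBC decryption: P_i = ECB_decrypt(C_i) xor C_{i-1}."""
    prev, out = iv, []
    for c in ciphertext:
        out.append(xor(ecb_decrypt_block(key, c), prev))
        prev = c
    return out


def known_plaintext_pairs(plaintext: List[bytes], ciphertext: List[bytes],
                          iv: Optional[bytes] = None) -> List[Tuple[bytes, bytes]]:
    """The (ECB input, ECB output) pairs a CBC known plaintext yields.

    Block i gives the pair (P_i xor C_{i-1}, C_i) whenever C_{i-1} is known.
    C_{i-1} is part of the ciphertext for i >= 2, so N blocks give N-1 pairs;
    if the IV (C_0) is known as well, block 1 contributes too and there are N.
    Each pair is a known-plaintext pair for the underlying block cipher, which
    is why the mode adds no strength against a key search on the primitive.
    """
    pairs, prev = [], iv
    for p, c in zip(plaintext, ciphertext):
        if prev is not None:
            pairs.append((xor(p, prev), c))
        prev = c
    return pairs


# Constructed sample data (not a real key or message).
SAMPLE_KEY = b"constructed-key!"
SAMPLE_IV = bytes(range(BLOCK))
SAMPLE_PT = [b"first plaintext.", b"second plaintext", b"third plaintext."]


def demo() -> Tuple[int, int, bool]:
    """Returns (pairs without IV, pairs with IV, every pair verifies under ECB)."""
    ct = cbc_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_PT)
    assert cbc_decrypt(SAMPLE_KEY, SAMPLE_IV, ct) == SAMPLE_PT
    without_iv = known_plaintext_pairs(SAMPLE_PT, ct)
    with_iv = known_plaintext_pairs(SAMPLE_PT, ct, SAMPLE_IV)
    verified = all(ecb_encrypt_block(SAMPLE_KEY, i) == o for i, o in with_iv)
    return len(without_iv), len(with_iv), verified


if __name__ == "__main__":
    print(demo())  # (2, 3, True)
```

Swapping the toy permutation for a real block cipher changes nothing in `cbc_encrypt`, `cbc_decrypt` or `known_plaintext_pairs`; the counts of usable pairs depend only on whether the IV is known.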
As far as the large primes go... they were building two computers for the NSA when they folded.... They were paid for and the order was canceled after the machines were mostly complete. To me that says the NSA didn't need to do any more big prime number research since it would have not cost them any more money to have the machines completed.
Reference, please? Even assuming this is true and not urban myth, it still demonstrates nothing. They could just as easily have discovered a proof that P != NP, thus making the entire attempt to break large composite two-factor numbers moot. There's not enough information there to draw any sort of inference from. It is just as dangerous to overestimate your enemy's capabilities as it is to underestimate them.
I also know that some even numbers will pass many of the "prime" test used by many popular key generation programs.
Bullshit. The first step in selecting a probable prime is to see if it's divisible by 2. This is really, really simple; you just check one of the low-order bits in the number and if it's set, it's not prime.
If you've found a program which does prime generation and skips this step, please tell me, so that I can spread the word and trumpet from the mountaintop, "don't you dare even think of using this piece of crap".
But I don't think you've found one, otherwise you'd have mentioned it by name.
In other words, you had a set of cribs so extensive that you could've brute-forced it with pencil and paper. And you expect me to take that as evidence that MD5 is insecure?
No samples will be provided. As I said--no cribs. (Actually, I lied. I intentionally put lots of cribs in that challenge, if you're smart enough to pick up on them.)
Time to fish or cut bait, thogard. It's all up to you.
Show me the academic papers which show you can reduce 3DES to complexity 2**78. The same attack could be used to reduce DES to complexity 2**39, which would be the world's first strong cryptanalytic attack against DES.
Show me just one instance where someone used this attack against DES to break it by brute force in an average of 2**38 operations.
Your argument about computing hardware is (a) wrong and (b) irrelevant. Moore's Law says that we can expect it to roughly double every eighteen months; if it increased eightfold in a year, this is highly unusual and is likely not a trend. Please point out the academic reports which talk about chips capable of doing a billion keys a second by themselves, or that the field of brute-force crackers is increasing by eightfold a year. That's why it's wrong; it's irrelevant because no matter what, thermodynamic limitations still apply.
Please present me with a real analysis which backs up your claims, not some vague statement of potential attacks and a made-up number about hardware crackers.
Too bad the crypto only works with one-to-one keys if the numbers are prime; probably prime isn't close enough.
The odds of a good probable-prime being composite is less than the odds of you being struck by a meteor at the instant you read this post. If you're concerned about your probable-primes being composite, I would respectfully suggest that you should consider the threats to your life that meteor strikes, attack by killer bees, random violent stranglings with rabid wombats, etc., pose. To lament the likelihood of a composite probable-prime while not living in stark fear of death by slipping in the tub and breaking your neck is extremely irrational. The one is far more likely than the other, and has much more dire consequences.
I have already issued a challenge to you on one of your more outrageous claims. I hope you take me up on it.
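The evenness check and the probable-prime error bound discussed in the two replies above, as an added example that is not part of the original posts: a Miller-Rabin probable-prime test that rejects even candidates by looking at the low-order bit before anything else, a generator that forces the low bit on so an even candidate is never produced, and the worst-case bound of 4^-rounds on the chance that a composite survives. Function names and the round count are my own choices, not anything the post specifies.

```python
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test with the cheap filters up front.

    The very first real check is the low-order bit: if it is clear, n is even
    and (for n > 2) cannot be prime. A generator that skipped this step would
    pass even numbers; no sane implementation does.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n & 1 == 0:            # low-order bit clear -> even -> not prime
        return False
    for p in SMALL_PRIMES:    # trial division weeds out most candidates cheaply
        if n == p:
            return True
        if n % p == 0:
            return False
    # Write n - 1 = d * 2^s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True                               # probable prime


def composite_error_bound(rounds: int) -> float:
    """Worst-case probability that a composite passes `rounds` Miller-Rabin
    rounds: each round catches any composite with probability >= 3/4, so the
    bound is 4^-rounds (about 8e-25 for 40 rounds)."""
    return 4.0 ** -rounds


def generate_probable_prime(bits: int, rounds: int = 40) -> int:
    """Random probable prime of exactly `bits` bits.

    The top bit is forced on so the result has the requested size, and the low
    bit is forced on so an even candidate can never be produced in the first
    place; is_probable_prime would reject it anyway.
    """
    assert bits >= 8
    while True:
        candidate = secrets.randbits(bits)
        candidate |= (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rounds):
            return candidate


if __name__ == "__main__":
    print(is_probable_prime(2 ** 64))        # False, rejected on the low bit
    print(is_probable_prime(2 ** 61 - 1))    # True, a Mersenne prime
    print(composite_error_bound(40))         # ~8.3e-25
    print(generate_probable_prime(256).bit_length())  # 256
```

The 4^-rounds figure is the worst case over all composites; for random candidates of the sizes used in key generation the real failure rate is far smaller still, which is the sense in which a composite probable prime is less likely than the meteor.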
I am very, very tired of hearing people say that they can break this-and-that, or that such-and-such is trivial, or what-have-you. Most of the time, these people are total incompetents who like to make themselves sound much more clued in than they really are.
The last time someone made claims like thogard did, I made a public challenge which was not accepted. Maybe this time will be different. So, without further ado:
THE 6-HOUR MD5 CHALLENGE
1. Rules.
The only rule is you can't bribe the judges. If you want to lurk around my workplace, bushwhack me when I come out and beat the answer out of me, feel free. Don't do the crime if you can't do the time, though. You can cryptanalyze this, you can attempt to coerce it out of me, you can send an attractive woman my way (free hint: I'm partial to tall redheads) to coax it out of me, you can try and eavesdrop on my phone lines and overhear me give it away, I don't care.
But you can't go after the judges, because then we don't have a fair contest. Fair?
2. The Challenge
If this challenge is accepted, I will submit to CmdrTaco (or another Slashdot employee, as he assigns) a credit card number. Specifically, my credit card number (with a few digits changed for my own self-preservation). I will also submit the MD5 hash of this (slightly modified) credit card number.
No cribs will be given. It will not be announced whether it's the credit card number by itself, whether my name is part of the data, whether the expiration date is included, etc. CmdrTaco will verify that I'm not cheating.
Once everything is set up, the MD5 hash will be put up on Slashdot. From the time it's put up, you'll have SIX HOURS to reverse the MD5 hash and get my credit card number.
3. The Reward
The reward is $1,000 cash. (Well, it'd actually be a cashier's check, but same difference.) If you can do it--especially if it's as easy as "a bit of code, a few computers, and I was generating the card numbers within seconds"--then this will be the easiest grand you've ever made in your life.
All monies will be deposited in advance with CmdrTaco (or others as he assigns). If I don't cough up the dinero up front, the contest doesn't go forward.
4. Frequently Asked Questions
Why only six hours?
Credit card numbers really aren't all that entropic; they're very predictable. The card I'm looking at right now has 16 digits, plus my name and two dates (valid-throughs). Brute-forcing 10**16 would take some time, even for an immensely large network, and that doesn't include the permutations of my name, the expiration dates, etc.
Breaking DES by brute force requires an average of about 3 * 10**16 operations. Thus, breaking my credit card is a little harder than breaking DES. It's possible some Slashdotters with access to extremely large networks would be able to brute-force this, but I don't find it likely.
If it's really as easy to break MD5 as thogard is claiming, six hours will be plenty of time.
Why are you changing the digits of your credit card? If you have such faith in MD5, shouldn't you leave it unaltered?
As I said, some Slashdotters may have access to extremely large networks which could brute-force it in a few days' time. I'm changing it just to cover my tail in case someone decides to spend weeks of processor time brute-forcing every possibility.
Isn't MD5 in disfavor nowadays? Wouldn't SHA-1 be better?
Yes, MD5 has a couple of potential attacks against it. I still have faith that it's very strong in practice, though.
If I get any more irate (see my other posts in response to this story) I'm going to get the Theo deRaadt Award...
It's fairly simple to write an encryption scheme using the available algorithms...
Yes. It's even simpler to screw it up. Any fool can make a system which they can't break. Making a system which nobody can break requires absolute genius.
If every government wants perfect security, they should have their own classified programs with classified keys.
No. Wrong. Go back to class and study some more. The Germans thought that Enigma was secure since the Allies didn't know how it worked, but Turing and friends did amazing work breaking the Enigma even before they had one of their own. The Japanese PURPLE cipher (?) was broken without ever knowing how it worked; they recreated it entirely from first principles.
Without exception, every cipher I know of which kept its internals a trade secret has been a failure. The most recent spectacular failure is the NSA's SKIPJACK, which for years had its internals protected as a national secret. It didn't do anything to preserve the integrity of its messages; Eli Biham invented an entirely new branch of cryptanalysis (impossible-differential) and used it to cryptanalyze all but one round of SKIPJACK.
The only systems which are worth trusting are those which have survived years and years of brutal peer review. I trust PGP and GPG; I trust Blowfish, IDEA and 3DES; I trust this, that and the other. I trust the PKCS-11 CRYPTOKI standard, I trust SSL when used properly. All of these have been peer reviewed extensively and exhaustively, and so far they're still standing.
I don't trust anything which hasn't been extensively peer-reviewed. History shows that systems which have not survived brutal peer review do not survive in the real world.
Some of my Marine friends are fond of saying, "Training ought to be so hard combat is a vacation." There's a lot of merit to that. In cryptography, peer review means that everyone is trying to break a system. Of all those people, odds are there are people with more skill and better resources than the people who are trying to break your system for-real. If a system survives peer review, it'll probably survive your enemies.
If it's not submitted for peer review, you take your chances.
... projected when 3des should be able to be broken in real time. It's about 10 years away.
Wrong. Amazingly, staggeringly wrong. The minimum amount of energy required to flip a bit is kT, which is 1.3 * 10**-23 joules per Kelvin. Multiply that by the ambient temperature of the universe, 3.2 K, and you get a minimum of 4.16 * 10**-23 joules per bitflip. This is a thermodynamic limitation of computers, and cannot be surpassed without shifting computation away from Turing machines.
Now, 3DES has an effective 112-bit keyspace. 2**112 is about 5.2 * 10**33. Multiply (5.2 * 10**33) by (4.16 * 10**-23) and you get 2.16 * 10**11 joules of energy required to break 112 bits by brute force.
2.16 * 10**11 is a huge amount of energy, on the order of 200 terajoules. But that assumes you have to exhaust the entire keyspace--considering you only have to search 50% of it, on average, you only have to apply 100 terajoules of energy.
Remember: there is no way around this that we know of. This is a thermodynamic limitation; as soon as you figure out how to get past this, I suggest waiting by the phone because the Nobel folks are going to be calling long-distance from Oslo soon.
I've got no choice but to completely and wholly discount your entire message. This analysis took me all of five minutes to conduct. It's not hard.
Insofar as the likelihood of pseudoprimes not actually being prime--do you have any idea what you're talking about? I hate to sound irate (it's only because I'm very irate), but the entire notion of pseudoprimes is that they are probably prime. The likelihood of a pseudoprime not being prime is less likely than you winning the lottery, getting into a car crash, and being struck by lightning while having a hot date with a supermodel. Really. No, I'm not kidding.
Like Yogi Berra said, "In theory, there's no difference between theory and practice. In practice, there is." No matter how stringent the testing, no matter how exacting the software development (up to and including provably-correct software), software cannot be secured. In theory, following a provably-correct software design (such as is possible in some Ada subsets) allows you to design software which is provably correct... but that's theoretical, not practical.
Sometimes, the buggiest thing in a system is a feature which is working exactly as it's designed to do. Provably-correct software is predicated on there being a correct assessment of what the software needs to do and needs to not do, and so far, nobody's come up with a way to do provably-correct brainstorming.:)
Auditing cannot, repeat, cannot make a piece of software secure. All it does is find errors, not all errors, and maybe even not all the major errors.
2. TRUSTED SYSTEMS ARE JUST THAT.
Trust. It's another way of saying "I have faith in you." Faith is the antithesis of proof. For years my Linux box was a haX0r's dream--I didn't bother to turn off services, my root password was fairly easy to guess, etc. That doesn't sound like a trusted box, does it?
Wrongo. It was very trusted, because it wasn't connected to any network and it was in my bedroom. I trusted it a lot--I had faith that it wasn't going to be compromised.
Whenever you see someone advertising a "trusted system", ask yourself: who trusts it? Why do they trust it? Should I trust it? "Trusted systems" are sometimes a lot of snake-oil; people who don't know beans about security buy "Trusted Solaris" because it says "Trusted", even though their incompetency as a UNIX sysadmin makes the box vulnerable.
(Note: I have a lot of respect for Trusted Solaris, even more than I do for OpenBSD. I'm just making the point that the word "Trusted" doesn't mean much.)
3. THE MOST IMPORTANT ELEMENTS IN SECURITY ARE THE USERS AND THE SYSADMIN, IN THAT ORDER.
Most people will reverse this around, claiming that the sysadmin is more important security-wise. There's merit to that (after all, root == God), but I reverse it. There's only one sysadmin, and an attacker more or less has to take his chances that the sysadmin is incompetent enough to fall for (a crack, a social engineering attack, a DDoS, etc.). But if there are hundreds of users, it's certain that at least one of them is going to be a complete fargin' idiot, which means attacks which involve users are more effective than those which go straight for root.
This is an important point. No matter how secure the box, no matter how trusted it is, the weakest link are the users. When companies get on a security kick, they tend to spend lots of money on software and very little on educating their users. This has always struck me as backwards.
4. USERS DON'T WANT SECURE SYSTEMS.
Have you ever tried to use Trusted Solaris, or OpenBSD in a particularly bondage-and-discipline configuration? Sure, they're locked up tight against intrusion, but this comes at a steep price in usability. People want computers to be easy to use more than they want them to be secure. If you make computers too secure, your own legitimate users will circumvent security. I regularly see passwords on Post-It notes stuck to monitors--not just in Corporate America, but in government offices which routinely handle extremely sensitive data.
5. FOR ALL THIS, SECURITY AUDITS ARE A GOOD IDEA.
Security audits do two things: first, they tend to ensure that software works the way it ought, and second, they tend to ensure that software doesn't work the way it oughtn't. The potential problem that's spotted and corrected due to a security audit may never have resulted in an exploit, but it may well have resulted in a Blue Screen of Death at some point down the line.
Security audits don't just make systems more secure; done properly, they make systems more reliable, which in turn makes them more usable.
In Surely You're Joking, Mr. Feynman! (are there two Ns or just one in his name? I always forget), Richard Feynman talks about the Trinity nuclear test. He was the only person to look at the nuclear bomb directly, and suffered no permanent eye damage.
According to Feynman (or at least, what's written in his book), it's the ultraviolet light which cooks your retinas, and that visible light simply won't do it no matter how intense it is. He took the simple precaution of watching the nuclear blast through a truck windshield, which is UV-opaque. While he had a big purple blotch in his visual field for several minutes afterwards, he did manage to watch a nuclear blast without permanent damage, which I think is pretty damn cool.:)
From my own experience, I can submit anecdotal evidence which supports Feynman's UV-is-the-problem hypothesis. Once, while working in a laser holography lab, I wound up getting an eyeful of HeNe. While I was damn near blind in that eye for ten minutes afterwards, I had no permanent effects.
ObWarning: I am not a competent eyecare professional, and don't try either of these stunts at home. Really. Especially not the nuclear one.:)
John von Neumann gave some formal mathematical proofs, years and years ago, that all programs were data and vice versa. Most people think that War and Peace isn't a program, but it is--go ahead, type ./warandpeace at your terminal, or ./brotherskaramazov if you feel like something a little different.
Of course, these programs are poorly written and will soon cause a core dump--but that doesn't change the fact that they're still programs.
Programs are data are programs. Thus spake John von Neumann, thus ever shall it be.
A lot, emphasis, a lot of people who work in InfoSec work for charity. Many of the people who do this stuff for a living do it out of a deep conviction that InfoSec is essential to a free society, and as such, they're not exactly motivated by money, power and hot chicks.;)
It helps to look for help in the usual places. Churches can often be incredible help; they're not only places of worship, but they're networks of people who are willing to help each other for free. Contact your local churches and ask them if they have any parishioners who are employed in the IT field; you might be very surprised. They probably don't have many, if any--but the one they do know probably has five or six like-minded friends, and so on, and so on.
Other good ideas are LUGs, if there's one in your area. Colleges, too: there are usually lots of community-oriented groups on college campus, and somewhere in them there have to be a couple of CS majors.
So call some priests and college chaplains, hit the local LUG homepage, put up posters in the Student Commons. There's lots of help to be found--good luck!
Simply put, there already existed other alternatives to RSA, provably just-as or more secure than RSA, which were unencumbered by patents. (The most notable would be El Gamal, which went into the public domain in 1997.)
While we'll see legal Free Software versions of SSL in the near future, I really don't think the expiry of the RSA patent is going to make that much of a sea change in the Free Software community. In the commercial community it'll make a big change, but not so much in the Free Software sector.
As I recall, the only thing "unusual" about Bork's viewing habits is that he has a penchant for Golden Age song-and-dance numbers--a lot of Sinatra and Astaire movies.
Saying that Bork has "unusual video watching interests" does nothing but slander a man's name. While intelligent people often disagree with Bork's politics, I would hope that we're all mature enough to shy away from slander.
Re:Digital signatures are not really signatures. (on GPG vs. PGP?, Score: 3)
You're still missing the point. Certificate authorities don't really solve much of anything, if anything at all.
Let's say that I go to Trusted Certificates, Inc., "Where We Make Even Our Mother Show Six Forms of ID". I register my key, and lo and behold, I have "verified identity". Anyone who wants to can check my signature with the CA and discover it's valid.
Guess what? That's still not enough.
Let's say that I want to steal $10,000 from the bank. First, I need a conspirator--I hand over my keys, then go on vacation in Aruba. While I'm in Aruba, sipping mai-tais on the beach, my conspirator is posting innocuous messages, as me, to newsgroups.
I come home and send an email to the bank, asking it to transfer $10,000 from my account to the First Bank of Never-Say-Anything. The bank checks out my keys with the CA, and lo and behold, it checks out. Since they've "verified" that it's really me, they make the transfer. (In reality, they haven't verified anything--only that someone who knows a specific string of bits asked for a transfer.)
At that point, I raise holy hell and scream "What the hell is going on here? I didn't authorize anything!" The bank can't get the money back from the First Bank of Never-Say-Anything, and so they're stuck trying to prove that it really was me who sent the authorization.
At that point I just have to point out the various postings to alt.sex.hamsters, which were signed with my key. "Look! I was in Aruba, sitting on the beach drinking mai-tais! Someone compromised my keys!"
... and at that point, the only way, the only way, for the bank to show that I'm lying is to find my conspirator. And in the meantime, I get to repudiate every single message that bears my signature ever since the compromise date. The $10,000 transfer? I didn't do that. Sending incriminating emails to government officials? Wasn't me. This, that and the other? Unh-uh.
Compare this to a real signature, which--by its very physical nature--possesses forensic value. It isn't just a string of bits; it's evidence, and oftentimes is enough to get convictions in court. Real signatures are also not wholly invalidated simply by the appearance of forgeries, as opposed to digital signatures. If I send a paper letter to my bank authorizing the $10,000 transfer, they'll have a handwriting expert compare the signature to the signature on file. They'll compare everything from the shape of letters to the inks used in the paper. And even then, they won't trust it--they'll have a bank teller who knows me well give me a call and ask me, "Do you really want to do this?" If the bank teller recognizes my voice, then the transfer goes through.
We have extremely robust identification and verification mechanisms in real life which are composed of interlocking parts. We don't have anything like it in electronic life yet. We have things that bear a strong resemblance, but the devil is in the details.
Digital signatures are not real signatures. They're different beasts which serve a different purpose. As long as all parties involved are committed to using digital signatures honestly, digital signatures work.
The instant someone realizes that there's money to be made by false repudiation, things change.
Re:Digital signatures are not really signatures. (on GPG vs. PGP?, Score: 5)
No--a paper signature is meaningful because verification is simultaneous with signing.
Let's say that I want to buy a new car. I go to the car dealership and ask about the rate I'll get from GMAC. The dealer and I quibble, he drafts up a loan agreement, and I sign it as Mordecai McWhirters.
At this point, the car dealer asks me for identification--a lot of identification. If any of these forms of identification fail, then the car dealer is within rights to say "no, you're not really that person; I'm not going to enter into this contract with you". And since my name isn't Mordecai McWhirters and I don't have the technical skills required to forge a passport and driver's license, well... my ID isn't going to check out.
Compare this to a letter that arrives in the emailbox PGP-signed. The return address on the email is billc@whitehouse.gov. You check the key database, and lo and behold, there's a key there for billc@whitehouse.gov. Does that mean you really received an email from Bill Clinton?
No--it means someone signed the email, and you have no idea who. This is why so-called "digital signature laws" scare the bejeezus out of me. Under most of them, if I want to take all the money from your bank account--legally--I just have to register a key in your name, write an email to the bank that's signed with this key authorizing a wire transfer of $10,000 to the First Bank of the Caymans, and then laugh all the way to Aruba. People mistakenly think that digital signatures are a verification of identity: they're not, and that's the biggest difference between digital signatures and real signatures.
Verification of identity is not a part of the current public-key infrastructure. Every single scheme which has been devised to give verification of identity to digital "signatures" is a dismal failure--certificates aren't a good solution, far less the CA+RA model which seems so common nowadays.
Signatures are forgeable, yes... but there's a good reason why people use them to enter legal agreements.
Digital signatures are not really signatures. (on GPG vs. PGP?, Score: 1)
Signing a physical letter is in some ways insecure, in that a signature can always be forged--but by and large, signatures are always unique. My signature doesn't look anything like your signature, and bears only a slight resemblance to my father's signature and none to my brother's. In this way, a physical signature uniquely identifies me.
Digital signatures bear almost no resemblance to physical signatures. Not only can digital signatures be forged (check Applied Cryptography or Menezes' Handbook of Applied Cryptography), but a digital signature is not unique. It doesn't verify that I actually did anything--it only verifies that someone who has access to a very specific string of digits did something.
Now, if you can prove in a court that I am the only person who knows this very specific string of digits, then you might be able to prove to the Court's satisfaction that I signed the document. Still, that's a far cry from the inherent validity which a paper-and-ink signature possesses.
Realistically? No. Encrypting a "The system is going down in 15 minutes!" message, broadcast over a network for each user on a network, makes absolutely no sense--why would you want that message to be protected from eavesdropping?
There are two sorts of communications which go out over the Net: public and private. Private communications (email, Web pages, etc.) ought to be transmitted securely in order to ensure privacy; public communications ought to be transmitted in the clear to ensure they remain public.
RSA is built on the integer factorization problem; El Gamal is built on the discrete logarithm problem. If you can get a general solution for the discrete logarithm problem, then you're also going to get a solution for the integer factorization problem--but knowing how to factor arbitrarily large numbers doesn't help you with discrete logs.
Insofar as keysize goes, 2048 bits is plenty sufficient for every attack we can foresee. If you want to be truly paranoid, go for 3072 bits; even with quantum computation, it's still as hard as RSA-1536.
Personally, I don't think RSA is ever going to be cracked by brute force--so this trend among the cryptoparanoid towards larger and larger keys is somewhat silly. I think it's far more likely that either (a) a general solution to the factorization problem will be discovered which runs in polynomial time, utterly destroying RSA, or (b) an attack against RSA will be discovered which does not depend on factorization.
Remember that the integer factorization problem has never been proven to be difficult, only conjectured to be so--and as time goes on, it gets less and less difficult. More than that, while RSA is built on the integer factorization problem, nobody has ever proved that you need to factor very large numbers in order to break RSA.
My money is on El Gamal--it seems to be built on stronger mathematical foundations.
Do you think [E]thernet would have evolved to 1Gbps if that had been the case?
Hmm. Hardware engineering. Tell you what, let's repackage this in terms of more conventional engineering--civil engineering, to be exact:
"Now imagine a world in which 3com published the schematics for their [bridges] with instructions on how to build your own [bridge]..."
Okay, we already have this world. Whenever an engineer drafts a bridge, that blueprint is put on file somewhere and any engineer who wants to look at how it's made is free to do so. This engineer can then use anything they've learned from studying the design, provided it hasn't been patented, in their own designs.
How many times do bridges collapse? With the occasional glaring exception (Tacoma Narrows), not often at all. This model works extremely well for civil engineers.
"Now imagine the 3Com Public License which states that not only are they giving away the schematic [to their bridges], but you don't owe them anything... Make as many of these [bridges] as you want, give them to your friends and neighbors. No licensing fees, no royalties, etc."
Well, here's the real question: why would I want to? If I can study their bridge as much as I want, both by studying schematics and walking across it a few times, then I'll probably find things I'd do differently. I might not like the curve of this arch, or I might want to use a higher grade of steel, or any of a thousand other small changes. I wouldn't make a slavish copy, but an incremental improvement.
Again, this world is not hard to imagine. It's the world we live in today.
"Do you think [bridges] would have evolved to [the Golden Gate Bridge or other masterpieces of engineering] if that had been the case?"
Well, judging from the fact that we have a Golden Gate Bridge exactly because of this being the case? Yes, I do think the state of the art would have evolved to that point!
"Do you think 3Com would have survived 5 years in the [bridge-building] business?"
Sure. In fact, I think they'd have survived 17 years. They could patent the nonobvious and useful portions of their bridge design and deny other people the ability to duplicate it without permission. That gives them 17 years of profitability, provided their patent is a good and sound one. Hopefully, by the time 17 years are up, 3Com would have found a new and even better way to build bridges--and would have received another patent, and have another 17 years, etc.
Moral of the story: We already have all the intellectual-property protections we need, without needing to make things proprietary.
(Before the anti-IP crowd flames me to death here, let me say that patents need serious revision. 17 years for a nonobvious, useful invention that makes for safer bridges is one thing--17 years on XOR encryption is another!)
More accurately, the compiler doesn't erroneously complain about it. It's perfectly valid, syntactically correct C++.
There's no conceivable reason you would want to construct something like this anyway
On the contrary, it happens quite a bit. If you've got function F which calls function G, and G needs access to the internal state of F, you pass F's state to G as pointers and then cast them back to the appropriate type of variables. This is a little kludgy, but oftentimes makes for more readable code than if you'd inlined G into F.
I didn't mention that I'm a Java hacker, because I didn't see it was particularly relevant. :)
My general attitude on Java is "those who do not understand C++ are condemned to reinvent it, poorly" (sorry, Henry Spencer)--this is a reasoned opinion, one I've come to after some study of the issues involved; I only bring it up now to make sure that you're aware of my bias. ;)
As a Java programmer, I [prefer] the C toolbox to the C++ toolbox. The C toolbox contains all your hammers, screwdrivers, chisels, etc. The C++ toolbox contains this lot and also sticks of dynamite, nooses of rope and [Gatling] guns.
Wholeheartedly agreed. Anyone who tries to sell C++ (specifically, object oriented C++) as being the One True Way is probably smoking too much ganja. At the same time, though, there are occasions when you need pure, unadulterated power, and for those times, C++ exists.
Java seems, to my mind, to almost be a subset of C++, one in which the most dangerous features of C++ have been removed--pointers, generic programming, multiple inheritance, etc. There's something to be said for this approach, in that very few C++ programmers can use multiple inheritance, generics and so on well. But those of us who can use them well get really annoyed that Java denies them to us. ;)
My biggest objection to C++ is that it takes a very long time--on the order of years--to become a good C++ programmer. I think, though, that it's plenty worth the effort.
As usual, most people who say "language foo is better than language bar" don't understand foo, bar, or the problem they're trying to solve in languages foo and bar. The world is filled with interesting problems to be solved. Languages are tools; and there's a lot to be said for personal preference, and comfort level, with one's tools.
The "royal treatment that is given to judges" is a historical accident. Remember that our courts are direct descendants of English Courts, and that some of our oldest law is English Common Law. (I know one judge whose hobby is finding the oldest precedent possible for a case--his record is finding an English Common Law decision from 1672 which applied to a case. Common Law is older than our country is; and our court system, as an inheritor of the Common Law, dates back to medieval times.) In the English system of court, the judge is a representative of the monarchy and is thus referred to with an honorific to show respect to the Crown.
In American courts, the judge is a representative of the people, and is thus referred to with an honorific to show respect to the people. It's that simple. Outside of the courtroom, I refer to judges as "Mr." or "Ms.", the same as I do anyone else. The vast majority of them seem to be quite content with the simple honorific of "Mr.", and by and large they return the favor in kind.
Most contempt citations come when somebody shows a judge that the judge is wrong about something
Show me your reference for this fact, please. Most contempt citations I've heard of come as the result of a litigant trying to usurp judicial power from the judge. The proper way to show a judge that he's wrong is to approach the bench, quietly point out the judge's error and a reference to where the judge can find correct information, and then proceed from there. This happens a lot in courts.
Judges make mistakes. They make a lot of mistakes. Most of them understand this, and are amenable to courteous reproach. What they are not amenable to is a litigant saying "Judge, you're wrong, as this reference points out" in open court. That undermines the judge's authority, and that is something which is not allowed to occur.
While your message is worded quite reasonably and eloquently, I don't think you understand the judicial system very well. It is composed of human beings, and as such, it has human failings. It strives eternally towards perfection, as most well-adjusted human beings do, and occasionally has enormous blunders and errors of judgment, as all human beings do. But it is neither good nor evil, because it is neither conscious nor alive.
It is my resolute belief that people are essentially good at heart. You apparently believe otherwise. Due to this difference, we are never going to agree, not in the slightest, on the judicial system. If you believe that people are essentially good, then the democratic systems which essentially good people bring up will also be essentially serving the good (with the occasional spectacular blunder, due to human nature).
If you believe that people are evil, then the democratic systems which evil people bring up will also be essentially serving evil (with the occasional spectacular moment of good, which you will discount as "well, they just haven't gotten around to corrupting that yet").
I have no need of your fatalist and pessimist philosophy. I feel it's wholly invalid, and possesses absolutely nothing of worth to me.
It's a big field, if you didn't notice. Expecting me to keep track of the commercial dealings of the NSA and Cray Computers is like expecting a PhD physicist whose specialty is in physical chemistry to keep track of all the latest goings-on in the world of superstring theory. Sure, the physical chemist can probably understand the majority of the theory, but only if he's given pointers in where to look for information.
Cryptography is a science. Science is inherently skeptical; it's the process of saying "I'm from Missouri; show me." I've been saying "show me" until I'm blue in the face, and all you can say is "I'm right". Sorry. Science doesn't work that way. Nor does cryptography.
You can't give me a single verifiable reference to back up your claims. You can't present me with any evidence that your supposed 2**78 attack against 3DES works. You can't present me with any evidence that there exist any prime number generators in commercial use which will pass on even numbers. You can't present me with a cryptanalysis of MD5, much less reverse it. You won't even accept a challenge to prove your claims, even when there's $1000 in it for "just a few seconds" of work on your part.
You're a crypto poseur. Get a life.
The court could have simply decided not to hear the case at all, in effect upholding the first level court's decision.
Yes, they could have. But why would they? Judges love to write opinions; they love to take laws and slice them apart, dissect them under a legal microscope and reassemble them. US v Microsoft is the biggest trial of this century (1901-2000), and it pits 21st Century business models against 19th Century laws.
To a legal scholar, this is like crack cocaine. There's no way they can put down this case. Every judge I know says that they're glad they're not Judge Jackson, due to all the scrutiny he's under... but every single one of them wishes he was Judge Jackson, just so that he could get to write the opinion in US v Microsoft.
Remember: this case is legal crack. Every judge simultaneously fears and lusts for this case.
The Supreme Court is psychologically incapable of giving this case a pass. It's not going to happen. It's going to go to the Court and they're going to write opinions left and right, putting flourish on them worthy of Papal encyclicals. This is another Roe v Wade, another Brown v Topeka School Board... it's big, very big.
So it's a given that SCOTUS is going to hear this case. The only question is when, and after how much legal scholarship? The decision to hand it back to Appellate court is entirely defensible. To continue with the drug analogy, right now they've got a dime bag of crack in the form of Judge Jackson's Findings of Fact, Findings of Law, and his breakup order. Once the Appellate Court is done with it, they're going to have a semi-truck filled with crack. SCOTUS is going to spend six months on a legal high smoking that stuff.
The only way a person ever gets an automatic appeal in a legal case is if they are convicted of a capital crime.
Yes. It's done this way for a reason; a lot of times, people don't want to go through the expense and trouble of an appeal. You only get an appeal if you want one. The exception is in capital crimes, which has a mandatory appeal just because the government wishes to make absolutely certain that innocent people are not wrongly convicted in capital cases.
This is another example of how the law is designed to look fair upon cursory examination...
The law is exquisitely fair. The same laws apply to both sides equally. That's the textbook definition of fair. Now, there are a lot of concerns about the competency of public defenders, et al., and there's a lot of merit to those concerns--but the law is brutally fair. That's why so many people hate it.
Fair, in a legal context, doesn't mean everybody's happy. Fair means everybody gets screwed over equally. That's why smart people avoid trials whenever possible. While I like fairness, I'd rather avoid getting screwed over.
Think for a second about the symbol of justice that they give to us.
Who's they? Answer: they is us. We're the ones who gave that symbol of justice to the courts; they didn't give it to us.
If I were going to swing the sword of justice based upon the results of a weighing, would I wear a blindfold?
Wrong symbolism. The woman represents the judicial system. The blindfold represents judicial fairness (or, screwing over everyone equally); it's a metaphor for the courts not paying any respect to social class, position, political power or, for that matter, anything else save the law. The scales represent fair judgment; courts "weigh the evidence" to come to a decision, without once looking at who's well-dressed and who's homeless. The sword represents the screwing-over; while the court is fair (and screws everyone over equally), if you're deemed to be a naughty person who just murdered sixteen people because you were frustrated about finding walnuts in your brownie, buster, that sword is for you, and you are not going to like it.
That symbol is a little joke that the evil people couldn't resist.
Friend, I hate to tell you this, but the evil people are us.
We're the ones who gave the courts that symbol. If you think justice has been hoodwinked, then by God, man, act on it.
Write a letter to your Congressional representatives. Tell them to change the laws regulating the courts so that they make more sense. If they won't respond to you, run for office yourself.
Write a letter to your local judges, expressing your frustrations and asking them to exercise better judgment and discretion in the future. They won't write back to you--they're forbidden from doing so by ethics laws--but according to the Constitution, they must read your letter! (The right to petition the government for the redress of grievances is useless if the government is permitted to throw away petitions unread. Hence, the government is required to read your complaints.)
You have a lot of recourse here, as do I, as does everyone. Stop griping and start using your recourse. The government does not care about someone who sits on their couch, watches a little CNN and bellyaches about problems. Really, they don't care a damn.
The instant your feet hit the ground and your ass leaves the couch, Uncle Sam will tremble in fear and throw himself at your feet, begging for mercy. The government knows how powerful the people are when they're motivated to do something.
After all, that's how our nation was established.
In 1998, I was hired by MCI (later MCI-WorldCom) as a mainframe QA engineer. This caused no end of consternation for my father; while he was happy that I'd found employment after college, it caused him a fair amount of legal trouble. :)
My father is Judge David R. Hansen, sitting on the United States Eighth Circuit Court of Appeals, and at the time MCI (and other long distance carriers) were challenging the Telecommunications Reform Act.
For a couple of weeks he was considering recusing himself from the trial just to avoid even the appearance of impropriety. While my financial future wasn't tied to the trial, nor my continued employment, there could have been the perception that there was, and as such, Dad would have been obligated to recuse himself. I volunteered to pass on MCI's employment offer and accept a (slightly inferior) position elsewhere, but Dad wouldn't hear of it.
He didn't want to recuse himself, because he felt it to be a fascinating trial and he wanted the opportunity to write the opinion on it. Nor did he want me to pass on a good job after college. Nor did he want even the appearance of impropriety to touch the Judiciary.
Dad decided that full disclosure was the best option. He fully informed all parties that I had accepted employment with MCI and volunteered to recuse himself if any parties involved objected to his presence.
In the end, none of them did, and Dad wound up writing an opinion which he was quite proud of--and then the Supreme Court overturned the Eighth Circuit, and there was much gnashing of teeth and wearing of sackcloth and ashes in Mom and Dad's house.
So, as you can see, these sorts of events have happened before. The procedures for dealing with them are well-known. While I'm not accusing Rehnquist of being biased (I feel he's far too professional for that), I do have to wonder exactly why he didn't make full disclosure to all parties long before.
If Moore's Law applied for performance, your desktop box would be about as useful as a calculator.
... just cracking does not require such features as CBC modes ...
... they were building two computers for the NSA when they folded. ... They were paid for and the order was canceled after the machines were mostly complete. To me that says the NSA didn't need to do any more big prime number research since it would have not cost them any more money to have the machines completed.
I'm not sure what you're meaning to infer there; my desktop box is a calculator. Just a really fast one with a large display. Moore's Law does apply to performance, and has applied for about the last 40 years.
It was designed in 1997
Of course it doesn't. CBC mode is ECB that's been XORed with the previous ciphertext block. Breaking CBC mode is computationally equivalent to breaking ECB mode, especially since if you have N blocks of text, you've got N-1 cribs. Or N cribs, if the CBC mode is brain-damaged and has a known IV.
As far as the large primes go
Reference, please? Even assuming this is true and not urban myth, it still demonstrates nothing. They could just as easily have discovered a proof that P != NP, thus making the entire attempt to break large composite two-factor numbers moot. There's not enough information there to draw any sort of inference from. It is just as dangerous to overestimate your enemy's capabilities as it is to underestimate them.
I also know that some even numbers will pass many of the "prime" tests used by many popular key generation programs.
Bullshit. The first step in selecting a probable prime is to see if it's divisible by 2. This is really, really simple; you just check one of the low-order bits in the number and if it's set, it's not prime.
If you've found a program which does prime generation and skips this step, please tell me, so that I can spread the word and trumpet from the mountaintop, "don't you dare even think of using this piece of crap".
But I don't think you've found one, otherwise you'd have mentioned it by name.
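To make the CBC-is-ECB-plus-XOR point above concrete, here is an added Go example (written for this page, not code from the original poster): it builds CBC by hand from single-block AES calls, checks the result against crypto/cipher, and counts the block-cipher (input, output) pairs a known-plaintext observer obtains, N-1 when the IV is secret and N when it is known. The key, IV and plaintext are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// xorBlock returns a XOR b; the slices must have equal length.
func xorBlock(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// cbcFromECB builds CBC encryption by hand from single-block (ECB-style)
// calls to the cipher: C_i = E_k(P_i XOR C_{i-1}), with C_0 = IV.
// plaintext must be a whole number of blocks.
func cbcFromECB(block cipher.Block, iv, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, 0, len(plaintext))
	prev := iv
	for i := 0; i < len(plaintext); i += bs {
		c := make([]byte, bs)
		block.Encrypt(c, xorBlock(plaintext[i:i+bs], prev))
		out = append(out, c...)
		prev = c
	}
	return out
}

// Crib is one known (input, output) pair for the underlying block cipher.
type Crib struct{ In, Out []byte }

// cribsFromKnownPlaintext lists the block-cipher pairs an observer who knows
// the whole plaintext learns from a CBC ciphertext. Block i needs C_{i-1};
// for i == 0 that is the IV, so pass iv == nil to model a secret IV
// (N-1 pairs) and the real IV to model a known one (N pairs).
func cribsFromKnownPlaintext(plaintext, ciphertext, iv []byte, bs int) []Crib {
	var cribs []Crib
	for i := 0; i*bs < len(plaintext); i++ {
		prev := iv
		if i > 0 {
			prev = ciphertext[(i-1)*bs : i*bs]
		}
		if prev == nil {
			continue // first block, IV unknown: no pair recoverable
		}
		in := xorBlock(plaintext[i*bs:(i+1)*bs], prev)
		cribs = append(cribs, Crib{In: in, Out: ciphertext[i*bs : (i+1)*bs]})
	}
	return cribs
}

// cribsValid re-encrypts each recovered input and checks it really gives
// the recovered output, i.e. that each pair is a genuine E_k(x) = y.
func cribsValid(block cipher.Block, cribs []Crib) bool {
	buf := make([]byte, block.BlockSize())
	for _, c := range cribs {
		block.Encrypt(buf, c.In)
		if !bytes.Equal(buf, c.Out) {
			return false
		}
	}
	return true
}

// runDemo encrypts four constructed 16-byte blocks under a constructed key
// and IV (sample values, not from any real system) and reports: whether the
// hand-rolled CBC matches crypto/cipher, how many pairs a known-plaintext
// observer gets with a secret and a known IV, and whether they check out.
func runDemo() (matchesStdlib bool, cribsSecretIV, cribsKnownIV int, allValid bool) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 key
	iv := []byte("fixed-iv-16bytes")                 // constructed IV
	plaintext := []byte("block one here..block two here..block three hereblock four here.")
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()

	want := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(want, plaintext)
	got := cbcFromECB(block, iv, plaintext)

	secret := cribsFromKnownPlaintext(plaintext, got, nil, bs)
	known := cribsFromKnownPlaintext(plaintext, got, iv, bs)
	return bytes.Equal(got, want), len(secret), len(known),
		cribsValid(block, secret) && cribsValid(block, known)
}

func main() {
	m, s, k, v := runDemo()
	fmt.Printf("matches stdlib CBC: %v; cribs with secret IV: %d, with known IV: %d; all valid: %v\n", m, s, k, v)
}
```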
In other words, you had a set of cribs so extensive that you could've brute-forced it with pencil and paper. And you expect me to take that as evidence that MD5 is insecure?
No samples will be provided. As I said--no cribs. (Actually, I lied. I intentionally put lots of cribs in that challenge, if you're smart enough to pick up on them.)
Time to fish or cut bait, thogard. It's all up to you.
Show me the academic papers which show you can reduce 3DES to complexity 2**78. The same attack could be used to reduce DES to complexity 2**39, which would be the world's first strong cryptanalytic attack against DES.
Show me just one instance where someone used this attack against DES to break it by brute force in an average of 2**38 operations.
Your argument about computing hardware is (a) wrong and (b) irrelevant. Moore's Law says that we can expect it to roughly double every eighteen months; if it increased eightfold in a year, this is highly unusual and is likely not a trend. Please point out the academic reports which talk about chips capable of doing a billion keys a second by themselves, or that the field of brute-force crackers is increasing by eightfold a year. That's why it's wrong; it's irrelevant because no matter what, thermodynamic limitations still apply.
Please present me with a real analysis which backs up your claims, not some vague statement of potential attacks and a made-up number about hardware crackers.
Too bad the crypto only works with one to one keys if the numbers are prime, probably prime isn't close enough.
The odds of a good probable-prime being composite is less than the odds of you being struck by a meteor at the instant you read this post. If you're concerned about your probable-primes being composite, I would respectfully suggest that you should consider the threats to your life that meteor strikes, attack by killer bees, random violent stranglings with rabid wombats, etc., pose. To lament the likelihood of a composite probable-prime while not living in stark fear of death by slipping in the tub and breaking your neck is extremely irrational. The one is far more likely than the other, and has much more dire consequences.
I have already issued a challenge to you on one of your more outrageous claims. I hope you take me up on it.
This is not a joke.
I am very, very tired of hearing people say that they can break this-and-that, or that such-and-such is trivial, or what-have-you. Most of the time, these people are total incompetents who like to make themselves sound much more clued in than they really are.
The last time someone made claims like thogard did, I made a public challenge which was not accepted. Maybe this time will be different. So, without further ado:
THE 6-HOUR MD5 CHALLENGE
1. Rules.
The only rule is you can't bribe the judges. If you want to lurk around my workplace, bushwhack me when I come out and beat the answer out of me, feel free. Don't do the crime if you can't do the time, though. You can cryptanalyze this, you can attempt to coerce it out of me, you can send an attractive woman my way (free hint: I'm partial to tall redheads) to coax it out of me, you can try and eavesdrop on my phone lines and overhear me give it away, I don't care.
But you can't go after the judges, because then we don't have a fair contest. Fair?
2. The Challenge
If this challenge is accepted, I will submit to CmdrTaco (or another Slashdot employee, as he assigns) a credit card number. Specifically, my credit card number (with a few digits changed for my own self-preservation). I will also submit the MD5 hash of this (slightly modified) credit card number.
No cribs will be given. It will not be announced whether it's the credit card number by itself, whether my name is part of the data, whether the expiration date is included, etc. CmdrTaco will verify that I'm not cheating.
Once everything is set up, the MD5 hash will be put up on Slashdot. From the time it's put up, you'll have SIX HOURS to reverse the MD5 hash and get my credit card number.
3. The Reward
The reward is $1,000 cash. (Well, it'd actually be a cashier's check, but same difference.) If you can do it--especially if it's as easy as "a bit of code, a few computers, and I was generating the card numbers within seconds"--then this will be the easiest grand you've ever made in your life.
All monies will be deposited in advance with CmdrTaco (or others as he assigns). If I don't cough up the dinero up front, the contest doesn't go forward.
4. Frequently Asked Questions
Why only six hours?
Credit card numbers really aren't all that entropic; they're very predictable. The card I'm looking at right now has 16 digits, plus my name and two dates (valid-throughs). Brute-forcing 10**16 would take some time, even for an immensely large network, and that doesn't include the permutations of my name, the expiration dates, etc.
Breaking DES by brute force requires an average of about 3 * 10**16 operations. Thus, breaking my credit card is a little harder than breaking DES. It's possible some Slashdotters with access to extremely large networks would be able to brute-force this, but I don't find it likely.
If it's really as easy to break MD5 as thogard is claiming, six hours will be plenty of time.
Why are you changing the digits of your credit card? If you have such faith in MD5, shouldn't you leave it unaltered?
As I said, some Slashdotters may have access to extremely large networks which could brute-force it in a few days' time. I'm changing it just to cover my tail in case someone decides to spend weeks of processor time brute-forcing every possibility.
Isn't MD5 in disfavor nowadays? Wouldn't SHA-1 be better?
Yes, MD5 has a couple of potential attacks against it. I still have faith that it's very strong in practice, though.
Are you serious about this?
I'm serious about this. Are you?
If I get any more irate (see my other posts in response to this story) I'm going to get the Theo deRaadt Award...
It's fairly simple to write an encryption scheme using the available algorithms...
Yes. It's even simpler to screw it up. Any fool can make a system which they can't break. Making a system which nobody can break requires absolute genius.
If every government wants perfect security, they should have their own classified programs with classified keys.
No. Wrong. Go back to class and study some more. The Germans thought that Enigma was secure since the Allies didn't know how it worked, but Turing and friends did amazing work breaking the Enigma even before they had one of their own. The Japanese PURPLE cipher (?) was broken without ever knowing how it worked; they recreated it entirely from first principles.
Without exception, every cipher I know of which kept its internals a trade secret has been a failure. The most recent spectacular failure is the NSA's SKIPJACK, which for years had its internals protected as a national secret. It didn't do anything to preserve the integrity of its messages; Eli Biham invented an entirely new branch of cryptanalysis (impossible-differential) and used it to cryptanalyze all but one round of SKIPJACK.
The only systems which are worth trusting are those which have survived years and years of brutal peer review. I trust PGP and GPG; I trust Blowfish, IDEA and 3DES; I trust this, that and the other. I trust the PKCS-11 CRYPTOKI standard, I trust SSL when used properly. All of these have been peer reviewed extensively and exhaustively, and so far they're still standing.
I don't trust anything which hasn't been extensively peer-reviewed. History shows that systems which have not survived brutal peer review do not survive in the real world.
Some of my Marine friends are fond of saying, "Training ought to be so hard combat is a vacation." There's a lot of merit to that. In cryptography, peer review means that everyone is trying to break a system. Of all those people, odds are there are people with more skill and better resources than the people who are trying to break your system for-real. If a system survives peer review, it'll probably survive your enemies.
If it's not submitted for peer review, you take your chances.
Your chances aren't very good.
... projected when 3des should be able to be broken in real time. It's about 10 years away.
Wrong. Amazingly, staggeringly wrong. The minimum amount of energy required to flip a bit is kT, which is 1.3 * 10**-23 joules per Kelvin. Multiply that by the ambient temperature of the universe, 3.2 K, and you get a minimum of 4.16 * 10**-23 joules per bitflip. This is a thermodynamic limitation of computers, and cannot be surpassed without shifting computation away from Turing machines.
Now, 3DES has an effective 112-bit keyspace. 2**112 is about 5.2 * 10**33. Multiply (5.2 * 10**33) by (4.16 * 10**-23) and you get 2.16 * 10**11 joules of energy required to break 112 bits by brute force.
2.16 * 10**11 is a huge amount of energy, on the order of 200 terajoules. But that assumes you have to exhaust the entire keyspace--considering you only have to search 50% of it, on average, you only have to apply 100 terajoules of energy.
Remember: there is no way around this that we know of. This is a thermodynamic limitation; as soon as you figure out how to get past this, I suggest waiting by the phone because the Nobel folks are going to be calling long-distance from Oslo soon.
I've got no choice but to completely and wholly discount your entire message. This analysis took me all of five minutes to conduct. It's not hard.
Insofar as the likelihood of pseudoprimes not actually being prime--do you have any idea what you're talking about? I hate to sound irate (it's only because I'm very irate), but the entire notion of pseudoprimes is that they are probably prime. The likelihood of a pseudoprime not being prime is less likely than you winning the lottery, getting into a car crash, and being struck by lightning while having a hot date with a supermodel. Really. No, I'm not kidding.
Please, get a clue.
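Probable primes come up twice on this page (the meteor-strike reply above and the pseudoprime reply in this post). As an added example that is not from any of the posters, here is a Miller-Rabin strong probable-prime test in Python that puts "probably prime" into numbers: 2047 = 23 * 89 fools the test for base 2 alone, but the chance that a composite survives k independent random bases is at most 4**-k, which is the kind of bound behind the odds being described.

```python
"""Strong probable-prime (Miller-Rabin) testing.

Added example, not code from the original thread. It shows that a single
base can be fooled by a composite (2047 is a strong pseudoprime to base 2),
and that the probability of a composite passing k random bases is at most
4**-k, which is why "probably prime" is a precise, very strong statement.
"""
import random

# 2047 = 23 * 89 is the smallest strong pseudoprime to base 2 (a known fact,
# used here as the constructed demonstration value).
STRONG_PSEUDOPRIME_BASE_2 = 2047


def is_strong_probable_prime(n: int, base: int) -> bool:
    """One Miller-Rabin round: True if n is a strong probable prime to `base`.

    A true prime always returns True; a composite returns True only for the
    bases that happen to be "strong liars" for it (at most a quarter of them).
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    a = base % n
    if a == 0:
        # A base that is a multiple of n carries no information; treat as a pass.
        return True
    # Write n - 1 as 2**s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    # Square up to s - 1 more times looking for n - 1 (i.e. -1 mod n).
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def is_probable_prime(n: int, rounds: int = 40,
                      rng: random.Random = random.SystemRandom()) -> bool:
    """Probabilistic primality test with `rounds` independent random bases.

    False is always correct (a witness to compositeness was found).
    True is wrong with probability at most 4**-rounds for a composite n.
    """
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)  # uniform base in [2, n - 2]
        if not is_strong_probable_prime(n, a):
            return False
    return True


def composite_survival_bound(rounds: int) -> float:
    """Upper bound on the probability that a composite passes `rounds` rounds."""
    return 4.0 ** -rounds


if __name__ == "__main__":
    n = STRONG_PSEUDOPRIME_BASE_2
    print(f"{n} passes base 2: {is_strong_probable_prime(n, 2)}")   # True
    print(f"{n} passes base 3: {is_strong_probable_prime(n, 3)}")   # False
    print(f"{n} with 40 random bases: {is_probable_prime(n)}")      # False
    print(f"2**61 - 1 with 40 random bases: {is_probable_prime(2**61 - 1)}")
    print(f"chance a composite survives 40 rounds <= {composite_survival_bound(40):.2e}")
```

With 40 rounds the bound is 4**-40, about 8e-25; real implementations usually also run trial division and a deterministic set of bases first, but the probabilistic argument is the one that matters here.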
1. THERE IS NO SUCH THING AS SECURE SOFTWARE.
:)
Like Yogi Berra said, "In theory, there's no difference between theory and practice. In practice, there is." No matter how stringent the testing, no matter how exacting the software development (up to and including provably-correct software), software cannot be secured. In theory, following a provably-correct software design (such as is possible in some Ada subsets) allows you to design software which is provably correct... but that's theoretical, not practical.
Sometimes, the buggiest thing in a system is a feature which is working exactly as it's designed to do. Provably-correct software is predicated on there being a correct assessment of what the software needs to do and needs to not do, and so far, nobody's come up with a way to do provably-correct brainstorming.
Auditing cannot, repeat, cannot make a piece of software secure. All it does is find errors, not all errors, and maybe even not all the major errors.
2. TRUSTED SYSTEMS ARE JUST THAT.
Trust. It's another way of saying "I have faith in you." Faith is the antithesis of proof. For years my Linux box was a haX0r's dream--I didn't bother to turn off services, my root password was fairly easy to guess, etc. That doesn't sound like a trusted box, does it?
Wrongo. It was very trusted, because it wasn't connected to any network and it was in my bedroom. I trusted it a lot--I had faith that it wasn't going to be compromised.
Whenever you see someone advertising a "trusted system", ask yourself: who trusts it? Why do they trust it? Should I trust it? "Trusted systems" are sometimes a lot of snake-oil; people who don't know beans about security buy "Trusted Solaris" because it says "Trusted", even though their incompetency as a UNIX sysadmin makes the box vulnerable.
(Note: I have a lot of respect for Trusted Solaris, even more than I do for OpenBSD. I'm just making the point that the word "Trusted" doesn't mean much.)
3. THE MOST IMPORTANT ELEMENTS IN SECURITY ARE THE USERS AND THE SYSADMIN, IN THAT ORDER.
Most people will reverse this around, claiming that the sysadmin is more important security-wise. There's merit to that (after all, root == God), but I reverse it. There's only one sysadmin, and an attacker more or less has to take his chances that the sysadmin is incompetent enough to fall for (a crack, a social engineering attack, a DDoS, etc.). But if there are hundreds of users, it's certain that at least one of them is going to be a complete fargin' idiot, which means attacks which involve users are more effective than those which go straight for root.
This is an important point. No matter how secure the box, no matter how trusted it is, the weakest link are the users. When companies get on a security kick, they tend to spend lots of money on software and very little on educating their users. This has always struck me as backwards.
4. USERS DON'T WANT SECURE SYSTEMS.
Have you ever tried to use Trusted Solaris, or OpenBSD in a particularly bondage-and-discipline configuration? Sure, they're locked up tight against intrusion, but this comes at a steep price in usability. People want computers to be easy to use more than they want them to be secure. If you make computers too secure, your own legitimate users will circumvent security. I regularly see passwords on Post-It notes stuck to monitors--not just in Corporate America, but in government offices which routinely handle extremely sensitive data.
5. FOR ALL THIS, SECURITY AUDITS ARE A GOOD IDEA.
Security audits do two things: first, they tend to ensure that software works the way it ought, and second, they tend to ensure that software doesn't work the way it oughtn't. The potential problem that's spotted and corrected due to a security audit may never have resulted in an exploit, but it may well have resulted in a Blue Screen of Death at some point down the line.
Security audits don't just make systems more secure; done properly, they make systems more reliable, which in turn makes them more usable.
In Surely You're Joking, Mr. Feynman! (are there two Ns or just one in his name? I always forget), Richard Feynman talks about the Trinity nuclear test. He was the only person to look at the nuclear bomb directly, and suffered no permanent eye damage.
:)
According to Feynman (or at least, what's written in his book), it's the ultraviolet light which cooks your retinas, and that visible light simply won't do it no matter how intense it is. He took the simple precaution of watching the nuclear blast through a truck windshield, which is UV-opaque. While he had a big purple blotch in his visual field for several minutes afterwards, he did manage to watch a nuclear blast without permanent damage, which I think is pretty damn cool.
From my own experience, I can submit anecdotal evidence which supports Feynman's UV-is-the-problem hypothesis. Once, while working in a laser holography lab, I wound up getting an eyeful of HeNe. While I was damn near blind in that eye for ten minutes afterwards, I had no permanent effects.
ObWarning: I am not a competent eyecare professional, and don't try either of these stunts at home. Really. Especially not the nuclear one.
John von Neumann gave some formal mathematical proofs, years and years ago, that all programs were data and vice versa. Most people think that War and Peace isn't a program, but it is--go ahead, type ./warandpeace at your terminal, or ./brotherskaramazov if you feel like something a little different.
Of course, these programs are poorly written and will soon cause a core dump--but that doesn't change the fact that they're still programs.
Programs are data are programs. Thus spake John von Neumann, thus ever shall it be.
A lot, emphasis, a lot of people who work in InfoSec work for charity. Many of the people who do this stuff for a living do it out of a deep conviction that InfoSec is essential to a free society, and as such, they're not exactly motivated by money, power and hot chicks. ;)
It helps to look for help in the usual places. Churches can often be incredible help; they're not only places of worship, but they're networks of people who are willing to help each other for free. Contact your local churches and ask them if they have any parishioners who are employed in the IT field; you might be very surprised. They probably don't have many, if any--but the one they do know probably has five or six like-minded friends, and so on, and so on.
Other good ideas are LUGs, if there's one in your area. Colleges, too: there are usually lots of community-oriented groups on college campus, and somewhere in them there have to be a couple of CS majors.
So call some priests and college chaplains, hit the local LUG homepage, put up posters in the Student Commons. There's lots of help to be found--good luck!
Simply put, there already existed other alternatives to RSA, provably just-as or more secure than RSA, which were unencumbered by patents. (The most notable would be El Gamal, which went into the public domain in 1997.)
While we'll see legal Free Software versions of SSL in the near future, I really don't think the expiry of the RSA patent is going to make that much of a sea change in the Free Software community. In the commercial community it'll make a big change, but not so much in the Free Software sector.
As I recall, the only thing "unusual" about Bork's viewing habits is that he has a penchant for Golden Age song-and-dance numbers--a lot of Sinatra and Astaire movies.
Saying that Bork has "unusual video watching interests" does nothing but slander a man's name. While intelligent people often disagree with Bork's politics, I would hope that we're all mature enough to shy away from slander.
You're still missing the point. Certificate authorities don't really solve much of anything, if anything at all.
Let's say that I go to Trusted Certificates, Inc., "Where We Make Even Our Mother Show Six Forms of ID". I register my key, and lo and behold, I have "verified identity". Anyone who wants to can check my signature with the CA and discover it's valid.
Guess what? That's still not enough.
Let's say that I want to steal $10,000 from the bank. First, I need a conspirator--I hand over my keys, then go on vacation in Aruba. While I'm in Aruba, sipping mai-tais on the beach, my conspirator is posting innocuous messages, as me, to newsgroups.
I come home and send an email to the bank, asking it to transfer $10,000 from my account to the First Bank of Never-Say-Anything. The bank checks out my keys with the CA, and lo and behold, it checks out. Since they've "verified" that it's really me, they make the transfer. (In reality, they haven't verified anything--only that someone who knows a specific string of bits asked for a transfer.)
At that point, I raise holy hell and scream "What the hell is going on here? I didn't authorize anything!" The bank can't get the money back from the First Bank of Never-Say-Anything, and so they're stuck trying to prove that it really was me who sent the authorization.
At that point I just have to point out the various postings to alt.sex.hamsters, which were signed with my key. "Look! I was in Aruba, sitting on the beach drinking mai-tais! Someone compromised my keys!"
... and at that point, the only way, the only way, for the bank to show that I'm lying is to find my conspirator. And in the meantime, I get to repudiate every single message that bears my signature ever since the compromise date. The $10,000 transfer? I didn't do that. Sending incriminating emails to government officials? Wasn't me. This, that and the other? Unh-uh.
Compare this to a real signature, which--by its very physical nature--possesses forensic value. It isn't just a string of bits; it's evidence, and oftentimes is enough to get convictions in court. Real signatures are also not wholly invalidated simply by the appearance of forgeries, as opposed to digital signatures. If I send a paper letter to my bank authorizing the $10,000 transfer, they'll have a handwriting expert compare the signature to the signature on file. They'll compare everything from the shape of letters to the inks used in the paper. And even then, they won't trust it--they'll have a bank teller who knows me well give me a call and ask me, "Do you really want to do this?" If the bank teller recognizes my voice, then the transfer goes through.
We have extremely robust identification and verification mechanisms in real life which are composed of interlocking parts. We don't have anything like it in electronic life yet. We have things that bear a strong resemblance, but the devil is in the details.
Digital signatures are not real signatures. They're different beasts which serve a different purpose. As long as all parties involved are committed to using digital signatures honestly, digital signatures work.
The instant someone realizes that there's money to be made by false repudiation, things change.
No--a paper signature is meaningful because verification is simultaneous with signing.
Let's say that I want to buy a new car. I go to the car dealership and ask about the rate I'll get from GMAC. The dealer and I quibble, he drafts up a loan agreement, and I sign it as Mordecai McWhirters.
At this point, the car dealer asks me for identification--a lot of identification. If any of these forms of identification fail, then the car dealer is within rights to say "no, you're not really that person; I'm not going to enter into this contract with you". And since my name isn't Mordecai McWhirters and I don't have the technical skills required to forge a passport and driver's license, well... my ID isn't going to check out.
Compare this to a letter that arrives in the emailbox PGP-signed. The return address on the email is billc@whitehouse.gov. You check the key database, and lo and behold, there's a key there for billc@whitehouse.gov. Does that mean you really received an email from Bill Clinton?
No--it means someone signed the email, and you have no idea who. This is why so-called "digital signature laws" scare the bejeezus out of me. Under most of them, if I want to take all the money from your bank account--legally--I just have to register a key in your name, write an email to the bank that's signed with this key authorizing a wire transfer of $10,000 to the First Bank of the Caymans, and then laugh all the way to Aruba. People mistakenly think that digital signatures are a verification of identity: they're not, and that's the biggest difference between digital signatures and real signatures.
Verification of identity is not a part of the current public-key infrastructure. Every single scheme which has been devised to give verification of identity to digital "signatures" is a dismal failure--certificates aren't a good solution, far less the CA+RA model which seems so common nowadays.
Signatures are forgeable, yes... but there's a good reason why people use them to enter legal agreements.
Signing a physical letter is in some ways insecure, in that a signature can always be forged--but by and large, signatures are always unique. My signature doesn't look anything like your signature, and bears only a slight resemblance to my father's signature and none to my brother's. In this way, a physical signature uniquely identifies me.
Digital signatures bear almost no resemblance to physical signatures. Not only can digital signatures be forged (check Applied Cryptography or Menezes' Handbook of Applied Cryptography), but a digital signature is not unique. It doesn't verify that I actually did anything--it only verifies that someone who has access to a very specific string of digits did something.
Now, if you can prove in a court that I am the only person who knows this very specific string of digits, then you might be able to prove to the Court's satisfaction that I signed the document. Still, that's a far cry from the inherent validity which a paper-and-ink signature possesses.
Realistically? No. Encrypting a "The system is going down in 15 minutes!" message, broadcast over a network for each user on a network, makes absolutely no sense--why would you want that message to be protected from eavesdropping?
There are two sorts of communications which go out over the Net: public and private. Private communications (email, Web pages, etc.) ought to be transmitted securely in order to ensure privacy; public communications ought to be transmitted in the clear to ensure they remain public.
RSA is built on the integer factorization problem; El Gamal is built on the discrete logarithm problem. If you can get a general solution for the discrete logarithm problem, then you're also going to get a solution for the integer factorization problem--but knowing how to factor arbitrarily large numbers doesn't help you with discrete logs.
Insofar as keysize goes, 2048 bits is plenty sufficient for every attack we can foresee. If you want to be truly paranoid, go for 3072 bits; even with quantum computation, it's still as hard as RSA-1536.
Personally, I don't think RSA is ever going to be cracked by brute force--so this trend among the cryptoparanoid towards larger and larger keys is somewhat silly. I think it's far more likely that either (a) a general solution to the factorization problem will be discovered which runs in polynomial time, utterly destroying RSA, or (b) an attack against RSA will be discovered which does not depend on factorization.
Remember that the integer factorization problem has never been proven to be difficult, only conjectured to be so--and as time goes on, it gets less and less difficult. More than that, while RSA is built on the integer factorization problem, nobody has ever proved that you need to factor very large numbers in order to break RSA.
My money is on El Gamal--it seems to be built on stronger mathematical foundations.
Do you think [E]thernet would have evolved to 1Gbps if that had been the case?
Hmm. Hardware engineering. Tell you what, let's repackage this in terms of more conventional engineering--civil engineering, to be exact:
"Now imagine a world in which 3com published the schematics for their [bridges] with instructions on how to build your own [bridge]..."
Okay, we already have this world. Whenever an engineer drafts a bridge, that blueprint is put on file somewhere and any engineer who wants to look at how it's made is free to do so. This engineer can then use anything they've learned from studying the design, provided it hasn't been patented, in their own designs.
How many times do bridges collapse? With the occasional glaring exception (Tacoma Narrows), not often at all. This model works extremely well for civil engineers.
"Now imagine the 3Com Public License which states that not only are they giving away the schematic [to their bridges], but you don't owe them anything... Make as many of these [bridges] as you want, give them to your friends and neighbors. No licensing fees, no royalties, etc."
Well, here's the real question: why would I want to? If I can study their bridge as much as I want, both by studying schematics and walking across it a few times, then I'll probably find things I'd do differently. I might not like the curve of this arch, or I might want to use a higher grade of steel, or any of a thousand other small changes. I wouldn't make a slavish copy, but an incremental improvement.
Again, this world is not hard to imagine. It's the world we live in today.
"Do you think [bridges] would have evolved to [the Golden Gate Bridge or other masterpieces of engineering] if that had been the case?"
Well, judging from the fact that we have a Golden Gate Bridge exactly because of this being the case? Yes, I do think the state of the art would have evolved to that point!
"Do you think 3Com would have survived 5 years in the [bridge-building] business?"
Sure. In fact, I think they'd have survived 17 years. They could patent the nonobvious and useful portions of their bridge design and deny other people the ability to duplicate it without permission. That gives them 17 years of profitability, provided their patent is a good and sound one. Hopefully, by the time 17 years are up, 3Com would have found a new and even better way to build bridges--and would have received another patent, and have another 17 years, etc.
Moral of the story: We already have all the intellectual-property protections we need, without needing to make things proprietary.
(Before the anti-IP crowd flames me to death here, let me say that patents need serious revision. 17 years for a nonobvious, useful invention that makes for safer bridges is one thing--17 years on XOR encryption is another!)
Okay, the compiler doesn't catch it.
More accurately, the compiler doesn't erroneously complain about it. It's perfectly valid, syntactically correct C++.
There's no conceivable reason you would want to construct something like this anyway
On the contrary, it happens quite a bit. If you've got function F which calls function G, and G needs access to the internal state of F, you pass F's state to G as pointers and then cast them back to the appropriate type of variables. This is a little kludgy, but oftentimes makes for more readable code than if you'd inlined G into F.
I didn't mention that I'm a Java hacker, because I didn't see it was particularly relevant. :)
;)
My general attitude on Java is "those who do not understand C++ are condemned to reinvent it, poorly" (sorry, Henry Spencer)--this is a reasoned opinion, one I've come to after some study of the issues involved; I only bring it up now to make sure that you're aware of my bias.
As a Java programmer, I [prefer] the C toolbox to the C++ toolbox. The C toolbox contains all your hammers, screwdrivers, chisels, etc. The C++ toolbox contains this lot and also sticks of dynamite, nooses of rope and [Gatling] guns.
Wholeheartedly agreed. Anyone who tries to sell C++ (specifically, object oriented C++) as being the One True Way is probably smoking too much ganja. At the same time, though, there are occasions when you need pure, unadulterated power, and for those times, C++ exists.
Java seems, to my mind, to almost be a subset of C++, one in which the most dangerous features of C++ have been removed--pointers, generic programming, multiple inheritance, etc. There's something to be said for this approach, in that very few C++ programmers can use multiple inheritance, generics and so on well. But those of us who can use them well get really annoyed that Java denies them to us.
My biggest objection to C++ is that it takes a very long time--on the order of years--to become a good C++ programmer. I think, though, that it's plenty worth the effort.
As usual, most people who say "language foo is better than language bar" don't understand foo, bar, or the problem they're trying to solve in languages foo and bar. The world is filled with interesting problems to be solved. Languages are tools; and there's a lot to be said for personal preference, and comfort level, with one's tools.