Slashdot Mirror


User: epictetus

epictetus's activity in the archive.

Stories: 0
Comments: 15

Comments · 15

  1. JavaCard and MUSCLE on Open Source and Smart Cards? · · Score: 2, Informative

    A previous poster mentioned the MUSCLE project. It provides lots of open-source software for talking to smartcards, primarily for cryptographic applications.

    MUSCLE works with JavaCards. With these it is relatively easy to write your own applets that run on the card and do whatever you want.

    Lots of vendors supply JavaCard-compliant cards. For example, SchlumbergerSema, iButton, and Gemplus.

  2. Re:fhnlsfdlkm&5nlkd%Bvbcvbc on Ask Security/Cryptography Expert Paul Kocher · · Score: 1

    Here's a little perl script I call "cryptoquote" that makes this easier to do. You set up a "translation file" that contains lines of the form
    a=b
    c=d
    ...

    You pass this filename as the argument to this perl script, and feed the cryptoquote into stdin. If you're running on a vt100 terminal, it will boldface the letters that have been translated. Otherwise, you'll want to remove the lines below that have "pack" in them.

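    use strict;
    use warnings;

    # Read the translation file (lines of the form a=b) into a lookup table.
    open(my $trfile, '<', $ARGV[0]) or die "Cannot open translation file: $!";

    my %trtable;

    while (<$trfile>) {
        if (/(\w)=(\w)/) {
            $trtable{$1} = $2;
        }
    }
    close($trfile);

    # Translate stdin one character at a time.
    my $line;
    while ($line = <STDIN>) {
        my @inchars = split(//, $line);
        my @outchars;
        for (my $i = 0; $i < scalar(@inchars); ++$i) {
            # exists() so that a translation to "0" is not skipped as false.
            if (exists $trtable{$inchars[$i]}) {
                # VT100 escape sequences: highlight the translated letter, then reset.
                push @outchars, pack('c', 033), '[', '7', 'm';
                push @outchars, $trtable{$inchars[$i]};
                push @outchars, pack('c', 033), '[', '0', 'm';
            } else {
                push @outchars, $inchars[$i];
            }
        }
        print join('', @outchars);
    }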

  3. Re:NOT an interview question ... on Ask Security/Cryptography Expert Paul Kocher · · Score: 2, Funny

    That's nothing. My corporate VPN runs on double-Rot-13, also known as Rot-26. It's twice as secure!

  4. Re:What a silly question on top page of slash dot on What Would You Do With a New Form of Encryption? · · Score: 1

    With a one-time pad you are protected from brute-force attack. Even if you guess the correct key (pad) on the first try, you will not know that you have guessed it.
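
The point made in the comment above, as an added Python example that is not part of the original comment: for a one-time pad ciphertext, every plaintext of the same length is explained by some pad, so a brute-force search returns every possible message and cannot tell which one is real. The sample messages and function names are constructed for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (OTP encryption and decryption)."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate`."""
    return xor_bytes(ciphertext, candidate)


def brute_force(ciphertext: bytes) -> set:
    """Decrypt with every possible pad; only feasible for tiny inputs."""
    n = len(ciphertext)
    return {xor_bytes(ciphertext, k.to_bytes(n, "big")) for k in range(256 ** n)}


# Constructed sample messages of equal length.
REAL = b"MEET ME AT NOON"
DECOY = b"SELL ALL SHARES"

if __name__ == "__main__":
    pad = secrets.token_bytes(len(REAL))      # random, as long as the message
    ct = xor_bytes(REAL, pad)

    # A second pad that is just as valid a "guess" as the real one.
    other = pad_explaining(ct, DECOY)
    print(xor_bytes(ct, pad))                 # the real message
    print(xor_bytes(ct, other))               # an equally plausible message

    # Exhaustive search over all pads for a 2-byte ciphertext:
    # every 2-byte string comes out exactly once.
    outcomes = brute_force(xor_bytes(b"OK", secrets.token_bytes(2)))
    print(len(outcomes), b"OK" in outcomes, b"NO" in outcomes)
```
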

  5. Re:a much more interesting question on What Would You Do With a New Form of Encryption? · · Score: 3, Interesting

    I've thought about this myself. What I would do is post the algorithm, encrypted with a 64-bit key. Then I would use the algorithm to solve all the RSA public-key challenges. This would get the attention of the world, and get distributed.net and others working on cracking the 64-bit encryption. The clock would be ticking for vendors to find alternatives to public-key encryption. Meanwhile I would retire on the RSA rewards.

  6. Re:Good on USC To Students: No Sharing Files · · Score: 1

    Yes, it means that now, because someone decided to call it that a long time ago and it has become common usage. I think the point is whoever named it that did it for political reasons, to try to demonize the practice of illegitimately copying copyrighted works.

  7. Re:patent 5,809,545 on JVC Announces Technology To Prevent Software Copying · · Score: 1

    Somebody mod up the parent.

    It looks like they are encoding a "wobble" onto the CD, i.e. a physical error, in a certain area. Mass-market cd-burners can't do this--they can only write bits. So the software attempts to read the magic part of the disk and gets back a certain error code. You can't copy that because your burner can't write a wobble.

    People are correct in saying that the data has to be detectable by standard software, but incorrect in thinking that it has to be detectable as data. In fact it is detectable by its error code.

  8. Re:I'm dead tired on Turns out, Primes are in P · · Score: 1

    The while condition, r < n, is a red herring. The loop will exit when it hits the inner break. It's guaranteed to finish in O(log^6 n) iterations (or so they say--I haven't verified the proof personally!).

  9. Re:I'm dead tired on Turns out, Primes are in P · · Score: 1

    r isn't the input to the algorithm. r is an intermediate number used in the algorithm. It's of size O(log^6 n).

  10. PSP is SO lame on Agile Modeling · · Score: 2, Interesting

    I started reading PSP a few years ago and found it just completely ridiculous. You're supposed to track how long it takes yourself to write common programming structures, like for() loops, and then eventually you will have a cookbook of all the common programming structures. You use this cookbook to estimate how long a project will take you (Ah, to implement this, I will have to write 3 for() loops and a switch() statement! That's a total of four hours!). After several months of gathering and analysing the data, you'll be able to estimate project time to the minute and also track your improvement.

    If you are designing your code down to this level of detail, then you are finished before you start typing it. The process seems to think that programmer time is taken up by mechanical, predictable tasks. This may have been true in the days of punch cards. In modern times, all the time-consuming work is mental, and you won't know how long that takes until you've done it. Sure you can still roughly estimate how long things will take, but tracking how long it takes to write a for() loop is no help at all.

  11. EFF is out of bounds on EFF Gets Meeting With Adobe · · Score: 2

    Many or most of these protests were organized by volunteers independent of the EFF. The EFF announced the protests to be postponed without consulting any of the people who had put much time and effort into this. They don't speak for everyone!

    The protests have a lot of momentum behind them. What did the EFF get in exchange for cancelling them? Agreeing to talks? There's no guarantee that anything will change. EFF has been tricked by Adobe PR.

  12. open-source crypto toolkit on E-Mail Clients That Support X.509 Digital IDs? · · Score: 1
    Such a toolkit does exist. It's called NSS. This is the mozillafied version of Netscape's security libraries. It can do everything the Netscape communicator can do: SSL/TLS, S/MIME, PKCS #11, certs, you name it.

    It runs on every platform that Mozilla does: Windows, Linux, Solaris, HP, AIX...even Mac!

  13. X.509 as open and secure as PGP on E-Mail Clients That Support X.509 Digital IDs? · · Score: 1
    The only part of X.509 PKI to come out of ISO is the layout of the certificate data structure. All the protocols (S/MIME, TLS, etc.) are developed by the IETF. All these documents are freely available. Check out the PKIX working group. This is where all the development work on "X.509" PKI gets done.

    All of the people involved in developing these standards are "techno-geeks" who really know and care about security. The cryptography and protocols used in X.509 PKI are as strong as anything else out there. If you're really untrusting and paranoid, then you don't have to trust any other CAs, you can run your own.

  14. Judge Samuel L. Jackson? on Justice Department Decides To Break Up Microsoft · · Score: 1
    Did anyone else find this part of the ruling kinda weird?
    [...]
    And, of course, the Court will retain jurisdiction following appeal, and can modify the judgment as necessary in accordance with instructions from an appellate court or to accommodate conditions changed with the passage of time. And I will strike down upon thee with great vengeance and furious anger those who would attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee.

    It is, therefore, this _____ day of June, 2000,

    ORDERED, that the motion of defendant Microsoft Corporation for summary rejection of the plaintiffs' proposed structural reorganization is denied; and it is
    [...]

    I mean, woah Judge. Take it easy.

  15. time for an open-source competitor on Thawte Bought by Verisign · · Score: 5

    Verisign is sure to jack up their prices if and when the deal goes through. There should be a market for cheap certificates sold to small sites that want to be secure without paying a Verisign tax.

    There's already open-source software out there for generating certificates. The other barriers to entry are:

    1. Name recognition. If you're in charge of security at a medium to big size company, your chief goal is to protect your own ass. To that end, you'll spend the extra money to buy Verisign, because nobody ever got fired for using Verisign.

    2. Being in the browser. This is a big one; your CA cert has to be pre-loaded into your users' browsers. This involves paying many thousands of dollars to MS and Netscape.

    The other things you need to be a CA are:

    1. Legal staff and Certification Practice Statement.

    2. Clerks for researching and verifying identity.

    3. A killer operations and security infrastructure to protect the CA's key and prevent unauthorized signing.

    CAs can and should be a commodity. The thing to watch out for is Verisign introducing proprietary technology into their certificates, or making exclusive deals with the browser manufacturers.