It is mot possible to decode without knowing the one time padd. And the one time padd is implemented in the physical world, by the window.
No, it's not in any way a one-time pad. One-time pad does not mean a passcode that is used for one encryption session. It means a passcode where no part of the passcode is re-used ever, even to encrypt other parts of the same message. To do this, the passcode must be at least as long as the message itself. This is most definitely not a one-time pad, nor does it claim to be. It's just multi-factor authentication, using the same encryption algorithms as any other.
If the authors claims are accurate (that it is possible to create tens of thousands of throwaway passwords per window before they need to be replaced) then this is an ideal authentication method IMO.
It's nice, better than just secret passphrase authentication, in some ways worse than SecurID tokens but with the advantage of being cheaper. Hopefully that means it will be used more often. It's anything but ideal.
The point the GP was trying to make is that a one time pad is not just a normal encryption key that you use once. A one time pad is where you never reuse any part of the encryption key at all even during the same act of encrypting a message. Therefore the one-time pad must be equal in size to the message itself. The reason this is considered unbreakable is because without any re-use of data, there's no crypotgraphic analysis to be done. With a properly random pad, you can use the most brain-damaged encryption methods, i.e.:
for(long i = 0; i
and bam, you're done.
But this isn't a one-time pad, because it does not generate a new random number for every byte of data you are sending. It's just 2-factor authentication using a random number at the end of a normal password. It's a low-budget way of doing SecurID (which uses synchronized PRNGs). It seems to have some additional weaknesses over Securid, but the principle works and it is a cheap way to get multi-factor authentication which is at least much better than single factor.
No, I'm worried that the planet will be overrunby self-assured neanderthals who can't think of a situation other than home banking in which an authentication system might be used.
Even neanderthals know that regardless of the application, if someone has acquired physical access to your home you're pretty much fucked.
If you can't make use of controlled paranoia, you've no business discussing security issues.
Great, let's control this paranoia with some rational assessment. So, we've got a plastic window that acts as a filter on random data. How does this compare to a typical 2-factor solution, the RSA SecurID? An attacker needs both the random data and the window pattern to get the true passcode. We can assume they can snoop the random data, so then if they can see the window (somehow) they can crack it, but if they can see a plastic window it's not too much of a stretch to them being able to see your dongle's display. RSA has an advantage here, but not one a paranoid person would be moved by.
Now perhaps the attacker can reverse-engineer the pattern by tricking them into visiting a phishing site and see what tokens they enter for a given piece of random data. Without doing the math, it seems like it would take a small-ish number of tries to deduce the pattern (since we're only talking about seven segment digits here), but probably more than a normal user would expect to be able to try without being locked out of the system. If they do discover the window, then they have broken the scheme completely. Compare to SecurID, where it would be intractable to figure out the random seed based solely on the tokens generated. On the other hand, in both cases it only takes entering in a password/token combo into a phishing site once and the attacker then has a valid password for as long as that code is valid -- ~30s on a SecurID, more than long enough to gain access to the protected system.
Thus the plastic window method is more likely to result in giving an attacker long-term access, but only in situations where a SecurID would likely have given an attacker access at least once. While certainly there are cases where the former is worse, in general having an attacker gain entry even once is unacceptable.
So while it's not a direct 1:1 replacement for SecurID, it isn't all that much worse, and much better than 1-factor authentication. As a low-cost way of adding additional security this is a pretty damn good invention. There are many applications where this will be more than good enough. Home banking being one, yes. For, say, the FBI agent logging into work it may not be, but they can keep their SecurID or whatever they use, if they decide there's a point.
Granted I had a hard time parsing the article, but it keeps talking about markets and the value of commercial space operation. I think the article is saying that's the projected value of the whole market, which X-PRIZE contenders will be positioned to exploit. "Um, yay," I think is the appropriate turn of phrase if that's true.
Kindle customers have, in effect, been sold "stolen" property. (Equivalent: buying software that illegally includes GPL code). If you buy a stolen ipod, it can get confiscated by the police.
I get your the point you are making, and the analogy. I'm just going to mention that wrt the GPL, the equivalent would never result in the end user, as in recipient of the code, being in trouble or losing their software. The GPL is, as is appropriate of a copyright license, only about distribution and basically the only way you can violate it is by distributing the software without granting the recipients the same rights. Any hypothetical recipient of GPL software is hypothetically licensed to use because 1) the GPL is explicitly not a usage license, anyone can use the software however they received it and 2) the GPL is an open offer whether the party that gave it to you include the GPL notice or not so you can still distribute the software under GPL terms. It would be the non-GPL parts that would result in anything getting confiscated.
If I were to reform a prison the first thing I'd do is make all cells solitary.
My reform would be to change the implicit acceptance of homosexual rape as a form of non-judicially mandated punishment, and make it so that prison guards actually give a shit about one prisoner assaulting another. The only ones facing solitary should be the ones who are a danger to other inmates.
Sure, that would give a good enough image of the moon landing site to identify Neil's footprints, but it wouldn't give a good enough image to prove paternity of Neil's kids like the LRO images are! Come on people, "CSI enhancement" isn't magic!
That's great if you're kicking it in the Outback or somewhere else sane, but here in the States 1984 it is still under copyright (I assume using the simple heuristic that it was created after Steam Boat Willie) and so probably not actually legal.
The part about judicial intervention being a predictor of judicial intervention to come is less obvious.
Maybe, but growing up I had a lot of friends who were tenants of the local juvenile home and seeing the effects on them of living there were pretty damn obvious to me. Not all were in there for delinquency/criminal behavior. But being stuck with the large number of kids who were had its predictable effect. So when the court ordered them put into the home for whatever reason, that later many of these kids would wind up in front of a judge again, this time in legal trouble, is not surprising to me at all.
It's kinda like being shocked that adults put in prison for minor non-violent offenses tend to leave prison more likely to commit more serious crimes. What exactly were you expecting to happen? That the hardened thugs and thieves would learn the pot-smokers' peaceful ways, or vice versa?
although Wonder Woman's magic rope is still the standard to beat.
Is it? I was never really sure how well her rope worked. Sure the villain would admit that he was behind it all and tell her what his evil plans regarding the missile base were, but I don't recall any ever admitting that being tied up by Wonder Woman had him more turned on than ever in his life, or telling her what his evil plans regarding the Wonder Woman body pillow in his closet were.
If it misses out on the little, obvious truths, how can I trust the big ones?
So far as I've seen, it is a violation of various ethics standards for a lawyer on either side to, more or less, tank their own case, jokingly or not
Okay but what about intentionally or not? Does that matter? Does making an argument which happens to have holes in it such that when the prosecution pokes their fingers in them it makes the case fall apart mean the lawyer tanked their own case? I'm willing to bet (a million dollars!) that he really thought this was a solid argument, and that nobody could have made the trip in that time (and based on the description of events and a couple odd trips through Atlanta International I would have probably been nodding my head in agreement had I been in the courtroom).
I mean is it really an ethical violation to be wrong about the strength of your argument?
But so long as you check it out at http://riaaradar.com/ if they say it's cool, it's cool. If they say it's RIAA-tainted, stay away.
Yeah, not falling for that one again after I was hanging out with an riaaradar.com maintainer and they kept trying to tell me that my pants were RIAA-tainted.
It is mot possible to decode without knowing the one time padd. And the one time padd is implemented in the physical world, by the window.
No, it's not in any way a one-time pad. One-time pad does not mean a passcode that is used for one encryption session. It means a passcode where no part of the passcode is re-used ever, even to encrypt other parts of the same message. To do this, the passcode must be at least as long as the message itself. This is most definitely not a one-time pad, nor does it claim to be. It's just multi-factor authentication, using the same encryption algorithms as any other.
If the authors claims are accurate (that it is possible to create tens of thousands of throwaway passwords per window before they need to be replaced) then this is an ideal authentication method IMO.
It's nice, better than just secret passphrase authentication, in some ways worse than SecurID tokens but with the advantage of being cheaper. Hopefully that means it will be used more often. It's anything but ideal.
and bam, you're done.
Lol, where's that preview button again?
for(size_t i = 0; i < len; i++) { crypted[i] = plaintext[i] + onetimepad[i];}
The point the GP was trying to make is that a one time pad is not just a normal encryption key that you use once. A one time pad is where you never reuse any part of the encryption key at all even during the same act of encrypting a message. Therefore the one-time pad must be equal in size to the message itself. The reason this is considered unbreakable is because without any re-use of data, there's no crypotgraphic analysis to be done. With a properly random pad, you can use the most brain-damaged encryption methods, i.e.:
for(long i = 0; i
and bam, you're done.
But this isn't a one-time pad, because it does not generate a new random number for every byte of data you are sending. It's just 2-factor authentication using a random number at the end of a normal password. It's a low-budget way of doing SecurID (which uses synchronized PRNGs). It seems to have some additional weaknesses over Securid, but the principle works and it is a cheap way to get multi-factor authentication which is at least much better than single factor.
No, I'm worried that the planet will be overrunby self-assured neanderthals who can't think of a situation other than home banking in which an authentication system might be used.
Even neanderthals know that regardless of the application, if someone has acquired physical access to your home you're pretty much fucked.
If you can't make use of controlled paranoia, you've no business discussing security issues.
Great, let's control this paranoia with some rational assessment. So, we've got a plastic window that acts as a filter on random data. How does this compare to a typical 2-factor solution, the RSA SecurID? An attacker needs both the random data and the window pattern to get the true passcode. We can assume they can snoop the random data, so then if they can see the window (somehow) they can crack it, but if they can see a plastic window it's not too much of a stretch to them being able to see your dongle's display. RSA has an advantage here, but not one a paranoid person would be moved by.
Now perhaps the attacker can reverse-engineer the pattern by tricking them into visiting a phishing site and see what tokens they enter for a given piece of random data. Without doing the math, it seems like it would take a small-ish number of tries to deduce the pattern (since we're only talking about seven segment digits here), but probably more than a normal user would expect to be able to try without being locked out of the system. If they do discover the window, then they have broken the scheme completely. Compare to SecurID, where it would be intractable to figure out the random seed based solely on the tokens generated. On the other hand, in both cases it only takes entering in a password/token combo into a phishing site once and the attacker then has a valid password for as long as that code is valid -- ~30s on a SecurID, more than long enough to gain access to the protected system.
Thus the plastic window method is more likely to result in giving an attacker long-term access, but only in situations where a SecurID would likely have given an attacker access at least once. While certainly there are cases where the former is worse, in general having an attacker gain entry even once is unacceptable.
So while it's not a direct 1:1 replacement for SecurID, it isn't all that much worse, and much better than 1-factor authentication. As a low-cost way of adding additional security this is a pretty damn good invention. There are many applications where this will be more than good enough. Home banking being one, yes. For, say, the FBI agent logging into work it may not be, but they can keep their SecurID or whatever they use, if they decide there's a point.
Granted I had a hard time parsing the article, but it keeps talking about markets and the value of commercial space operation. I think the article is saying that's the projected value of the whole market, which X-PRIZE contenders will be positioned to exploit. "Um, yay," I think is the appropriate turn of phrase if that's true.
Truth and lies are simply a matter of acceptance and denial.
I don't believe it.
- Skeptopotamus
Kindle customers have, in effect, been sold "stolen" property. (Equivalent: buying software that illegally includes GPL code). If you buy a stolen ipod, it can get confiscated by the police.
I get your the point you are making, and the analogy. I'm just going to mention that wrt the GPL, the equivalent would never result in the end user, as in recipient of the code, being in trouble or losing their software. The GPL is, as is appropriate of a copyright license, only about distribution and basically the only way you can violate it is by distributing the software without granting the recipients the same rights. Any hypothetical recipient of GPL software is hypothetically licensed to use because 1) the GPL is explicitly not a usage license, anyone can use the software however they received it and 2) the GPL is an open offer whether the party that gave it to you include the GPL notice or not so you can still distribute the software under GPL terms. It would be the non-GPL parts that would result in anything getting confiscated.
If I were to reform a prison the first thing I'd do is make all cells solitary.
My reform would be to change the implicit acceptance of homosexual rape as a form of non-judicially mandated punishment, and make it so that prison guards actually give a shit about one prisoner assaulting another. The only ones facing solitary should be the ones who are a danger to other inmates.
Sure, that would give a good enough image of the moon landing site to identify Neil's footprints, but it wouldn't give a good enough image to prove paternity of Neil's kids like the LRO images are! Come on people, "CSI enhancement" isn't magic!
What is "non-linear" supposed to mean here?
I reckon it's in reference to their rates.
when you can get those exact same books legally
That's great if you're kicking it in the Outback or somewhere else sane, but here in the States 1984 it is still under copyright (I assume using the simple heuristic that it was created after Steam Boat Willie) and so probably not actually legal.
The part about judicial intervention being a predictor of judicial intervention to come is less obvious.
Maybe, but growing up I had a lot of friends who were tenants of the local juvenile home and seeing the effects on them of living there were pretty damn obvious to me. Not all were in there for delinquency/criminal behavior. But being stuck with the large number of kids who were had its predictable effect. So when the court ordered them put into the home for whatever reason, that later many of these kids would wind up in front of a judge again, this time in legal trouble, is not surprising to me at all.
It's kinda like being shocked that adults put in prison for minor non-violent offenses tend to leave prison more likely to commit more serious crimes. What exactly were you expecting to happen? That the hardened thugs and thieves would learn the pot-smokers' peaceful ways, or vice versa?
I like the demotivational slogan: "None of us is as dumb as all of us."
"Boys more likely to do what the other boys in their peer group are doing. Juvenile delinquents teach juveniles to be delinquents."
Another amazing result by the Maximegallion Institute for Slowly and Painfully Working Out the Surprisingly Obvious.
Or it's an attempt to give Karma, which Funny doesn't. Because I so give a shit about karma.
This would be far beyond what would be nessesary for statistically significant data and monkeys are expensive
And if the monkeys aren't expensive, then you should be suspicious of their quality.
although Wonder Woman's magic rope is still the standard to beat.
Is it? I was never really sure how well her rope worked. Sure the villain would admit that he was behind it all and tell her what his evil plans regarding the missile base were, but I don't recall any ever admitting that being tied up by Wonder Woman had him more turned on than ever in his life, or telling her what his evil plans regarding the Wonder Woman body pillow in his closet were.
If it misses out on the little, obvious truths, how can I trust the big ones?
Back to savage beatings and waterboarding, I guess.
I don't see why having a working non-intrusive lie detection method would mean those things have to stop!
Couldn't we invite some to Baltimore or Detroit or Washington D.C. or something?
Because they aren't any more appealing to aliens than they are to humans?
"Dude, it's not like we can't just go to the moon again!"
There's a reason why cheese sounds like she's.
Obviously... women are a basic ingredient for pizza
No, no, you got that wrong.
This is why your woman thinks all your cheese belongs to her.
So far as I've seen, it is a violation of various ethics standards for a lawyer on either side to, more or less, tank their own case, jokingly or not
Okay but what about intentionally or not? Does that matter? Does making an argument which happens to have holes in it such that when the prosecution pokes their fingers in them it makes the case fall apart mean the lawyer tanked their own case? I'm willing to bet (a million dollars!) that he really thought this was a solid argument, and that nobody could have made the trip in that time (and based on the description of events and a couple odd trips through Atlanta International I would have probably been nodding my head in agreement had I been in the courtroom).
I mean is it really an ethical violation to be wrong about the strength of your argument?
Abacuses (the electronic ones that use bits for balls that you have on your desk) were for heavy-duty computations.
That's funny, because when I'm doing logic calculations by hand, I sometimes use my balls for bits!
Bob feels the same way you do in a similar scenario. :)
But so long as you check it out at http://riaaradar.com/ if they say it's cool, it's cool. If they say it's RIAA-tainted, stay away.
Yeah, not falling for that one again after I was hanging out with an riaaradar.com maintainer and they kept trying to tell me that my pants were RIAA-tainted.