Slashdot Mirror


User: Llanfairpwllgwyngyll

Llanfairpwllgwyngyll's activity in the archive.

Stories: 0
Comments: 80

Comments · 80

  1. Re:Misleading article on 1024-bit RSA keys In Danger Of Compromise? · · Score: 2

    Sure, that's true. However, my dislike of DSS is not related to the factoring - it's because the size is limited by the standard, and because the covert channel is "unusually large" in DSS (see Schneier's Applied Cryptography).

    The covert channel is in fact big enough to leak up to 10% of the private key per signature if the software is suitably written. Unlike other ways of leaking keys (trojans etc) this leakage is impossible to detect without the numbers chosen to fit the algorithm (ok, yes, you could reverse engineer the code...). Unlike many other ways of leaking information, this one *doesn't* break the interoperability. Sneaky eh?

    Thus, if you are using, say GnuPG, fine - use the published code and it's likely that any such devious mechanism would be noticed. However, if you are using, say PGP "wot no source code available now?" then you cannot be sure.

    As ever, it's all a balancing act - working out which is the greatest risk and dealing with it on a case by case basis....

  2. Misleading article on 1024-bit RSA keys In Danger Of Compromise? · · Score: 4, Informative

    I'm afraid that this story is altogether misleading.

    When the paper first came to prominence, yes, it looked worrying.

    However... the speedup factor appears only to apply to LARGE numbers, not necessarily to smaller ones. Exactly how much advantage one gets for smaller ones is unclear.

    Note that this paper is a "research proposal", not a finished item of research. It's a very interesting read, nevertheless :-)

    However, if you're worried then you should be using 2048-bit original-style RSA PGP keys anyway (or 3072 or even 4096 bit new-style RSA keys). You might want to avoid the DH/DSS keys since the signature part cannot exceed 1024 bit....

  3. Holidays.... on Who Works During the Holidays? · · Score: 4, Funny

    "Holidays"... what are they?!

    # man -k holiday
    holiday: nothing appropriate.

    Hmmm.....

  4. This was always a good service on World's First SMS Text Messaging May Fade Soon · · Score: 4, Interesting

    I used this service for a long time. It was always reliable (and you could even play chess against it on long train journeys :-)

    It would be a great shame to lose it. Last time it was under threat was when Orange changed from a flat monthly fee for SMS (2 quid a month, unlimited SMS) to a charge-per-SMS (0.05 GBP per message). A deal was struck then that kept Locust online.

    It will be a sad day if it shuts - genuine innovation and genuine value-for-money :-(

  5. Re:It's a non-issue. on A Real Bourne Shell for Linux? · · Score: 2, Insightful

    It's not *quite* a non-issue.

    If you want to use sh, start with #!/bin/sh rather than #!/bin/bash - the executable notes which name you invoke it with and adjusts a couple of minor details of behaviour accordingly.

  6. Replacing snailmail with email requires.... on Anthrax To Kill Snail Mail · · Score: 3

    ...encryption technology. Reliable. Without backdoors.

    Why?
    - Because legally binding digital signatures are the only way to shift much snailmail to email.
    - Because strong encryption is the only way to achieve anything like the same level of expected privacy

    Oh, hang on - the USA was about to outlaw encryption, wasn't it? Never mind, better stick to snail mail.

  7. Re:Causes on NAI to Sell Off PGP Product Line · · Score: 2

    Actually, lots of us DID use it - we'd use GPG for personal use, and the companies we worked for would use PGP (at our request). The commercial version had features necessary for business use, but still interoperated with the free version.

    Unfortunately, the support sucked very badly. THAT seems to be the real problem; it didn't exactly inspire confidence.

    Note that we wouldn't have bought the commercial version without the existence of GPG and the OpenPGP RFC. This gave us the assurance that IF Network Associates went bust (or in this case just dumped PGP) that PGP itself would not disappear. Setting up an effective Corporate PGP infrastructure is not trivial.

  8. Well, it *nearly* broke... on Billennium's Over - Anything Break? · · Score: 2

    Had a party to celebrate, got drunk and very nearly broke my skull open on the floor as I fell.

    Does that count? *grin*

  9. Re:I know! I know! on Predict Worm Headlines, Win a T-shirt · · Score: 2

    Forget the headline *this* time. What happens when instead of the Chinese it's the goatse.cx worm?

  10. Re:Better measure by travel time on Debian Developer Center Of Mass · · Score: 2

    > Besides, the real center of mass is somewhere way underground.

    Yes, indeed - but it is not unreasonable to extend this point along a line from the centre of the Earth until it intersects with the surface.

    However, in general terms this cannot be adopted as the main chooser of locations for Debian meets - remember the theoretical voting deadlock issue contained within the Debian constitution? This method has a theoretical deadlock too... a distribution such that the centre of mass is the centre of the Earth, which is expensive to get to however you travel. There would be no simple logical resolution of this....

    :-)

  11. Re:Hushmail on Elegant Email Encryption for Everyone? · · Score: 2

    Hushmail has some significant points in its favour:

    1) Phil Zimmermann now works for them!
    2) Sources available from their website

    However, it does have some fundamental problems. I'm still wading through the sources, but EITHER
    (a) the private key (which lives on the hushmail server) is sent to your client and decrypted with the passphrase there
    OR
    (b) the pass phrase is sent to the hushmail server and the private key is decrypted there

    (b) would be putting ALL your trust into the hushmail system, which is bad in principle

    (a) would be putting ALL your trust into the strength of the pass phrase, which has no particular minimum standards enforced. Oh dear. (The private key still lives on the hushmail server, and even though it would be transported by SSL, it could be SSL-40 :-(

    Oh, and the keylength sucks too!

  12. Re:more mcdonalds.. on Finding Humor in Trademarks(tm)? · · Score: 2

    But note the obvious missing one.... McJob!

  13. Re:Change industry. on Where Can You Go After Systems Administration? · · Score: 1

    If you are a GOOD SysAdmin, move into the wonderful world of Security.

    Far less time dealing with lusers, and you get to lart really important people from time to time.... AND they thank you for it :-)

    You do have to really know your stuff though - a good colourful background covering lots of different technologies is a must.

  14. Re:Convincing Arguments on Forced Into Spamming By Your Employer? · · Score: 2

    The full contact information for your manager would more subtly be put where *they* will never notice it - the whois record.

    Oh - you DO have the FULL list of internal addresses for your organisation in your spam list too. Including all the possible variations on each address, naturally, plus a few million more that are *almost* right and just waste resource. (You don't need to feel guilty about spamming yourselves this way :-).

    That might bring a different perspective to the "wonders" of spam when your own staff all start complaining.

  15. Re:A Commercial Version of Debian on Progeny Debian Release Candidate 1 · · Score: 3

    This is a commercial distribution *based on* Debian. It's not quite the same thing really.

    Debian is non-commercial; new releases are brought out when they are ready, not just to satisfy the marketing department of a corporation. There is no pressure to remove the *live* bugs database from full public access which might come with being commercial.

    Progeny's Debian-based distribution is someone taking Debian, packaging it up in a certain way, and selling the distro + support.

    Nothing about this worries me - we might even get some commercial software that isn't full of redhatisms that take a while to untangle in order to get it to work on other distributions.

  16. Re:opportunity on Progeny Debian Release Candidate 1 · · Score: 3

    apt - advanced package management tool (or something like that)
    woody and potato are releases of Debian - potato is the current stable release, woody is the next one. Before Potato was slink and before that was Bo. Each Debian release is named after a character from Toy Story :-)

  17. Re:Keegan's MUD Tree on MUDs And The People Who Love Them · · Score: 1

    Gosh - I used to play on the old MUD games at Essex (the very first). They were great fun but a little anti-social; they were only available from 02:00-06:00GMT and you got kicked off by the operators at 6am :-)

    This was pre the Internet per se - within the UK you needed to get access to a PAD (Packet Assembler/Disassembler) and know the number for the relevant machine (no DNS - and I had no access to systems which were NRS-aware although the original NRS machine lived under my desk for a while in my first job :-) and call it directly (a la telnet). It's terribly sad, but 15 years later I can still remember the number (0000496000001)!

    Happy times *grin*!

  18. Death of Mir on Mir Likely To Be Deorbited [Updated] · · Score: 1

    Well - Mir may be not long for this world. But it lasted precisely HOW many years longer than Skylab? (anyone else remember watching out for 14 ton refrigerator units to drop in their garden? :-)

  19. Re:Not cryptographically weak.... on Biggest Public-key Crypto Crack Ever · · Score: 2

    > However, unlike DES, there is no known mathematical loophole

    Sorry, this is glaringly inaccurate. There is NO known mathematical loophole in DES - the "least effort attack" is a brute-force attack. If there was a weakness known in the algorithm then the best attack would exploit this instead.

    The DES algorithm is excellent, merely suffering from keys that are too short at 56 bits to give adequate protection - note the difference between the *quality* of the algorithm and the level of protection here. Triple-DES (112 bit key equivalent - don't believe anyone trying to sell it to you as a 168 bit key solution since there is an attack against double-DES making it only a single bit stronger than single-DES. Yadda yadda - see "Applied Cryptography" for the details) builds upon this and gives a level of protection considered unbreakable since the best attack is still the brute force attack trying all keys in turn, and 2^112 is somewhat larger than 2^56.

    S

  20. Re:And now the appeals. on Microsoft Loses · · Score: 1

    > First, the remedies will be announced. Then, the appeals start. Realistically, these will take years.

    Actually, that may turn out to be "the appeal" rather than "the appeals". There is a little known clause in the anti-trust legislation. It ONLY applies in an anti-trust case, and it ONLY applies when the case is brought by the Govt. The effect of this clause is to eliminate all intermediate courts and kick the appeal straight to the Supreme Court.

  21. Re:Geeks in Power on Do Geeks Have a Political Voice? · · Score: 1

    Do we need to "fill positions", or do we just need some databases and perl scripts? Take a visit to stand.org.uk to see what the UK Geeks have constructed for lobbying; neat "fax your Member of Parliament" feature....

  22. Re:And before it gets said on Fifty-Year-Old Computer Being Restored · · Score: 1

    Well, if you take this plus the UK's "Baby" machine (world's first stored program computer) rebuilt recently plus ENIAC plus the Manchester Mark 1 (all similar ages) then a Beowulf can't be far off surely :-)

  23. Re:Microsoft Response on Microsoft Adresses World · · Score: 1

    > I am also surprised by the lack of spin they have (so far) put on the story, as their responses were quite predictable, and did not contain many of the tactics they're known for.

    Call me a cynic, but, even after all the mid-trial disasters, maybe this has caught them by surprise? Maybe they really believed that they had "won" the battle in court?

    S

  24. Reverse Engineering on Reverse Engineering? · · Score: 2

    If you are familiar with assembly language, reverse engineering is "merely" very difficult :-)

    In the early days of microcomputers, it was relatively easy (with sufficient knowledge of the relevant assembly language) since all the games (which were the only thing one wanted to hack) were "monolithic" blocks of code - no shared libraries, everything in a single self-contained block of code (aside from the calls to what was humorously referred to as the OS!)

    Things are somewhat different now. Often one can find clues through mistakes (nt service pack 5 for example) made such as forgetting to remove (strip) details about variable names and other identifiers. (This was where the infamous "NSAKEY" identifier came from). Programmers are (usually) human and tend to use logical names for variables; once compiled and stripped, these names are lost.

    Basically, reverse engineering takes a LOT of effort (=time=money)

    S.

  25. Re:Huh? on ebay vs Search Engines · · Score: 1

    TrueDork says:

    > I'd block the domain from my subnet, and I wouldn't listen to anything anyone had to say about it. Is this a technical incompetence issue rather than a legal one?

    Indeed - did ebay actually attempt to limit access by the 'bots using the Robots Exclusion Standard? (i.e. install a robots.txt file at the root of their document tree)

    Given that www.ebay.com/robots.txt returns a bog-standard 404 I doubt it. If they had tried this, maybe they would have more of a case?

    S.