with text, if you have a part of the message, it's a lot easier to break the encryption method
This is called a known plaintext attack, and any decent modern cipher should be secure against it (that is, you should learn very little even if I give you plaintext/ciphertext pairs). Modern ciphers are generally designed to be secure against this type of attack, as well as stronger attacks:
Chosen plaintext attacks -- the attacker is allowed to request ciphertexts for plaintexts of his choosing.
Chosen ciphertext attacks -- the attacker is allowed to request decryptions of ciphertexts of his choosing prior to observing the challenge ciphertext.
Adaptive chosen ciphertext attacks -- the attacker is allowed to request decryptions of ciphertexts before and after observing the challenge ciphertexts, but cannot request a decryption of the challenge itself (he can, however, request a decryption of the challenge with a bit flipped or any other modification).
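The attack models listed above, acted out in code as an added example (this is not code from the thread, from Skype, or from any real product). A toy stream-style cipher without authentication is malleable, so an adaptive chosen-ciphertext attacker who may query the decryption of any ciphertext except the challenge still recovers the challenge plaintext by querying a bit-flipped copy; wrapping the same cipher in encrypt-then-MAC makes the oracle reject every modified ciphertext. The HMAC-based keystream, the subkey labels `b"enc"`/`b"mac"`, the `DecryptionOracle` class and the sample message are all constructed assumptions for the demonstration.

```python
"""Added example (not code from the thread): chosen-ciphertext attack models
against a constructed toy cipher. Keys, messages and the cipher itself are
stand-ins built for the demonstration; none is Skype's or any real product's."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
MESSAGE = b"transfer 100 dollars to acct 42"  # constructed challenge plaintext


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: block i = HMAC-SHA256(key, nonce || i). Not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Unauthenticated stream encryption: nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def stream_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def etm_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: independent subkeys, tag over nonce and ciphertext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = stream_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def etm_decrypt(key: bytes, ciphertext: bytes):
    """Returns None (no plaintext at all) when the tag does not verify."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return stream_decrypt(enc_key, ct)


class DecryptionOracle:
    """Adaptive chosen-ciphertext model: decrypts anything except the challenge itself."""

    def __init__(self, key, decrypt_fn, challenge):
        self._key, self._decrypt, self._challenge = key, decrypt_fn, challenge
        self.queries = 0

    def query(self, ciphertext):
        if ciphertext == self._challenge:
            raise ValueError("the challenge itself may not be queried")
        self.queries += 1
        return self._decrypt(self._key, ciphertext)


def recover_via_malleability(oracle, challenge):
    """Flip one bit of the first body byte, decrypt the copy, flip the bit back."""
    modified = bytearray(challenge)
    modified[NONCE_LEN] ^= 0x01          # first ciphertext byte after the nonce
    plaintext = oracle.query(bytes(modified))
    if plaintext is None:
        return None                       # oracle rejected the modified ciphertext
    recovered = bytearray(plaintext)
    recovered[0] ^= 0x01
    return bytes(recovered)


def demo():
    """Returns (plaintext recovered against the bare stream cipher,
    result of the same query pattern against encrypt-then-MAC)."""
    key = secrets.token_bytes(32)
    bare = stream_encrypt(key, MESSAGE)
    broken = recover_via_malleability(DecryptionOracle(key, stream_decrypt, bare), bare)
    authenticated = etm_encrypt(key, MESSAGE)
    safe = recover_via_malleability(DecryptionOracle(key, etm_decrypt, authenticated), authenticated)
    return broken, safe


if __name__ == "__main__":
    print(demo())
```

The first element of `demo()` is the full challenge plaintext even though the oracle never decrypted the challenge itself, which is exactly the gap the adaptive chosen-ciphertext definition closes; the second element is `None`, because with the tag in place the oracle answers nothing useful for any ciphertext other than the challenge.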
the KDE devs should spend more time on polish
That has been the KDE4 story since the very first release. The KDE team shot themselves in the foot by focusing too much on new features and not enough on fixing bugs and making old features better.
Probably none, since that computer only allows for a limited form of quantum computing (which, as far as I know, is not useful for factoring RSA numbers or solving the discrete logarithm problem or much that is likely to be of interest to the attackers). My guess is that the attackers were interested in Lockheed's software or weapons designs.
I think they found a way to synchronize their copied SecurID tokens with the victims', thus reducing the attack to figuring out the victim's password.
On the other hand, a robust security system should be able to keep your most important information secure even when a breach occurs at lower levels. So, perhaps a breach occurred that allows some expense reports to be copied but does not enable the attackers to obtain designs for stealth aircraft. A breach is not a good thing, but it does not have to be an all-or-nothing scenario.
Shouldn't the OS already allow users to uninstall programs? What exactly needs to be developed?
This is the sort of thing the Chinese do.
It depends on the environment you are in. Doing it across a LAN could be feasible if you are a bank employee trying to defraud your employer.
The real question is, how many people are using ECDSA right now?
There has been quite a bit of work on formalizing parallel computing. NP problems are exactly that: problems that can be solved efficiently on a computer that can explore an unbounded number of solution paths in parallel. There is also the NC hierarchy, which can be thought of as problems that can be solved efficiently on a sequential computer and "much more efficiently" on a parallel computer (that is, polynomial time on a sequential computer, and polylogarithmic time on a parallel computer with a polynomial bound on the number of processors).
Assuming that there is a good way to take advantage of multiple processors for the particular problem your code solves. For a course project once, we found ourselves trying to solve a linear program, and someone suggested using the research cluster to speed things up. As it turns out, linear programming problems are P-complete, and there is no known way to make meaningful use of multiple cores (it is very likely that no such method even exists, and that the problem is inherently sequential).
There is a class of problems, the P-complete problems, which are (probably) inherently hard to multithread in any advantageous way, and this class includes some pretty important real-world problems:
http://en.wikipedia.org/wiki/P-complete
We do, in fact, have something backing our money right now: the government's promise to provide you with various services, to defend you from foreign enemies, and to imprison people who would threaten your rights. That is what differentiates dollars/euros/yen/yuan/etc. from Chuck-E-Cheese tokens and Bitcoin. The value of currency comes from the power of the government to collect taxes and to deprive those who do not pay taxes of their property/liberty -- in order to own a home, operate a business, or live anything other than the life of a homeless vagabond, one needs their country's currency, and hence that currency is valuable and can be used for trade.
Everything else is derived from that. A check is worth the amount written on it because you can take it to a bank and get that amount of money (in extreme cases, you might not actually be able to get physical currency, but that is an edge case). Credit cards can be used to buy things because merchants receive money from the bank. This is how digital cash should work as well: a digital cash token should be similar to a check, in that you deposit money with the bank in order to get it and the recipient can exchange the token for that amount of money, but it should be different in that it should allow for anonymous transfers.
"They broke Skype's encryption" is a true statement.
My point from the beginning is that that statement is ambiguous. It is not clear from that statement that the researchers did not crack the actual encryption algorithm. It does not make it clear that the problem has more to do with the compression than with cryptography.
Whether they did that from breaking the algorithm (I see after I spent a post proving "cypher" to be a pointless red herring, you've swapped to a new red herring in substituting "encryption algorithm" for cypher without changing your statements at all), or by some other attack that compromised the security of the encrypted calls is irrelevant to the truth.
It is relevant to whether or not the statement is clear about what the attack actually constitutes. Again, my point from the beginning was that TFS is ambiguous.
Use a proxy server? Use Tor?
Thus, there is no Skype conversation free from this attack, regardless of platform, implementation, or anything else. I'd call that "cracked." You call that "secure." That's where our opinion differs.
Except that is not what I said. I said that the encryption algorithm has not been cracked, because it has not. The attack is a side channel attack. This does not mean that Skype calls are secure, it means that an otherwise secure algorithm was applied in a way that undermined the security of the system.
There is a difference between the encryption algorithm, and the system that uses that algorithm. This same attack would have worked if a different encryption algorithm had been used, even one as widely evaluated as AES. The encryption algorithm is not what was cracked here.
"Temporary security measures" rarely do, since the problem of keeping a country safe is never truly solved. All the DoJ has to do is point to the myriad domestic terrorist groups as justification for extending the PATRIOT act. There will always be radicals who want to take down the US government, and thus there will always be something for the DoJ to point to.
"Lone wolf" is not a "new" buzzword; I had heard it used prior to 2001 to describe certain white supremacist group tactics. Timothy McVeigh was described as a "lone wolf."
This is a common misconception. There are plenty of third parties out there, just waiting for you to vote for their candidates. The fact that they are minority parties is a symptom of the way most Americans approach elections.
Then I guess by your definition, all encryption everywhere is "cracked," since there is always a way to get the plaintext without attacking the cipher itself. There are easy-to-implement side-channel attacks on a common software implementation of AES, which is used in both OpenSSL and NSS, but nobody is claiming that AES, OpenSSL, or NSS have been "cracked." There are side-channel attacks on pretty much every encryption system out there, which is why in places where security really matters you see a lot of effort put into preventing people from exploiting those side channels.
The point of my original post was that claiming that these researchers "cracked Skype's encryption" was misleading. Yes, under an ambiguous definition of "cracked encryption" it might make sense, but at first glance it looks like TFS claims the researchers did something that they did not do. This is a side channel attack, not a cryptographic break, and claiming that the "encryption was cracked" is a very poor way to phrase things.
Finally, if you are going to claim that people get "belligerent" when you call them liars, maybe you should first examine the tone of your own post, which is needlessly hostile.
methods of providing security.
What makes you think that groping and fondling people has anything to do with keeping America safe? The point is to get people to agree to be photographed naked, so that the company that makes those machines can sell more of them to the United States. The nude photographs also do little to keep us safe, as the MythBusters demonstrated when they passed a scan with razor blades in their pockets.
Arguing about whether they broke "the encryption" or "the secure channel" or "the encryption machine" is a worthless rhetorical exercise.
Except that it is not just rhetoric. Suppose I use PGP to encrypt all of my email, but then save copies of the plaintext on a "cloud system" and someone comes along and reads the plaintext. What was broken? It was not PGP; PGP, when used correctly, is secure.
Yes, if you use a cryptographic algorithm incorrectly, your security may be compromised. That does not mean the cryptographic algorithm was broken, it means your specific way of using it was bad. Just because someone managed to compute Sony's PS3 signing key does not mean that ECDSA has been cracked, and the same method they used would fail against a proper implementation. Likewise, the cipher being used by Skype has not been broken, and if it were used properly there would not be a problem (assuming the cipher itself is secure).
...or a digital cash system that is backed by something. You know, if we are going to use computers to issue payments at stores, we might as well use a digital cash protocol, and if we are going to continue relying on banks and large corporations to underwrite these transactions, then we should use a digital cash system that is backed by $country's currency. You go to the bank, pay them dollars for digital cash tokens, and then use your phone to make the payments. Bitcoin's effort to revolutionize the global economic system is not really relevant here, we just need a method of payment using computers that does not allow people to raid our bank accounts or steal our identities.
A simpler fix would be to use a different method of compression, which does not vary the length of its output frames.
if your encryption leaves the message where it can be read without decrypting it, then it was never actually encrypted
While you are technically correct, you are not really contradicting what I said.
The encryption algorithm itself does not allow you to obtain the plaintext without decrypting it (as far as we know); the problem is that the protocol requires many encrypted messages to be sent in a particular sequence, and the size and sequence of those messages leaks information about the plaintext. This is a side channel, not a break of the encryption algorithm itself, and the problem is solved without any change to the encryption algorithm: use a different kind of compression (or no compression at all, but there are compression techniques that would not create this sort of side channel).
There is a relevant anecdote: some time ago, an ambassador used an encryption machine to communicate with his home country electronically. The host country was eavesdropping on his communication, and discovered that the plaintext was being transmitted along with the ciphertext (apparently this was due to some wire crosstalk). They had not cracked his encryption algorithm, they simply exploited the fact that the machine he was running the algorithm on was poorly designed.
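The size-and-sequence side channel described two comments above, and the fix proposed earlier in the thread (a compression method that does not vary the length of its output frames), as an added example that is not code from the thread, from Skype, or from any real codec. The "codec" is `zlib` applied to fixed-size input frames, the "conversations" are constructed byte patterns (silence-like vs. voiced-like frames), and the length-preserving encryption is a constructed SHAKE-256 keystream; all of these are assumptions standing in for the real components. The example shows that ciphertext lengths alone distinguish two conversations under variable-length framing, and that carrying each compressed frame in a fixed-size slot removes that distinction while still round-tripping the data.

```python
"""Added example (not from the thread): a length side channel from
variable-length compressed frames inside an encrypted channel, and the
constant-size framing that removes it. Codec, keystream and inputs are
constructed stand-ins, not Skype's or any real product's components."""
import hashlib
import secrets
import zlib

FRAME_IN = 64     # raw bytes per frame fed to the stand-in "codec"
FRAME_OUT = 96    # fixed wire slot: 2-byte length prefix + compressed payload + padding
NONCE_LEN = 16


def conversation(pattern: str) -> bytes:
    """Constructed input: 's' = silence-like frame (all zeros, compresses well),
    'v' = voiced-like frame (64 distinct bytes, barely compresses)."""
    out = bytearray()
    for i, c in enumerate(pattern):
        if c == "s":
            out += b"\x00" * FRAME_IN
        else:
            out += bytes((i * 31 + j * 7) % 251 for j in range(FRAME_IN))
    return bytes(out)


def frames_of(message: bytes):
    return [message[i:i + FRAME_IN] for i in range(0, len(message), FRAME_IN)]


def encrypt_frame(key: bytes, payload: bytes) -> bytes:
    """Length-preserving encryption (toy XOF keystream): len(ct) == NONCE_LEN + len(payload)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = hashlib.shake_256(key + nonce).digest(len(payload))
    return nonce + bytes(p ^ k for p, k in zip(payload, ks))


def decrypt_frame(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    ks = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def send_vbr(key: bytes, message: bytes):
    """Variable-length framing: each frame compressed independently, encrypted as-is."""
    return [encrypt_frame(key, zlib.compress(f, 9)) for f in frames_of(message)]


def send_padded(key: bytes, message: bytes):
    """Constant-size framing: each compressed frame rides in a FRAME_OUT-byte slot."""
    out = []
    for f in frames_of(message):
        comp = zlib.compress(f, 9)
        if len(comp) + 2 > FRAME_OUT:
            raise ValueError("compressed frame does not fit the fixed slot")
        slot = len(comp).to_bytes(2, "big") + comp
        slot += b"\x00" * (FRAME_OUT - len(slot))
        out.append(encrypt_frame(key, slot))
    return out


def receive_padded(key: bytes, cts) -> bytes:
    """Receiver side of the padded framing: strip the slot, inflate the payload."""
    out = bytearray()
    for ct in cts:
        slot = decrypt_frame(key, ct)
        n = int.from_bytes(slot[:2], "big")
        out += zlib.decompress(slot[2:2 + n])
    return bytes(out)


def observed_lengths(cts):
    """Everything a passive observer on the wire sees without a key: ciphertext sizes."""
    return [len(ct) for ct in cts]


def lengths_leak(key: bytes, a: bytes, b: bytes, sender=send_vbr) -> bool:
    """True if the size pattern alone tells conversation a apart from conversation b."""
    return observed_lengths(sender(key, a)) != observed_lengths(sender(key, b))


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    a, b = conversation("ssvvssvv"), conversation("vvvvssss")
    print("VBR leaks:", lengths_leak(k, a, b, send_vbr))
    print("padded leaks:", lengths_leak(k, a, b, send_padded))
```

Nothing about the encryption changes between `send_vbr` and `send_padded`; only the framing does, which is the point of the comment above: the cipher was never the problem. The cost of the fix is bandwidth (every frame is as large as the worst case), and a real codec would pick the slot size from its own maximum frame length rather than the 96 bytes assumed here.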
normal data...is much more random.
Actually, most data used in practice is not uniformly random. Text, images, and even computer programs tend to have significant biases.
It would have to be a special encryption to get rid of this pattern using a more dynamic algorithm that changes as it progresses
http://en.wikipedia.org/wiki/Stream_cipher
We know how to get these things right, and the problem with Skype was not the type of data, but rather the way in which that data was compressed.