Posts by mbiggs

Is "protection" actually needed? Private keys can be transient, random....and never stored......

CTO Idan Ofrat commented on the need to "protect the private key itself".

Here's the thing.....this implies that the "private key" is persistent somewhere....stored....so it needs to be "protected".

If a Diffie/Helman transaction is exchanged between peers, the only exchange will be two random tokens.

The crucial part of this is that the shared secret key is calculated by each peer, then thrown away.

Note that a D/H implementation provides that:

(1) The token exchange can be used to calculate multiple secret keys, and so enable multi-pass encryption/decryption

(2) The token exchange tells a snooper nothing about the secret key(s), and nothing about the encryption algorithm

(3) The tokens and the secret key(s) are unique to each transaction

(4) The secret key(s) are calculated locally when needed (i.e. not stored), and can (and should) be thrown away after use

If this D/H protocol is used, it would seem that, since keys are never stored, there would be no need to "protect" keys.

What am I missing?

Move along....nothing to see here...

TSMC -- a 100 Billion dollar (note the "B") in seven new chip foundries in Arizona

Intel -- a Billion dollar investment (exact size unknown) in new chip foundries in the US

Now if we were seeing Billion dollar INWARD investment in the UK....well I might just stop and look.

But in the meantime ---- ARM.....just noise!!

Obsessed With Mathematics, Randomisation, N-bit Keys......

......but suppose the encryption is designed in some other way:

* only designed to handle text

* with an algorithm using some sort of word-substitution, based on a custom dictionary

* implemented by a very limited group of participants

Perhaps I'm just an ignorant, under-educated old fool, but (assuming it isn't a hoax), two of the three documents in the Beale Papers are still secret after more than a century! ....and these papers use a cipher which avoids the utilisation of Mathematics, Randomisation, N-bit Keys. Will quantum computers be any better at deciphering the two secret papers?

See: https://en.wikipedia.org/wiki/Beale_ciphers

See: The Code Book, Simon Singh

STASI....Plausible Deniability.....welcome to 1984 and 2022!!!

Quote: "....the British government has quietly dropped a requirement for mass surveillance of UK internet users ...."

....looks like a lie to me!! I suppose if it's true, then they are about to shutter Cheltenham and make thousands of snoops redundant!!

Then again, if it really is a lie, what does it actually mean? Probably that "mass surveillance" is on going...but "plausible deniability" has now kicked in big time!!!

Welcome to STASI 2022!!!!

......but it's not clear whether the monitored traffic....

1. .....is being routed OVER the wired network (using a separate IP)....

2. .....or whether it's being sent wirelessly to some remote listener.

The USB cable with the built in phone is obviously doing #2. Not so obvious for the Plumspace device(s)....even after reading the documentation!

Now....if BOTH devices were to snoop via wireless.........

Is this a step in the right direction....or just more misdirection?

OK.....the NSO product is bad for anyone carrying a smartphone, whether Apple or Android. So far, so good.

*

But what else is going on in Forte Meade, Cheltenham, and elsewhere in China, and Russia, and Saudi.

*

I think we should be told!!

@Joe_Fay

Quote: "The cloud has shown us that consumption-based models work."

Quote: "So surely it makes more sense to put the responsibility on someone else..."

Both these quotes imply that users of computing can subcontract some (maybe all) of the responsibility for user activity to someone else.

Ask yourself a couple of questions:

- Who is responsible for data management, data security, backups? Answer -- "the user".

- Who is responsible for application availability? Answer -- "the user".

The ultimate responsibility for the use of an application and its data rests with the end user. In the old days, the user had some sort of face-to-face relationship with an IT organisation, and the subcontracting of specific tasks (availability, data security, backups) to the IT organisation had clearly delineated boundaries. Today, if the user subcontracts these things to a "cloud" supplier, the relationship (and the the technology) is MUCH more "cloudy".

Just look at the MegaUpload farago. Just think for a minute about "cloud": user equipment, network supplier(s), cloud suppliers -- all these have to be reliable for an end user to get a reliable service. If the user chooses "on premises" service, at least there's someone to hold accountable. It's seems clear that this is NOT true in the "cloud".

I'd love to hear stories which show that "cloud" is ALL OF: cheaper, more reliable, more resilient, more flexible, more secure.......than traditional arrangements.

No....not 3.....but 4......

Quote: "... three important learning experiences ...."

*

No there are actually four:

4. Make sure you test backups.....to make sure they WILL ACTUALLY RESTORE WHEN YOU NEED THEM

*

In my experience, RULE 4 is widely ignored!!!!!

A Suggestion.........

.....which takes some time an some determination.....but gets you well away from the Apple "eco-system".......

*

1. Buy a consumer grade PC (laptop, workstation.... whatever)....maybe less than £500 compared with £thousands in the "eco-system"

2. Install "elementary OS" -- overwrite that other "eco-system" from Redmond, WA -- and send elementary a few dollars

3. Get used to a LOVELY Ubuntu-based environment -- with an Apple look-and-feel and with LOTS of work-alike applications

*

There.......Tim Cook can just suck it up. I hope more folk follow this simple three step procedure....and save themselves a LOT of money!!

Just wondering....is the SAP software HEAVILY CUSTOMISED?

Once upon a time, in a land far away, a huge retail organisation bought Peoplesoft and then had it HEAVILY MODFIED. For the next ten years, it was almost impossible to apply any patches issued by Peoplesoft. Duh!!

Then -- when the penny dropped -- said huge retail organisation paid a fortune to RE-IMPLEMENT the latest version of Peoplesoft with NO MODIFICATIONS.

Guess what.....huge consultancy bills at the beginning, during the ten year life of the modified sotware, and during the conversion back to "standard".

Why am I not surprised?

Stars

One star -- can't read or write

Two stars -- can either read or write, but not both

Three stars -- gets to talk to journalists

*

Plus ca change......

Paranoia about the NSA.....

Quote: "We now believe that speculative vulnerabilities on today’s hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations..."

Lots of folk believe that the NSA has weakened public encryption standards. Maybe they have a hand in chip design as well. Just saying!

Does anyone remember the game called Hangman?

....helped along by a pinch of repetition.

*

Notebook entry: E _ _ _ _ _ _ _ _ R N _ _ _ _ D

Musical user's password: ELGARELGARNIMROD

*

Seems pretty secure against a notebook stolen by a random bad guy....especially if the user uses non alpha characters in some patterned manner:

Notebook entry: E _ _ _ _ _ _ _ _ _ R N _ _ _ _ D

Musical user's password: ELGAR-ELGARNIMROD

*

Notebook entry: M _ _ _ _ _ _ _ _ _ _ _ _ _ _ _L W _ _ _ _ _ _ S

Racing fan's password: MANSELL92MANSELLWILLIAMS

*

Can this scheme be broken quickly by a random bad actor?

EU Partnership - Fleming needs a history lesson

Quote: ""Almost everything that we achieve in GCHQ is dependent on our partners," said Fleming..."

*

Yup...but not including GCHQ hacking Belgacom:

- https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

With friends like the folk in Cheltenham, who needs enemies?

NEWS ROUND UP - June 2020

BRISTOL CRIME NEWS

ILLEGAL BAGEL TOASTING

A toaster has told this newspaper that an attempt was made to toast a bagel by an unauthorised person. The toaster did not recognise the (human) toaster, but was able to identify the person from the public face database. The toaster phoned the police to complain, and then told the human "I'm sorry Dave I can't do that".

RAILWAY STATION TOILET INCIDENT

Yesterday a toilet cistern at the main station incorrectly identified a customer as a suspected terrorist when it matched the customer's face with police information about wanted persons. The senior toilet cistern immediately locked all toilet seats, all cublicle doors, and the main door to the toilet facility. The facility was fitted with equipment supplied by a major technology company, which refused to accept responsibility, and refused to pay for the clean up. A spokesman told this paper "S**t happens".

Quote: "...their location “relative to each other"...."

*

Don't understand....even if ALL the devices know their position "relative to each other", at least ONE of them needs an absolute position so that the others can figure out where they are.

*

Oh, and by the way, there will never be any IOT devices here at Linux Mansions....so no probs here!

Quote One: "Under a government crackdown, national critical infrastructure companies could be liable for a £17m fine if they are found to have inadequately protected themselves from cyber attacks."

Quote 2: In addition, last week the National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation warned that Russian state-sponsored cyber actors are targeting network infrastructure."

[Quote 2] Pure misdirection, hypocrisy and lying. The biggest source of cyber attacks from mainland UK is.....guess...GCHQ, which is spying on the sixty million citizens who are paying for this anti-democratic outrage. GCHQ is also spying on our EU "partners" -- see:

- https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

....and that's one we know about....there are likely many others.

[Quote 1] "....government crackdown..." is a similar piece of s**t to the over-used "keeping us safe". If the government wants to do something about "cyber attacks", it should start by shutting down GCHQ in Cheltenham...and save billions of pounds which could usefully go elsewhere....say to the NHS!

Then there's users who have configured other IoT tools....

....allowing anyone to shout through the letterbox "Alexa, open the front door".

*

....and most likely other (more technical) hacks on the IoT infrastructure.

*

By the way, who (exactly) needs to manage their front door lock from Outer Mongolia?

Billions for an "aircraft carrier"....

.....with no aircraft! An aircraft carrier, which even when the aircraft turn up (when?), doesn't have enough support vessels to form a decent "carrier group".

*

All this would be fine if the UK had billions to spare after we've paid for unimportant things -- like the NHS!

*

So (exactly) what sort of austerity is it we're living through? Philip Hammond may know....but he's in a minority of one.

Ah...Scrum of Scrums, Agile, DevOps.....

Quote: "The groups running the programme will work in small scrum teams together..."

*

...a recipe for an "app" which will perform differently every day....the "App of a Thousand Days"!

*

God help the three million users!

Ah...a standard written by....

...the NSA and GCHQ....making spying on the world's population even easier.

*

And of course, because this standard setting is an anorak activity, no one will notice. Cute!

...and then there's the NSA to consider....

.....but they already monitor "Premium"....so no diff!!!

Why the focus on point-to-point communications?

So Alice and Bob (and their circle) develop their own cipher. Suppose that the cipher is a book cipher. Any message sent will be encrypted twice -- once in their private cipher, and once in some backdoored public cipher. How does the backdoor help the government (or anyone else who is listening)? The metadata in this case says Bob is messaging Alice...but so what? And in the case that Bob simply posts the message on The Register -- then the recipient(s) are likely completely unknown!!

*

For example, here's a (real) book cipher message. What does it say?

====

sforzato pharyngo- woadman mecometer semihysterical veratrize fiercenesses Ranquel lepidotic Kawaguchi eyeservice fringiness half-plane piligerous saskatoon straddle-fashion sharecroppers colibertus bilobular unsacrilegiousness Gallicolae snake-eyed hydrophorous rain-soaked entoplasm eschewing brulyiement Erastianize acetphenetid recheat hout alada superaffiuence sweet-scented Altingiaceae researchful unegregiously unregenerately blighted Marlette nonbeauties Ossetian perversite artcraft Staley physiognomonic keawe kentallenite acroataxia yodles Rhabdomonas mournfulness VC loose-lived self-purifying tornadoesque uroo slopmaking annalists undeferrable ammonitic WAN pokable limbs Composaline gasified Chibcha elephantiases guerdonless orchestras whoop-de-doo commercialised periclean half-reclined naturata haemonchosis bug-juice theorically demonstrant premarrying honduras knickknack Adrianople -aceous inductees counter-faller cervicorn yowe adenomata kutch jardon eradicable nonfervidly cribriformity totoaba Marduk Muscadine mangrate Californian Mignonette Stroessner fisherpeople So. gibble-gabble cayuses Wallinga squab-pie fancywork niftiness

====

Who decides?

Here are a few concepts where human beings can't agree on a definition:

- "rich"

- "beautiful"

- "fair" (as in even-handed between cases)

So if the humans can't agree about reasonable definitions, why should we believe that computer programmers and computers can assess these concepts "correctly"?

.....but before we discuss Safe Harbour or Privacy Shield......

......why has no one commented about the fact that no one actually knows what information is held about them and by whom!!!!

Personally, I don't want to know anything about the data held concerning anyone else, but I would like to know:

- a list of all the organizations who keep records about me

- for each of these organizations, exactly what information they keep about me

I'd also like to see copies of all these records about me, so that:

- I can demand deletions for records no longer relevant

- I can correct all the mistakes in what is left

But all this is moot:

- I don't have any legal right to know

- Many of the organisations will never have had a direct relationship with me, so I would never guess that they had relevant records

- Many of the organisations who have records about me (say, perhaps GCHQ) would either deny having the records, or would deny any access outright

.......so worrying about Safe Harbour or Privacy Shield seems to me to miss other, much more fundamental issues.