
Thread: Warning--they're coming for the internet

  1. #11 | Veteran Member (USA, joined Jul 2005)
    They need to go just the opposite way: guarantee everyone the right to privacy over IP, and secure in place technologies that monitor anyone attempting to hack others. Attempting to steal data and/or identity is no different than breaking into a store at night.

    This is what our federal government should be doing for us. Instead of spending trillions on a kinetic military, the next war could be fought in cyberspace. For if a foreigner can prevent their enemy from communicating, they will have defeated them.

  2. #12 | Contributor (Seattle, joined Nov 2017)
    Never put anything in writing. Use trusted couriers like your brother-in-law. Don't use telephones.

    I looked at this years back for a thread. There are court rulings going back to the '30s and '40s over whether there is any expectation of privacy over a telecommunications carrier.

    As I recall, if there is a third party, no privacy exists. Today cell phone records are not private. The act of the carrier maintaining records in the first place negates any expectation of privacy. Or so I remember it.

    The issue goes back to the early days of telephones and wiretapping. It was called wiretapping because that is what you did: you tapped into the wires. Early devices were old-style vinyl record recorders.

    Back in the '90s there was a program called Dragon, I believe. It was uncovered when a woman used the word "bomb" in an email describing her kids' theatrical performance. The email had been scanned by an application and she was put on a list that caused her some problems.

    Back in the '80s I attended an unclassified presentation on a system that could read any cell phone communications. They could break in and insert audio seamlessly. There was something in the '90s about China rerouting large numbers of emails through their servers transparently.

    Anyone who thinks there has ever been any real privacy across all telecommunications just has not been paying attention. Who knows how secure the cloud really is.

    I expect the NSA has arrays of cheap dedicated computers for brute-force cracking.

    One technique supposedly secure is the 'one-time pad'.

    You have a sequence of random symbols for text. The encoder encrypts one page at a time from a pad. The decryptor has the same pad. It is an old technique. No statistical patterns.
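The one-time pad described in the post above, as an added example (not the poster's code): pages of random bytes are torn off one per message and never reused, and the last function shows why the ciphertext carries "no statistical patterns". The pad and messages are constructed sample data.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the pad 'addition' for binary text)."""
    if len(a) != len(b):
        raise ValueError("pad page and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(num_pages: int, page_len: int) -> list[bytes]:
    """A pad is a stack of pages of truly random bytes (from the OS CSPRNG).
    Both parties hold an identical copy; each page protects exactly one message."""
    return [secrets.token_bytes(page_len) for _ in range(num_pages)]


class PadHolder:
    """One party's copy of the pad. Pages are torn off in order and never reused."""

    def __init__(self, pad: list[bytes]):
        self._pages = list(pad)

    def _next_page(self, needed: int) -> bytes:
        if not self._pages:
            raise RuntimeError("pad exhausted: reusing a page would destroy the secrecy")
        page = self._pages.pop(0)
        if len(page) < needed:
            raise ValueError("message longer than a pad page")
        return page[:needed]  # the unused tail of the page is discarded with it

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self._next_page(len(plaintext)))

    def decrypt(self, ciphertext: bytes) -> bytes:
        return xor_bytes(ciphertext, self._next_page(len(ciphertext)))


def page_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Why there are 'no statistical patterns': for ANY candidate plaintext of the
    right length there is a pad page that maps it to this exact ciphertext, so the
    ciphertext alone gives an eavesdropper no reason to prefer one candidate."""
    return xor_bytes(ciphertext, candidate_plaintext)


if __name__ == "__main__":
    pad = make_pad(num_pages=2, page_len=32)  # constructed sample pad
    sender, receiver = PadHolder(pad), PadHolder(pad)
    ct = sender.encrypt(b"meet at the old bridge")
    assert receiver.decrypt(ct) == b"meet at the old bridge"
    decoy = b"stay home, all is well"  # same length; a page exists that 'decrypts' ct to it
    assert xor_bytes(ct, page_that_explains(ct, decoy)) == decoy
```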

  3. #13 | Veteran Member (Burnsville, MN, joined Mar 2010)
    Quote Originally Posted by steve_bank (post #12 above, quoted in full)
    This is just stupid technological illiteracy.

    PGP and all manner of other encryption models are perfectly secure, and available as a layer on all manner of communications. Asymmetrical encryption is far more secure than sneakernet.

  4. #14 | Contributor (Seattle, joined Nov 2017)
    Quote Originally Posted by Jarhyn (post #13 above, quoted in full, including its quote of post #12)
    Nothing is perfectly secure on any key-based system. A bigger key means more time for trial and error. The test is: if the algorithm is known, how long does it take to crack? Efficacy is based on how long it needs to be secret.

    There are always weaknesses. Anyone who thinks they are safe from the intelligence services of the major powers is not paying attention. Brute-force attacks require arrays of computers.

    Turing devised an early computer for brute force attacks.

    https://en.wikipedia.org/wiki/Public-key_cryptography

    Weaknesses
    As with all security-related systems, it is important to identify potential weaknesses.
    Algorithms
    All public key schemes are in theory susceptible to a "brute-force key search attack".[4] Such attacks are however impractical if the amount of computation needed to succeed – termed the "work factor" by Claude Shannon – is out of reach of all potential attackers. In many cases, the work factor can be increased by simply choosing a longer key. But other algorithms may have much lower work factors, making resistance to a brute-force attack irrelevant. Some special and specific algorithms have been developed to aid in attacking some public key encryption algorithms – both RSA and ElGamal encryption have known attacks that are much faster than the brute-force approach.[5]
    Major weaknesses have been found for several formerly promising asymmetric key algorithms. The "knapsack packing" algorithm was found to be insecure after the development of a new attack.[citation needed] Recently, some attacks based on careful measurements of the exact amount of time it takes known hardware to encrypt plain text have been used to simplify the search for likely decryption keys (a "side-channel attack"). A great deal of active research is currently underway to both discover, and to protect against, new attack algorithms.
    Alteration of public keys
    Another potential security vulnerability in using asymmetric keys is the possibility of a "man-in-the-middle" attack, in which the communication of public keys is intercepted by a third party (the "man in the middle") and then modified to provide different public keys instead. Encrypted messages and responses must also be intercepted, decrypted, and re-encrypted by the attacker using the correct public keys for different communication segments, in all instances, so as to avoid suspicion.
    This attack may seem to be difficult to implement in practice, but it is not impossible when using insecure media (e.g., public networks, such as the Internet or wireless forms of communications) – for example, a malicious staff member at an Internet Service Provider (ISP) might find it quite easy to carry out.[citation needed]
    Public key infrastructure
    One approach to prevent such attacks involves the use of a public key infrastructure (PKI); a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. However, this in turn has potential weaknesses.
    For example, the certificate authority issuing the certificate must be trusted to have properly checked the identity of the key-holder, must ensure the correctness of the public key when it issues a certificate, must be secure from computer piracy, and must have made arrangements with all participants to check all their certificates before protected communications can begin. Web browsers, for instance, are supplied with a long list of "self-signed identity certificates" from PKI providers – these are used to check the bona fides of the certificate authority and then, in a second step, the certificates of potential communicators. An attacker who could subvert any single one of those certificate authorities into issuing a certificate for a bogus public key could then mount a "man-in-the-middle" attack as easily as if the certificate scheme were not used at all. In an alternate scenario rarely discussed[citation needed], an attacker who penetrated an authority's servers and obtained its store of certificates and keys (public and private) would be able to spoof, masquerade, decrypt, and forge transactions without limit.
    Despite its theoretical and potential problems, this approach is widely used. Examples include TLS and its predecessor SSL, which are commonly used to provide security for web browser transactions (for example, to securely send credit card details to an online store).
    Aside from the resistance to attack of a particular key pair, the security of the certification hierarchy must be considered when deploying public key systems. Some certificate authority – usually a purpose-built program running on a server computer – vouches for the identities assigned to specific private keys by producing a digital certificate. Public key digital certificates are typically valid for several years at a time, so the associated private keys must be held securely over that time. When a private key used for certificate creation higher in the PKI server hierarchy is compromised, or accidentally disclosed, then a "man-in-the-middle attack" is possible, making any subordinate certificate wholly insecure.

  5. #15 | Veteran Member (Burnsville, MN, joined Mar 2010)
    Quote Originally Posted by steve_bank:
    [argument from ignorance]
    You really shouldn't be trying to argue this with a software engineer who studies applied cryptography for fun.

    You just plain do not understand why your position is not supported by wherever you pulled that string of incoherent garbage from.

    There are some side-channel attacks that exist for single applications when you have physical access to an endpoint device.

    There are some attacks that are possible when you, as a user, have not directly signed the other certificate and compared its hash before continuing to use it. These mostly amount to USER ERROR or IMPLEMENTATION ERROR.

    If you have questions rather than blind assertions I would be happy to answer them. Properly used encryption is essentially unbreakable, and will continue to be more secure than just about any other method, including delivering a message by voice in person.
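The point made in the post above, and in the "alteration of public keys" passage quoted from Wikipedia in post #14, is that the attack on public-key exchange is a substitution of keys in transit, which fails when the recipient compares the key's fingerprint against one obtained out of band. This added example, not from any poster, shows that check as a small known_hosts-style pin store; the key bytes are constructed stand-ins, not real keys.

```python
import hashlib
import hmac


class KeySubstitutionDetected(Exception):
    """The peer presented a key whose fingerprint differs from the one on record."""


def fingerprint(public_key_bytes: bytes) -> str:
    """SHA-256 of the key bytes as colon-separated hex: the form you read out
    over the phone or compare against a value printed on a business card."""
    digest = hashlib.sha256(public_key_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KeyPinStore:
    """known_hosts-style record of peer -> fingerprint. A pin can be pre-loaded
    from an out-of-band comparison or recorded on first contact (TOFU); any later
    change is treated as possible key substitution, not as a routine update."""

    def __init__(self):
        self._pins: dict[str, str] = {}

    def pin(self, peer: str, fp: str) -> None:
        """Record a fingerprint verified out of band (the strongest option)."""
        self._pins[peer] = fp

    def check(self, peer: str, presented_key: bytes) -> str:
        fp = fingerprint(presented_key)
        known = self._pins.get(peer)
        if known is None:
            self._pins[peer] = fp  # trust on first use; weaker than pre-loading
            return "first-use"
        if hmac.compare_digest(known, fp):
            return "match"
        raise KeySubstitutionDetected(f"{peer}: expected {known[:23]}..., got {fp[:23]}...")


# Constructed stand-ins for the DER bytes a peer would present; not real keys.
ALICE_KEY = b"constructed: alice's genuine public key bytes"
SWAPPED_KEY = b"constructed: a different key inserted in transit"


def demo() -> tuple[str, str, bool]:
    store = KeyPinStore()
    store.pin("alice", fingerprint(ALICE_KEY))  # compared by phone beforehand
    genuine = store.check("alice", ALICE_KEY)    # "match"
    first = store.check("bob", SWAPPED_KEY)      # "first-use": nothing yet to compare
    try:
        store.check("alice", SWAPPED_KEY)
        caught = False
    except KeySubstitutionDetected:
        caught = True                            # the swapped key is refused, not trusted
    return genuine, first, caught
```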

  6. #16 | Elder Contributor barbos (Milky Way galaxy, joined Nov 2005)
    HTTPS security depends on the security of the third-party certificate server, and the certificate server can be:
    a) hacked
    b) brute-force factorized.
    c) politely asked by the government to give up their private keys.
    For these reasons HTTPS is far from being absolutely secure.

  7. #17 | Veteran Member (Burnsville, MN, joined Mar 2010)
    Quote Originally Posted by barbos:
    HTTPS security depends on the security of the third-party certificate server, and the certificate server can be:
    a) hacked
    b) brute-force factorized.
    c) politely asked by the government to give up their private keys.
    For these reasons HTTPS is far from being absolutely secure.
    THIS is an accurate statement, mostly, except that brute force factorization is not a real concern for appropriately large key sizes. At some point it's easier to pick a random particle in the entire universe than pick the matching key, which is to say not gonna happen. At that point they might as well be trying to randomly guess what the message itself was.

    At that point, though, you are getting into user and implementation errors: the clearnet is a bad option for some things.

  8. #18 | Elder Contributor barbos (Milky Way galaxy, joined Nov 2005)
    Quote Originally Posted by Jarhyn (post #17 above, quoted in full, including its quote of post #16)
    OK it's practically unbreakable, you still have government politely asking for keys.

  9. #19 | Contributor (Seattle, joined Nov 2017)
    If you believe, based on general public information on encryption, that you are safe from govt hacking, then, as the old saying goes, you are not playing with a full deck.

  10. #20 | Veteran Member (Burnsville, MN, joined Mar 2010)
    Quote Originally Posted by steve_bank:
    If based on general public information on encryption that you are safe from govt hacking as the old saying goes you are not playing with a full deck.
    As soon as you (or anyone) can win "pick a number between 1 and 2^4096", maybe we can talk about how PGP is 'insecure'. The reason encryption works is that there is no circumventing the laws of math and computational complexity.
