# Posts by John H Woods

2307 posts • joined 14 Nov 2007

### Random ideas sought to improve cryptography

#### Re: Verification not generation

2nd line of article, my emphasis:

"The recommendation NIST's put up for discussion covers the design principles and requirements for random bit generators, and tests to validate entropy sources."

Gideon 1, my emphasis:

"'Verification not generation' ... It's interesting how many Commentards didn't understand the article."

Errm, yes?

On a more serious note, given the difficulties in verifiability (not just doing it, but doing it in a way that is widely understood), I think verifiable generation (quantum & other physical methods proposed above by commentards including myself "who didn't understand the article") would be a better approach than new methods for verification. Given that there are any number of deterministic sequences (e.g. digits of pi, mentioned above) that satisfy all existing tests for randomness and (as far as my limited mathematical understanding goes) are likely to continue to do so, verifiable generation seems to me a much more promising area than verification of deterministic generators.

"For the past year, I've been running tests on a couple random number generators. I grab a random 32-bit integer form it, each number is plotted on a 65,536 x 65,536 bitmap. Each time a number comes up, its pixel's color is bumped up by one. Every so often, the bitmap gets saved to an external storage array so that the image can be viewed from another machine, any number that is favored by the RNG will show up as a different color in the resulting image." -- Crazy Operations Guy

It's a good first attempt at RNG visualization but I'm afraid it is rather flawed: a quick example will show why: what if you replaced your RNG with a counter? It is lack of correlation between one bit and the next (more exactly that any given bit in no way depends on any of the previous history) that is the crucial thing rather than a completely even coverage (as explained in my earlier post you can extract a smaller number of perfectly distributed random bits from an imperfectly distributed random source as long as each bit is independent).

#### Re: Silicon solution

This sounds right to me --- the sort of device that you can plug into a USB port to read, but made from simple components (capacitors, resistors, transistors) that you can verify (or assemble yourself). I've seen some circuit diagrams but we really need something very simple indeed. People add complexity to circuits by adding clever stuff to ensure random weighting* but this seems unnecessary and adds the kind of circuitry that could disguise randomness-subverting badness.

Maybe what we need is something physical that we can verify by eye -- like a lotto ball machine. We just need something that can generate numbers much faster. Perhaps a shaker full of tiny particles, read by a CCD?

* if you have a random bit stream which is suitable in every respect other than weighting (ratio of 1s and 0s) you can create a perfectly weighted stream from it by sampling non-overlapping pairs. I think it was Von Neumann who invented this - you read bits pairwise, discarding all pairs where the bits are equal. You convert the remaining pairs into 1s and 0s using the code 01->0; 10->1 (or vice versa) and bingo, you have a bit stream balanced perfectly 50:50 into 1s and 0s. This is because if the bits are independent then the probabilities of 01 and 10 are equal, whatever the probabilities of 0 and 1 (and hence 00 and 11, which have unknown probabilities, are discarded).
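Added example (not part of the original posts): the pairwise debiasing described in the footnote, run over two constructed sources. The first is a stream of independent bits biased 80:20, which comes out 50:50 after extraction. The second is the "replace the RNG with a counter" case from the reply above: the low bit of a counter alternates 0,1,0,1, so its ones/zeros ratio is perfect, yet every pair is 01 and the extractor emits a constant, which is exactly the independence failure the reply is talking about. A lag-1 autocorrelation check is included as one simple way to see that dependence directly.

```python
import random


def von_neumann_extract(bits):
    """Von Neumann debiasing: read non-overlapping pairs, discard 00 and 11,
    map 01 -> 0 and 10 -> 1. If input bits are independent then
    P(01) == P(10) whatever the bias, so the output is balanced 50:50."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(0 if a == 0 else 1)
    return out


def biased_bits(n, p_one, seed=1):
    """Constructed source: independent bits, each equal to 1 with probability p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def counter_low_bit(n):
    """Constructed 'counter instead of RNG' source: the least significant bit
    of 0, 1, 2, ... Perfectly balanced, but each bit is fixed by the previous one."""
    return [k & 1 for k in range(n)]


def ones_fraction(bits):
    return sum(bits) / len(bits) if bits else 0.0


def lag1_autocorrelation(bits):
    """Correlation between each bit and the next: near 0 for independent bits,
    -1 for a strictly alternating stream, +1 for long runs of equal bits."""
    n = len(bits)
    mean = sum(bits) / n
    num = sum((bits[i] - mean) * (bits[i + 1] - mean) for i in range(n - 1))
    den = sum((b - mean) ** 2 for b in bits)
    return num / den if den else 0.0


def demo(n=100_000):
    """Returns the measurements for both constructed sources."""
    biased = biased_bits(n, 0.8)
    extracted = von_neumann_extract(biased)
    counter = counter_low_bit(n)
    counter_extracted = von_neumann_extract(counter)
    return {
        "biased_in": ones_fraction(biased),            # ~0.80
        "biased_out": ones_fraction(extracted),        # ~0.50 after debiasing
        "kept_fraction": len(extracted) / (n // 2),    # ~2*0.8*0.2 = 0.32 of pairs survive
        "biased_lag1": lag1_autocorrelation(biased),   # ~0: independent input
        "counter_in": ones_fraction(counter),          # exactly 0.50: weight looks fine
        "counter_out": ones_fraction(counter_extracted),  # 0.0: every pair is 01
        "counter_lag1": lag1_autocorrelation(counter), # ~-1: bits depend on history
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>14}: {v:.4f}")
```

The cost of the extractor is visible in `kept_fraction`: on an 80:20 source only about 32% of pairs survive, so roughly one output bit per six input bits. That is the "smaller number of perfectly distributed bits" trade-off, and it only holds when the pairs really are independent.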

### UK taxpayers should foot £2bn or more to adopt Snoopers' Charter, says Inquiry

#### if they collect every ICR ...

... a foreign power or bad actor can effectively run a DDoS on that system by infecting British network devices and either (a) vastly increasing their ICR production rate (a few orders of magnitude wouldn't be too hard); and/or (b) creating ICRs that will raise red flags (e.g. to known suspect sites).

#### Re: In my area

"They start off at ground level, or didn't you realise that?" --- Pompous Git

If they climb like normal weather balloons, at about 5m/s, they'll be out of range of all but the sniper sights of sober sharpshooters within a few minutes. As we are talking about a 100 day lifespan, they'll be spending (coming down as well as up) well under 0.0001% of their lifespan within projectile range. Even less if they are launched at night, without notice, from an area with a reasonable perimeter.

So, yes, I did realise they start off at ground level but they are hardly more vulnerable to drunken shooters than if they were launched out of planes or magically spawned in mid-air.

#### Re: In my area

"This would probably be viewed as aerial target practice by some inebriated locals." -- NotBob

... I think even with the steadiest hand going you'd be unlikely to hit one with anything other than a SAM

### UK Home Sec's defence of bulk spying: We 'found' a paedo (we already knew about)

#### Re: So with *all * that time to prepare and the whole of the Home Office to help her out.

"There is another sort of proverb that says "Wer glaubt, daß Abteilungsleiter Abteilungen leiten, der glaubt auch, daß Zitronenfalter Zitronen falten", but so far I couldn't come up with a translation that really works. Sorry. Anyone who wants to give it a try?" --- allthecoolshortnamesweretaken

"Expecting the brains of the Department (company, division, group) to be in the Head of the same is like expecting to find pants in the pantry"

"Theresa May isn't stupid, far from it she's a shrewd political operator..." -- Adam 52

Well; most politicians, however 'shrewd', are certainly not all that far from stupid. Success as a politician, regretfully, relies on some other qualities rather more than intelligence. To some extent, possessing it, let alone demonstrating it, is often regarded as a bit of a disadvantage.

### Facebook tells Belgian government its use of English invalidates privacy case

#### Re: English?

@TRT that is genius. I look forward to telling someone their argument is hemidemibiscuit. And @ElReg can we have a quarter biscuit icon to indicate the same?

### 'Printer Ready'. Er… you actually want to print? What, right now?

#### Re: Printers are evil.

"Cant give exact folder names as i am currently sat on toilet" --- psychonaut

Am I the only one who thinks it's inconceivable that someone who knew all the foregoing could not RDP to his machine from the throne?

#### Re: I can point you to some code

Emacs and LaTeX. Everything else sucks - often not just to use, but in terms of the ugliness of its output. It's only been the last few years of a what, two decade?, life that MS Word has been able to produce documents that aren't almost immediately identifiable as the ill-formatted output of the same.

### US rapper slams Earth is Round conspiracy in Twitter marathon

#### Re: The thing to do with these kooks

"Why are such ideas so attractive to certain individuals" -- Jonathan Richards 1

Best answer I've seen (on FB recently) was that "conspiracy theories help dumb people feel they are smart"

### Cops hate encryption but the NSA loves it when you use PGP

#### Re: An old but solved problem

"Is there not a program which conceals the encrypted message within a jpg or other image file?" -- Donchik.

Yes, there are several --- search "Steganography." More to the point, if you conceal it within an original creation of your own (i.e. there's no way to compare the picture to an 'original version' out on the web) you can post it publicly on Facebook, Tumblr or any number of well known places and, providing you have enough friends/watchers then they cannot even see to whom it is addressed.

### Axe to fall on staff at IBM's Global Technology Services 'this Friday'

#### Re: Stock manipulating by the execs again

If you're senior enough to be able to order redundancies, and you have stock in the company itself, isn't that almost insider trading? It's certainly a conflict of interest of some kind.

### Show us the code! You should be able to peek inside the gadgets you buy – FTC commish

#### I'm not sure I can understand the engineering diagrams of my car ...

... but I know if it is found to suffer from a serious safety design flaw I am, to a greater or lesser extent, protected (viz. large numbers of recalls we have seen).

The problem with a closed source device such as a router, with a massive security hole in it, is that it seems to fall between two stools: there's very little the user can do to check that it is safe, or keep it so, and I'm not aware of anyone who has tried to enforce supplier or manufacturer liability. Not even in the UK, where I'm guessing the Sale of Goods Act should allow you to at least return the device to the retailer.

Perhaps the information required to manage such a device oneself (firmware unlock keys, source code, etc.) should be placed in escrow with consumer organisations so that it can be released if the manufacturer goes under (or just stops supplying updates). But I still think that the detection of certain malfeatures, such as a hardcoded backdoor, should be a matter of manufacturer liability.

### Sainsbury's Bank web pages stuck on crappy 20th century crypto

#### Re: Prosecution required.

"Negligence = duty + b[r]each + damage. Someone can sue as soon as they suffer damage" -- ThomH

Sure, that's what's required to prosecute the guys who fsck'd up the crypto ... but making the statement isn't negligent, it's dishonest. IANAL but surely there's another offence which covers making false claims about financial services? Doesn't seem to me that it would be acceptable to imply that your customers were adequately protected when they were not. Any actual lawyers got a view on this?

#### Re: Model M

I'll pay the postage if you send it to me!

#### Prosecution required.

Someone, hopefully multiple someones including the budget holders, should face internal disciplinary action for the bad state of crypto. However, the person who made this statement "Customers visiting the Sainsbury’s Bank website can rest assured that they are protected at all times by multiple layers of online security" should be prosecuted; the statement is simply false, and they have hoped to have worded it in such a manner as to attempt to escape being caught in an outright lie. But the purpose of the statement, in the context of the established facts, is to deceive. And the purpose of that deception, at this moment in time, is to falsely reassure customers that their financial details are adequately protected.

If Sainsbury's or their PR department fancy suing me for libel, I'm happy to provide my details, and I look forward to hearing from them.

### Five technologies you shouldn't bother looking out for in 2016

#### Re: Year of Linux?

"Well then, where are all the games? No serious gamer would use a Linux desktop" -- Charles 9

No serious gamer would use a machine from PC world costing a few hundred quid either --- they're likely to be spending that (at least) on their graphics card(s). If that's out of your budget and you're still a serious gamer you are looking at self-build or buying from a specialist. Whilst I agree (and personally regret) that it's almost Windows or bust for headline games, these are not the kind of users that are being discussed here.

#### "Half the key"

is a figure of speech, hopefully. There's a lot of flexibility here: you can "split a key" into n pieces and require m of them for decryption, without any loss of security. So you could, for instance, create 10 keys and distribute them round your family, but only require 4 of them to unlock your stuff.
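Added example, not from the original post: the m-of-n key splitting described above is what Shamir's secret sharing does, and this is a small implementation of it over a prime field. The secret (here a constructed 128-bit value standing in for a key) becomes the constant term of a random polynomial of degree m-1; each of the n family members gets one point on it, and any m points interpolate the constant term back while m-1 points say nothing about it. The 4-of-10 split from the post is used in the demo; the `rand_below` parameter exists only so the example can be run deterministically.

```python
import random
import secrets

# Prime field for the arithmetic (2^255 - 19 is prime); any secret below it can be shared.
PRIME = 2**255 - 19


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs (constant term first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, m, rand_below=secrets.randbelow):
    """Shamir's scheme: produce n shares of which any m recover the secret."""
    if not (0 <= secret < PRIME and 1 <= m <= n < PRIME):
        raise ValueError("secret must be below PRIME and 1 <= m <= n")
    # Random coefficients for x^1 .. x^(m-1); the secret is the constant term.
    coeffs = [secret] + [rand_below(PRIME) for _ in range(m - 1)]
    # Shares are the points (x, f(x)) for x = 1..n (x = 0 would leak the secret).
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0: correct only if len(shares) >= threshold m."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    """4-of-10 split of a constructed 128-bit key; returns what each subset yields."""
    key = int.from_bytes(bytes(range(16)), "big")  # constructed stand-in for a real key
    rng = random.Random(42)                          # deterministic only for the demo
    shares = split_secret(key, n=10, m=4, rand_below=rng.randrange)
    return {
        "key": key,
        "any_four": recover_secret(shares[::3]),        # shares 1, 4, 7, 10
        "all_ten": recover_secret(shares),
        "only_three": recover_secret(shares[:3]),      # below threshold: garbage
        "rotated_shares": recover_secret(shares[5:9]),  # a different set of four
    }


if __name__ == "__main__":
    r = demo()
    print("4 of 10 recovered:", r["any_four"] == r["key"])
    print("3 of 10 recovered:", r["only_three"] == r["key"])
```

Share values should be handed out over separate channels and the x-index kept with each share; losing more than n-m shares makes the secret unrecoverable, which is the flip side of the threshold and the reason to pick m well below n for a family backup.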

### Swivel on this: German boffins build nanoscale screwing engine for sluggish sperm

#### Re: Wir haben Möglichkeiten, die Sie schwanger

"Not proper German.... try harder" -- petur

Hey, if we're being really pedantic, that's not a proper ellipsis!

### 200 experts line up to tell governments to get stuffed over encryption

"You also can't monitor a subject without their knowledge" -- Paul Hovnanian.

I disagree: sure, using 'hand-over-the-key-or-else' legislation does have that consequence. But keyloggers, key stealing, shoulder-surfing, bugging devices, etc. can all be used to monitor a subject who is using strong encryption without having to either attack the crypto or let the subject know that they are being watched. Endpoint compromise is effective against everything, even quantum crypto.

#### What 200 experts should really do ...

We need an audited, open-source, secure, traffic-analysis resistant system, impervious to blocking and denial of service.

This is problematic, because it would be of use to terrorists, but any remotely competent terrorist can do this stuff anyway and, as we have seen, they don't even have to: it seems they can be on everybody's watchlist, pretty much announce their intent publicly and still commit atrocities before being intercepted.

Such a system would kill, once and for all, the technically ignorant idea that all communication can be policed, as we would just say --- look, what's the point? Bad actors can always use System X.

"Is there a system in the wings?" -- T. occipitalis

Doesn't matter - the bad actors won't use it. If I can post random thoughts on Facebook I can communicate in code with any system of my choice without anyone apart from the recipient being aware of the hidden content. If I am allowed to post photographs I have taken, that content can be of quite significant size.

"Given that the UK authorities, at least, can demand keys from suspects why bother with SBDC"

Because you can't dragnet; that is the whole motivation here. Even with unbreakable encryption they can hit known targets through a variety of old school and technological measures; what they want to do is monitor everyone, all the time, just in case.

#### Re: Let me get this straight

@asdf - apologies, I deleted my earlier comment because I thought I was being unnecessarily pedantic and I actually agreed with you. Unfortunately that then 'orphaned' your reply, apologies :-)

### Going on a date, and it's just the two of you? How ... quaint. OkCupid's setting up threesomes

Brilliant idea, although might I suggest HSL rather than RGB --- it's a bit more sympathetic for conveying gradients

#### Re: order by breast_size

"Leaving choice aside, some people really don't have a distinguishing body part and it does seem unreasonable to assign them to an arbitrary category for administrative convenience." -- absolutely

There are 4 standard values for gender: male, female, unknown, unspecified and you've got to be able to support AT LEAST these 4. "experienced healthcare software designers" who are using Booleans should be taken out the back and shot --- IEC 5218 is forty years old this year FFS.

### Foetuses offered vaginal music streaming service

I think the seminal hit is sometime before the insertion of the babypod

#### Hmm...

My eldest son had a difficult birth. Some time after he was born, we received a baby gift of "relaxing womb sounds." The normally placid little chap reacted with considerable distress when the disc started to play, and settled only when it stopped.

Being a scientist, I had to try another couple of times to see if it happened again --- it did. Being a father, I wasn't going to do it more than thrice --- I didn't.

Now, I wouldn't normally want to infer something from a sample of three. However, might it be possible that some ill-timed music during foetal distress could result in a baby who would be distressed by such music?

On a related note, I'm now wondering whether my parents travelled back in time with some Kanye West tracks?

### Password-less database 'open-sources' 191m US voter records on the web

"Wouldn't it be much simpler to follow one from station to home after work?"

That would give you 1 address and would involve both more time and more risk. It's the same with a sexual predator following a young woman home, or an investment scammer following an older person home to see if they are likely to be asset-rich and income-poor (and a good target for an equity release scam). You'd still have more work to get a name and phone number (handy for "household surveys" where you can usually find out if someone lives alone --- especially if you have a handy conversation starter like registered political affiliation) but it's not going to be impossible.

What IS going to be impossible, though, is finding thousands of targets this way. Finding a wallet with someone's name, address and phone number is completely different to finding a DB with millions of addresses and phone numbers. Sometimes the scale of a quantitative difference is so large it is more effectively interpreted as a qualitative difference: my engineering inclinations would ordinarily, depending on the context, put that "switch" between about 3 and 6 orders of magnitude.

#### Re: What's the concern?

I presume the concern is that the voters did not necessarily give permission for this information to be given to anyone, without restriction -- or audit.

Privacy is not one dimensional: I really don't mind the UK secret services knowing what I use my VPN for, but it doesn't mean I want the council's parking control officer to know; I don't mind the latter knowing my address, but I don't want him to know my date of birth; etc.

There is also the issue of aggregation. Sometimes secrets that aren't even in the data can be given away by the data (e.g. a geographic clustering of security cleared people in a rural town). Databases which contain gender and D.o.B. information can be used to identify the locations of thousands of young women, for instance.

However, the key flaw in your argument is to assume that everyone else should be comfortable with your own personal privacy levels. I post here using my full name, but I don't expect everyone else to, and I'd be highly unimpressed with someone "outing" a fellow commentard who had used a handle or posted AC.

### China wants encryption cracked on demand because ... er, terrorism

#### Best laugh of Christmas:

According to Reuters:

"The draft law, which could require technology firms to install "back doors" in products or hand over sensitive information such as encryption keys to the government, has also been criticised by some Western business groups.

U.S. President Barack Obama has said that he had raised concern about the law directly with Chinese President Xi Jinping."

I hope Mr President will be calling David CamJongUn to express his concerns about draft legislation proposed by Treasonous May.

### Assessing the UK’s Government Digital Service

#### Re: It's just a little trivial

What if I don't really want to have a laser focussed on me?

### I have you now! Star Wars stocking fillers from another age

rose-tinted glasses?

#### Re: I can state with some confidence

"If I had a spare few grand" ... ah yes. But we can always use MAME :-)

### Juniper's VPN security hole is proof that govt backdoors are bonkers

#### Re: Dzjeeez

"Why is nobody commenting on the significance of quantum computing as a real threat to encryption" -- Jerth

It isn't insignificant but it isn't the end-of-life for classical encryption. Firstly, quantum prime factorisation is faster than classical but the speed up is not so vast that it cannot be impeded by using much longer keys. Secondly, there are already quantum-resistant algorithms.

### UK ISP Sky to make smut an opt-in service from 2016

SKY: "Can I ask what you mainly use the internet for?"

Me: "Porn"

*agent chokes on coffee*

After all, The Internet is for Porn

### There's an epidemic of idiots who can't find power switches

" it's now some 35 years I keep seeing intelligent, educated professionals being totally confused by a box of, well wires and stuff, acting like they have been zapped by a 1950ies B-movie MoronRay or something"

Precisely --- they are operating so far out of their comfort zone that they regress intellectually. People who would never dream of phoning up their garage and saying "my car doesn't work" routinely tell me "my computer doesn't work" and I have to play 20 questions, getting only "yes", "no" and "i don't know" answers to each question.

Even when people are specific "I've got a ghost post on Facebook I can't delete" you have to play the game: question 1) "is it the app or in a browser?" (usually answered by "I don't know" or, worse "how should I know?")

So the problem isn't idiots, it's intelligent people behaving like it. However, even that is forgiveable --- the real issue begins when they start to treat *you* like an idiot when you're trying to help them.

### Hillary Clinton says for crypto 'maybe the back door is the wrong door'

#### Re: Jury-based encryption

"This essay by Vinay Gupta explains the context..." -- Francis Irving

Your source appears to explain a specific and clever solution that can be used by people who want to cooperate (e.g. to share encrypted video to avoid liability for copyright infringement whilst still providing a decryption path for e.g. identifying the source of banned content). We wouldn't need a big project to work out how to do this as the article you quote already contains a solution!

The people that the powers-that-be are constantly pointing to as the threat which justifies mass surveillance are both able to use non-compliant cryptography and to hide the fact that they are doing so with steganography and other counter measures. It doesn't matter if you invent a new system that keeps all the good guys happy --- because the bad guys will ignore it.

#### Re: Deliberately vague

"but the first good quantum computers *will* pwn all classical algorithms" -- DavCrav

I thought that (a) there already exist quantum-computing resistant algorithms and (b) that the speed-up offered by, e.g. Shor's Algorithm is not so vast that it cannot be realistically kept at bay for a while by using (maybe much) bigger key sizes with classical encryption.

#### Crucial difference

The Manhattan Project (like the Apollo Project) was about engineering a way to realise the theoretically possible. Only idiots think a sufficiently big project can manage the not theoretically possible (let alone the theoretically not possible) and only liars would suggest it could if they suspected otherwise.

The political elite seem to be, almost to a person, fools or frauds.

### Kids' TV show Rainbow in homosexual agenda shocker

#### We should promote homosexuality

It's a win-win: (1) it forms a scientific trial; if after a few years of promoting it, the incidence of homosexuality stays roughly constant (within statistical bounds) we will at least confirm that all these people are talking rubbish but (2) if it causes a massive increase in homosexuality, we can reap the consequent benefits of population reduction.

### NZ unfurls proposed new flag

#### No Welsh in the Union Jack / Flag

If we superimposed that Welsh dragon on the flag, it would at least stop idiots hanging / flying it upside down.

### Electrician cuts wrong wire and downs 25,000 square foot data centre

#### Re: Do you get paid the same money as a professional?

"So, when the IT guy says 'there's only a 99% chance of success', what he's saying is 'this is ten million times more risky than our uptime SLA allows for, do not do this under any circumstances'" --- Naselus

That's what he is saying to a fellow techie. What the same sentence says to management is "yeah, it's definitely going to work". Remember, many of these people not only think that ninety nine point nine recurring is not exactly equal to a hundred (a little bit stupid) but are prepared to argue it with someone who does know (a little bit more stupid) and to not even change their mind when it's proved to them (unbelievably stupid).

My answer would have been "It's not a risk I would be happy to take: I think the chances of anything going wrong are small but the consequences, especially if we don't plan a mitigation strategy, would be fairly disastrous"

### Rupert Murdoch wants Google and chums to be g-men's backdoor men

#### Tetchy teens toll trumps trained terrorists

Between 2001 and 2013, about 3,400 USA citizens died from terror attacks (10% of which were outside the USA). In the same period there were over 400,000 deaths by gun violence inside the USA. [CDC figures, CNN report]. Measures which reduced USA gun crime by even 0.1% would save more lives than a 100% effective counter-terrorism system.

Before we can engage in a discussion about "balancing" safety and privacy, the people asking us to discuss it need to explain what they feel is so uniquely awful about terror-related deaths and injuries that it requires such disproportionate resource expenditure and rights restrictions. In my experience, despite their insistence on being rational people who understand money, the 'stop-terror-at-any-cost' proponents are rarely in favour of any other 'big state' activities which would have a higher expected health payoff: increased health and safety provisions; supporting mental health; improving road safety; promoting changes in diet and lifestyle; increased research and treatment of major diseases.

### Enraged Brits demand Donald Trump UK ban

Donald Trump: "[parts of London are] so radicalised the police are afraid for their lives"

Boris Johnson: "As a city where more than 300 languages are spoken, London has a proud history of tolerance and diversity and to suggest there are areas where police officers cannot go because of radicalisation is simply ridiculous ... Crime has been falling steadily both in London and in New York - the only reason I wouldn't go to some parts of New York is the real risk of meeting Donald Trump"

### Brits leave 138,000 gadgets in the pub

#### Bluetooth belt buckle / broach?

How about a small, rechargeable Bluetooth device that serves no purpose other than to keep your smartphone, tablet or laptop unlocked when said device is within range? You could even use it in 'pub' mode where when the device goes out of range you get an audible warning. Maybe the device could have its own buzzer to alert you when the connected devices drop out of range?

#### Re: I still have to both

"PANTS for short" --- AndyS

Handy umbrella term. I have been using the term e-pocrisy to refer to the practice of using social media to diss social media (all those FB posts saying one, or one's kids, should put down their smartphones and experience real life). I think we could probably apply a similar classification for comments on a news site telling everybody what you think of Facebook, when it is not the central point of the article.