Posts by David Hicks

Re: Justification

Errr..... No.

The money just seems to get hoarded. Pretty sure the shareholders have already been asking why the hell they aren't getting a slice of the action when the company is sitting on MASSES of cash.

Re: 20 years in the slammer

>> The drugs this guy was arrested for dealing are already legal.

Err, no, they are prescription drugs and obtaining them without a prescription is illegal. So "facepalm" right back at you.

Re: because religious nuts making sweeping statements on the net

>> By my read of the timeline on this thread, the first nutter posting sweeping and unprovable generalizations on this thread was the atheist jake, with you following soon thereafter.

Jake said "Idiots of any religious stripe should be pointed at & giggled at at every opportunity.". Do you identify as an idiot? Note how he doesn't say we should point and laugh at all religious people, just idiots of any religious stripe.

Killraven then comes along and says atheism is a religion, which is what got my goat.

>> And make no mistake about it, atheism is every bit as much of a belief system without proof as theism is

Nope.

>> In order to know there is not a god

Who's claiming this?

Nobody. Not me. Not anyone else in this thread and not even Richard Dawkins.

FAIL.

Re: ::pops some corn & grabs a beer::

>> Your arguments would carry more weight if you didn't have to resort to abuse.

I don't have to, it's just more fun that way.

>> Then again you are making exactly my point, and probably your own point, blind faith beit in a God or in no God is a bad thing it clouds the mind, it prevents people from having coherent arguments and they just shout their beliefs and resort to abuse if they don't get their own way.

This is true.

However it's impossible to have a coherent argument when one side is perpetually assigning motives, thought patterns and behaviours to the others.

Hell, I'm not going to argue that you're wrong to believe in god, that's not my place and is entirely up to you, its your belief. The only reason we're arguing at all is because of folks like yourself trying to tell me what I think and believe.

>> I also don't abuse people on the Internet who aren't the same as me.

That's not what's happening here, I'm sorry you think that.

Re: ::pops some corn & grabs a beer::

>> If that were all there was to it, you wouldn't feel the necessity to bang on about it, including detailed replies to people challenging you about it on a public forum on the Internet.

Right, because religious nuts making sweeping statements on the net should never be challenged, and because I'm in an argumentative mood today I *must* be religious and non belief must actually be a religion.

>> But, you know, keep protesting that you don't have belief and that you're in no way like anyone else who has the same not-belief as you.

"Everyone that doesn't collect model trains is just making a hobby out of not collecting model trains and is no different from train collectors."

"Err, no, I don't buy tracks or scenery or obsess over replica steam engines"

"you do all these things that are just the same!"

"No, I really don't"

"If not collecting trains wasn't a hobby you wouldn't be protesting about it!"

Moron.

Re: ::pops some corn & grabs a beer::

>> No Priests: Dawkins

I don't turn to him for moral guidance and he doesn't get to tell me how to live and I don't give him any money.. He is entertaining on the telly sometimes. That doesn't make him a priest. FAIL.

>> No Meetings: Sceptics in the pub

All atheists have to go to this do they? Specifically the Reading branch? FAIL.

>> No Faith: The levels of certainty are higher than most religious people I know.

You won't find many atheists who are certain of anything except that you have no evidence on your side, and with no evidence there's no reason to believe. That's not faith. Faith is believing in something without evidence. FAIL.

>> No dogma: Sure, there's none, no books that bang on at the already converted, nothing. No Dawkins said it, so it's got to be right.

Reading Dawkins (or other) books is not required to be atheist, only to not have religion. FAIL.

>> No Commonality: Again, have you actually met any of the trndy, hipster athiests? Many of them may as well be clones of each other.

No, I haven't, because there's no congregation, meetings or commonality you absolute muppet. FAIL.

>> I don't care if you do or don't believe in a God, but don't delude yourself that it's some free thinking personal ideology that has nothing akin to any religion.

Except it doesn't. It's not even an ideology, I'm not part of a group. I just don't believe in gods and I don't go to church. That's all there is to it. I'm not sure why it is you think this makes people like me religious.

Re: How many of the acres of computers the NSA have...

>> 1). The NSA are retaining encrypted data for breaking.

>> (If they can't break it (and know they can't break it, as per your analysis) why waste resources retaining it?)

It's possible that quantum computing may render much of our current crypto irrelevant in the future.

It's possible they may be able to get keys by physical or legal coercion or just by hacking.

It's not possible to brute force AES 256 in a reasonable amount of time, even with their resources.

>> 2). They ARE using all that compute power they have for something.

Well, it's not brute-forcing AES-256 keys because that's a waste of time and energy. A lot of crypto that's actually in use is far less secure than AES, or is used in constructions which leak information and may be vulnerable to various attacks, perhaps their attentions are on that.

>> (And here we are back at my original point)

Which doesn't really hold up to scrutiny. Private encryption schemes are almost always flawed, and if you do it right you can encrypt data in a way that holds up to all known attackers. Of course it's possible the eggheads at the NSA are ahead of the game here and have got attacks on AES the rest of the world don't know about, but that's speculative.

Re: Key exchange for dummies.

>> Exactly what I was thinking, why are these keys kept beyond the life of the session?

OK, so the RSA keys need to be kept because they are used for authenticating who you're talking to. Without them you're vulnerable to MITM attacks.

>> Also, the article refers to getting the key off the server, B in my example, however I never give B the private key, unless it means the session key, which should be deleted after the session ends.

I think the point is that the server may be forced by non-technological means to give up their private key. Or they may be hacked. Without (EC)DH(E) you could use this to decrypt any previous traffic dumps you happen to have of comms between that server and any clients.

Re: Key exchange for dummies.

>> In the above, why doesn't "A" create a new private/public key for each session (well, not A-the-person, but A-the-software) -- never storing the private key on permanent store? Then there is no private key for "C"'s thugs to beat out of "A"

OK, so the public/private key pair are used for authentication. We don't generate new ones each time, as a rule, because A's public key needs to be accepted as secure and trusted by B. This can be achieved by sharing it in some secure way ahead of time or by having a mutually trusted authority sign it. If you don't do this B can't be sure they are talking to A, B might be talking to M who is running a man-in-the-middle attack.

You could certainly reduce the lifetime of private keys and securely delete them after a while, that might be good practice, but it's not really practical to make a new one each connection.

And this is basically what Diffie Hellman is for, to make session keys that can't ever be regenerated when the connection is dead, so C has no recourse to pipe and gorillas :)

Re: How many of the acres of computers the NSA have...

>> protip: WIth enough compute power EVERY encryption method can be brute forced.

Do the math. AES-256, if you check 1 billion keys per second, would take in the region of 1.5 times 10 to the power 60 years to brute force.

For comparison, the earth will likely be devoid of life (due to the sun getting hotter) in around 10 to the power 8 years.

Hell, let's say we can check a key every clock cycle in a modern 4 GHz machine, you're still looking at 9 time 10 to the 59. If everyone on earth had a quad core version of that, dedicated only to the problem of decoding an AES-256 message, it would STILL take almost 10 to the power 40 (that's 10 with 40 zeroes after) times the expected lifetime of the planet to decode.

Re: Key exchange for dummies.

>> B sends A a randomly generated session key encrypted using A's public key.

>> How do you get the secret session key after the connection has terminated?

'C' takes a length of pipe and a couple of hard men, retrieves A's private key and decrypts the session key message, therefore unlocking all the rest of the data with the session key.

Diffie-Hellman gets around this by using clever maths to allow two sides of a conversation to derive the same key *without exchanging enough information over the wire to rebuild the key later*. It's a work of genius and I highly recommend reading about it on Wikipedia.

Re: Was this news?

>> Bullfood. The only weaknesses in PKI are a) losing control of your private key, don't do that, or b) asking for someone's public key which you don't have yet.

Bullshit.

The weakness with the PUBLIC authority structure is you have to trust the public authorities, and sometimes you can't. You can request a key for www.example.com because you own it, but if any of the authorities trusted by your browser issue another certificate to someone else for www.example.com, then they are enabled to perform MITM attacks. Or if they allow a signing certificate then whoever gets that can sign a cert for any server they like, and MITM anything.

>> IN ANY EVENT, PKI is not used for session key negotiation in SSL, it's used for authentication.

Well, that rather depends on the cipher suite you use, which is rather the point of this article.

@ JeevesMkII

"That's not how certificate issuance works. You generate they key and send them a certificate signing request with your public key parameters. The cert. auth. never knows your private key, for obvious reasons."

Hi again.

I know exactly how certificate issuance works because I've done it. And I know very well that if the likes of Verisign issued a certificate to the NSA with the signing bit switched on then they could sign any certificate for any server they felt like and perform man-in-the-middle attacks against any system that had (for instance) verisign's root certificate installed. The certification authority never knows your private key because it's irrelevant to a MITM attack. You only need to get the client to accept that your cert is signed by a trusted root.

I know this because I've written software to do this (successfully) and familiarised myself with the SSL and TLS RFCs. Perhaps you should do the same and investigate the role of the authorities in the chain of trust before you hold forth on issuance procedures.

>> Rename to Bytecoins

"Unregulated peer-to-peer crypto currency".

>> I have a wallet service on my desktop. It holds information that I want to keep private and has nothing to do with any form of virtual currency.

So what? Kill/heavily regulate the online wallet services and make mining illegal. Not really all that hard. Hard to identify who's doing it, perhaps, but not hard to legislate.

>> In order to apply financial rules they have to recognise it as a currency which would, in effect, legitimise it.

Not if they also made it illegal. Look at what happened with Liberty dollars - recognised as a competing currency and shut down as a result (competing physical currencies are not allowed). Again, BTC would be *technically* harder to shutdown, but not legislatively harder.

>> Yes. That is why there are so many lawyers and why every law passed ends up being amended and/or superseded. Lawmakers find it difficult to successfully define physical objects and processes, never mind virtual ones.

Yet here we are with all these laws and enforcement agencies that will shut you down if (for instance) you make a business of selling illegal items like heroin. Seems that some things can be legislated.

>> All the miners do, by the way, is generate a SHA-256 hash to sign a block of data with. How easy do you think the lawmakers would find it to stop people signing a bitcoin data block without having any side effects on everything else that uses SHA-256?

Very easy indeed. "For the purposes of mining and/or processing transactions in unregulated peer-to-peer crypto currencies".

>> How?

Make a law that says trade in bitcoins is illegal. Like trade in drugs perhaps. They could define running any sort of wallet service or a mining rig on the network to be money-transmission and apply a load of financial rules around that (which it is *very* doubtful BTC meets). Miners could be arrested for enabling money-laundering. All sorts of stuff could happen.

Do you really think it's beyond lawmakers to figure out a way to make trade in BTC effectively illegal?

I'm n ot saying its good, or right, but you have to admit its possible.

Killing bitcoins isn't a tech problem though, it's a social/business problem. Outlaw American business from dealing in BTC, put pressure on international partners to do the same by making a lot of noise about drugs and terrorism. Result - massive market suppression as any hope of "normal" involvement in the bitcoin market dies, exchange becomes very hard and it's relegated to niche, underground uses.

>> It's a sad day when you need stupid amounts of processing power on a phone.

I take it you still use a nokia 3310 and a 286 then?

It sure us a sad day when you need such power as a modern Core processor just to run a desktop OS and an office suite.

Alternatively you could look at it as progress, you know, like we have been doing in tech since the whole thing started. Faster = able to do more.

"I don't really care about the ethics of espionage and I'm not here to take a side and defend it"

Then why are you trying to tell the rest of us someone is a traitor for exposing to us what our governments are doing in our names?

"You're the one who's whining about not wanting to live in a country that doesn't spy on other people. Like I said, if that is your wish go live on a rock in the Pacific Ocean, or Antarctica, whatever. The fact of the matter is there is a big difference between exposing domestic spying and the geopolitical kind and by any countries definition of the term he has crossed the line into 'traitor' territory."

Yes, the fact of the matter is that he has exposed international spying. The fact of the matter is also that the people of these democratic countries had little idea how far their own governments were going in our names (though you could get some idea if you were paying attention). In a democratic country, where the government acts with the mandate of the people, if the people don't know what's going on then they cannot have sufficient oversight. Telling the people what their government is doing, when it is doing far more than anyone expects or wants of it, is not traitorous. It's informative to the democratic process.

I repeat - unless you think governments should just be left alone to do whatever the hell they want in the international arena, and the rest of us shouldn't worry our pretty little heads about it?

"Yes, I agree. It's entirely realistic that the US will completely stop spying on other countries due to these revelations."

Right, because it's really definitely all or nothing, and democratic people should just let the government handle it and do as much or as little spying as they feel like, and the rest of us shouldn't worry our pretty little heads about how much they f*ck around in other countries.

Who gives a fuck if its realistic they stop entirely? Maybe its realistic they get shamed into curtailing their activites due to democratic pressure. Maybe its realistic that this is just one more strik against government secrecy and adds to a building distaste people have for their own government. Maybe its realistic that the populace slide back into total fucking apathy.

But don't tell me "We spy because we spy and that will never change so everyone should just keep quiet about it".

"If you don't want to live in a country where the government thinks it's alright to spy on other countries citizens, you won't have many options, my friend. Perhaps there's a volcanic rock in the Pacific Ocean somewhere you can live on?"

Then perhaps throwing the light of day on the extent of these activities every so often will change this, was my point. If there's all this publicity and people turn out not to like it, maybe we can force change in the way this works. He's not a traitor if he's telling people what they're government is doing in secret and they hate it.

"When your riposte to my argument is some flouncy, idealistic horseshit that bears no semblance to the reality of the world we live in, you know you've lost."

Right, because we can never change anything, ever, and ought to just put up with 'reality'. Fuck you too.

Are people not allowed to be outraged at the extent of spying that their country does on the citizens and corporations of other countries too?

Maybe I don't want to live in a country (or have a government) that thinks it's just fine to steal SMS data from citizens and officials all over the world?

Maybe some of us are tired of the institutionalised duplicity of diplomacy and spying and would rather leave the whole game alone. It's like systemic corruption and until we start fighting it, it will never go away. "The other guy does it" is no excuse".

And how about all the stuff about how the US spies on many millions of its own people? That legitimate too?

And what if the people of the nation hear about all the spying and decide they don't want their taxes going to pay for all the spying?

Isn't it right that in a democracy we have some idea of what our governmeent is doing?

Re: Would it have been better for the mail...

Yes I saw one of his 'spiritualist' things on the telly a few years back. He read up on cold reading and applied to it to awesome effect, to do exactly what the psychics were doing and he did it very well.

Unfortunately I've seen people take away from that that he is a liar and he was only able to do the amazing cold reading because he has huge psychic powers that he's not telling us about.

Re: So: basically it's a protection racket

"Well, err ... actually - yes. Isn't that what corporation tax is supposed to be? <FX: scratches head, looks mystified>"

Therein lies the problem, what is profitable? What does that mean?

Would there have been profit if not for poorly defined "brand services" charged to the UK corp from a tax haven?

Conversely, are brand services (international marketing? trans-national supply negotiation?) actually quite a legitimate expense?

There's no doubt in my mind that a lot of dodges are used to make it look like there's no profit where there might be tax, and that's the bit I'd like to see pinned down.

Re: all webcams I know have a light on them to indicate if they are active..

>> surely if the webcam can be turned on without your knowing, the light could also be disabled ?

Thankfully this is usually not software controllable, and the LED is hooked into the circuit that activates the sensor.