The setting, simplified: you send RSA(aes-key), AES(key, message). The server replies if the AES key it recovers from the RSA message successfully decrypts the AES ciphertext; the server is an oracle for whether the message is valid.
The attack is stupid simple: the attacker shifts 127 of the AES key bits off of the RSA message --- the attacker can do this, because RSA is homomorphic with respect to multiplication and thus malleable --- and then sends the bit-shifted RSA message along with an AES ciphertext encrypted with the 0b1000...0 AES key. If that elicits a server response, the attacker knows the bottom bit of the real AES key is 1. The attacker repeats with a 126-bit shift, then the math teachers and so on until everyone is eaten.
The medication was discovered in 1969. The application method, which is the shitty excuse for the patents protecting its $2,200/month price tag, was first approved for use by the FDA in 1979. The drug has been for sale in its current form for over a decade.
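As an added illustration (mine, not part of the comment above), the script below builds a toy textbook-RSA key from two Mersenne primes, wraps a 128-bit key the way the comment describes, and shows the single malleated query that leaks the key's low bit. It then shows why deriving the symmetric key from the whole RSA plaintext (RSA-KEM style; RSA-OAEP closes the hole for the same reason, a manipulated ciphertext no longer decodes to anything predictable) removes the leak. An HMAC tag stands in for the "did the AES key decrypt the ciphertext" check, the key values are constructed, and the primes are chosen only so the code is self-contained.

```python
import hashlib
import hmac

# Toy textbook-RSA key built from two Mersenne primes (2^521-1 and 2^607-1).
# Enough to show the algebra; nothing like a real RSA key.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # modular inverse, Python 3.8+
N_BYTES = (N.bit_length() + 7) // 8

KEY_BITS = 128
KEY_MASK = (1 << KEY_BITS) - 1


def rsa_enc(m: int) -> int:
    return pow(m, E, N)


def rsa_dec(c: int) -> int:
    return pow(c, D, N)


def tag(key: int, msg: bytes) -> bytes:
    """Stand-in for the AES(key, message) step: the server's 'did the key
    decrypt the ciphertext' check becomes 'did the key verify this tag'."""
    return hmac.new(key.to_bytes(16, "big"), msg, hashlib.sha256).digest()


def shift_ciphertext(c_rsa: int, shift: int) -> int:
    """Multiply the RSA ciphertext by Enc(2^shift). Textbook RSA is
    multiplicative, so the server recovers m * 2^shift (no modular wrap
    here because m < 2^128 and N is far larger)."""
    return (c_rsa * rsa_enc(1 << shift)) % N


# --- Scheme in the comment: the AES key is the RSA plaintext's low 128 bits ---

def naive_server_accepts(c_rsa: int, msg: bytes, t: bytes) -> bool:
    key = rsa_dec(c_rsa) & KEY_MASK
    return hmac.compare_digest(tag(key, msg), t)


def naive_low_bit_from_one_query(key: int) -> int:
    """After a 127-bit shift the server's recovered key is (key & 1) << 127,
    so one accept/reject answer reveals key bit 0. Shown for one bit only."""
    shifted = shift_ciphertext(rsa_enc(key), KEY_BITS - 1)
    msg = b"constructed probe message"
    guess = 1 << (KEY_BITS - 1)                 # the key the server recovers if bit 0 is 1
    return 1 if naive_server_accepts(shifted, msg, tag(guess, msg)) else 0


# --- RSA-KEM style: symmetric key = H(entire RSA plaintext) ---

def kem_key(seed: int) -> int:
    digest = hashlib.sha256(seed.to_bytes(N_BYTES, "big")).digest()
    return int.from_bytes(digest[:16], "big")


def kem_server_accepts(c_rsa: int, msg: bytes, t: bytes) -> bool:
    key = kem_key(rsa_dec(c_rsa))
    return hmac.compare_digest(tag(key, msg), t)


def kem_blocks_shift_query(seed: int) -> bool:
    """Same malleated ciphertext against the KEM server. It now derives
    H(seed * 2^127), which depends on every bit of seed, so the two keys the
    shift trick could predict (H(0) and H(2^127)) are both rejected."""
    shifted = shift_ciphertext(rsa_enc(seed), KEY_BITS - 1)
    msg = b"constructed probe message"
    for guess_plaintext in (0, 1 << (KEY_BITS - 1)):
        if kem_server_accepts(shifted, msg, tag(kem_key(guess_plaintext), msg)):
            return False
    return True


if __name__ == "__main__":
    k = 0x0123456789ABCDEF0123456789ABCDEF   # constructed 128-bit key, bit 0 = 1
    print("naive scheme leaks bit 0 =", naive_low_bit_from_one_query(k))
    print("KEM scheme rejects the shifted query:", kem_blocks_shift_query(k))
```

In a real RSA-KEM the sender picks a random value below N, sends its RSA encryption, and both sides run a KDF over it; on top of that, the server should behave identically whichever stage fails, so that the accept/reject answer the comment relies on is not observable at all.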
When it's all said and done, you won't win so you may as well drop it or leave HN. Dang considers himself the adult, with people like you as the children. He'll chide you, but he won't give any credence whatsoever to anything you say, so don't bother.
And while I don't necessarily agree with your initial posting, it didn't need moderator attention.
Just as an FYI, Dang will also harass you in an effort to get you to either escalate into a bannable offense or to get you to leave the site.
I've seen it happen, so my advice to you is to decide if putting up with Dang's bullshit is worth being a part of HN.
I don't understand why people even try to wrestle with customer service reps nowadays, when the only reliable method is getting visibility on HN/Digg/Slashdot/etc
If you're not on Windows, you can also instead use `firefox -new-instance -P`, which is better, because -no-remote cuts off communication from other applications to that Firefox instance, meaning that you can't open links from those other applications inside a Firefox instance that's been started with -no-remote.
The aforementioned "about:profiles" also has a button "Launch profile in new browser", which is much easier than the above methods, but those are useful, if you for example want desktop shortcut for your individual profiles.
You can read the release notes here btw that point to the EIP and Github issues for "Precompiled contracts for modular exponentiation; elliptic curve addition, scalar multiplication and pairing" here: https://blog.ethereum.org/2017/09/14/geth-1-7-megara/
AFAIK there were only 4 precompiled contracts (ECDSARECOVER, SHA256, RIPEMD, and IDENTITY) so this is sort of a big deal, but I think the right way to go (being able to natively support zkSNARKs, or RingCT/RuffCT directly on ETH) would be incredibly powerful.
The practical implications for this particular change are being able to run private tokens directly on Ethereum (vs globally visible transactions), although AFAIK the initial zkSNARKs implementation is not currently compatible w/ ERC20 tokens ATM.
That stuff is great but doesn't mean much. Just because they're blocking border agents from trivially imaging phones at the border doesn't mean that they won't cooperate at a higher level with some undocumented baseband features.
Just as Defense in Depth is a concept in security, we've already seen a corollary "Offense in Depth" from the intelligence community. Is the best attack in the random number generator[3] or undocumented silicon[4] or intercepting your boxes on the way to your data center[5] or tapping your fiber[6] or stealing your certs[7] or paying your employees to go rogue[8]? Why choose when you can just do them all.
Apple hardware is vertically integrated and utterly undocumented. The AMT chip has been present on motherboards since 2006[9]. The Snowden Introspection Engine found that the Wifi Chipset remains powered up even when Wifi is turned off.[10] I find it hard to believe that the same government who went to all these lengths to compromise our infrastructure would really let Apple get away with refusing. How did that turn out for Joseph Nacchio?[11]
[1] https://www.washingtonpost.com/world/national-security/us-wa...
[2] https://www.cultofmac.com/498052/ios-11-lets-quickly-disable...
[3] https://en.wikipedia.org/wiki/Random_number_generator_attack...
[4] https://en.wikipedia.org/wiki/Hardware_backdoor#Examples
[5] https://www.extremetech.com/computing/173721-the-nsa-regular...
[6] https://arstechnica.com/tech-policy/2013/10/new-docs-show-ns...
[7] https://nakedsecurity.sophos.com/2013/12/09/serious-security...
[8] http://www.ocweekly.com/news/fbi-used-best-buys-geek-squad-t...
[9] https://libreboot.org/faq.html#intel
[10] https://www.documentcloud.org/documents/2996800-AgainstTheLa...
Please, web developers, stop doing this. It's not just the minority of people who browse with JavaScript disabled who are bothered by this, think of all the people on slow Internet connections who have to wait for your megabyte+ JavaScript program to download and execute before they can read the content of the 50 KB HTML page.
I understand that it is not feasible to accommodate no-JS browsers for Single Page Applications because JavaScript is essential to their functionality, but this page is not an application and JS is obviously not essential to it. Use JavaScript to enhance webpages, not degrade them.
- [1] Yes, Reader View in Firefox (and similar) are able to render the page properly. It's a wonderful utility, but I shouldn't have to strip away your broken web design to read your content.
- [2] https://streamable.com/b390d (no JS mirror: https://cgt.name/files/fortheloveofgod.ogv)
Is there some large application for tuplehashes that explain its inclusion in a standard? Because I don't know any.
Jacobinmag has no trouble with its host.
"OpenSSH is a 100% complete SSH protocol 2.0 implementation..."
This bug[0] calling out the fact that OpenSSH doesn't implement section 6.9 of RFC 4254 (which allows you to send signals to remote processes) has been open since 2008, complete with community submitted patches that implement that part of the protocol.
My recent pet Golang project[1] is a parallel remote command executor that uses OpenSSH, and I would really love the ability to better manage remote processes I execute via SSH.
Don't forget Stallman saw the destruction of his beloved Hacker Culture of Sharing and Academic Discourse eroded and broken by the LISP machine debacle and the change to a closed anti-sharing approach of UNIX by the newly privatised Bell in the 1980s.
And it was a proprietary printer driver which initiated his epiphany that in a world governed by proprietary software the user would have no freedom or a freedom that could be taken from them so no right to freedom. RMS could easily have made the modification to the driver he wanted but he was not allowed the source code.
From this he invented his four essential freedoms [1] manifesto and the GPL which allowed developers to develop with out fear of the closing of their contributions behind paywalls.
In the early 1990s the Linux kernel flourished with its GPL license ensuring it remained a bastion of freedom.
As Stallman advocates for a future where users have maximum freedom then proprietary software is opposed to that.
If I use Photoshop over GIMP and write tutorials and encourage others to use Photoshop then the world is a little less free for those users in the sense of the four essential freedoms [1]
By this definition proprietary software is opposed to Stallman's vision and insidiously so.
To oppose the freedom of others is in RMS's eyes not a good act, thus it can be rightly called evil in that context and IMHO he is not wrong in this.
Proprietary software 'may' not steal your freedom today but it can lock away your contributions and data tomorrow and one has no recourse - Stallman having lived through this wishes to oppose it and fight for the right to Freedom for us all and forever.
His is a glorious vision and he is not wrong, without free software competing with it, proprietary software would likely offer much less freedom and can and has taken what freedom it offered away !
We will live in an increasingly computerised and robotised society. We must choose: will we only have tenuous freedom exchanged for conveniences and mind-candy, rescindable freedoms only for some given by the whim of corporations; or will we work together on GNU and other Free projects and live as Free peoples of the solar system?
Free as in Liberty, Egality, & Community.
[1] https://www.gnu.org/philosophy/free-sw.en.html
Oh ye of little faith, history has so far found that:
That is the essential question you must answer. Arguments against are legion: https://en.wikipedia.org/wiki/Opposition_to_copyright
The GPL license is not an end in itself. It is simply a holding action – a means to carve out a bit of freedom for end users using the current rules of copyright.
I don't know if the Streisand Effect is going to happen with this one, but it seems very odd that the DMCA could even be applicable here.
Edit: https://www.copyright.gov/help/faq/faq-protect.html#domain
Can I copyright my domain name?
Copyright law does not protect domain names.
"Chromium-based browsers are being “infested” by Instart Logic tech which works around blockers and worst, around browser privacy settings (they may start “infecting” Firefox eventually, but that is not happening now)."
From his linked post:
"Instart Logic will detect when the developer console opens, and cleanup everything then to hide what it does"
Is this implemented via a CDN-delivered script? Why would Chromium-based browsers be more susceptible?
(html
  (head
    (style (let ((bg #x0088ee)
                 (fg #x00ee88))
             (body (background bg)
                   (foreground fg))
             (body.inverted (foreground fg)
                            (background bg))))
    (script (defun invert ()
              (with-slots (class-list)
                  (get-element-by-tag document 'body)
                (setf class-list
                      (if (find 'inverted class-list)
                          (remove 'inverted class-list)
                          (cons 'inverted class-list)))))))
  (body
    (button (@ (on-click (invert))) "Click me")
    (p "This is some text.")))
I contend that this is a massive improvement. This of course says nothing about how to go about building an actual cipher/hash that withstands all kinds of cryptanalysis.
Edit: apparently not so clear, I'm told: http://arxiv.org/abs/1011.1264
Daniel Bernstein, Daniel Bleichenbacher, Dan Boneh and Thomas Pornin are professional cryptographers and world-renowned experts. Even I would feel comfortable writing crypto if Bleichenbacher was watching behind my back.
Frank "wrote" libsodium, but libsodium is effectively a port of NaCl. Frank had Daniel Bernstein watching behind his back.
Eric Young wrote OpenSSL. Look how that turned out! Has there been a class of cryptographic vulnerability that OpenSSL hasn't had?
And yet consider: for all the effort that people like Bernstein and Boneh put into writing strong, safe crypto, the entire world has blundered into vulnerability after vulnerability because the amateurish crypto in OpenSSL is the one everyone else ended up using.
It's as if you set out to prove my point.
Finally: you obviously know that "writing your own crypto" isn't the only way to become good at it. In fact, it's a terrible way to get good at it. The right way to get good at crypto is to learn how to break it. But that takes effort, and you can have a blog post crowing about your new crypto library just a few weeks after deciding to write one.
The thing that I said was "table stakes" for implementing cryptography was passing the algorithm test vectors, which this author's previous post claimed as a security feature.
If you're unfamiliar with the concept, a test vector is a series of strings and intermediate values used to ensure that your (say) OCB3 is the same as everyone else's OCB3.
Had he asked, I'd further claim that not having dumb C bugs is also table stakes for cryptography, since serious crypto vulnerabilities happen at a higher level of abstraction. The author grazes past (somewhat disconcertingly) one such class of bugs when he discusses carry propagation and limb scheduling in the context of Poly1305. Improper carry propagation is an example of the kind of security vulnerability for which there are no test vectors and no memory safety validation tools.
You just have to know what a carry propagation bug is, where to look for them (not Poly1305), and what the impact of one is.
Hopefully, the author of this library does.
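To make the carry-propagation point concrete, here is an added illustration (mine, not the library's code and not the commenter's): a toy radix-2^26 limb representation whose carry pass has exactly the kind of defect the comment warns about. Random test vectors pass it, the one input constructed to put a limb at its maximum with an incoming carry does not, and the only check that notices is a comparison against an independent big-integer reference. The limb layout is a generic one chosen for the demo, not any particular Poly1305 or curve implementation.

```python
import random

LIMB_BITS = 26
LIMBS = 10
MASK = (1 << LIMB_BITS) - 1
MODULUS_BITS = LIMB_BITS * LIMBS          # 260-bit values, wrap past that


def to_limbs(x: int) -> list:
    return [(x >> (LIMB_BITS * i)) & MASK for i in range(LIMBS)]


def from_limbs_trusting(limbs: list) -> int:
    """Packs limbs assuming each is already < 2^26, as an encode routine
    typically does after a carry pass. An over-full limb is silently
    truncated, which is how a missed carry turns into a wrong answer."""
    return sum((l & MASK) << (LIMB_BITS * i) for i, l in enumerate(limbs))


def add_buggy(a: list, b: list) -> list:
    """Limb-wise add, then ONE carry pass computed from the pre-carry values.
    If limb i+1 was already at MASK, receiving a carry pushes it to 2^26,
    and nothing carries that on."""
    s = [x + y for x, y in zip(a, b)]
    carries = [v >> LIMB_BITS for v in s]
    s = [v & MASK for v in s]
    for i in range(LIMBS - 1):
        s[i + 1] += carries[i]
    return s


def add_correct(a: list, b: list) -> list:
    """Sequential carry: each limb is reduced after it has received the carry
    from below, so every limb ends < 2^26. The carry out of the top limb is
    dropped, i.e. arithmetic is modulo 2^260 for this demo."""
    s = [x + y for x, y in zip(a, b)]
    carry = 0
    for i in range(LIMBS):
        v = s[i] + carry
        s[i] = v & MASK
        carry = v >> LIMB_BITS
    return s


def check_against_reference(add_fn, x: int, y: int) -> bool:
    """The check test vectors cannot replace: compare with Python's bignums."""
    expected = (x + y) & ((1 << MODULUS_BITS) - 1)
    return from_limbs_trusting(add_fn(to_limbs(x), to_limbs(y))) == expected


def random_vectors_pass(add_fn, n: int = 2000, seed: int = 1) -> bool:
    """Random 'test vectors': a limb sits exactly at MASK with probability
    2^-26, so these essentially never exercise the bug."""
    rng = random.Random(seed)
    return all(
        check_against_reference(add_fn, rng.getrandbits(MODULUS_BITS),
                                rng.getrandbits(MODULUS_BITS))
        for _ in range(n)
    )


# Constructed edge input: limbs 0 and 1 of x are full, y adds 1 to limb 0.
EDGE_X = MASK | (MASK << LIMB_BITS)
EDGE_Y = 1

if __name__ == "__main__":
    print("buggy passes random vectors:", random_vectors_pass(add_buggy))
    print("buggy correct on edge input:", check_against_reference(add_buggy, EDGE_X, EDGE_Y))
    print("fixed correct on edge input:", check_against_reference(add_correct, EDGE_X, EDGE_Y))
```

The buggy adder is off by a power of two on the edge input (limb 1 ends at exactly 2^26 and is truncated to 0), so anything built on it silently computes with the wrong field element; that is why such bugs are found by reasoning about limb bounds and fuzzing against a reference, not by the standard vectors.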
I'm looking for one thing, which I hope should speed up signature and verification speed with very little bloat: converting a Twisted Edwards point to Montgomery space, then back (with that sign recovery trick after the Montgomery ladder).
Reading (and trying to apply) the relevant papers has been frustrating so far (I get wrong results), and I can't find code (or pseudo-code) I can use. Has someone implemented this?
uint8_t u8 = 255;
uint64_t u64 = u8 << 24;
printf("%016llx\n", (long long) u64);
prints "ffffffffff000000". If you instead do uint64_t u64 = (uint64_t) u8 << 24;
or uint64_t u64 = (uint32_t) u8 << 24;
It prints "00000000ff000000" as most people expect. (I think the second example with (uint32_t) will only work if "int" is at most 32 bits, but I might be wrong).
I should note, since I am not and do not expect to be the level of mathematician that Perelman is, I have not actually read his proof. So I defer to other superior mathematicians for this assessment and come by it as hearsay. :)
Matthew Green was _insistent_ about making an altcoin. I believe I can substantiate this with DKIM-signed emails by Google, if it's actually being refuted. He was especially concerned about difficulties monetizing any other path.
In particular, later I begged for access to the efficient SHA256 circuits which had been created and benchmarked as part of their publications, which were held back from publication with libsnark. ... so that I could begin working on applications of them with Bitcoin, only to be blown off.
> and that's all that is happened: talking. There is no code and
https://github.com/ElementsProject/elements sidechain right here.
ZCash has this ability to de-anonymize users through targeted blocks, and is a privately-held U.S.-based company that claims no liability for its users' actions, meaning if subpoenaed they will [probably] turn over information.
They're also privately cashing in on 20% of all transaction fees.
Just because someone behind a project has credentials you respect doesn't mean we should ignore aspects of the project.
http://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-ar...
http://www.saminiir.com/lets-code-tcp-ip-stack-2-ipv4-icmpv4...
http://www.saminiir.com/lets-code-tcp-ip-stack-3-tcp-handsha...
http://www.saminiir.com/lets-code-tcp-ip-stack-4-tcp-data-fl...
At the very least, this should use SHA-256.
If they really did it right, though, the protocol would use a secure tree hash. The construction they're using has trivial collisions, which are only avoided because the size of the file comes from a trusted source. A good hash (e.g. the Sakura construction) doesn't have this problem. Fixing that would make the resulting torrent files or URLs a bit shorter, as the size could potentially be omitted.
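What "trivial collisions" look like in a hash-of-chunk-hashes, as an added example that is not taken from the protocol the comment discusses (I am assuming a plain Merkle construction, leaf = H(chunk), node = H(left || right), single leaf = root, which is the usual shape of such schemes): a short file whose content is exactly the concatenation of another file's leaf hashes gets the same root, and only a separately trusted file size tells the two apart. The second function adds the leaf/node domain separation that Sakura builds in through its frame bits, and the collision disappears. Chunk size and file contents are constructed for the demo.

```python
import hashlib

CHUNK = 1024  # constructed chunk size for the demo


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chunks(data: bytes) -> list:
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]


def _tree(level: list, node) -> bytes:
    # Pair up adjacent hashes; an unpaired last hash is promoted unchanged.
    while len(level) > 1:
        level = [node(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
    return level[0]


def naive_root(data: bytes) -> bytes:
    """Merkle tree with no domain separation: leaf = H(chunk),
    node = H(left || right), a single leaf is its own root."""
    return _tree([h(c) for c in chunks(data)], lambda l, r: h(l + r))


def separated_root(data: bytes) -> bytes:
    """Same tree shape, but leaves and inner nodes hash under distinct
    prefixes (0x00 / 0x01), in the spirit of Sakura's frame bits, so a leaf
    can no longer impersonate an inner node."""
    return _tree([h(b"\x00" + c) for c in chunks(data)],
                 lambda l, r: h(b"\x01" + l + r))


def second_preimage_for_naive(data: bytes) -> bytes:
    """For a two-chunk file, the 64-byte file made of its two leaf hashes has
    the same naive root: it is a single leaf, hashed once, which equals the
    original's inner node. Its length differs, which is the only thing a
    size-carrying torrent or URL has left to distinguish them."""
    c = chunks(data)
    if len(c) != 2:
        raise ValueError("demo is written for a two-chunk file")
    return h(c[0]) + h(c[1])


FILE_A = bytes(range(256)) * 8           # constructed 2048-byte file, two chunks
FILE_B = second_preimage_for_naive(FILE_A)

if __name__ == "__main__":
    print("naive roots collide:", naive_root(FILE_A) == naive_root(FILE_B))
    print("sizes differ:", len(FILE_A), len(FILE_B))
    print("separated roots collide:", separated_root(FILE_A) == separated_root(FILE_B))
```

Once leaves and nodes are domain-separated the root alone commits to the tree shape, which is why the comment notes the size could then be dropped from the torrent file or URL.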