Gay marriages need to be legalized everywhere...

aviewanew · 1 month

I'm @tjr on #cryptodotis, one of the other main participants. I don't want to go so far as to say they're scammers, but I will publicly go "Huh guys? Why not talk to us about this first"

I'm not sure how up to date this is (I think we've had a donation or two, and I'm no sure what money is actually cashed out and accessible and not in bitcoin/weepay), but here's our finances: https://public.sheet.zoho.com/public/sirvaliance/the-crypto-project-balance-sheet

We haven't really discussed this yet, but I expect that if we have the $ for a year's worth of expenses available (a year's worth of runway), excess would be used to run more services: tor, notaries, and/or remailers. Maybe a Tahoe Grid, but that one's tricky.

Thanks for everyone's interest though, the upvotes are very encouraging! Hopefully any donations made eventually wind up supporting us =)

danukeru · 1 month

This.

More info and supporting references: http://comments.gmane.org/gmane.network.tor.devel/724

sirin3 · 2 months

010 Editor. Not open source, but very good, and the best editor I've seen for opening large files (gigabyte size).

wtfomglolz · 2 months

Thats me! If you have questions, feel free to ask and I'll get back to you in some indeterminate amount of time. (Probably quickly, but I'm heading on holiday soon, so no guarantees.)

jkthecjer · 2 months

Awesome, good writeup. You should look at the recent stuff on GOST - Adi Shamir explained it in a lecture at MIT a bit ago I sat in on, and it was pretty easy to follow. It was one of those cases where a guy looked at GOST and was like, well... what if I do a slide attack, and then everyone went "Oh, duh!" and lots of cryptanalysis followed. It's a good practical demonstration of Slide Attacks that's not too hard to follow.

memechaser · 2 months

I heard a mention somewhere on a list that google uses RC4 for most of it's stuff because some of its cryptographers had mad feelings about CBC mode prior to BEAST being announced. (Maybe they switched in that pre-public-notice phase, but I'm not sure.)

aviewanew · 2 months

And to finish off the detective work: They copied the middle three lines and pasted them repetitively to fill up the whole page, and updated the date created to be more recent. Thanks!

aviewanew · 2 months

I briefly thought about typing this in so I could discover what email address they used to generate it... but no.

aviewanew · 2 months

ElGamal is another public key cryptosystem, similar to RSA, but with different math. But it's not too difficult to follow. Here's my attempt at explaining it.

jjhare · 3 months

I'm in NYC and never heard of this guy. Is he actually infosec? Or just another talking head who helps you 'secure' your organization with a bunch of interviews and never actually looking at a computer?

vampiricrogu3 · 5 months

If you want help setting up a notary or complaining about it's problems, we've got come experience: OFTC #cryptodotis

perciva · 5 months

Geez that's subtle. I'm wrapping my mind around it, because he didn't clarify. Here's my attempt.

Don't load the Google Analytics javascript when your site is accessed via HTTPS.

In other words, only load it over HTTP.

So, if your site only processes sensitive data over HTTPS - this protects you because if someone targeted ssl.google-analytics.com for middling they lose a foothold into your site. It doesn't protect you if they targeted you or any other 3rd party library you use.
If your site processes sensitive data over HTTP - this would let them still automatically middle your traffic and tamper it - but they'd be able to target you specifically even without GA because it's HTTP. It does make it more automatic-easy for them them.
If your site doesn't process sensitive data, but is still HTTPS-only - this protects users from other auto-inserted shenanigans (browser exploits, or a more esoteric attack like cross site printing).
If your site doesn't process sensitive data, but is partly/all HTTP - they would be able to deploy a mass-targeted shenanigan attack against your site, but again - they'd be able to do that do matter what because it's HTTP.

Or, and I haven't tested this or know if it works, you could come up with some hackish proxy system where you get the GA code on your server and pass it down, in which case no connection is made to ssl.google-analytics.com by the client. It may not work though - google might have javascript to check for this in the GA code, and while it is possible to rewrite the javascript on the server - defeating google's obfuscation and updates is probably not practical.

Also As far as I know, the list of certs targeted has not been fully revealed. Torproject was able to get some information. It's possible ssl.google-analytics.com was targeted.

MoshingPanda · 5 months

http://images.icanhascheezburger.com/completestore/2009/3/24/128823733865799914.jpg

MoshingPanda · 5 months

Open image.

Close image.

Wait a minute.

Open Image again.

Action figure is right... Keyboard is possible... Monitor stand is right... Desktop decorations are unknown. Time to check username!

Yup.

Hey Beef.

laketrash · 6 months

Article.

lachiemx · 7 months

I've looked at a lot of these, even broken one when I had the time. I don't really like them.

BUT, for something I don't like and wouldn't use, this is one of the better ones. Couldn't find a reasonable flaw in the 5 minutes before my shower. I'll put a nickle on not using Ephemeral SSL keys though. =P

Since you seem to be a good developer, with a good sense of UI, what I'd really like to see, that'd get a lot more use, is a similar page but had a ton of algorithms, and showed the intermediate states as the encryption/decryption occurs, with test vectors. That'd be an interesting learning tool. I still haven't played with it much, but it might be something like an online http://www.cryptool.org/

sayhar · 7 months

Anything's possible, but I'll tell weev tonight someone's speculating he's part of lulzsec. =P

isisgrimalkin · 7 months

So - yea, GPU factoring can speed things up. And msieve has GPU support for Polynomial Selection. But the problem is the rest of the tools. Writing your own siever or linear algebra-doing app would be super hard, like Doctoral Thesis-level hard, or harder. You'd have to implement Lanczos (which has a public implementation) or Wiedemann (which doesn't to my knowledge) which are themselves super-complicated. I've been told annecdotely that the author of the main implementation of Lanczos used (msieve) doesn't even understand how it works, he just gets it enough to implement it. And then you're getting into issues of fitting the whole thing in memory and whether or not the GPU efficiencies (doing the same operation N times in parallel) work with those algorithms. I like to hand-wave at things like this and say "The NSA has done it (or should have done it) but unless and until someone pays a half-dozen Math/CS PhD's for a couple years just for shits and giggles..."

isisgrimalkin · 7 months

That's not that lucky - the Linear Algebra takes ~22 hours, the Sieving, which is sped up by a good polynomial, takes only a couple and the rest of my 36 hours was a couple for poly selection, a couple for data transfer, and a couple leeway/whatever. Sieving can be parrallelized to 30 minutes in a local network really. I actually have a presentation about this - poly selection, sieving, and in general distributing any application easily over hundreds/thousands of machines - hoping it gets accepted at #days or ekoparty.

isisgrimalkin · 7 months

It's not a matter of 'getting lucky' - the GNFS is a 3-step process that you have to run to completion. I can factor a 512-bit key in ~36 hours (and have), but I'll never 'get lucky' and get it in 12 hours.

Trying to factor anything higher than... 300 bits or so without the GNFS won't work. I mean yea in theory you could 'get lucky' with trial division, but the odds are astronomically small.

aviewanew

TROPHY CASE

you'll need to login or register to do that

create a new account

login