Blogger blogs are not indexed by search engines, to protect the privacy of the amateur suburban blogger.
Despite apprehensions, 65535sec is moving to www.65535sec.wordpress.com, so that the content will be indexed by the various search engines.
Tuesday, April 9, 2013
Usage based billing increases lock-in.
In Cloud-type data assurance, it can be vital to maintain an offline processing capability, for general purpose computing. To facilitate this, Operating System providers make redistributable updates available. We can still get service pack redistributables for Win 7, and offline Java etc. But with the advent of Windows 8, Microsoft can saddle you with a computer that won't boot, if you do not have online access.
In fact, with updatable EULAs, the Windows 8 OS could be changed to require payment of a (nominal) monthly subscription fee.
Meanwhile, the mad rush to the Cloud is leading laymen to forget that they can also be charged by the bit for internet access. As an end user, one might neither be able to access his work product data, nor back it up, without fee based bandwidth services.
Linux makes package managers, but offline installers would be a significant addition, so "maverick installs" are not the only choice, for offline applications.
Would a virtual router have advantages over a hardware router?
In 2010, I used a Cisco EA2700 router behind an AT&T gateway, with the remote update turned off, and MAC address filtering for only three devices, two general purpose computing "towers," and an iPod.
While using this implementation, I began to theorize a Virtual environment, where a virtual router controls access to other (possibly even "virtual") machines. I speculated that this would make penetration harder, by specifying the (updatable) MAC address of the virtual router as the only device authorized to pass traffic to the WAN, at the hardware router. Admins could still telnet in, to manage the virtual router, using the IP address and password, (such as managing whitelists and blacklists.) One could also specify MAC address filtering within the virtual environment. It's obligatory to suggest that the virtual router is a different firmware model than the physical router.
This might compare or contrast to a Bluetooth type pairing and bonding protocol.
I think it actually improves things.
RSA certificates need not auto-authorize
We are all familiar with the message-box "Always trust s/w from NVIDIA/Microsoft/Big Name." We click on these with confidence, because DNSsec (officially required since June 2010,) is remarkably secure in employing RSA certificates in ways that are difficult to counterfeit.
However, large corporations are not the only entities empowered to install "trusted" code. In fact browsers, such as Firefox, Chrome, and Internet Explorer, maintain a list of trusted certificates, any one of which will suffice to install certified code on any Windows PC, unattended. The pop-up box is obligatory, not intrinsically required.
Conscientious programmers have noted that whenever a browser is updated, manually entered exclusions, (such as "No Malaysian RSA authorized software at all,") are clobbered, or over-written.
One solution to this, for security obligated employers, is to employ Open Source's freedom to modify, to insert a pop-up alert, or "nag," EVERY time any RSA cert is invoked.
The purpose of such an alert, would be to denote that ANY software was installing unattended. Every virus writer drools over the idea, and nation-states that promote A.P.T.'s or turn a blind eye to abuse, are very capable of compromising their own RSA certificate(s,) for nefarious purposes. As with Hitchcock's classic "Strangers on a Train," the bad actors need not incriminate themselves, if they are appropriately sophisticated.
Despite the allure of this solution, it requires some understanding of Certificates, on the part of the end user. It used to be commonplace, for a legitimate Certificate to be flagged for error, due to date/time stamp inaccuracies in the BIOS of the end user's machine.
How many decimal digits are there in 2^(d)?
log x = y, such that 10^(y) = x.
By algebra, 2^d = 10^(d * log(2)), that is, (d * log(2)) digits.
By experimentation, 2^d has (d * log(2)) + 1 digits.
Sunday, March 31, 2013
A simple model to explain the Diffie-Hellman Key Exchange
The Diffie-Hellman key exchange was a revolutionary application of integer arithmetic, to exchange encryption keys, in real time, without pre-arrangement.
Since the mathematics is a little esoteric, it's sometimes easier to employ the following illustration.
Bob and Alice have a wooden chest with a large hasp to lock it. Bob has a red combination lock. Alice has a green combination lock.
In the study, Bob writes the password on a small note, and locks it in the chest, with his red combination lock. He then asks or allows Eve, to transport the chest to Alice.
Alice cannot open Bob's lock, but by request, she locks the hasp in a second way, using her own green combination lock. She then duly asks Eve to tote the chest back to Bob.
Bob in his turn unlocks his RED lock, and Eve makes one final trip, back to Alice with only one lock on the chest: Alice's GREEN lock.
Since Alice knows the combination of her own lock, she is at liberty to request privacy from Eve, and in seclusion open the chest to reveal the newly agreed password.
When done in mathematics, the password is not decided by either party, but results from changes made during the process. Nonetheless, the exchange is analogous to the illustration above, and almost anyone can see that it is possible.
RSA public key encryption is analogous to Bob handing Alice his open, red lock. Alice never knows how to open it, and she cannot accept random red locks - she must ensure that it is Bob's lock she receives.
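The exchange above carried through in numbers, as an added example that is not part of the original post. It goes one step beyond the text: the chest with two locks corresponds to a three-pass exchange with commuting locks (modular exponentiation), shown here beside Diffie-Hellman itself, where the key results from both parties' private values. The prime, the base and all function names are assumptions chosen for the demo and are far too small for real use.

```python
import secrets
from math import gcd

# Constructed demo parameters (assumptions, not from the post). 2**127 - 1 is
# prime, but far too small and too structured for real use.
P = 2**127 - 1
G = 3  # demo base; not checked to be a generator


def dh_keypair():
    """Return (private exponent, public value G^private mod P)."""
    priv = secrets.randbelow(P - 3) + 2          # in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared(my_priv, peer_pub):
    """Each side raises the other's public value to its own private exponent."""
    return pow(peer_pub, my_priv, P)


def dh_exchange():
    """Run one Diffie-Hellman exchange; return both keys and what Eve saw."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub), (a_pub, b_pub)


def make_lock():
    """A 'combination lock': exponent e and its inverse d modulo P-1."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)          # needs Python 3.8+


def three_pass(secret):
    """The chest story: lock, double-lock, unlock, unlock. 0 < secret < P."""
    if not 0 < secret < P:
        raise ValueError("secret must fit below the modulus")
    red_on, red_off = make_lock()                # Bob's red lock
    green_on, green_off = make_lock()            # Alice's green lock
    trip1 = pow(secret, red_on, P)               # Eve carries: red lock on
    trip2 = pow(trip1, green_on, P)              # Eve carries: red and green
    trip3 = pow(trip2, red_off, P)               # Eve carries: green only
    opened = pow(trip3, green_off, P)            # Alice opens in private
    return opened, (trip1, trip2, trip3)


if __name__ == "__main__":
    ka, kb, seen = dh_exchange()
    print("DH keys match:", ka == kb)
    note = int.from_bytes(b"swordfish", "big")   # constructed sample password
    opened, carried = three_pass(note)
    print("note recovered:", opened.to_bytes(9, "big"))
```

The locks can be removed in any order because exponentiation modulo a prime commutes, which is the property the chest and its hasp stand in for.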
What's a good list of encryption algorithms?
Pre-Computing
Caesar Shift
Playfair
Rail Fence Cipher
Beale Ciphers
Vigenere
Old (Obsolete)
RC4
WEP
DES
3DES
Hill
Vigenere
Standard
AES (US) [Rijndael]
Serpent (Israel)
GOST (Russia)
IDEA (Europe)
WPA2
New (not mathematically "well investigated")
Twofish
Blowfish
Phelix
Safer
Digital Vigenere
FROG
DEAL
RC6
Hash Algorithm names:
Old
md5
SHA1
New
SHA512
Whirlpool
RipeMD
Skein
Encryption primer
WinRar can span compressed files over DVD's or even BluRay discs.
The Zip utility is limited to 2GB datafiles.
If it should become necessary to transport large datafiles, in excess of 5 GB from place to place geographically, my solution is to build a Truecrypt container of adequate size, and WinRar compress the data, spanned across volumes of the relevant size.
For example, I stored an encrypted backup copy of my 14GB iPod ripped library, by compressing it, spanned across 699MB files. I then generated a 700MB Truecrypt container, mounted it, and filled it with the first data set. I unmounted the container, and burned the entire thing to a CD. I then formatted the Truecrypt container, and copied the next batch. I repeated this process, CD by CD, until the entire collection was burned encrypted, all with the same password.
To expand it, it was necessary to copy the contents of every CD into a single directory, and mount each, copying the contents into yet another directory or folder.
The final step was to employ a rar expander, (these are available free, fast and reliable, courtesy of a now ailing pornography industry,) to unrar the entire thing back into my Music library.
I gained a useful degree of experience from the process, merely from manipulating such a large batch of data.
It is possible to employ the same process for 4.3GB DVD's or 25GB BD-R's (maybe video footage backups, for a Hollywood "Datawrangler?")
[Please do not suppose that Truecrypt is the single term jargon mastery, of a charlatan. It is an industry giant in encryption.]
Truecrypt password vectors can be approximated.
When building multiple Truecrypt containers, the utility provides for the user to generate entropy (randomness) data to fill a buffer exactly one time. This is done by tracing the movements of a mouse, and using the x,y coordinates to populate the buffer in question.
It may be observed that the check box to hide the header key is located at the same part of the window every time, and this is an early destination for the user's mouse. If an intruder were to attempt to log mouse data in the same way that a key-logger logs keyboard input, it would be possible to approximate the password vector by doing some arduous data crunching.
A defeat for this is to ensure that early in the process, one employs an alt-click, or a control-click. Shift-click is yet another variation, or some combination of these. Because it would be difficult to know the time between each, with respect to the logged key strokes, this would obfuscate the password vector proportionately to the difference in a rocket trajectory when modified at low altitude, versus high altitude.
I expect that despite the fact that the entropy buffer is filled only once, even when building multiple containers, the differences in the passwords result in such changes that it does not compromise the quality of the encryption, if only the user devotes adequate time to entering randomness; a terabyte drive calls for far more random data than a 20MB email attachment.
How do you satisfactorily erase flash media?
Erasing magnetic media has been investigated in detail, with 3-pass, 7-pass and 35-pass methods developed.
However, a solid state drive, an SD card or a thumb drive represent flash media that do not readily rewrite every bit, when formatted.
A simple strategy to employ, would be to format the drive as a Truecrypt whole drive partition. However, upon completing the format, one need not use the encrypted area. Simply mount it and format it (a requirement,) and then unmount the drive and quick format it for NTFS or FAT32, using the operating system utility.
How big is RSA keyspace?
The probability that a randomly chosen 30 digit number will be prime, is 1 / (30 * ln(30))
If you multiply that number by 10^30, you have an approximation of the raw bulk of prime numbers exactly 30 digits long.
RSA 1024 is near 310 digits, so the largest prime factor would be 155 digits long. The number of 155 digit keys alone would be 1 / (155 ln(155)) * 10^155. To estimate all possible keys, it would be necessary to repeat that calculation for 154, 153 etc, and add them all in an accumulator.
Key selection algorithms vary, and each implementation may have its own method of ensuring well chosen keys.
Antivirus gambit - hash code identifiers
Some viruses employ names of extant (already installed) programs to hide their existence. A virus might name itself "notepad.exe," for example.
Windows employs hashes to verify the user passwords, and these hashes can be "scooped," or copied, for brute force analysis elsewhere. Thus there is no "magic" in hashes.
Nonetheless, if every executable program were required to submit a hash of its code and install date (even a simple md5,) then the OS or an antivirus program could take a moment every time any program is called, and run an md5 hash of it for comparison against the maintained list of such hashes.
It is not possible to require installation for every program. A VB or C++ program written ad hoc would not be required to call the MSI (Microsoft Installer.) However, standardized programs would have a standard hash value, and a compiler or IDE could have a routine to authorize developmental code, within the developer's OS, until such time as it was released.
While an end user who received such a program might consider it an imposition to click on an alert to authorize it every time, this construct provides another line of defense against the program that executes WITHOUT the end user's KNOWLEDGE or APPROVAL.
This idea cannot be called "ready for prime time," but it serves as food for thought to security conscious developers and theorists.
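One way to sketch the check this post describes, as an added example rather than code from the original: programs are registered with a hash and install date, and every launch is compared against that list, so a file that borrows the name "notepad.exe" is caught and an ad hoc program falls through to a user prompt. SHA-256 stands in for the md5 mentioned above because MD5 collisions are practical; the file names, contents, install date and manifest layout are constructed for the demo.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's bytes, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def register(manifest, path, install_date):
    """Installer step: record digest -> program name and install date."""
    manifest[file_digest(path)] = {
        "name": os.path.basename(path).lower(),
        "installed": install_date,
    }


def check_before_run(manifest, path):
    """Launch-time step: decide what to do with a program about to execute."""
    if file_digest(path) in manifest:
        return "allow"                       # code matches a registered program
    name = os.path.basename(path).lower()
    if any(rec["name"] == name for rec in manifest.values()):
        return "block"                       # registered name, unregistered code
    return "ask-user"                        # ad hoc program: needs approval


def demo():
    """Build constructed sample files and return the verdict for each."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        tmpdir = os.path.join(root, "temp")
        os.makedirs(sysdir)
        os.makedirs(tmpdir)
        samples = {
            "genuine": (os.path.join(sysdir, "notepad.exe"), b"MZ genuine editor"),
            "impostor": (os.path.join(tmpdir, "notepad.exe"), b"MZ something else"),
            "adhoc": (os.path.join(tmpdir, "mytool.exe"), b"MZ developer build"),
        }
        for path, body in samples.values():
            with open(path, "wb") as f:
                f.write(body)

        manifest = {}
        register(manifest, samples["genuine"][0], "2013-04-09")
        verdicts = {k: check_before_run(manifest, p) for k, (p, _) in samples.items()}

        # A registered file that is modified after install no longer matches.
        with open(samples["genuine"][0], "ab") as f:
            f.write(b" patched in place")
        verdicts["modified"] = check_before_run(manifest, samples["genuine"][0])
        return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The manifest itself has to be protected from the programs it judges, otherwise the impostor simply registers itself.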
Flushing DNS used to burden an A.P.T., with IP addressing changes.
If an A.P.T. is monitoring the traffic from an IP address, a temporary strategy to confuse the intruders, would be to request local DNS to reassign every IP in the area.
The DOS command file cmd.exe, used to have just such a command.
IPCONFIG /DNSFLUSH used to perform a 15 minute reassignment of IP addresses. Now it clears local browser cache of DNS data.
This is adverse to network security overall.
RFID chips can improve secure dongles.
Honda autos use a key that is hard to counterfeit, but further impede duplication by embedding an RFID tag in the handle.
Now there are thumb drives that implement such an algorithm.
If used as a dongle, this drive could store a password protected boot key. If the dongle is "something you have," but the password is maintainable, and becomes "something you know," this would become a two-factor authentication tool, for security sensitive computing devices.
Novel CAPTCHA use?
By their nature, CAPTCHA interfaces require human intervention. As such, it would be impossible to automate the roll-out of a root password CAPTCHA in a Windows update.
However, in a Unix/Linux OS shop, if the network admin employed open source access, to introduce a CAPTCHA for root (install/update) authority, it would become impossible to automate the installation of unauthorized software.
This benefits a secure environment, not large networks where unattended installs are a necessity.
Whitelists and Blacklists are not mutually exclusive.
If I had a mail room, and I specified that my division would accept mail only from the Malaysia division and the Philippines division, I could still blacklist all janitorial staff at the sending divisions, as well as specify that accounting department may only receive mail from third floor in Malaysia.
Additionally, I can specify that Programming staff may not use the 7th floor color copier, but that the programming dept. network admin can authorize exceptions.
Wikipedia:
Whitelist
Blacklist
Internet Infrastructure improvement?
Redundancy is good in Aircraft safety, Dictionaries and Encyclopedias. What about internet connectivity?
I learned in an old "Learning Channel" video, that the U.S. Pentagon can be topologically represented as a graph, by stacking three geometric pentagon shapes, one on top of the other, and connecting the corners with vertical rods. However, the construction is assisted, by a spoke system that connects the middle floor to a single, central node. As such, it is possible to calculate a max trip time for walking from ANY office to ANY OTHER office.
The construction is also very redundant.
In terms of redundancy and resilience, how could the US fiber optic backbone be made to (topologically) look like that? Fiber is high bandwidth volume, so the incentive for redundancy is against profitability. However, DARPA net was conceived to withstand an atomic blast (the curvature of the earth makes this possible, even if a nuclear associated EM pulse destroyed many computers.)
Likewise, connectivity of the seven continents (Antarctica might be superfluous or central,) could be reinforced by some (creatively implemented,) seven sided diagram.
Many businessmen hate redundancy, because it wastes labor in duplication. Waste is bad for profits.
Google Alerts go stale in Three (3) Days!
I take Google alerts. In October of last year, I discovered a deficiency in the process.
To get a more balanced view of a two week old story I was reading, I clicked the "see all stories on this topic" link. By experimentation (I had two alerts from Oct 29, as well as one alert each, from Oct 30 and Oct 31,) I am able to discover with some confidence that news stories more than 2 days old are no longer linked.
I haven't thought of an ordinary reason for this, but whether or no, it's a good idea to know that context (for old stories) might not be available.
Washington Post and Reuters make it a practice to withdraw links over 10 days old, in order to monetize queries.
Interactive Voice Recognition on Youtube?
I recorded a (secular, but funny) joke, and named it "God Will Provide." The text I used to post to G+ was, "An old joke, my twist on the telling." The description, as seen on youtube was "Wherein God doesn't help those who don't help themselves."
I wasn't satisfied, so I edited the text, to read: "Wherein God helps those as helps themselves."
These are the only texts that could have been associated with the joke.
When I viewed the video, youtube added a list of related videos. The related videos are about a wedding balloon crash, and an explosion sending a soldier flying.
http://www.youtube.com/watch?feature=player_detailpage&v=jNi1iR8OR2k
http://www.youtube.com/watch?v=NyEL8UhgQ_c
http://www.youtube.com/watch?
Other links (to two "Common Room" web site links) related to known interests.
I don't write violent things. Violence is not a known interest of mine. This isn't a gay come on to a forlorn bachelor.
I suspect that the chances are, that the server was IVR'ing the words of the joke! What are the chances of this mix of results!?
Newspaper publishing v Academic publishing
Null credentials = caveat emptor
Open Source = Intellectual freedom + Remuneration when possible