
Pushing the boundaries of cryptography in a security vulnerability report


A security vulnerability report arrived that implied that the finder had made an earth-shattering breakthrough in cryptography. Specifically, the finder claimed to have found an efficient way to factor the large numbers used in RSA cryptography.

This would be a remarkable breakthrough if true, but the description of the algorithm, while mathematically correct (and I bothered to read through it all and understand it), didn't actually produce an efficient algorithm. It boiled down to trying to find a collision among a population whose size is proportional to the smaller factor, with an additional optimization to reduce the amount of calculation to the square root of the population space. (I believe it was this additional optimization that the finder considered to be the groundbreaking discovery.)

Now, a geometric reduction in complexity is a great thing, but it's minuscule compared to exponential growth.

In 2013, Web browsers required a minimum of RSA-2048, which means that the collision space is around 2¹⁰²⁴, and the birthday paradox tells us that you'll need to generate around 2⁵¹² items to have a 50% chance of finding a collision. Applying the groundbreaking discovery reduces the number of items to 2²⁵⁶.

This is even worse than enumerating all the GUIDs. At least there are only 2¹²⁸ of those.

This algorithm for factoring an RSA-2048 number would require storing 2²⁵⁶ values. That's the square of the number of GUIDs.

We calculated earlier that storing all the GUIDs on SSDs would require 100 earth-sized planets. Storing all the values required for this algorithm to factor an RSA-2048 number would require, um, a lot more than that.

Current upper estimates for the mass of the Milky Way put it at 4.5 × 10¹² solar masses, or (rounding up) 10¹⁹ earth masses. If we need 100 earth masses to store 2¹²⁸ 128-bit values, then storing 2²⁵⁶ 1024-bit values will require around 2¹³² × 100 ≅ 10⁴¹ earth masses ≅ 10²² Milky Way-sized galaxies.

This seems impractical.

The finder, however, disagreed with our analysis and insisted that their trial runs with smaller values indicated that the running time was linear in the exponent. "I was able to factor numbers up to 64 bits in size, with the largest taking less than a second."

We decided to take a tip from a number theorist who had to deal with factorization algorithms submitted by crackpots and suggested to the finder that they use their advanced algorithm to factor one of the root signing certificates.

The finder replied back, "I know what you're trying to do, but I'm telling you that I cannot run the algorithm on numbers that large on my laptop. But you can certainly run it on one of your more powerful computers. I have demonstrated that the algorithm is linear in the key length, and my personal lack of access to supercomputers does not invalidate that fact. I have contacted the media about this discovery, but fortunately for you, they don't seem to be interested, which gives you more time to address the problem."

If the algorithm were truly linear in the exponent, then going from 64-bit numbers to 2048-bit numbers would take only 32 times as long. The 1-second run time would increase to just 32 seconds. So let it run for a minute. Five minutes just to be sure. Your laptop can certainly handle that.

But instead of replying, we decided to disengage. Never wrestle with a pig. You get dirty, and the pig likes it.
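The scaling argument above, as an added example that is not from the original post: Pollard's rho, a textbook collision-based factoring method, stands in for the finder's algorithm (which the post does not give) and is run on constructed semiprimes so the step count can be compared across key sizes. The two helper functions contrast the 32× slowdown a linear algorithm would imply with the slowdown implied by the post's 2²⁵⁶ item count for RSA-2048; reading that figure as "work doubles every 8 key bits" is an assumption of this example.

```python
from math import gcd, log2

def rho_factor(n):
    """Pollard's rho with Floyd cycle detection. Returns (factor, steps)."""
    steps = 0
    for c in range(1, 20):            # on failure, retry with x^2 + c for the next c
        x = y = 2
        while True:
            x = (x * x + c) % n       # tortoise advances one step
            y = (y * y + c) % n       # hare advances two steps
            y = (y * y + c) % n
            steps += 1
            d = gcd(abs(x - y), n)
            if d == n:                # collision modulo both factors at once
                break
            if d > 1:
                return d, steps
    raise ValueError("no factor found")

# Constructed inputs: products of two Mersenne primes 2^a - 1 and 2^b - 1.
MERSENNE_EXPONENTS = [(13, 17), (17, 19), (19, 31), (31, 61)]

def measure():
    """Factor each constructed semiprime; return [(bit length of n, steps)]."""
    rows = []
    for a, b in MERSENNE_EXPONENTS:
        n = (2**a - 1) * (2**b - 1)
        d, steps = rho_factor(n)
        if n % d != 0 or not 1 < d < n:
            raise AssertionError("bad factor")
        rows.append((n.bit_length(), steps))
    return rows

def linear_slowdown(small_bits, big_bits):
    """Slowdown predicted if running time were linear in key length."""
    return big_bits / small_bits

def collision_slowdown_log2(small_bits, big_bits, bits_per_doubling):
    """log2 of the slowdown if work doubles every bits_per_doubling key bits."""
    return (big_bits - small_bits) / bits_per_doubling

if __name__ == "__main__":
    for bits, steps in measure():
        print(f"{bits:3d}-bit modulus: {steps:7d} steps (about 2^{log2(steps):.1f})")
    print("linear claim, 64 -> 2048 bits:", linear_slowdown(64, 2048), "x")
    # Assumption: 8 bits per doubling, read off the post's 2^256 items for RSA-2048.
    print("collision search: 2^%d x" % collision_slowdown_log2(64, 2048, 8))
```

Every modulus in the list factors quickly on a laptop, which is why timings on small inputs say nothing about RSA-2048.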


Private Lives in a Public Era


Writer Ella Dawson posted a piece on her blog (subsequently posted to Vox) entitled “We Are All Public Figures Now,” in which she tackles what she sees as the erosion of personal privacy due to social media and other factors, and what she thinks it all means. It’s an interesting read and I recommend it, and also, I agree with much of it, in spirit, if not in the letter of the law.

More specifically, relating to the letter of the law, “public figure” means a specific thing here in the US, and in fact most people aren’t one, even if you have a Twitter or Facebook or other social media feed. It takes a reasonable amount of effort to become one (although if you want a shortcut, get elected to something). There is such a thing as a “limited public figure,” which essentially carves out a slice of your life for which you can be held up for public comment and scrutiny. But even then, that’s not most people. It takes some work in the US not to be a private individual, and I suspect most people don’t want to make that effort. So from a strictly legal, New York Times Co. v. Sullivan point of view, no, we’re not all public figures, nor are we likely to be found so.

But it is absolutely true that these days, far more of our daily activity is able to be made public, through use of phones, cameras, social media and other tools. Words or activity that would previously be confined to a select few — and would be expected to be private — can now be transmitted to a much wider audience, very quickly. This includes words and actions you might have reasonably expected would not be in the purview of the public at all.

For example, the instigating action of Dawson’s piece, in which a passenger on a plane livetweeted an apparent “meet cute” between two other passengers in the row in front of her. The livetweeter, among other things, illustrated the tweeting with photos (with faces scrubbed but even so), noted the two people being tweeted about had active social media accounts, and did other things to make it easy (or easier) for the people following the livetweeting to suss out who these two people might be — and indeed, they were found online — at which point the Internet does what it does, for good and ill, and then it came for the original livetweeter.

None of these people, it should be noted, are public individuals — the meet cute couple certainly not, but also not the livetweeter, even if they later admitted hoping to get a writing gig (being a writer also doesn’t automatically make you a public figure). And also, the couple chatting away at each other almost certainly did not expect to have their private conversation documented by someone else, particularly in a way that made it possible for their identities to be discovered by total strangers. Now, you can argue whether or not a commercial plane qualifies as a public or private space, and we’d be here all day about that, but I think it’s reasonable to say that the two people chatting with each other believed their discussion would not leave the confines of their airline row. Thanks to this, neither of the two of them will likely think that again.

And the question (or a question, anyway) is where the proper line should be for things like this. If the livetweeter had posted the rundown of their discussion, but without pictures or identifying details, would that have been kosher? If the couple had been excessively loud, so that anyone in the surrounding rows could have heard them, would they have been fair game? If one or the other had been making an ass of themselves, would, say, pictures, be back on the table? Is there a hard and fast rule for what is acceptable to tweet about strangers on airplanes? Is it different if they’re in a cafe? Or at a political rally? Is it different if retelling is not livetweeted but is instead saved for a blog post or article at a later time?

This is all interesting for me for at least two semi-competing reasons. The first is that I am a writer; I do a lot of observing of other people and listening in public. Occasionally I’ve written about what I’ve seen or heard. I tend to be very expansive about what’s fair game to listen and look at in public and quasi-public spaces (i.e., if I can hear your conversation when I’m on the street or in a cafe or on an airplane without making an effort to, I’m not going to feel like it’s out of bounds to pay attention to what you’re saying, and maybe you should be quieter, my friends). But I’m equally aware that not everything I hear or see needs to be documented, commented on, or be offered up for public enjoyment on social media, not in the least because the people I’m observing are usually just leading their own private lives. My awareness of my own megaphone, and my responsibilities in using it, comes into play here. I have to make judgment calls about whether what I see is commentable, and how so, and when so. Whether you agree with those judgment calls will be your own decision to make.

The second is that I’ve been on the other end of this equation too: I’ve had my public whereabouts and whenabouts commented on in real time by people on social media, and not when I was doing something meant for public consumption, like a panel or tour event, but when I was just loitering about in an airport or a coffeeshop. And you know what? That’s a little weird. It doesn’t bother me, generally, and I’ve personally never been made to feel unsafe because of it, and sometimes it’s even nice. But on the other hand, what’s comfortable or acceptable for me is not necessarily so for anyone else in a similar position, and in any event I’m not sure it will do anyone on social media any good, least of all me, if someone takes a picture of me scratching my ass or picking my nose while I’m waiting at a boarding gate. I’d want people to exercise the same judgment as I try to have in a similar situation.

(And for the record, with that couple on the plane, in the same situation I probably wouldn’t have tweeted anything about them, or if I did, I suspect I would have kept it to a couple of non-specific tweets — but I might have stored away the meet cute scenario for later, if I ever get around to writing a contemporary romantic comedy, which, hey, I might, so there.)

With a lot of this, honestly, a little empathy goes a long way — remembering that other people have lives beyond their capacity to be tweet fodder or story material for you, and that for the most part they want to keep it private, and reasonably have that as an expectation. As should you, if the situation was reversed. What’s “public” is a lot wider now, but in the appropriate times and places, we can still extend the courtesy of privacy, or, if not that, then anonymity.


ArenaNet’s firings reinforced gaming culture’s worst impulses


Instead of de-escalating, the company poured gasoline on the problem


How a German datacenter blowing up led to a surprise graphics update for 13-year-old MMO Guild Wars


Guild Wars - the first Guild Wars, which came out in 2005 - is all of a sudden back in business - and it's down to the after hours work of just a couple of developers.

This week an update was pushed out to the 13-year-old massively multiplayer online role-playing game that added an impressive suite of new graphics options - much to the surprise and delight of the game's small but loyal community.

Graphics improvements included windowed fullscreen support, a new 8X MSAA anti-aliasing option, 16x Anisotropic filtering support for the existing "use best texture filtering" option, and, most impressive of all, a new "advanced" option checkbox, which was added to the graphics options panel.


Seattle’s JuneBaby Named Best New Restaurant at Beard Awards

Its chef, the first African-American to win that prize, and Gabrielle Hamilton of Prune lead a list that is long on women and minorities.


"Don’t talk to yourself in such a way that if you did so to a friend, it would end your..."

“Don’t talk to yourself in such a way that if you did so to a friend, it would end your friendship.

If you had a friend dealing with the same things, you wouldn’t berate that person, say, ‘You’re not working hard enough,’ ‘You suck,’ or ‘You’re not as good as [whomever].’ You’d offer your friend encouragement, you’d try to point out all the things your friend did right, and how much progress your friend had made.

You should do no less for yourself.

Be very careful how you talk to yourself. Because you are listening.”

- Pat Cadigan, author (via doctor-lewis)
3 public comments
skittone
1563 days ago
Huh.
jhamill
1563 days ago
I need to work on this.
California
Technicalleigh
1563 days ago
(struggles with this constantly)
SF Bay area, CA (formerly ATL)