**** BEGIN LOGGING AT Thu Mar 20 20:06:54 2014
Mar 20 20:06:54 hello :)
Mar 20 20:07:06 hi
Mar 20 20:08:05 I've further analyzed the high-level Cardano architecture and have some extremely confidential architectural information I would like to donate to you. You should not discuss it in public.
Mar 20 20:08:33 (it's not that it's insecure per se - you'll see in a sec)
Mar 20 20:08:36 telepathy?
Mar 20 20:08:54 No, it is the following fact/vector/etc inherent in the chosen architecture.
Mar 20 20:09:03 fire away
Mar 20 20:09:34 So, because it is going to be a USB device, for better or for worse there are standard USB devices that are usually installed silently and without much change or warning to the user. And so, suppose someone didn't trust you / Cardano:
Mar 20 20:10:05 if you had read the announcement on mp's site, you would know that the device emulates a standard usb hard drive.
Mar 20 20:10:14 this is not a secret.
Mar 20 20:10:42 then they could fear that after behaving normally for 6 months, 1 year, 2 years, 5 years, or once in a blue moon, when connecting, the Cardano will expose itself as a USB host, and on that virtual host emulates/adds both the normal Cardano device as well as a USB keyboard.
Mar 20 20:11:06 (or just a USB keyboard once in a blue moon instead of the normal Cardano device characteristics).
Mar 20 20:11:38 Now, a USB keyboard is usually installed and used without any further intervention from the user. It is silently added, because of a measure of implicit security trust between the user (who could type anything they want anyway) and the USB connection next to the user.
Mar 20 20:11:42 let's suppose a malicious 'cardano.' it could do 1000 things
Mar 20 20:11:47 such as, for instance, generating weak keys
Mar 20 20:11:53 wait a moment.
Mar 20 20:11:55 yes, that's true
Mar 20 20:12:04 or, as you described, 'rubber ducky'
Mar 20 20:12:06 but under normal circumstances the damage would be limited to misbehaving, being weak, etc.
Mar 20 20:12:12 (this is a commercial pentesting product you may be familiar with)
Mar 20 20:12:15 please let me finish :)
Mar 20 20:12:32 'evil keyboard' is old hat
Mar 20 20:12:42 presented at defcon '10 i believe.
Mar 20 20:13:01 So, because USB's are physically trusted and silently added, it can be added as a USB device that can then generate any input. It could then launch, as though it were the user, input meant to do something specific (such as recreate a programmed shell script, etc.)
Mar 20 20:13:30 as i said - this among 1000 things a malicious usb device could do.
Mar 20 20:13:54 The basic issue is that there is a trust model where the Operating Systems do not care about USB input devices, however the user would not think of the device as potentially compromising their PC.
Mar 20 20:13:54 there are also interesting attacks which involve the bus itself, or enumerating as a device for which a given os has buggy drivers, etc.
Mar 20 20:14:08 Yes, those are similar.
Mar 20 20:14:37 i should probably note here that (again this is not a secret) my day job consists of studying such matters.
Mar 20 20:14:38 But the difference between keyboard (or 'evil keyboard' as you put it) is 1) the Cardano is not actually physically a keyboard 2) nothing needs to be buggy. This is the explicit trust of the operating system when usb keyboards are added.
Mar 20 20:14:50 yes, this is, at this point, a classic attack.
Mar 20 20:14:58 demonstrated in public many times.
Mar 20 20:15:26 let me guess - you would like to ask - how does a given user know that his particular unit is not malicious in this, or the 999 other ways.
Mar 20 20:15:27 So in this case in what way can you not require that the user have to trust you completely, and explicitly?
Mar 20 20:15:36 No, not in this or 999 other ways.
Mar 20 20:15:57 Only in this particular way since I am not asking about exploiting some buffer overflow. This is if everything behaves explicitly by design.
Mar 20 20:16:05 including the operating system.
Mar 20 20:16:20 answer is simple, though i do not know if you will like it
Mar 20 20:16:31 it depends on the particular user's level of paranoia.
Mar 20 20:16:50 a user who does not trust me - or mp - or his post office - is faced with a choice
Mar 20 20:16:55 I don't think that's a very good answer for architectural decisions :)
Mar 20 20:17:15 the 'gold standard' is - he can actually construct his own cardano.
Mar 20 20:17:37 (literally. sufficient information will be published to make this possible)
Mar 20 20:18:33 if the user trusts my component supplier -and- s.nsa - but not his post office - he can verify the firmware checksum (signed with my personal key)
Mar 20 20:18:39 Yes. Point being is his own cardano could also become an attack vector if someone manages to reflash it. That is to say, the "worst thing that can happen" (risk mitigation) is no longer "the cardano divulges its key" or "the cardano loses its memory state and private key". Instead it's: "The previously secure PC becomes totally insecure because the Cardano is a vector that explicitly roots it through an architecturally accepted means."
Mar 20 20:19:20 That is quite a bit worse than if it had to be "through a buggy driver or 0-day" because those can be patched.
Mar 20 20:19:20 cardano is built in such a way that it cannot be re-flashed from the usb connector
Mar 20 20:19:40 but it is theoretically possible that a captured unit can be re-programmed to behave like some other device, certainly.
Mar 20 20:19:41 I mean in any way. If the chip were silently replaced by another that doesn't even have the cardano's signing information.
Mar 20 20:19:48 entirely possible
Mar 20 20:20:09 But it's not just possible - this is a mobile device that a user can take with him, while leaving his secure computer behind a faraday cage, for example.
Mar 20 20:20:12 it is also possible that the victim's keyboard, or entire pc, is replaced
Mar 20 20:20:20 or he himself is replaced with a double
Mar 20 20:20:21 etc
Mar 20 20:20:53 So if someone manages to nab it from him for 1 instant and replace it with a decoy, then under correct architecture the thing that happens is the attacker now has his physical Cardano, as well he sees that his decoy no longer functions. It no longer signs properly. Or he sees that it's not his.
Mar 20 20:21:14 the second he after "as well" is the victim
Mar 20 20:21:24 a malicious actor could certainly replace a cardano with a pseudo-cardano
Mar 20 20:21:42 disassembling the unit, extracting keys, and pulling switcheroo
Mar 20 20:21:54 Under correct architecture nabbing the Cardano and replacing with a decoy should result in: a) attacker has physical cardano. b) victim sees he no longer has it when he gets home, or it no longer works properly.
Mar 20 20:21:55 he could also simply walk away with the stolen device and use it as he wishes.
Mar 20 20:22:16 But under the present architecture, B becomes: "This can become an attack vector that roots a PC that had been totally secure"
Mar 20 20:22:52 So, the second point you mention "he could simply walk away with the stolen device and use it as he wishes" is a true vector as well. Have you considered any mitigation strategies by the way?
Mar 20 20:22:52 incidentally
Mar 20 20:23:10 anyone concerned with the 'rubber duck' attack (the common name for the pseudo-keyboard trick)
Mar 20 20:23:19 can carry out very simple countermeasures
Mar 20 20:23:30 my particular machine, for instance, does not enumerate usb keyboards.
Mar 20 20:23:37 it's a 1-line patch under linux
Mar 20 20:23:49 What happens when you add a USB host controller?
Mar 20 20:23:52 same thing
Mar 20 20:23:54 (such as a hub)
Mar 20 20:24:02 That is good, but requires a patch.
Mar 20 20:24:05 certainly.
Mar 20 20:24:14 You should probably suggest that patch explicitly (in the documentation and on your page).
Mar 20 20:24:27 If you suggest this patch it is one resolution to the architectural flaw.
Mar 20 20:24:27 it is common knowledge among those concerned with such matters
Mar 20 20:24:33 if you don't believe me, search.
Mar 20 20:24:48 I know. But it would improve your product architecture today.
Mar 20 20:25:02 likewise, resisting physical attack is a matter for the makers of safes, locks, alarms - not us.
Mar 20 20:25:17 cardano is explicitly not designed as a physically hard target
Mar 20 20:25:24 You've said the same thing about wifi leaking information about nearby circuits (not connected to the wifi module or explicitly going over the wire), including the CPU. That's hardly "common knowledge" :)
Mar 20 20:25:41 asciilifeform let's hold off on "B" for a moment.
Mar 20 20:25:53 it is common knowledge among those professionally concerned with actual security
Mar 20 20:25:53 (perhaps what you call physical attack)
Mar 20 20:26:03 physical attack - theft, substitution, fire, etc
Mar 20 20:26:49 If you include that as an explicit step in your instructions, before the Cardano is properly usable on a PC, it reduces by over 99% the attack surface the Cardano can mount through architecturally accepted means.
Mar 20 20:27:03 It does not require nearly the same level of trust in you.
Mar 20 20:27:13 include what?
Mar 20 20:29:44 Include a line stating: "IMPORTANT SECURITY NOTE: Before you can use a Cardano securely, you must include the following patch on Linux () Mac () and Windows () [j/k]. Following this step you will no longer have to trust the Cardano as a USB device that can behave in any other way other than as a mass storage device, for example by adding a keyboard which can type a script. This patch would also protect you against this vector should your Cardano be nabbed and replaced with a USB emulator, though in this scenario specific privilege escalation vectors might still exist on patched systems, as 0-days."
Mar 20 20:30:19 that text is generic, it's not very well-written but I mean something like that.
Mar 20 20:30:28 I would consider this architectural fix correct and acceptable.
Mar 20 20:30:29 i suppose i ought to explain something, though i was fairly certain that it is obvious. a prospective buyer who does not trust me, or, more importantly, MP, should not buy a cardano.
Mar 20 20:30:47 because there are numerous other dirty tricks that could be contained therein
Mar 20 20:31:02 that no amount of patching will protect against.
Mar 20 20:31:13 asciilifeform the point is to mitigate what happens if they do trust you but something bad happens. It's called attack mitigation.
Mar 20 20:31:18 security is not all or nothing.
Mar 20 20:31:33 the 'something bad' in this case is...
Mar 20 20:31:54 an enemy substitutes a faux-cardano? he could easily substitute any other usb appliance purchased by the victim
Mar 20 20:32:03 e.g. keyboard proper, mouse, thumb drive
Mar 20 20:32:11 Let me give you an example. I worked at a telecommunications company which did conferencing software. Their software had a huge hole. After registering, you were given the primary key of your account, and by simply changing it (for example you could just change to the account before), you could bill any amount of services to somebody else's account.
Mar 20 20:32:34 (asciilifeform yes, exactly. But after the patch "any other usb appliance" could only act as a mass storage device, nothing else.)
Mar 20 20:32:47 actually there are thumb drives with generic microcontrollers
Mar 20 20:32:52 The solution is, obviously, that the user MUST authenticate and receive a token associated with the authenticated account, to bill to that account.
Mar 20 20:32:54 that can be re-flashed and act as keyboard, etc.
Mar 20 20:32:57 yes
Mar 20 20:33:07 for that matter, an enemy can sell you a thumb drive with arbitrary electronics inside
Mar 20 20:33:09 but if the patch explicitly keeps USB drives from being enumerated, you've mitigated that vector.
Mar 20 20:33:11 yes
Mar 20 20:33:31 but if Linux will only mount a mass storage device but stops autoenumerating USB devices, you've mitigated it for all of the above that you've just mentioned.
Mar 20 20:33:35 so to get back to my example:
Mar 20 20:34:10 The solution is to receive a token associated with the authenticated account. And if you don't have another account's token, you can't just bill to them. This theoretically closes the loophole.
Mar 20 20:34:26 how does this relate to the matter at hand?
Mar 20 20:34:28 But we went farther, and at my suggestion users were no longer given their primary keys, but instead a hash salted with a secret.
Mar 20 20:34:47 This meant that a user could not register, and then automatically know another valid account (by decrementing, or waiting a while and incrementing.)
Mar 20 20:35:16 So that even if the vector remained, and some part allowed unauthenticated billing to an account just knowing that account number, you still didn't know anyone's account number except through an outside channel.
Mar 20 20:35:18 this is SOP in any online service where the author had half a brain
Mar 20 20:35:40 no great discovery, this.
Mar 20 20:35:47 But you see - it closes a vulnerability but also mitigates what would have happened if the vulnerability had remained open.
Mar 20 20:36:03 because even if authentication were NOT required, it would be very good mitigation if there is no way to guess active account ID's.
Mar 20 20:36:07 closing a vulnerability, by definition, mitigates 'what would have happened'
Mar 20 20:36:11 or do i misunderstand
Mar 20 20:36:17 Yes.
Mar 20 20:36:37 Because if you close the vulnerability, it can open back up. If you close it by requiring authentication, then it opens back up if there is any way to bypass authentication.
Mar 20 20:36:57 if you're willing to listen for a moment, i will explain my approach.
Mar 20 20:37:00 But if you BOTH close the vulnerability, and mitigate/reduce the fallout were it to reopen, then it would be stronger.
Mar 20 20:37:03 yes, okay.
Mar 20 20:37:10 when you go to a hardware store, you can buy, say, an electric saw
Mar 20 20:37:18 and it will come with a thick booklet of warnings of various kinds
Mar 20 20:37:25 about how to avoid detaching your fingers
Mar 20 20:37:50 but if you buy a saw from a 'professional' outlet which caters to construction contractors, it will come with no such thing
Mar 20 20:38:13 and will, in general, be a more powerful if dangerous instrument. because it presumes that the buyer is competent in operating a saw.
Mar 20 20:38:35 and knows all that there is to know about keeping his fingers attached while near a turning blade.
Mar 20 20:38:38 Yes, but it may well have a resettable circuit breaker inside instead, that trips if it's dropped in a bucket of paint.
Mar 20 20:38:49 it might very well have stronger protections in some senses.
Mar 20 20:38:52 it is not my intention to run an academy on computer security in general.
Mar 20 20:38:58 I agree with you.
Mar 20 20:39:10 Let me put it to you this way. What happens if the user doesn't trust you?
Mar 20 20:39:25 the buyer of the product (cardano) is presumed to be competent and aware of the intrinsic limitations.
Mar 20 20:39:27 Or, if you receive a competitor who copies your MO and produces something untrustworthy.
Mar 20 20:39:52 the user who does not trust me (or mp) - and why should he ? - can purchase a product from someone he does trust. or build his own.
Mar 20 20:39:59 The current architecture is as follows: "In theory you are giving us the easy ability to silently root 100% of unpatched Linux systems."
Mar 20 20:40:16 Yes, but it's a matter of degree. What are you asking them to trust you with?
Mar 20 20:40:34 btw the 'rubber duck silently roots' claim is exaggerated.
Mar 20 20:40:40 Most of the 999 scenarios you listed, you're asking them to trust that you won't try to escalate a 0-day USB driver bug on Debian to gain root access.
Mar 20 20:40:44 usb keyboard is a 1-way channel
Mar 20 20:40:54 This is true, yes.
Mar 20 20:41:06 which means, for instance, that it has no way of knowing that victim has just typed 'sudo bash' and that now is the time to inject 'rm -rf /', say
Mar 20 20:41:07 But most Linuxes have command combinations to do a variety of things such as dropping out of x briefly
Mar 20 20:41:13 Yes
Mar 20 20:41:17 mine doesn't
Mar 20 20:41:19 mp's doesn't
Mar 20 20:41:29 no one i know uses this kind of setup.
Mar 20 20:41:35 Are you sure?
Mar 20 20:41:39 quite.
Mar 20 20:41:46 because this is basic.
Mar 20 20:42:03 Are there standard USB devices that would make it two-way?
Mar 20 20:42:13 specifically keyboard?
Mar 20 20:42:14 nope.
Mar 20 20:42:18 No, not keyboard.
Mar 20 20:42:21 Any standard USB device.
Mar 20 20:42:34 (That would be mounted automatically and come with drivers on, say, Ubuntu and Debian.)
Mar 20 20:42:43 well, there are attacks which involve malformed packets, or enumerating as a device whose driver is buggy
Mar 20 20:42:49 which would allow the Cardano to learn what the screen or user is doing
Mar 20 20:42:52 but nothing involving standard usb commands.
Mar 20 20:43:24 There is no kind of USB peripheral that would expose any part of the current state of the user's PC (what is open, how the screen looks, what the user is typing on another keyboard, etc)?
Mar 20 20:43:31 incidentally, the standard usb 'device classes' are well-documented and you are invited to read the standards on your ow.
Mar 20 20:43:32 n
Mar 20 20:44:21 no standard usb peripheral, behaving as specified (that is, not relying on kernel bugginess) does this.
Mar 20 20:44:49 if you discover a counter-example, don't tell me! tell 'vupen.' or any one of 100 other outfits that will pay.
Mar 20 20:44:55 you could handily fund your operation this way.
Mar 20 20:45:29 I suppose it could do the following. If it is 4 AM it could try pressing enter once, then writing a small file to its mass storage device through one very short cat command and pressing enter. if it is written then it can write the rest of the script, otherwise it can press delete as many times as it has entered characters (including the enter)
Mar 20 20:45:53 by "if it is written" I mean "if the file is written". This would be a way it can learn if it is in bash.
Mar 20 20:46:16 As it undoes what it has just entered, in case it's in a text processor it can remove the attempt. If it is not in a text processor, not in bash, there is a good chance it would go undetected.
Mar 20 20:46:28 in bash & presently 'cd'd into the mounted volume?
Mar 20 20:46:44 doesn't the volume mount to a standard location?
Mar 20 20:46:54 again, not on my box
Mar 20 20:46:59 or any other educated person's
Mar 20 20:47:20 you need to understand who the intended audience is.
Mar 20 20:47:48 i.e. persons who have already familiarized themselves with state-of-the-art in 'hygiene', but are not satisfied.
Mar 20 20:48:29 if you type 'lsusb' can the Cardano tell it has just been typed?
Mar 20 20:48:33 also understand that neither i nor mp have any ability to prevent malefactors from distributing false cardanos
Mar 20 20:48:39 and to claim otherwise would be folly
Mar 20 20:48:56 it can type, at 4 am, lsusb-enter and then press delete 6 times if it did not just get polled.
Mar 20 20:49:15 this is a very VERY small hint that it has just done so.
Mar 20 20:49:20 if you would actually like to explore the subject, study linux kernel's usb stack.
Mar 20 20:49:36 but i have some time and will tell you the essential fact
Mar 20 20:49:42 I was just giving an example. I study the architecture at a higher level.
Mar 20 20:49:44 a usb device, when plugged in, 'enumerates'
Mar 20 20:49:48 yes
Mar 20 20:50:02 this is when the kernel asks it to power up and describe which standard class, if any, it falls into
Mar 20 20:50:07 'lsusb' does not re-enumerate devices
Mar 20 20:50:08 right
Mar 20 20:50:11 ok
Mar 20 20:50:20 it simply dumps the cached table of results of previously enumerated hw
Mar 20 20:50:31 don't take my word for it - read the source
Mar 20 20:50:44 What do you think the shortest way is to get a signal to the Cardano? Obviously if it mounted to a standard location you could just do an ls at that point
Mar 20 20:50:48 or cat a file to that point
Mar 20 20:51:02 (if it also mounts as a mass storage device)
Mar 20 20:51:10 But you are saying that will be system-dependent, where it mounts to
Mar 20 20:51:21 oh.
Mar 20 20:51:28 one could, in principle, assume a foolish user who has his mountpoint at '/mnt/cardano' or whatever, and left bash open, logged in as a user with write privilege to the location, and currently 'cd'd to it
Mar 20 20:51:37 that is too much
Mar 20 20:51:40 correct
Mar 20 20:51:42 it should work from any prompt
Mar 20 20:51:49 and then if it does work, it should check if the prompt is root
Mar 20 20:51:56 and if not then it should delete the previous short history
Mar 20 20:52:03 it can do all this very very subtly.
Mar 20 20:52:10 But all this depends on figuring out if it is in a terminal at 4 am.
Mar 20 20:52:23 once again, if you can make this work from 'any prompt', don't settle for small change
Mar 20 20:52:24 The major hurdle is figuring out if it's in a terminal, or Open Office.
Mar 20 20:52:49 How can we figure out with 1 short universal command whether it is in Open Office writing a technical report at the time, or at a prompt?
Mar 20 20:53:02 you can't - one-way channel.
Mar 20 20:53:04 assuming it can also automount usb devices
Mar 20 20:53:09 I just gave you some examples of how it could :)
Mar 20 20:53:31 For example if it knew where its mass storage mount point was, it could type an ls command to it.
Mar 20 20:53:46 you could, hypothetically, 'type' a shell script that enumerates through the output of 'mount' and attempts to unmount everything but '/'
Mar 20 20:54:11 no, that is way too obvious :)
Mar 20 20:54:18 but usb mass storage drive has no way of knowing that it has been unmounted.
Mar 20 20:54:27 it should be something as short as an lsusb command, something that just causes all usb devices to be polled somehow
Mar 20 20:54:40 the only result of umounting from the standpoint of a drive is that any unwritten cached data is flushed to it
Mar 20 20:55:19 what you ask for is certainly doable on particular flavours of linux
Mar 20 20:55:42 where the fool leaves himself inside an open shell, logged in as root
Mar 20 20:55:47 there are other examples, I can think of a bunch, but they're very long ways of seeing. For example, it could identify as a camera, and then use a command that reads the camera. this assumes a really large space of drivers and software present however.
Mar 20 20:55:53 do you routinely leave your own machine unattended in this condition?
Mar 20 20:56:01 It doesn't have to be routine...
Mar 20 20:56:11 And yes, I leave long operations running all the time. Not as root usually.
Mar 20 20:56:25 I've often come back to something being finished in the morning.
Mar 20 20:56:27 all of these scenarios rely on a very particular set of assumptions
Mar 20 20:56:39 that are unlikely to be true simultaneously in a particular time and place.
Mar 20 20:56:39 And I probably wouldn't think twice on an 'lsusb' command I hadn't typed, for example.
Mar 20 20:57:01 Well, that is how real attack vectors are given out. That's how millions in bitcoins are stolen.
Mar 20 20:57:20 nope. i recommend studying the details of how they were actually stolen.
Mar 20 20:57:32 Do you have a good link?
Mar 20 20:57:35 I've read conflicting things.
Mar 20 20:57:40 in no publicly-known case so far has the perpetrator done anything but exploit a truly idiotic hole
Mar 20 20:58:08 e.g. the 500 or so known winblows trojans which look for unencrypted 'wallet.dat'
Mar 20 20:59:12 many attacks - such as the most recently published exchange breach - rely on social engineering and are uninteresting from the engineering point of view
Mar 20 20:59:42 I found the solution to what I was asking.
Mar 20 20:59:48 You can simply type this at a prompt: setleds -D +num
Mar 20 21:00:00 this turns the numlock on. The USB device would be told.
Mar 20 21:00:59 so if the numlock were toggled after that command were entered, it would know that it was at a prompt and could proceed to write scripts. For starters it could write a script to spam the numlock if the real user types anything. then it could disappear if this is done.
Mar 20 21:01:24 it also needs to become silent, by opening a process it can write to that doesn't put anything on screen. this should be a very short command.
Mar 20 21:01:31 this would theoretically work to see if your victim left a root shell, sure
Mar 20 21:01:34 but also tip him off
Mar 20 21:01:42 I know, in retrospect
Mar 20 21:01:47 but we try to delete it if it didn't work
Mar 20 21:01:58 we are talking a total of 100 milliseconds done in a blip of an eye at 4 AM
Mar 20 21:02:11 even if someone did see it at 4 AM, they would doubt their sanity
Mar 20 21:02:33 likewise, one could theoretically 'type' a script that writes a small file to everything outputted by 'mount', then dismounts and remounts each drive, and watches for its own volume being written by cache flush.
Mar 20 21:02:34 what of it?
Mar 20 21:02:53 and then even if they see the very short script that would be visible (we have to minimize this length, it's the main means of discovery) they could assume something is corrupt, like a corrupt driver or something
Mar 20 21:03:11 well, what of it is if you mount usb devices someone might think of the cardano
Mar 20 21:03:30 a malicious device can do anything whatsoever
Mar 20 21:03:39 e.g. explode, sending shrapnel through the room
Mar 20 21:03:44 release poison gas
Mar 20 21:03:45 etc
Mar 20 21:03:58 how is this a problem particular to cardano?
Mar 20 21:04:05 but if you write "setleds -D +num" and the user sees it - what will they think?
Mar 20 21:04:16 they will not connect it to a polling attack
Mar 20 21:04:18 they will not think of that
Mar 20 21:04:22 an educated user will know that he is being fucked with
Mar 20 21:04:23 so the point is to do this:
Mar 20 21:04:37 1) write setleds -D +num 2) write a very very short garbage-looking script that looks like line noise
Mar 20 21:04:49 oh and if 1) didn't work then send as many deletes as what you just typed.
Mar 20 21:05:20 The garbage looking script has the following requirement: 1) it MUST look like corruption of some kind. 2) it must drop what's visible to user as quickly as possible, and let the rest of the scripts be typed in a way that doesn't show on screen.
Mar 20 21:05:46 incidentally, have you checked the published catalogue of rubber duck payloads?
Mar 20 21:05:49 3) once given a chance to type the rest silently, it should quickly try to determine if a real user is doing anything (such as pressing delete) and if so to disappear.
Mar 20 21:05:59 i would not be surprised to discover that this particular trick is already found therein.
Mar 20 21:06:22 going back a little, i will say that if i wanted to design a malicious usb device, i would not settle for small change
Mar 20 21:06:23 Well, in evaluating architectures I like to go from first principles to be honest.
Mar 20 21:06:34 What else would your malicious device do?
Mar 20 21:06:35 buggy drivers are 'where it's at'
Mar 20 21:06:39 I understand this.
Mar 20 21:06:47 but people with patched systems would require a 0-day.
Mar 20 21:07:42 Beyond buggy drivers, what are the main things you have in mind? Is it mostly buggy drivers?
Mar 20 21:07:47 a system such as 'ubuntu', which ships with every conceivable usb device driver by default, probably contains something usable
Mar 20 21:08:20 if i'm not mistaken, what you originally meant to ask was, how does a purchaser know that his unit behaves 'as printed on the box'
Mar 20 21:08:32 No I didn't mean to ask that :)
Mar 20 21:08:36 obviously there's no way of knowing that
Mar 20 21:09:02 the answer is either 1) he trusts the supplier and the designer 2) he trusts a third party who has judged the device fit for its advertised purpose 3) he personally studied the device to his satisfaction
Mar 20 21:09:04 there is no (4)
Mar 20 21:09:05 I mean, when you refer to 999 attack vectors via USB, you're thinking of all the device drivers or a specific architectural flaw?
Mar 20 21:09:21 There are levels of trust in the supplier and designer.
Mar 20 21:09:57 For example I trust Google to give me an https session if I ask for it. (No comments on what they do once my queries are on the other side.) Then again, I don't "really" trust them not to forward all that traffic to a third party, acting as their own MITM
Mar 20 21:10:07 sure
Mar 20 21:10:39 at the moment, most pc users are happy buyers of countless thumb drives, mice, keyboards, printers, etc, etc. of every conceivable origin
Mar 20 21:10:41 I googled rubber ducky payloads. most are funny - https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---reverse-shell
Mar 20 21:11:01 most of these gadgets have 100% closed design specs, and often use unlabeled asian ICs
Mar 20 21:11:02 Yes. And they will not plug ANY of them into a secure device, EVAR
Mar 20 21:11:23 I never plug a single usb device into a secure PC, ever. The moment I do it's not a secure PC in my eyes.
Mar 20 21:11:58 There's just too much that you're trusting in the architectural. By design. It's an implicit level of trust.
Mar 20 21:12:04 architecture*
Mar 20 21:12:10 surely you understand that the rubber duck attack works just as well with 'ps/2.'
Mar 20 21:12:34 No, that's not true.
Mar 20 21:12:59 Because if you only accept a ps/2 keyboard then a Cardano acting as usb mass storage device doesn't have any vectors that are architecturally open to it, by design.
Mar 20 21:13:13 if you own something you think of as 'secure pc', and you use a keyboard of some description with it, then evidently there is someone you trust to supply a keyboard which does not emit curious commands by itself at night.
Mar 20 21:13:34 For an example of what I mean: a usb mass storage device, by design, can write out any data it wants for the files you ask for. (Not just what you wrote there.) This would be designed into the architecture.
Mar 20 21:13:45 certainly.
Mar 20 21:13:50 So for example it's obvious that an external hard-drive could silently rewrite any file you asked for that ends in .sh
Mar 20 21:14:01 this doesn't require going outside the architecture.
Mar 20 21:14:02 incidentally, an internal (traditional) hard drive can be modified to do the very same thing.
Mar 20 21:14:07 yes.
Mar 20 21:14:11 this is a published experiment.
Mar 20 21:14:20 and it's the kind of thing that's important to mitigate by design. Yes, I read about that.
Mar 20 21:14:40 Whenever the high-level architecture leaves something possible by design, it is something that must be considered worse than if the same thing can be done via 0-day.
Mar 20 21:14:51 by the way I didn't mean to spend this long on this conversation, but it's interesting
Mar 20 21:14:53 the buyer of the disk, if he wishes to be certain, must either reverse-engineer it - or trust the maker, or trust a third party who did reverse it
Mar 20 21:14:57 what alternative do you propose?
Mar 20 21:14:58 I started by saying it doesn't make the cardano insecure - and so it doesn't.
Mar 20 21:15:15 So, the alternative I propose is as follows:
Mar 20 21:15:32 You remove this vector from the architecture, thereby mitigating what would happen if you fucked up.
Mar 20 21:16:04 care to be more specific?
Mar 20 21:16:05 And one possible means of doing so is by mentioning it as a warning to patch systems so that the Cardano can only identify as a mass storage device and nothing else. I would accept that as an acceptable resolution.
Mar 20 21:16:16 I would think the warning is sufficient for starters.
Mar 20 21:16:29 see the point about the electric saw.
Mar 20 21:16:47 Yes, you're right.
Mar 20 21:16:50 i cannot hope to teach an entirely 'green' user everything that is to be known about comsec
Mar 20 21:16:55 well, let me think about what else you can do.
Mar 20 21:17:43 i'm quite happy to settle for supplying a tool with clearly defined functionality to folks who understand the basic limitations.
Mar 20 21:17:52 (You're not going to like this answer, but for my suggested Version 2: Wifi has less trust implicit architecturally it is not possible to automount a usb keyboard over wifi. You would have to break the wifi protocol, or use it in an unintended way as a carrier for other internal data)
Mar 20 21:18:15 (should be period after architecturally.)
Mar 20 21:18:39 if you did not already know, it is possible to do virtually anything to an operating wifi net because wep (and wep2) are breakable in real time.
Mar 20 21:19:14 would you write the same about WPA2?
Mar 20 21:19:14 this is not even including the purely physical (that is, layer 0/1) trickery using radio.
Mar 20 21:19:17 yes
Mar 20 21:19:53 i meant wpa2
Mar 20 21:20:00 Okay, I am curious. What makes you say WPA2 is breakable in real time, and why - is this implementation specific, and which implementations?
Mar 20 21:20:27 oh. that's a considerably stronger statement (saying wpa2 is breakable in real time), wep is obviously a joke like telnet.
Mar 20 21:20:35 google. this is not a deep secret.
Mar 20 21:21:00 so why do public places have wpa2 access?
Mar 20 21:21:17 because it is slightly more difficult to break than wep
Mar 20 21:21:35 I mean any wireless access at all.
Mar 20 21:21:50 I mean if it's so hackable how can any public place have any wpa2 access at all - why isn't it too insecure to exist in public?
Mar 20 21:22:04 wait till you find out how 'gsm' uses toy crypto
Mar 20 21:22:22 the reason is not hard to guess.
Mar 20 21:22:29 (political)
Mar 20 21:22:38 I know this.
Mar 20 21:22:46 Nobody considers gsm to be secure...
Mar 20 21:23:11 it used toy crypto by design, and this fact has gone from mere allegation into the solidly known
Mar 20 21:23:15 long ago.
Mar 20 21:23:33 I know this.
Mar 20 21:23:43 so what part do you find surprising?
Mar 20 21:24:15 so I asked in the wireless channels, this is news to them that wpa2 is breakable in real time. They are saying it depends on the router, but the protocol itself is not broken/deprecated (like for example md5 is)
Mar 20 21:24:52 if you wish to be tutored in the exact means whereby wpa2 is broken in real time, i suggest you pay a consultant
Mar 20 21:24:57 so at least on the protocol level #Linux is disagreeing with you - ninjashogun: It depends on the length of the key ..... if the key length is greater than 22 characters .... then no .... it would take a supercomputer to break it in real time
Mar 20 21:25:09 known-plaintext attack, for one.
Mar 20 21:25:52 http://wiki.answers.com/Q/Which_encryption_type_does_WPA2_use
Mar 20 21:26:09 wow that's a horrible link, sorry
Mar 20 21:26:15 it seemed better from the google summary
Mar 20 21:26:43 anyway it says it uses several types; "wpa2 introduced CCMP, a new AES-based encryption mode."
Mar 20 21:27:12 so are you saying that at the protocol level CCMP succumbs to known-plaintext attacks due to a flawed implementation? (In the sense that AES-256 does not have a known-plaintext attack.)
Mar 20 21:27:22 the simplest attack, incidentally, involves forcing a router (of whatever variety is present) off the air
Mar 20 21:27:29 and substituting oneself for it
Mar 20 21:27:34 many consumer widgets will auto-connect.
Mar 20 21:27:45 this does not require breaking anything, in the usual sense.
Mar 20 21:27:49 yes
Mar 20 21:28:12 likewise, channel control info (e.g. MAC) is sent plaintext
Mar 20 21:28:16 architecturally, obviously you have to consider the channel insecure from the sense of the stack that data is written over
Mar 20 21:28:34 for example the MITM attack you just stated.
Mar 20 21:29:06 let's imagine that there were no architectural problems whatsoever with wifi
Mar 20 21:29:08 but the thing about the MITM attack is that you can establish a secure channel stepping over the heads of any number of men in the middle.
Mar 20 21:29:13 and that NONSTOP physical effects did not exist.
Mar 20 21:29:15 (they do)
Mar 20 21:29:28 wifi in a cardano is still a non-starter.
Mar 20 21:29:35 wait - by the way do you think you can jam NONSTOP effects?
Mar 20 21:29:48 because the user we have in mind owns no wifi gadgets
Mar 20 21:29:51 by jamming the frequency until the S/N ratio is too high for subtle effects?
Mar 20 21:29:57 or if he does, they are not permitted near anything valuable.
Mar 20 21:30:04 seriously?
Mar 20 21:30:10 yes.
Mar 20 21:30:11 Doesn't every one of them have an android phone?
Mar 20 21:30:15 nope.
Mar 20 21:30:32 so this is like a lock-down security bunker in the hills of switzerland?
Mar 20 21:30:39 not entirely unlike.
Mar 20 21:31:03 well, I will say that that is not very "mass-market" :) though it might pay better. But if you have an open design it would be hard to charge much if anything.
Mar 20 21:31:16 the purpose of 'cardano' and future s.nsa products is clearly described on mp's site
Mar 20 21:31:19 if you made version2 wifi you might be able to ship 10,000 of them at $100 each.
Mar 20 21:31:29 no engineering compromises whatsoever.
Mar 20 21:31:32 that's a cool $1M.
Mar 20 21:31:51 some folks sell toyotas
Mar 20 21:31:54 Regarding NONSTOP effects -
Mar 20 21:31:57 others, bugatti. maserati.
Mar 20 21:31:58 do you think it can be jammed?
Mar 20 21:32:03 yes, true
Mar 20 21:32:36 but bugatti and maserati are extremely differentiated and don't have open designs :) they have very high prices, and you can't just build your own maserati :)
Mar 20 21:32:38 if you are concerned with the phenomena called 'tempest' and 'nonstop', the simplest solution is to use a faraday cage.
Mar 20 21:32:46 if you own a microwave oven, you already own a faraday cage.
Mar 20 21:32:59 but, notice that the gadget used therein cannot rely on radio for normal operation.
Mar 20 21:33:16 I understand this, but regardless, I would be interested in knowing whether the subtle NONSTOP transmission of external circuits (not even in use by the radio) is an effect that can be jammed by increasing the S/N ratio over the whole channel?
Mar 20 21:33:29 sure it can. Both devices could be in the microwave (faraday cage)
Mar 20 21:33:30 hypothetically.
Mar 20 21:33:44 for example if a room is a faraday cage, it could still have wifi inside for usability.
Mar 20 21:33:46 how do you intend to operate your, say, smartphone inside the oven?
Mar 20 21:33:52 do you own one which is large enough to stand in?
Mar 20 21:34:04 a faraday cage? Me personally no, but loads of people do. entire rooms.
Mar 20 21:34:09 room-sized cages are commercially available, certainly.
Mar 20 21:34:22 They're easy to make. you can make it yourself using $10 in metal.
Mar 20 21:34:27 if you wish to sell hardware which requires the ownership of such a cage, go ahead
Mar 20 21:34:39 well, no, it would be better if it weren't required :)
Mar 20 21:34:45 correct. hence no radio.
Mar 20 21:34:58 or iPad integration :)
Mar 20 21:35:22 are you familiar with the saying 'spoon of shit in a barrel of honey' ?
Mar 20 21:35:29 No.
Mar 20 21:35:36 perhaps you can guess the meaning
Mar 20 21:35:39 sure
Mar 20 21:35:49 'ipad integration' would be analogous to 'spoon of honey in barrel of shit'
Mar 20 21:36:15 where you say "hypothetically" could you elaborate -- you've mentioned before that you can see the NONSTOP effect on a scope. So, if you subtly jam those frequencies would that disappear? The signal to noise must be fairly low to let a CPU's internal state come through....
Mar 20 21:36:36 (I'm guessing)
Mar 20 21:36:53 if you market a product which actively jams radio, of whatever variety, during normal operation, you will run into legal problems in most civilized countries.
Mar 20 21:36:56 I meant "high" not "low" just now. Very HIGH signal to noise.
Mar 20 21:36:57 and for good reason
Mar 20 21:37:09 I know but I was thinking that the level of jamming could be lower than that.
Mar 20 21:37:18 you're just trying to soften the edges of the carrier waves....
Mar 20 21:37:25 not jam the waves themselves.
Mar 20 21:37:40 they can still be recognizable, just without the meta information coming through clearly enough.
Mar 20 21:37:51 just add some white noise at that low level.
Mar 20 21:38:02 in ww2, germany experimented with a radio-controlled flying bomb, similar to the modern 'tomahawk.' american sailors found that it would drop into the sea when they switched on an electric razor.
Mar 20 21:38:07 (spark gap noise.)
Mar 20 21:38:19 But to know if that would work as a mitigation strategy I would have to know a bit more about the physics of NONSTOP, and I don't have a good specan yet.
Mar 20 21:38:34 that is certainly interesting :)
Mar 20 21:38:53 in principle, you can jam anything
Mar 20 21:39:11 but unless i'm mistaken, you supposed the presence of some radio functionality that is to actually work
Mar 20 21:39:15 asciilifeform right but we're talking about something that is at a lower-level, like a timing attack.
Mar 20 21:39:32 the simplest countermeasure is to omit radio entirely
Mar 20 21:40:03 asciilifeform let me give you an example. Here is an easy way to bruteforce a naive password-checking program that does not lock you out, but has a 256-bit keyspace. and takes a thirty-digit password:
Mar 20 21:40:15 and thus allow for a device that can be operated, as designed, in a sealed, grounded metal contour of small size.
Mar 20 21:41:03 You can assume that the password checking algorithm at some point uses a string comparison, and terminates earlier if less of the string matches. You can then brute-force the timing information about whether at least the first character matched, because for that character, all of the fails would be slightly slower than for the other characters, since the algorithm takes one extra loop to get to the next letter.
Mar 20 21:41:20 this is very basic stuff, sure
Mar 20 21:41:27 how does it relate ?
Mar 20 21:41:35 Yes. But this can be "jammed" by simply going through all letters regardless of whether they match.
Mar 20 21:41:49 you're just removing info that shouldn't be there anyway. Timing is a side channel.
Mar 20 21:41:51 sure
Mar 20 21:41:55 it's not something that is supposed to be communicated.
Mar 20 21:42:02 none of this is any kind of revelation.
Mar 20 21:42:06 likewise NONSTOP is a side channel. it shouldn't actually be communicated. it's not actually certified.
Mar 20 21:42:18 it's not an explicit layer.
Mar 20 21:42:33 ok here's 1 more free physics lesson
Mar 20 21:42:42 so you could simply jam it by fudging or smoothing the wave without affecting anything else - just as if you normalize timing you remove a side channel leak that was not explicit.
Mar 20 21:43:05 the physics of radio are such that any antenna that is designed to transmit at a particular frequency, also effectively receives at that frequency.
Mar 20 21:43:14 ok
Mar 20 21:43:16 ('is resonant' at, the textbook will say)
Mar 20 21:43:19 sure
Mar 20 21:43:19 yes
Mar 20 21:43:38 if your machine contains an antenna, your opponent can walk up to your facility and 'illuminate' it
Mar 20 21:43:50 with, say, 1kW transmitter
Mar 20 21:44:00 then watch for what bounces back
Mar 20 21:44:04 ok..
Mar 20 21:44:10 this is, as you probably know, the basic principle behind 'rfid'
Mar 20 21:44:16 but this applies to every thing that happens to be a dipole in the whole damn place, right?
Mar 20 21:44:21 correct.
Mar 20 21:44:28 so go on
Mar 20 21:44:35 so don't be a dipole.
Mar 20 21:45:06 what's step 2?
Mar 20 21:45:11 there is no step 2.
Mar 20 21:45:36 I mean, what do you get out of illuminating every dipole with a 1 kW transmitter and getting some stuff bounced back?
Mar 20 21:45:44 well this depends on what is near the 'receiver'
Mar 20 21:45:48 (intentional or otherwise)
Mar 20 21:45:58 in our case for example
Mar 20 21:46:05 what's near it would be the rest of this version of a cardano
Mar 20 21:46:05 sometimes, the intention is merely to determine that receiver is present.
Mar 20 21:46:15 yes, that would happen.
Mar 20 21:46:18 read about how british government determined who owns a tv set.
Mar 20 21:46:22 (to collect tax)
Mar 20 21:46:27 right, have heard this
Mar 20 21:46:36 This is a good point.
Mar 20 21:46:50 or how germany, during ww2, searched for folks who owned shortwave sets (illegal)
Mar 20 21:46:59 this is 1940s state-of-the-art.
Mar 20 21:47:19 yes
Mar 20 21:47:31 I know about this.
Mar 20 21:47:50 btw you would enjoy a spy tell-all by an ex mi5 or mi6 guy, talks about some of this stuff
Mar 20 21:48:05 I don't remember the title off-hand give me a few and i'll come up with it
Mar 20 21:48:07 there is a wealth of material on the net on the subject
Mar 20 21:48:19 most of the good stuff is in russian
Mar 20 21:48:28 but so the basic attack vector is that the presence can be determined, as long as it's outside of a faraday cage?
Mar 20 21:48:36 do you speak Russian?
Mar 20 21:48:37 (no worries if you don't speak russian - when usa collapses the archives will open)
Mar 20 21:48:42 as you can probably guess
Mar 20 21:48:53 No, I can't guess :)
Mar 20 21:48:57 my guess is "no".
Mar 20 21:49:18 You don't have to say either way.
Mar 20 21:49:37 this is not a secret
Mar 20 21:49:49 in that case - that's a yes?
Mar 20 21:50:02 i sometimes post translations of various things on my site, etc.
Mar 20 21:50:03 right
Mar 20 21:50:07 ok
Mar 20 21:50:17 The book I was referring to is Spycatcher
Mar 20 21:50:18 just as you know that mp speaks romanian, italian, german, greek, latin, etc
Mar 20 21:50:22 (and english)
Mar 20 21:50:27 I can send you it in .epub format if you'd like, I happen to have a copy on hand.
Mar 20 21:50:40 actually i happen to have a copy.
Mar 20 21:50:42 but thank you.
Mar 20 21:50:45 I like his Latin, I "speak" it too.
Mar 20 21:51:10 it's funny
Mar 20 21:51:18 I like his writing style actually, it's very erudite.
Mar 20 21:51:23 incidentally, don't hesitate to speak to mp. he doesn't bite
Mar 20 21:51:28 I know.
Mar 20 21:51:34 He's very accessible.
Mar 20 21:51:41 perhaps he can explain certain matters we have spoken of better than i
Mar 20 21:51:53 His style on the blogs he writes is in some cases a bit trollish, but he also anonimizes the people he quotes so it doesn't really matter.
Mar 20 21:52:16 On the other hand for text analysis reasons I don't think he should post even anonymized quotes.
Most people's writing is extremely characteristic
Mar 20 21:52:23 especially if they use examples (that they like to mention) and so forth.
Mar 20 21:52:34 anonymizes*
Mar 20 21:52:38 my advice to you is to regard anything transmitted as plaintext as - public.
Mar 20 21:53:02 I don't think that's fair. For example I've hired developers from IRC for confidential projects. So how does that work?
Mar 20 21:53:13 i.e. for prelaunch products that had pending IP protections.
Mar 20 21:53:19 or just were not public.
Mar 20 21:53:25 it means that any freenode admin can read your communications at his leisure.
Mar 20 21:53:37 and so can anyone who happens to share a LAN with one of the parties involved
Mar 20 21:53:38 that's pretty far from 'public' :)
Mar 20 21:53:38 etc
Mar 20 21:53:40 yes
Mar 20 21:53:45 which is pretty far from 'public' :)
Mar 20 21:53:54 The thing about MP's blog is it's public in the sense of being Google-indexed.
Mar 20 21:53:56 it is about as public as conversing in a restaurant.
Mar 20 21:53:59 or a crowded train.
Mar 20 21:54:04 no, more public.
Mar 20 21:54:09 i would not undertake to conduct important business in either
Mar 20 21:54:15 because MP's blog is indexed by Google, restaurants and trains aren't.
Mar 20 21:54:20 sure
Mar 20 21:54:27 i meant business-over-irc
Mar 20 21:54:32 so if someone writes three very characteristic, unusual words one after the other, they would find it.
Mar 20 21:54:39 well, yes. that's the default assumption, I agree.
Mar 20 21:54:54 i, for instance, live in usa, and therefore assume that every packet that leaves my home is recorded for all eternity.
Mar 20 21:54:56 and when he posts logs it goes a bit beyond that. However it does help that he anonymizes the parties. that's important and good.
Mar 20 21:55:09 and seen by some unknown but sizable number of government-employed idlers
Mar 20 21:55:25 sure
Mar 20 21:55:57 for Cardano, would you like to sell a mass-market version (thousands or tens of thousands of them)?
Mar 20 21:56:10 one of the things i try to teach people (and this pertains not only to cardano) - is that it is direly important to have realistic expectations.
Mar 20 21:56:24 people with unrealistic expectations are sure to be unpleasantly surprised.
Mar 20 21:56:27 it is only a question of when.
Mar 20 21:56:32 oh come on. your stated goal is 'absolute security by design' :)
Mar 20 21:56:47 that is not realistic :) but it is a fine goal, I don't object.
Mar 20 21:57:14 if you read the prospectus, you will note that certain classes of attack (theft, etc) are explicitly not dealt with
Mar 20 21:57:29 because physical security is the domain of folks selling safes, concrete bunkers, mercenaries, etc.
Mar 20 21:57:30 not us
Mar 20 21:57:48 to suggest otherwise would be dishonest.
Mar 20 21:58:08 I understand
Mar 20 21:58:23 but at the same time, for the parts you do address, your explicit goal is absolute security
Mar 20 21:58:24 any questions regarding whether cardano is intended for mass market, or how many units will be built, or pricing - straight to mp
Mar 20 21:58:29 he will choose to answer them - or not
Mar 20 21:58:47 all right
Mar 20 21:58:56 also note that mp employs a 'pr'
Mar 20 21:59:01 what you've just written reminds me of (B) that I postponed above
Mar 20 21:59:05 pr?
Mar 20 21:59:06 who is paid to answer such questions (or not, as she chooses)
Mar 20 21:59:11 oh that's fine
Mar 20 21:59:20 i, on the other hand, am not employed in this capacity
Mar 20 21:59:32 and would not, therefore, propose to say anything informative about marketing, etc
Mar 20 21:59:34 so (B) was about physical security. Threat mitigation in case of theft.
Mar 20 21:59:39 sure yes okay
Mar 20 21:59:41 that's fine
Mar 20 21:59:43 ok...
Mar 20 21:59:53 what about it ?
Mar 20 22:00:06 so, your current design is that if it is stolen, the attacker has absolute knowledge of everything inside immediately with no effort?
Mar 20 22:00:16 (as a design goal)
Mar 20 22:00:28 if he wishes to extract the key, and replace the device before victim notices, he will have to expend some effort
Mar 20 22:00:28 in the sense that a physical key (to a deadbolt on a door) works that way for example?
Mar 20 22:00:40 I don't mean about replacement
Mar 20 22:00:41 how much effort depends on the user's personal decisions re: physical protection
Mar 20 22:01:02 I just mean what happens if he steals it. Or if someone leaves it on a train, it falls out of their pocket. Does whoever picks it up immediately have the same level of access as a physical house key?
Mar 20 22:01:10 certainly.
Mar 20 22:01:28 this, as you probably understand, is not a problem peculiar to cardano
Mar 20 22:01:35 It's not a problem at all.
Mar 20 22:01:56 But we could explore certain architectural additions that would change this status quo to some extent and may be of interest.
Mar 20 22:02:12 user is free to, for example, pour his unit into a block of concrete.
Mar 20 22:02:18 That's not what I mean :)
Mar 20 22:02:31 I mean, a cardano without the user still functions in its key services.
Mar 20 22:02:35 but we can change this.
Mar 20 22:02:36 certainly.
Mar 20 22:02:37 if we want.
Mar 20 22:03:02 you realize that you are perhaps the 20th person to suggest passwords, key pads for entry thereof, etc.
Mar 20 22:03:06 One way is through some physical access mechanism (I hate those, never EVER use them). a fingerprint reader for example (ugh ugh ugh ugh ugh)
Mar 20 22:03:19 I haven't suggested passwords, key pads for entry or anything else so far :)
Mar 20 22:03:26 Where do you see a suggestion? :) :) :)
Mar 20 22:03:30 well the general idea of 'multi-factor' whatever
Mar 20 22:03:42 It's not about multi-factor.
Mar 20 22:03:48 where a cardano lying on a table, sans owner, is somehow resistant to being put to use.
Mar 20 22:03:54 It's about what happens in the case that someone finds yours on a bus.
Mar 20 22:04:08 then he can do whatever he wishes
Mar 20 22:04:16 I'll give you an example.
Mar 20 22:04:20 just as if he finds a bag full of secret docs, etc
Mar 20 22:04:27 these have also been misplaced on buses, trains.
Mar 20 22:04:43 There's a more secure version of a normal housekey and a less secure version of a normal housekey. Both are made of metal, both work EXACTLY THE SAME. What's the difference?
Mar 20 22:04:43 'doctor, it hurts when i do that.' - 'so don't do that.'
Mar 20 22:05:02 It's a puzzle :)
Mar 20 22:05:19 There's a more secure version of a housekey and a less secure version of a housekey, but both are made of metal and both work EXACTLY THE SAME. What's the difference?
Mar 20 22:05:53 I can give a hint :)
Mar 20 22:05:57 ok...?
Mar 20 22:06:13 The hint is it concerns exactly this scenario we just talked about..
Mar 20 22:06:27 one of the keys has address engraved on it
Mar 20 22:06:29 other does not
Mar 20 22:06:33 yep :)
Mar 20 22:06:36 exactly
Mar 20 22:06:49 And you see, they both work exactly the same.
Mar 20 22:07:06 except that this scenario is inapplicable to cardano.
Mar 20 22:07:20 So the question is - if someone finds the Cardano, can they realize exactly who it belongs to?
Mar 20 22:07:29 because, having possession of an rsa private key (integers 'p', 'q') one readily computes public key (product 'p'*'q')
Mar 20 22:07:43 public key, traditionally, is distributed as widely as possible.
Mar 20 22:07:47 this is true. Very good.
Mar 20 22:07:47 yes.
Mar 20 22:07:53 very very good.
Mar 20 22:08:01 so the question is - can we break this symmetry and mitigate it without really changing anything else?
Mar 20 22:08:19 not if you wish to use public key crypto.
Mar 20 22:08:25 which operates in exactly this way, by definition.
Mar 20 22:08:31 this is true.
Mar 20 22:09:32 it would I think somewhat increase the security architecture if we could break this symmetry, so that it became impossible to know which public key the private key (which obviously could be recovered) belongs to
Mar 20 22:09:49 if you have devised a fundamentally new concept of cryptography, don't settle for small change.
Mar 20 22:10:01 It doesn't have to be fundamentally new.
Mar 20 22:10:11 don't tell me - commercialize, and solve the unfortunate financial problems you spoke of
Mar 20 22:10:23 it would, in fact, need to be fundamentally new
Mar 20 22:11:02 this is not a bad idea, per se - just as 'antigravity' is a great idea
Mar 20 22:11:05 For example, the other suggestions you mentioned have this side-effect. If the Cardano takes a symmetric key from the user and then discards it when finished, uses this key to unencrypt its own contents, it has BOTH the side effect of making the private key unrecoverable AND the side-effect of making a key not divulge its owner.
Mar 20 22:11:12 what is lacking is - any notion of how it could physically work.
Mar 20 22:11:18 well you already have one
Mar 20 22:11:34 'takes a symmetric key from the user' reduces to 'password'
Mar 20 22:11:42 which, as i explained, has been suggested in the past
Mar 20 22:11:54 That's true. But just as a point of fact this, as a side-effect, solves the problem. So we can't call it unsolvable. We just have to find a better solution.
Mar 20 22:12:08 well this is not a solution to the problem described earlier
Mar 20 22:12:21 that is, public key crypto where the public key is not inferable from a working private key.
Mar 20 22:12:25 It literally solves the problem of learning which public key a found cardano belongs to.
Mar 20 22:13:14 Here is a solution. I've just come up with it.
Mar 20 22:13:16 keeping cardano in a safe also solves the same problem.
Mar 20 22:14:25 If every Cardano has a hundred private keys on it then it is shorter than a password to name which ones need to be used in sequence. (For example #5, #44, #192) but someone would have to try a ton of possibilities to see if they can find a public key matching it.
Mar 20 22:14:48 this is a quick and dirty solution, it's obviously not final, but something like this might be possible.
Mar 20 22:14:52 one can trivially query public key servers for any number of keys
Mar 20 22:14:58 even a million
Mar 20 22:15:18 or simply take the private key p,q and search using my search engine
Mar 20 22:15:20 'phuctor'
Mar 20 22:15:22 I am sensing that there could be an algorithm based on this.
Mar 20 22:15:30 nosuchlabs.com
Mar 20 22:15:33 because you can combine them several times
Mar 20 22:15:41 it's right there.
Mar 20 22:15:44 ok
Mar 20 22:15:50 where do you get your data?
Mar 20 22:15:53 http://nosuchlabs.com/theory
Mar 20 22:16:12 user submissions.
Mar 20 22:16:29 ok
Mar 20 22:16:37 nothing about that widget is secret, it's all described on that page
Mar 20 22:16:46 in sufficient detail that you could, if you wish, write your own.
Mar 20 22:16:55 what language does it use on the backend to process the form at http://nosuchlabs.com/
Mar 20 22:17:08 what interest is it to you?
Mar 20 22:17:21 well, I'm building a web site that takes user generated content.
Mar 20 22:17:31 I haven't decided on a technical stack
Mar 20 22:17:39 use whatever language strikes your fancy
Mar 20 22:17:50 is yours in Perl?
Mar 20 22:17:51 it is an intensely personal choice, like what to eat
Mar 20 22:17:54 no comment
Mar 20 22:17:56 (The usual reason someone wouldn't mention it)
Mar 20 22:18:00 :)
Mar 20 22:18:07 ok
Mar 20 22:18:30 I'm deciding between PHP (which leads to awful sites but I could make very quick progress and instantly google anything - big technical debt) and Go or Python
Mar 20 22:18:38 I know Perl though
Mar 20 22:18:48 my recommendation is to use the language you are most familiar with.
Mar 20 22:19:16 okay, but for people for whom that's C++ or assembly, "You're going to have a bad time"
Mar 20 22:19:21 certainly.
Mar 20 22:19:26 or PIC microcontroller code
Mar 20 22:19:33 these should become more familiar with another language.
Mar 20 22:19:37 or circuit diagrams in EAGLE
Mar 20 22:19:43 until it becomes 'the language they are most familiar with.'
Mar 20 22:20:09 yes. Though, "Use the language you're more familiar with, if it sucks then learn another language until that's the one you're most familiar with and then use that" :)
Mar 20 22:20:19 e.g. if all you know is fortran (like one fellow i know) you may wish to study another.
Mar 20 22:20:23 and logically, it means a C++ programmer with 15 years of experience couldn't put up a web site for...15 years :)
Mar 20 22:20:39 I don't think the new language has to be more familiar before fortran before he can start using it though :)
Mar 20 22:20:51 more familiar than fortran*
Mar 20 22:21:17 so I'd be willing to start with something I barely know or don't know (for example I don't know Ruby but would consider it, same with Erlang/Clojure - zero knowledge - and no PHP either.)
Mar 20 22:21:21 i regret that i cannot offer you useful advice in the design and construction of web services
Mar 20 22:21:31 it's fine. I like your site :)
Mar 20 22:21:34 because this is not what i do for a living.
Mar 20 22:21:58 right
Mar 20 22:22:03 i actually do not program for a living at all.
Mar 20 22:22:07 no?
Mar 20 22:22:09 (this is not a secret)
Mar 20 22:22:13 obviously not
Mar 20 22:22:18 what do you do? security audits?
Mar 20 22:22:24 i'm a reverse engineer.
Mar 20 22:22:28 seriously?
Mar 20 22:22:38 this is not an uncommon profession
Mar 20 22:22:40 of hardware or software?
Mar 20 22:22:44 either.
Mar 20 22:22:47 it's a *very* uncommon profession.
Mar 20 22:22:48 extremely.
Mar 20 22:22:54 it's more common as a pastime than a profession.
Mar 20 22:22:58 it simply isn't advertised in newspapers
Mar 20 22:23:06 hence appearing uncommon
Mar 20 22:23:11 maybe
Mar 20 22:23:15 but virtually all large concerns employ them.
Mar 20 22:23:16 and maybe people don't talk about it
Mar 20 22:23:24 do you work for one? (a large concern)
Mar 20 22:23:27 no comment
Mar 20 22:23:40 ha - okay
Mar 20 22:23:58 if you really wish to know - i study virii.
Mar 20 22:24:01 (at present)
Mar 20 22:24:04 going back to the Cardano design. Is there a reason you wouldn't offer a password as an option? (disabled by default, but it can be added)?
Mar 20 22:24:10 that is very interesting
Mar 20 22:24:19 for like FSecure or one of the big labs?
Mar 20 22:24:22 how do you suggest one is to enter said password ?
Mar 20 22:25:03 well, for example, for the mitigation strategy I talked about (finding a cardano on a bus and Googling wtf did I just find - it looks kind of like a USB stick...) - it doesn't really matter
Mar 20 22:25:22 remember, i did explain that people have asked before, 'why no keypad' etc.
Mar 20 22:25:26 it doesn't have to be kept secure - it just has to be kept OFF the cardano, after it's unplugged, and that's the only requirement
Mar 20 22:25:52 the answer is that the user is expected to understand that a cardano used for some important purpose is -never- to leave his personal control.
Mar 20 22:26:01 so if the only hard requirement is the password has to be off of the cardano once it's unplugged, we realize that it's not that hard to get it on there.
Mar 20 22:26:10 I understand this
Mar 20 22:26:24 but the same is true of a house key. You can copy it within 5 seconds by putting an imprint onto clay or something
Mar 20 22:26:31 entirely true.
Mar 20 22:26:42 house key is an entirely different class of device than cardano.
Mar 20 22:26:42 and yet it's better not to write your address on it
Mar 20 22:26:57 let me give you an example
Mar 20 22:27:03 ok
Mar 20 22:27:08 soviet nuclear submarines have manually-operated reactor controls.
Mar 20 22:27:12 can you guess why?
Mar 20 22:27:25 hmmm
Mar 20 22:27:35 against a virus? :)
Mar 20 22:27:46 or trojan, etc
Mar 20 22:27:52 considering that the present designs date to the 1960s, this is not the answer.
Mar 20 22:28:09 then why?
Mar 20 22:28:33 because 1) always a man in the loop 2) he is expected to understand the gravity of his situation.
Mar 20 22:28:39 no mechanism will take over for him
Mar 20 22:28:55 psychologists call this 'risk homeostasis'
Mar 20 22:28:59 I don't quite understand....
Mar 20 22:29:01 (look it up)
Mar 20 22:29:05 ok
Mar 20 22:29:15 ah
Mar 20 22:29:19 so it's to keep the person more alert
Mar 20 22:29:23 since he has more responsibility
Mar 20 22:29:24 correct
Mar 20 22:29:38 that is good.
Mar 20 22:29:44 This is an EXTREMELY good answer.
Mar 20 22:29:49 I like it very much.
Mar 20 22:29:50 for this same reason, recent luxury cars which brake automatically are a terrible idea
Mar 20 22:29:57 and people will come to regret buying them
Mar 20 22:30:01 This is why it has to be as exposed as a house key you can copy in 5 seconds with a clay impression.
Mar 20 22:30:06 right.
Mar 20 22:30:14 This is a good design decision.
Mar 20 22:30:35 naturally, an individual owner is welcome to make his 'house key' more difficult to copy quickly
Mar 20 22:30:40 e.g.
by encasing it in concrete
Mar 20 22:30:42 so, then if we want to marry it with reducing the exposure for the branch where a cardano IS discovered, we would have to add this mechanism in a way that did NOT reduce the perceived risk.
Mar 20 22:30:50 I understand
Mar 20 22:30:59 there's the rub. any such mechanism always reduces perceived risk.
Mar 20 22:31:13 No, for example a single-digit PIN (#1-#10) wouldn't.
Mar 20 22:31:27 because of the users. nobody would consider that any different from no pin.
Mar 20 22:31:51 i have to say, i disagree.
Mar 20 22:31:56 really?
Mar 20 22:32:07 a three-digit luggage lock is considered secure by your target audience?
Mar 20 22:32:10 most people would regard a safe with a keypad lock as in some sense more secure than a similar box with no lock.
Mar 20 22:32:20 well, more secure than no such lock.
Mar 20 22:32:38 ok
Mar 20 22:32:59 one of the things i hope to explain to you (and anyone else who asks) is that secure design is about more than mere mechanics
Mar 20 22:33:05 it is also about encouraging correct psychology
Mar 20 22:33:09 so the design challenge is to somehow keep recovery of the private key from instantly divulging the public key, without increasing a user's sense of security of the physical device.
Mar 20 22:33:18 I agree with you 100%.
Mar 20 22:34:22 Couldn't this be done as simply as having to give the Cardano a copy of the public key you want it to sign? This doesn't seem like a password. It can then take that public key, hash it with salt, and then use the hash to decrypt the private key.
Mar 20 22:34:24 incidentally, a cardano which is stolen (vs. misplaced) will be put to use without any difficulty whatsoever by the thief, given that he knows who he meant to steal from.
Mar 20 22:34:37 regardless of any hypothetical mathematical curiosities
Mar 20 22:34:50 This is obviously useless as a security measure for anyone who knows who the intended victim is or what they're trying to attack.
However, it would keep the private key from divulging the public key, without alerting the user that he is doing something less secure.
Mar 20 22:35:01 yes, this is true.
Mar 20 22:35:08 once again - risk homeostasis.
Mar 20 22:35:19 But it doesn't seem like a password.
Mar 20 22:35:28 Nor is it one.
Mar 20 22:35:42 owner must understand that losing his cardano is equivalent to losing his entire bank account, converted into gold, or whatever else the device was meant to protect in his particular case.
Mar 20 22:35:43 But I agree, this "solution" was just a first approximation, as you can see I came up with it in just 2 minutes.
Mar 20 22:35:49 yes
Mar 20 22:36:03 Let me ask you this.
Mar 20 22:36:36 If the user had a physical key to a bank vault. And that key is the only thing the bank asks for. He (or anyone in its possession) can then open the vault (after showing the key) and empty it of its contents....
Mar 20 22:36:49 certainly.
Mar 20 22:37:25 In this case you wouldn't consider it more secure if the key actually had a 20-digit symmetric key that needed to be entered before it worked?
Mar 20 22:37:36 (I'm not saying this is GOOD design. just, wouldn't it be more secure?)
Mar 20 22:37:44 more secure in one way - less, in another
Mar 20 22:37:49 user is more likely to lose the key.
Mar 20 22:38:11 For a moment consider that I agree with you that this is a bad design. I'm not arguing for it.
Mar 20 22:38:22 are you familiar with the phrase 'safe if used as prescribed' ?
Mar 20 22:38:30 I mean, I do agree with you that the 20 digit symmetric key on a bank vault key is bad design, it shouldn't need a keypad, etc.
Mar 20 22:38:31 yes
Mar 20 22:38:50 but setting that aside for a moment - if the user loses this badly-designed key, what happens?
Mar 20 22:39:04 note that anyone who wishes to keep his cardano inside a safe, secured by a combination lock, is free to do so.
Mar 20 22:39:16 yes
Mar 20 22:40:04 i don't dispute that some folks would like a device similar to cardano, but having a keypad for password.
Mar 20 22:40:17 they are free to build such.
Mar 20 22:41:19 But I mean theoretically in this case is there a way to recover the key?
Mar 20 22:41:21 incidentally, any such design which requires a key to be entered merely once per power-up is vulnerable to a very simple kind of theft
Mar 20 22:41:27 where the thief patches power cable
Mar 20 22:41:35 to continue powering the unit as it is carried away.
Mar 20 22:41:52 do people really want you to have a physical keypad?
Mar 20 22:41:55 I don't like that idea.
Mar 20 22:41:58 thereby leaving the owner worse off than had he understood that the loss of his cardano inevitably means defeat.
Mar 20 22:42:16 yes, that is a good point
Mar 20 22:42:44 this is a very good design consideration
Mar 20 22:43:37 I still can't help but feel that it increases the intrinsic value of the cardano in some sense.
Mar 20 22:43:52 For example, a cardano protecting $1M in gold would at all times be worth $1M
Mar 20 22:44:39 i do not know where you come from, or what your trade is, or what you've studied - but please try to apprehend that i have a certain trade, and understand it quite well. as does, for instance, a machinist, or a watchmaker.
Mar 20 22:44:46 whereas with some means of symmetrically unencrypting the password, it is only worth intrinsically $1M whenever it is powered on, at other times it is worth $0 + the weighted chances of getting the pin out of the user before he can empty the account elsewhere
Mar 20 22:44:49 likewise, mp has a certain trade that he knows quite well.
Mar 20 22:45:04 okay
Mar 20 22:45:19 I do feel your design decisions are very good
Mar 20 22:45:38 the perfect solution would be one where the users didn't know, but, secretly, the thiefs would find the powered-down cardano useless.
Mar 20 22:45:52 thieves*
Mar 20 22:45:56 no part of cardano design is to remain a secret from the owner.
Mar 20 22:46:02 this is rather intrinsic to the idea.
Mar 20 22:46:07 Well, perhaps they know but don't think about it.
Mar 20 22:46:15 you are welcome to avoid thinking about it...
Mar 20 22:46:22 Let me put it this way. A cardano is like a root prompt.
Mar 20 22:46:40 google for 'steering wheel spike'
Mar 20 22:46:40 There is a reason people use sudo. Even though they are technically root, they still want to not have that power ALL the time.
Mar 20 22:46:47 ok
Mar 20 22:47:07 this is hilarious :)
Mar 20 22:47:38 there is an entire field of study, called game theory, which you may be familiar with, concerning such matters.
Mar 20 22:47:55 it is outside the scope of the matter at hand.
Mar 20 22:48:22 yes I know some game theory
Mar 20 22:48:24 sure
Mar 20 22:48:53 well, I suggest having it as a design goal, even though it is unsolved as-present.
Mar 20 22:48:55 at-present.
Mar 20 22:49:08 may as well suggest antigravity, or cold fusion, as a design goal.
Mar 20 22:49:11 the goal being not to decrease perceived risk while mitigating the actual fallout from theft or abandonment.
Mar 20 22:49:21 the objective is to solve problems which have actual solutions
Mar 20 22:49:26 of cardano, that is
Mar 20 22:49:39 there are folks who devote their lives to learning the secret of antigravity, etc.
Mar 20 22:49:53 Unlike antigravity, or cold fusion, I've already suggested something that solves the second problem without increasing security. Everyone knows your PUBLIC key is PUBLIC. Giving it to the cardano wouldn't count as a password. But it could prevent identification of the public key if randomly found.
Mar 20 22:50:20 and it would in no way increase actual security.
Mar 20 22:50:37 nope. it would take at most a few weeks to gather all known public keys and test each one
Mar 20 22:50:44 against an extracted crypted private key block.
Mar 20 22:50:56 That is a long time :) The person might have nothing :)
Mar 20 22:51:01 this is doable at minimal expense
Mar 20 22:51:07 okay
Mar 20 22:51:09 because the public keys, are, well, public.
Mar 20 22:51:13 yes, they're public
Mar 20 22:51:24 so it is a uniquely poor choice of password
Mar 20 22:51:31 it's not a password
Mar 20 22:51:38 precisely because it's public
Mar 20 22:51:39 well, symmetric 'ignition key'
Mar 20 22:51:52 it still functions as a password, in your proposed scenario.
Mar 20 22:51:58 regardless of what you call it.
Mar 20 22:52:34 how about combined with a file that definitely doesn't look like a password but that the user has on their PC. A photo for example.
Mar 20 22:52:45 nobody uses a photo as a password, it's silly.
Mar 20 22:53:00 but you can't very well try EVERY public key combined with EVERY picture from the internet
Mar 20 22:53:10 cardano is meant to be self-contained.
Mar 20 22:53:18 not used in conjunction with a pc though?
Mar 20 22:53:22 no loss, save that of the unit itself, will prevent the owner from using it.
Mar 20 22:53:25 think of it that way.
Mar 20 22:53:52 the point is to make it crystal clear what the valuable object is.
Mar 20 22:53:56 yes
Mar 20 22:54:04 and where the owner's responsibility to protect lies.
Mar 20 22:54:04 although public pictures could always be found again.
Mar 20 22:54:25 but you're right it is getting silly to add a scheme like this just to prevent accidentally found cardanos from being used.
Mar 20 22:54:56 the very notion of an 'accidentally found cardano' should be thought of as ridiculous - on par with an 'accidentally found bag of diamonds.'
Mar 20 22:55:04 that is, physically possible, but you will never find one.
Mar 20 22:55:06 that happens.
Mar 20 22:55:14 sure it does. happens all the time.
Mar 20 22:55:25 it would be odd to suggest that diamond rings should be permanently affixed to safes.
Mar 20 22:55:31 yes
Mar 20 22:55:32 on account that they might be stolen or lost.
Mar 20 22:55:39 yes :)
Mar 20 22:56:02 So you really want a cardano to have the same value as a diamond.
Mar 20 22:56:08 right.
Mar 20 22:56:15 or as whatever it is meant to protect
Mar 20 22:56:21 whether diamond or dirt
Mar 20 22:56:29 this is the purchaser's concern, not mine.
Mar 20 22:56:55 you said, if someone wants to keep it in a safe they can do so
Mar 20 22:57:01 certainly.
Mar 20 22:57:13 i would not undertake to supply the safe.
Mar 20 22:57:22 because there are other people who specialize in the matter of safes.
Mar 20 22:57:37 nor will i offer to supply a house in which to keep the safe, etc.
Mar 20 22:57:40 would you include functionality for a password folder on the USB mass storage device - and if they physically create ".password" as a folder and put a password in, it will be used symmetrically and then deleted every time it is unplugged? (requiring the user to recreate it to work)
Mar 20 22:57:59 this is a terrible idea, for reasons that i have already explained.
Mar 20 22:58:13 if you disagree, you are welcome to construct and market a device which behaves this way.
Mar 20 22:58:16 The problem is that users can't create a safe physically.
Mar 20 22:58:19 no
Mar 20 22:58:27 but users cannot actually create a safe as you suggest.
Mar 20 22:58:33 why not?
Mar 20 22:58:40 safes are sold in every part of the world
Mar 20 22:58:51 of whatever quality your budget and space constraints permit
Mar 20 22:59:01 Because it would work at a physical level (put the cardano in a safe) - that can be cracked physically. It wouldn't work at the cryptographic level (use a symmetric key that gets discarded on powerdown)
Mar 20 22:59:27 the former is insecure. a physical safe isn't secure, for anything, ever. (In a cryptographic sense.)
Mar 20 22:59:33 if you are not familiar with 'memory remanence', i suggest that you read about it.
Mar 20 22:59:38 google 'cold boot attack'
Mar 20 22:59:48 I've heard of these yes
Mar 20 23:00:12 or, more simply, the scenario with a portable battery patched into the power supply of an operating cardano that is to be lifted.
Mar 20 23:00:33 why would you need that, if you have access to the cardano plugged into a pc?
Mar 20 23:01:07 by the way any safe a user could buy is easier to crack than getting cold boot attack working.
Mar 20 23:01:25 both are fairly simple in practice.
Mar 20 23:01:38 Maybe. But at the moment only the former is possible for the user.
Mar 20 23:01:56 the point, which i am failing to explain to you, is that there is a deliberate emphasis on the catastrophic nature of losing physical control of cardano.
Mar 20 23:01:56 they would have to write their own firmware to use a symmetric key if they wanted that, against your wishes.
Mar 20 23:02:26 okay
Mar 20 23:02:30 anyone who wishes can load his own firmware into the device - or, for that matter, construct a similar - or different - device which serves the same purpose.
Mar 20 23:03:03 he could, hypothetically, even sell it as 'cardano' and in practice i would be quite powerless to stop him
Mar 20 23:03:16 I think mirceau might not be :)
Mar 20 23:03:19 perhaps
Mar 20 23:03:22 if he has a whole PR person
Mar 20 23:03:37 but the buyer will have a rather easy time determining whether his unit is the genuine article.
Mar 20 23:03:49 ok
Mar 20 23:04:07 you bring up a really good point
Mar 20 23:04:14 so I see where your design decision comes from
Mar 20 23:04:20 glad to hear it.
Mar 20 23:04:44 it would be interesting to know whether there is anything that could be subtly added
Mar 20 23:04:47 i do not begrudge people some explanation of the how/why of the design, if they seem interested.
Mar 20 23:04:49 maybe not though
Mar 20 23:04:58 sure, it makes sense
Mar 20 23:05:39 btw how long do cold boot attacks last in your opinion?
Mar 20 23:06:39 this subject is beaten to death in the literature
Mar 20 23:06:44 google.
Mar 20 23:06:54 or, if you wish, experiment personally
Mar 20 23:07:10 ('canned air' duster will work as a freezer)
Mar 20 23:07:33 ok
Mar 20 23:08:33 i should note that if you wish to converse at length with me, i prefer email (unlike mp, who is partial to real-time chat)
Mar 20 23:08:42 my site contains an addr.
Mar 20 23:08:44 I will think a bit more about this design decision and see if there is any way to increase the benefits. For example, in your Soviet Submarine example, perhaps there can still be a choice between a feedback loop that makes a meltdown possible, or if it's not going to actually happen for some reason that is still very uncomfortable.
Mar 20 23:08:53 no it's fine
Mar 20 23:08:57 this has been a fine chat
Mar 20 23:09:11 i hope that i have taught you something useful.
Mar 20 23:09:24 you have good thoughts, though I'm not quite through to your exact solution. I think there is more to be discovered that meets BOTH your design constraints, and some other things.
Mar 20 23:09:41 but you have very good constraints for starters. you've chosen them very well
Mar 20 23:10:47 I'll see you next time. later*
Mar 20 23:10:56 good night
**** BEGIN LOGGING AT Sun Mar 23 13:29:50 2014
Mar 23 13:29:50 I have some more questions :)
Mar 23 13:30:04 do you think when you sell the Cardano you will keep a customer list? i.e. know who you've shipped to?
Mar 23 13:30:09 ask them in the channel plz
Mar 23 13:30:14 i do so hate repeating things
Mar 23 13:30:16 nah, they're very trollish at the moment
Mar 23 13:30:21 I mean in general
Mar 23 13:30:31 I will probably leave the channel, possibly I'll be back in a few months under a different nick.
Mar 23 13:31:04 I've done that before (in #startups) where originally I had a terrible, trollish reception but then everyone is fine. I'm good friends with them (for IRC), including rmah from there.
Who had been extremely trollish with me under an earlier nick.
Mar 23 13:31:35 so I don't hold it against people if they are trollish. It just comes with the Internet.
Mar 23 13:32:54 The reason I ask about customer lists is because it is another vector. It is quite interesting if there is a list "These 1,000 people have bought a Cardano and in stock configuration categorically it is equivalent to their bare plaintext private key. Here is where they live."
Mar 23 13:33:14 I wonder if you plan on mitigating that
Mar 23 13:33:20 what do you think the answer is.
Mar 23 13:35:59 I think the answer must be yes, as it is very difficult to ship a physical product without leaving traces EVERYWHERE - from postal tracking information (after you send parcels) to payment linked to shipping, etc. If you take shipping details it is a bit silly to think of it as being destroyed, while considering that you can still actually ship the parcels. It would be in the database of your courier company under your account, as well.
Mar 23 13:36:16 So overall I would think your answer is, "Yes, they should assume we have that information. They have to trust us."
Mar 23 13:36:16 this is a question for mp, not for me.
Mar 23 13:36:25 oh
Mar 23 13:36:30 I thought you did the security architecture?
Mar 23 13:36:30 write to him, he'll answer, if he feels like it.
Mar 23 13:37:21 btw here is an interesting article - http://maxtaco.github.io/bitcoin/2014/01/16/how-jason-bourne-stores-his-bitcoin/ I wonder how you feel about it. It was just discussed here:
Mar 23 13:37:26 you perhaps notice that the project has more than one person.
Mar 23 13:37:36 i do certain things; mp, other things; yet other people - do what remains
Mar 23 13:37:39 I thought you said that in the main you developed it with MP.
Mar 23 13:37:44 correct
Mar 23 13:37:53 you also told me he does sales and marketing.
Mar 23 13:38:59 Well, so far I haven't discussed security design details of Cardano with him.
When I discussed this briefly in-channel, he didn't contribute thoughts. (On the other hand some people, e.g. benkay, were annoyed.)
Mar 23 13:39:21 try to understand why they were annoyed.
Mar 23 13:40:08 Probably just their impression. Like I said, I have a good relationship in another channel with others, yet if I came in with an earlier nick I no longer use, they would become trolls. It's just impressions.
Mar 23 13:41:26 For example, I've seen MP actively troll (in my opinion) the ughlol person, through to writing an article on it. In the same amount of effort, a rape whistle app (if it works, he says he has tested the volume of mobile phones and can annoy people with them) could have been submitted to the app store and downloaded 50,000 times. It's a big pain point/problem in India. It would also let some men "white knight" and help rescue a person in trouble, which some men are interested in doing.
Mar 23 13:42:25 So it is a very real problem. He has a solution he's tested. It is marketable today, in under a week. Rather than help this 19 year old do so (and could have bought an option for half his company for $10,000, the option would have cost $1) they chose (from what I understand) to troll him.
Mar 23 13:42:36 I wasn't in channel at that time, though.
Mar 23 13:43:25 I think people online have a propensity to become trolls, and this needs to be actively dealt with or handled.
Mar 23 13:43:57 let me teach you a russian saying - 'one oughtn't come with one's own vows to another man's monastery.'
Mar 23 13:44:15 you came to the channel, and to you it seems like a broken, perverted version of the world you're accustomed to
Mar 23 13:44:24 because it is different. but it isn't broken.
Mar 23 13:44:50 try to understand this. it will save you much headache.
Mar 23 13:45:44 if you want to actually have conversations with folks in #btca, vs. mere flamefests, try to figure out why you end up setting off everybody's immune system.
Mar 23 13:57:59 Yes.
Mar 23 13:58:07 I understand this.
Mar 23 13:58:14 Probably because it is a much lower-volume channel than I was used to.
Mar 23 13:58:26 I didn't realize how few people are in it (same people all the time) as compared with, for example, #bitcoin
Mar 23 13:59:56 At any rate given my previous experience of this I would probably just come back in a few months under a different nick. I suppose I can mention at that time that I was in before.
Mar 23 15:19:47 I've thought more about your arguments, and the thing that tips it in favor of a default passphrase on the private key is the vector from your side. There is no way to keep your or MP's account with the shipping company from locating all the addresses you've shipped Cardanos to. It is a VAST difference whether thieves know that those are unencrypted, or encrypted with a passphrase. Yes, they can still get around the passphrase, but they're not just going to randomly start visiting people hoping to find a live Cardano that is still plugged in. Cold booting attacks are possible to work around by rewriting the memory 35x.
Mar 23 15:21:22 so it is a vast difference between saying "these 2000 addresses possess a totally unprotected cardano" and "these 2000 addresses possess a cardano with a passphrase." That is a totally different level of vector.
Mar 23 15:22:27 It's also the reason that servers are supposed to store only hashes of passwords, not the passwords. There is a vast difference between "we are storing 20,000 passwords in the clear - get them and you can access any of those accounts" and "we are storing 20,000 hashes of passwords. Getting them won't tell you the password, you still have to break our authentication method as well."
Mar 23 16:43:06 * ninjashogun has quit (Disconnected by services)