Author Topic: Crypto Skeptics Thread  (Read 34625 times)

Travis

  • Magnum Stache
  • ******
  • Posts: 4311
  • Location: California
Re: Crypto Skeptics Thread
« Reply #100 on: January 30, 2018, 06:20:45 PM »
Zuckerberg has said "no thanks" to crytpo-currency advertising.

https://www.cnbc.com/2018/01/30/facebook-ban-on-bitcoin-ads-latest-in-very-bad-day-for-cryptocurrencies.html


If you go on FB and click on the "trending" headlines pertaining to this announcement, peruse the various retweets and links to this story.  It'll make you quickly lose your faith in humanity. 

Apparently the Zionist Liberal Fat Cat Banksters pressured Mark to keep you from getting wealthy!  Apparently the currency that is to take over from the "petro-dollar" is being suppressed and requires FB advertising in order to succeed. 

And that's not hyperbole, those are the words thrown about on FB today to explain who is to blame for this development.

Ben Hogan

  • Stubble
  • **
  • Posts: 128
  • Location: Texas
Re: Crypto Skeptics Thread
« Reply #101 on: February 06, 2018, 08:10:19 AM »
There are alot of areas Crypto can help, I am just not sure Bitcoin is the one that can solve those problems. As a matter of a fact, this might usher in a new era of standardization between banks to adopt a common transfer platform like zello. So there should be some company that can emerge out of this like a Xapo exchange and transfer platform.

The only part I havnt figured out is whether a Crypto can be allowed to fluctuate. If there is too much volativity then it's not good for a storage of value, and that defeats the purpose of countering volatility of gov backed fiat's.

PDXTabs

  • Walrus Stache
  • *******
  • Posts: 5160
  • Age: 41
  • Location: Vancouver, WA, USA
Re: Crypto Skeptics Thread
« Reply #102 on: February 25, 2018, 11:08:00 AM »

Surf

  • 5 O'Clock Shadow
  • *
  • Posts: 66
Re: Crypto Skeptics Thread
« Reply #103 on: March 01, 2018, 11:38:45 PM »
Good thread LAS. It's imperative to be aware of the risks, which will hopefully prevent speculation.

In addition to being skeptical of ICOs, which are mostly money grabs, in the event that you are trying to punt off some money on one:
beware that hackers will replicate an ICO webpage with ever-so-slightly different URL, or use forum links as bait, but change the deposit addresses.  Funds sent to the wrong address can never be recovered.

FINate

  • Magnum Stache
  • ******
  • Posts: 3321
Re: Crypto Skeptics Thread
« Reply #104 on: March 02, 2018, 08:48:04 AM »
Good thread LAS. It's imperative to be aware of the risks, which will hopefully prevent speculation.

In addition to being skeptical of ICOs, which are mostly money grabs, in the event that you are trying to punt off some money on one:
beware that hackers will replicate an ICO webpage with ever-so-slightly different URL, or use forum links as bait, but change the deposit addresses.  Funds sent to the wrong address can never be recovered.

I'll take it even further to the logical conclusion... One can avoid being ripped off in the crypto space by avoiding it entirely!

Seriously. Like asking which Ponzi scheme is the safest.

Surf

  • 5 O'Clock Shadow
  • *
  • Posts: 66
Re: Crypto Skeptics Thread
« Reply #105 on: March 02, 2018, 09:32:23 AM »
Good thread LAS. It's imperative to be aware of the risks, which will hopefully prevent speculation.

In addition to being skeptical of ICOs, which are mostly money grabs, in the event that you are trying to punt off some money on one:
beware that hackers will replicate an ICO webpage with ever-so-slightly different URL, or use forum links as bait, but change the deposit addresses.  Funds sent to the wrong address can never be recovered.

I'll take it even further to the logical conclusion... One can avoid being ripped off in the crypto space by avoiding it entirely!

Yup. 
ICOs are a financial blight:
https://blockgeeks.com/guides/why-most-icos-will-fail/

They may eventually produce a couple gems, but the odds of picking the gems(if they even materialize) are so small that it's like playing the lottery.

Traditional markets have no shortage of wildly volatile, misunderstood mechanisms too:
https://www.vox.com/business-and-finance/2018/2/27/17014082/market-crash-inverse-volatility-vix-xiv-svxy

Everyone needs to do their homework and avoid things that are too good to be true.
It's a (financially) dangerous world out there.

Scandium

  • Magnum Stache
  • ******
  • Posts: 2917
  • Location: EastCoast
Re: Crypto Skeptics Thread
« Reply #106 on: March 21, 2018, 08:00:34 AM »
Let's keep the news going. TIL:
-There's a conference for bitcoin believers/enthusiasts
-It does not accept bitcoin

http://www.businessinsider.com/bitcoin-conference-stops-accepting-bitcoin-network-fees-congestion-2018-1

"The North American Bitcoin Conference will be held in Miami on January 18-19, with last minute tickets going for $1,000 a pop. But would-be attendees can no longer pay for a ticket in bitcoin or in any other cryptocurrencies.


seattlecyclone

  • Walrus Stache
  • *******
  • Posts: 7375
  • Age: 39
  • Location: Seattle, WA
    • My blog
Re: Crypto Skeptics Thread
« Reply #107 on: March 21, 2018, 03:34:46 PM »
Apparently someone decided to encode a child porn image on the Bitcoin blockchain, meaning everyone who runs a full node has unknowingly been in possession of child porn for some time.

sol

  • Walrus Stache
  • *******
  • Posts: 8433
  • Age: 47
  • Location: Pacific Northwest
Re: Crypto Skeptics Thread
« Reply #108 on: March 21, 2018, 06:39:35 PM »
Apparently someone decided to encode a child porn image on the Bitcoin blockchain, meaning everyone who runs a full node has unknowingly been in possession of child porn for some time.

Are we supposed to act surprised that cryptography has been used for child pornography?  Cryptography was practically invented for child pornography. 

Bunch of computer nerds sitting around saying "how do we send secret information back and forth in a way that the cops can't see what we're doing?"  Sure, maybe they're plotting to overthrow a dictator, but by the numbers they're far more likely to be up to something nefarious and illegal.
« Last Edit: March 21, 2018, 06:57:53 PM by sol »

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #109 on: March 23, 2018, 09:42:48 AM »
Apparently someone decided to encode a child porn image on the Bitcoin blockchain, meaning everyone who runs a full node has unknowingly been in possession of child porn for some time.

Are we supposed to act surprised that cryptography has been used for child pornography?  Cryptography was practically invented for child pornography. 

Bunch of computer nerds sitting around saying "how do we send secret information back and forth in a way that the cops can't see what we're doing?"  Sure, maybe they're plotting to overthrow a dictator, but by the numbers they're far more likely to be up to something nefarious and illegal.

Lol what? Cryptography is also necessary for little things like "communicating with your bank" and "telling your soldiers what they're supposed to do" (the actual reason cryptography was invented). There are lots of reasons to be skeptical of cryptocurrencies, but "cryptography is inherently evil" isn't one of them.

sol

  • Walrus Stache
  • *******
  • Posts: 8433
  • Age: 47
  • Location: Pacific Northwest
Re: Crypto Skeptics Thread
« Reply #110 on: March 23, 2018, 10:21:07 AM »
There are lots of reasons to be skeptical of cryptocurrencies, but "cryptography is inherently evil" isn't one of them.

It's not that cryptography itself is evil, it's that applying it to financial transactions is evil.

I agree that there are legitimate (governmental and sometimes corporate) uses for encryption.  Legitimate and legal private individual uses are harder to think of. 

appleshampooid

  • Bristles
  • ***
  • Posts: 305
  • Relentless Snacker
Re: Crypto Skeptics Thread
« Reply #111 on: March 23, 2018, 10:39:27 AM »
There are lots of reasons to be skeptical of cryptocurrencies, but "cryptography is inherently evil" isn't one of them.

It's not that cryptography itself is evil, it's that applying it to financial transactions is evil.

I agree that there are legitimate (governmental and sometimes corporate) uses for encryption.  Legitimate and legal private individual uses are harder to think of.
What the fuck are you smoking, man? Look at the address bar of the website you are currently visiting. "https://forum.mr...."

That little 's' after the 'http' indicates this website is using encryption. All requests from your computer to the server are encrypted across the internet so as to make them more difficult to intercept and read. This is standard practice for almost any website anywhere.

You don't see any legitimate reason for a private individual to have secure, confidential communication with another private individual? That is insanity.

sol

  • Walrus Stache
  • *******
  • Posts: 8433
  • Age: 47
  • Location: Pacific Northwest
Re: Crypto Skeptics Thread
« Reply #112 on: March 23, 2018, 10:56:30 AM »
You don't see any legitimate reason for a private individual to have secure, confidential communication with another private individual?

Encryption that the government can't break?  No.  https is very breakable.

I think of it like a deadbolt for your front door.  I like deadbolts.  I have deadbolts.  I use them to lock my house to deter robbers and murderers and whatnot, but I understand and accept that the US military can bring a breaching team to my door and storm my house, if they want to.  I do not want a perfectly impenetrable deadbolt on my door, because I recognize the necessity of my home being invadable.  Yours too.

If I'm organizing a terrorist cell.  If I'm running a child sex slave ring.  If I'm torturing animals, laundering money, building bombs, planning a school shooting, heck even if I'm evading taxes.  The government has a right and an obligation to seek out and stop criminal activity, and a perfect deadbolt on my house's front door would give me free reign to break any law, at any time, for any reason.  If you made every single person's house totally impenetrable with perfect deadbolts, civilization would collapse.  The social contract would be voided.  No one would be accountable, and laws would have no meaning.

Perfect encryption in the hands of private citizens is like a a perfect deadbolt.  I want the US military to have perfect deadbolts, because they have a chain of command that ends with a democratic electorate and foreign competitors they need to keep out, but I don't want every rando in the US to have one.  For identical reasons, I'm okay with the US government having perfect encryption.  But for us normal citizens, the ones who can use it to break laws, I want that encryption to be a useful deterrent to thieves and murderers but not so good that it can be used to protect child pornographers and terrorists from arrest and prosecution by our government. 

Ultimately you have to put your faith in democracy, not privacy.  It's no coincidence that the hardcore crypto community is mostly anarchists.

appleshampooid

  • Bristles
  • ***
  • Posts: 305
  • Relentless Snacker
Re: Crypto Skeptics Thread
« Reply #113 on: March 23, 2018, 11:05:30 AM »
You don't see any legitimate reason for a private individual to have secure, confidential communication with another private individual?

Encryption that the government can't break?  No.  https is very breakable.

I think of it like a deadbolt for your front door.  I like deadbolts.  I have deadbolts.  I use them to lock my house to deter robbers and murderers and whatnot, but I understand and accept that the US military can bring a breaching team to my door and storm my house, if they want to.  I do not want a perfectly impenetrable deadbolt on my door, because I recognize the necessity of my home being invadable.  Yours too.

If I'm organizing a terrorist cell.  If I'm running a child sex slave ring.  If I'm torturing animals, laundering money, building bombs, planning a school shooting, heck even if I'm evading taxes.  The government has a right and an obligation to seek out and stop criminal activity, and a perfect deadbolt on my house's front door would give me free reign to break any law, at any time, for any reason.  If you made every single person's house totally impenetrable with perfect deadbolts, civilization would collapse.  The social contract would be voided.  No one would be accountable, and laws would have no meaning.

Perfect encryption in the hands of private citizens is like a a perfect deadbolt.  I want the US military to have perfect deadbolts, because they have a chain of command that ends with a democratic electorate and foreign competitors they need to keep out, but I don't want every rando in the US to have one.  For identical reasons, I'm okay with the US government having perfect encryption.  But for us normal citizens, the ones who can use it to break laws, I want that encryption to be a useful deterrent to thieves and murderers but not so good that it can be used to protect child pornographers and terrorists from arrest and prosecution by our government. 

Ultimately you have to put your faith in democracy, not privacy.  It's no coincidence that the hardcore crypto community is mostly anarchists.
Ok. Our worldviews are sufficiently different that it is not worth engaging in further discussion on this topic. Cheers.

sol

  • Walrus Stache
  • *******
  • Posts: 8433
  • Age: 47
  • Location: Pacific Northwest
Re: Crypto Skeptics Thread
« Reply #114 on: March 23, 2018, 11:09:10 AM »
Our worldviews are sufficiently different that it is not worth engaging in further discussion on this topic.

You are never obligated to engage, with me or anyone else on the forum.

How do you feel about cryptography being used to distribute child pornography, like the bitcoin blockchain recently was?  Are you okay with accepting the exploitation of children in exchange for whatever perceived benefit bitcoin provides to society?

GuitarStv

  • Senior Mustachian
  • ********
  • Posts: 24011
  • Age: 43
  • Location: Toronto, Ontario, Canada
Re: Crypto Skeptics Thread
« Reply #115 on: March 23, 2018, 11:09:47 AM »
You don't see any legitimate reason for a private individual to have secure, confidential communication with another private individual?

Encryption that the government can't break?  No.  https is very breakable.

I think of it like a deadbolt for your front door.  I like deadbolts.  I have deadbolts.  I use them to lock my house to deter robbers and murderers and whatnot, but I understand and accept that the US military can bring a breaching team to my door and storm my house, if they want to.  I do not want a perfectly impenetrable deadbolt on my door, because I recognize the necessity of my home being invadable.  Yours too.

If I'm organizing a terrorist cell.  If I'm running a child sex slave ring.  If I'm torturing animals, laundering money, building bombs, planning a school shooting, heck even if I'm evading taxes.  The government has a right and an obligation to seek out and stop criminal activity, and a perfect deadbolt on my house's front door would give me free reign to break any law, at any time, for any reason.  If you made every single person's house totally impenetrable with perfect deadbolts, civilization would collapse.  The social contract would be voided.  No one would be accountable, and laws would have no meaning.

Perfect encryption in the hands of private citizens is like a a perfect deadbolt.  I want the US military to have perfect deadbolts, because they have a chain of command that ends with a democratic electorate and foreign competitors they need to keep out, but I don't want every rando in the US to have one.  For identical reasons, I'm okay with the US government having perfect encryption.  But for us normal citizens, the ones who can use it to break laws, I want that encryption to be a useful deterrent to thieves and murderers but not so good that it can be used to protect child pornographers and terrorists from arrest and prosecution by our government. 

Ultimately you have to put your faith in democracy, not privacy.  It's no coincidence that the hardcore crypto community is mostly anarchists.

This is like the whole iPhone problem.  Law enforcement seizes iPhones from terrorists, but can't break the encryption.  So they want apple to add in a back door for them.  Apple refuses because they know that once a back door has been added, it's just a matter of time until a hacker breaks into it, thereby making every phone they sell poorly encrypted for all the legitimate uses you have for a phone.  Either encryption is shit, or it's great.  There's no real middle ground.

I don't know if you can put the cryptocurrency cat back in the bag at this point.

sol

  • Walrus Stache
  • *******
  • Posts: 8433
  • Age: 47
  • Location: Pacific Northwest
Re: Crypto Skeptics Thread
« Reply #116 on: March 23, 2018, 11:26:19 AM »
Either encryption is shit, or it's great.  There's no real middle ground.

In practice, the "middle ground" for the past decade is for the US government to exploit unknown weaknesses in encryption that is otherwise pretty good.  With enough resources (say, siphoning up the entire internet for data mining of texts and emails) you can work around crypto that is good enough for banks and corporations, but still catch terrorists.  Eventually, hackers will figure out what Uncle Sam already knows, but so far Uncle has been keeping ahead of the hackers on most fronts.  In most recent cases I think it's been end-runs around the encryption (like going in through the window when the house has a perfect deadbolt) rather than picking the deadbolt lock.

And as we learned last month, every CPU in the entire world has a speculative execution memory fault that basically voids all encryption, if exploited properly.  I have no idea if the US military had already developed tools to exploit this weakness, but I think they'd be remiss if they hadn't developed them by now, a month after public release.  This is what your tax dollars are for.
« Last Edit: March 23, 2018, 11:52:09 AM by sol »

Stimpy

  • Bristles
  • ***
  • Posts: 279
  • Age: 40
  • Location: Middle of Nowhere
Re: Crypto Skeptics Thread
« Reply #117 on: March 23, 2018, 11:40:02 AM »
You don't see any legitimate reason for a private individual to have secure, confidential communication with another private individual?

Encryption that the government can't break?  No.  https is very breakable.

I think of it like a deadbolt for your front door.  I like deadbolts.  I have deadbolts.  I use them to lock my house to deter robbers and murderers and whatnot, but I understand and accept that the US military can bring a breaching team to my door and storm my house, if they want to.  I do not want a perfectly impenetrable deadbolt on my door, because I recognize the necessity of my home being invadable.  Yours too.

If I'm organizing a terrorist cell.  If I'm running a child sex slave ring.  If I'm torturing animals, laundering money, building bombs, planning a school shooting, heck even if I'm evading taxes.  The government has a right and an obligation to seek out and stop criminal activity, and a perfect deadbolt on my house's front door would give me free reign to break any law, at any time, for any reason.  If you made every single person's house totally impenetrable with perfect deadbolts, civilization would collapse.  The social contract would be voided.  No one would be accountable, and laws would have no meaning.

Perfect encryption in the hands of private citizens is like a a perfect deadbolt.  I want the US military to have perfect deadbolts, because they have a chain of command that ends with a democratic electorate and foreign competitors they need to keep out, but I don't want every rando in the US to have one.  For identical reasons, I'm okay with the US government having perfect encryption.  But for us normal citizens, the ones who can use it to break laws, I want that encryption to be a useful deterrent to thieves and murderers but not so good that it can be used to protect child pornographers and terrorists from arrest and prosecution by our government. 

Ultimately you have to put your faith in democracy, not privacy.  It's no coincidence that the hardcore crypto community is mostly anarchists.

Where have I heard that exact argument before.....  oh yea for EVERY FREAKING THING that those in power (or super rich) don't want the "Average" person to have access to.  (See the history of Crossbows and Guns for a start and watch it avalanche from there.)  Please get a less weak argument.   (Won't say it isn't true though.)

Don't get me wrong, I (and everyone else) gets your point.  There are things the average citizen should not have access to.  But you can't keep them locked up forever.  Hell if you had the cash and the drive you could probably get a Nuke or the materials to make the nuke, if nothing else.   The real question you should be asking is why do we need these things.  If the answer is cause the other guy could use it on me, your doing it wrong.   (Also that usually is the answer.  Sorry!)
 
To my knowledge, there is no "Perfect" encryption.  We can make it VERY VERY (etc) hard to crack, but not impossible.  If we ever figure out the prefect encryption, which I doubt we will, well I almost guarantee someone, some where will make it available for the "rando" person cause $Profit$.  You know that as well as I do.

As for Crypto/bitcoin technology (Which at this point, are interesting but that is about it.) yes, people will use them for good and bad things.  Fire (you know that AMAZING invention) was the same way.  It could keep you warm, cook your food, or it could burn you or others to death, yet it's still here.  I am sure the technology behind cryptos will do very interesting things.  Will it change lives?  Maybe, we haven't gotten there yet.  But until then yea we are going to see it used for possible good (The legit Western Union type cases, tracking of goods, etc, and bad (Terrorists, porn, etc)

Am I skeptical of the currency, hell yes. (Full disclosure I have played with it in the past but I fully understood the risks.)  The tech behind it, not as much.  Just takes time to figure out what we can do with it other then trade fantasy coins.

scottish

  • Magnum Stache
  • ******
  • Posts: 2727
  • Location: Ottawa
Re: Crypto Skeptics Thread
« Reply #118 on: March 23, 2018, 04:02:08 PM »
Sol, why do you say https is breakable?

sol

  • Walrus Stache
  • *******
  • Posts: 8433
  • Age: 47
  • Location: Pacific Northwest
Re: Crypto Skeptics Thread
« Reply #119 on: March 23, 2018, 06:18:03 PM »
Sol, why do you say https is breakable?

Because it's been hacked like ten different ways?  Go ahead and google "https hacked" and read all about it. 
« Last Edit: March 23, 2018, 06:19:55 PM by sol »

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #120 on: March 24, 2018, 06:57:08 AM »
You don't see any legitimate reason for a private individual to have secure, confidential communication with another private individual?

Encryption that the government can't break?  No.  https is very breakable.

I think of it like a deadbolt for your front door.  I like deadbolts.  I have deadbolts.  I use them to lock my house to deter robbers and murderers and whatnot, but I understand and accept that the US military can bring a breaching team to my door and storm my house, if they want to.  I do not want a perfectly impenetrable deadbolt on my door, because I recognize the necessity of my home being invadable.  Yours too.

If I'm organizing a terrorist cell.  If I'm running a child sex slave ring.  If I'm torturing animals, laundering money, building bombs, planning a school shooting, heck even if I'm evading taxes.  The government has a right and an obligation to seek out and stop criminal activity, and a perfect deadbolt on my house's front door would give me free reign to break any law, at any time, for any reason.  If you made every single person's house totally impenetrable with perfect deadbolts, civilization would collapse.  The social contract would be voided.  No one would be accountable, and laws would have no meaning.

Perfect encryption in the hands of private citizens is like a a perfect deadbolt.  I want the US military to have perfect deadbolts, because they have a chain of command that ends with a democratic electorate and foreign competitors they need to keep out, but I don't want every rando in the US to have one.  For identical reasons, I'm okay with the US government having perfect encryption.  But for us normal citizens, the ones who can use it to break laws, I want that encryption to be a useful deterrent to thieves and murderers but not so good that it can be used to protect child pornographers and terrorists from arrest and prosecution by our government. 

No, you're wrong. I assume you're not a programmer. I am.

There is no such thing as a backdoor that only the government can use. If you bother to look you'll see that several of the most significant security problems in recent history were discovered by (or created by) the government first, used "for national security purposes" instead of fixed, and then eventually leaked (or reverse-engineered) by the bad guys for their own nefarious purposes. Either crypto works, and it's possible to have private and secure communications over the internet, or it doesn't, and the bad guys will eventually figure out ways to get in to everything. Yes, like any tool it can be used for good or evil. Cryptography does in fact make the FBI's life harder when they are trying to prosecute child pornographers (not impossible, just harder). But it really truly is a choice between that and giving up on this whole "computer" business and going back to in-person paper-based transactions.  And if the FBI and other agencies weren't so blatant and relentless in their desire to undermine and circumvent the fourth amendment I might feel a little bit sorry for them, but I'm not.

Ultimately you have to put your faith in democracy, not privacy.  It's no coincidence that the hardcore crypto community is mostly anarchists.

Privacy from the government - according to our constitution - is a fundamental human right that can only be abridged by a judge granting a sufficiently narrow search warrant that is necessitated by the situation and evidence. Even if a search warrant is granted it is permission to search, not a guarantee to find. There are plenty of other levers the government can and does employ to find and prosecute the bad guys. If the government "requires" us to give up our fundamental human rights in order to "ensure our safety" in the safest period of all human history, then it's no longer a government worth keeping. That's not anarchy, that's "fundamentals of America 101".

Edit to say: privacy from the government is also a fundamental requirement for a functioning democracy. Unless of course you want "purge everyone who disagrees with me" Trumpian-type politicians to have a complete list of who voted for them and who didn't. Privacy is no different and no less fundamental just because we're talking about the internet and not the ballot box.
« Last Edit: March 24, 2018, 07:27:15 AM by sherr »

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #121 on: March 24, 2018, 08:19:03 AM »


Privacy from the government - according to our constitution - is a fundamental human right that can only be abridged by a judge granting a sufficiently narrow search warrant that is necessitated by the situation and evidence.

Which part of the constitution says anything about privacy being a fundamental human right?  The fourth amendment is directed to searches and seizures and enumerates a list of places and things that are to be secure against unreasonable searches and seizures.

Perhaps you are referring to constitutional interpretation instead?  If that is the case, then yes, there have been Supreme Court cases which have interpreted a right to privacy in certain circumstances.

Further, the constitution does not prescribe any remedy for a infringement of fourth amendment rights.  The remedy to violations of fourth amendment rights have been judicially created.

I guess I don't understand why you think "right to privacy from the government" and "right to be secure against unreasonable searches and seizures" are different. I am using the terms to mean the same thing. I've openly admitted that the right to privacy is not absolute and can be abridged by a search warrant. The right for you to keep your personal effects secure from unreasonable searches from the government is the right to keep them... private from the government.

sol

  • Walrus Stache
  • *******
  • Posts: 8433
  • Age: 47
  • Location: Pacific Northwest
Re: Crypto Skeptics Thread
« Reply #122 on: March 24, 2018, 08:24:58 AM »
No, you're wrong. I assume you're not a programmer. I am.

Unless you have some numbers to back up that claim, I'm going to assume we're talking about your opinion vs my opinion.  In which case nobody is ever really "wrong".  Wrong is something you can prove with an equation, everything else is subjective.

Quote
If you bother to look you'll see that several of the most significant security problems in recent history were discovered by (or created by) the government first, used "for national security purposes" instead of fixed, and then eventually leaked (or reverse-engineered) by the bad guys

Yes, I'm well aware.  I like this system.  I think it provides the best of both worlds, because it offers relatively good security from almost everyone, but still doesn't protect criminals from the government.  Just like virtually everything else we rely for security.

Quote
Either crypto works, and it's possible to have private and secure communications over the internet, or it doesn't, and the bad guys will eventually figure out ways to get in to everything.

I disagree with this statement, coming from your or from GSV.  Lots of crypto is good unless you have physical access to the device or complete capture of network traffic, which are both cases in which the government can hack you but I cannot.  Because the government has the right to seize all of your physical property, and listen in on all internet communications (encrypted or otherwise).

Quote
Privacy from the government - according to our constitution - is a fundamental human right

I think you must have failed civics.  Because every college sophomore in the US knows that the "right to privacy" isn't explicitly in the Constitution anywhere, and is only loosely supported by one possible interpretive reading of various unrelated sections.  We WANT there to be a right to privacy, but the Constitution doesn't provide it.

And even if it did, it would still be limited.  You don't have an unabridged right to free speech when shouting fire in a crowded theater, and you don't have an unabridged right to bear arms if you want to collect nukes or artillery.  All Constitutional rights are necessarily limited, and even if privacy was an enumerated right I'm pretty sure "I rape children on live internet video feeds" would be a sufficient reason to have your privacy revoked by the government.

Quote
Privacy is no different and no less fundamental just because we're talking about the internet and not the ballot box.

It's a key distinction, and the primary reason why we still vote with paper.  Electronic voting is inherently less secure, and less private, than paper voting.  Paper voting is also not really private either, in the sense that the government certainly can find out how you voted if they wanted to (stakeout, covert surveillance, interrogation, etc) if there were a reason to suspect your vote was somehow integral to a crime.  Like most forms of privacy, the best defense here is being uninteresting. 

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #123 on: March 24, 2018, 09:00:28 AM »
Quote
Either crypto works, and it's possible to have private and secure communications over the internet, or it doesn't, and the bad guys will eventually figure out ways to get in to everything.

I disagree with this statement, coming from your or from GSV.  Lots of crypto is good unless you have physical access to the device or complete capture of network traffic, which are both cases in which the government can hack you but I cannot.  Because the government has the right to seize all of your physical property, and listen in on all internet communications (encrypted or otherwise).

They have the right to try to listen in - if they obtain a search warrant, I agree and I've said so.

Quote
Privacy from the government - according to our constitution - is a fundamental human right

I think you must have failed civics.  Because every college sophomore in the US knows that the "right to privacy" isn't explicitly in the Constitution anywhere, and is only loosely supported by one possible interpretive reading of various unrelated sections.  We WANT there to be a right to privacy, but the Constitution doesn't provide it.

See my response to L.A.S directly above. This is a distinction without a difference.

And even if it did, it would still be limited.  You don't have an unabridged right to free speech when shouting fire in a crowded theater, and you don't have an unabridged right to bear arms if you want to collect nukes or artillery.  All Constitutional rights are necessarily limited, and even if privacy was an enumerated right I'm pretty sure "I rape children on live internet video feeds" would be a sufficient reason to have your privacy revoked by the government.

I agree and I've said so. And you don't have to get all emotionally manipulative about it, any reason that is sufficient for a judge to grant a search warrant is good enough for me. I still disagree that  cryptography as a discipline can ever have a "secure except the government can get in" provision. Cryptography is an exercise in applied mathematics, and as such it is one of the most black-and-white things in existence. Either it is secure, or it is not. If our government can break it then so can China and Russia and Google and Comcast and any number of other actors, and at least one person at one of those institutions will be willing to use the information they have access to for unethical / illegal / improper reasons.

Quote
Privacy is no different and no less fundamental just because we're talking about the internet and not the ballot box.

It's a key distinction, and the primary reason why we still vote with paper.  Electronic voting is inherently less secure, and less private, than paper voting.  Paper voting is also not really private either, in the sense that the government certainly can find out how you voted if they wanted to (stakeout, covert surveillance, interrogation, etc) if there were a reason to suspect your vote was somehow integral to a crime.  Like most forms of privacy, the best defense here is being uninteresting.

The old "if you have nothing to hide then you have nothing to fear" excuse. That's awfully interesting coming from someone that I know offhand from their previous post history:
1) Works somewhere in the federal government.
2) Is a Trump detractor.

Do you really think there is such a thing as "enough uninteresting"? Even if you think you personally are safe, don't you want journalists to be able to do their jobs? What about in countries where journalists run a very real risk of losing their life? Privacy from the government is important, now in the big-data information age more so than ever before.

appleshampooid

  • Bristles
  • ***
  • Posts: 305
  • Relentless Snacker
Re: Crypto Skeptics Thread
« Reply #124 on: March 24, 2018, 09:46:01 AM »
You don't see any legitimate reason for a private individual to have secure, confidential communication with another private individual?

Encryption that the government can't break?  No.  https is very breakable.

I think of it like a deadbolt for your front door.  I like deadbolts.  I have deadbolts.  I use them to lock my house to deter robbers and murderers and whatnot, but I understand and accept that the US military can bring a breaching team to my door and storm my house, if they want to.  I do not want a perfectly impenetrable deadbolt on my door, because I recognize the necessity of my home being invadable.  Yours too.

If I'm organizing a terrorist cell.  If I'm running a child sex slave ring.  If I'm torturing animals, laundering money, building bombs, planning a school shooting, heck even if I'm evading taxes.  The government has a right and an obligation to seek out and stop criminal activity, and a perfect deadbolt on my house's front door would give me free reign to break any law, at any time, for any reason.  If you made every single person's house totally impenetrable with perfect deadbolts, civilization would collapse.  The social contract would be voided.  No one would be accountable, and laws would have no meaning.

Perfect encryption in the hands of private citizens is like a a perfect deadbolt.  I want the US military to have perfect deadbolts, because they have a chain of command that ends with a democratic electorate and foreign competitors they need to keep out, but I don't want every rando in the US to have one.  For identical reasons, I'm okay with the US government having perfect encryption.  But for us normal citizens, the ones who can use it to break laws, I want that encryption to be a useful deterrent to thieves and murderers but not so good that it can be used to protect child pornographers and terrorists from arrest and prosecution by our government. 

No, you're wrong. I assume you're not a programmer. I am.

There is no such thing as a backdoor that only the government can use. If you bother to look you'll see that several of the most significant security problems in recent history were discovered by (or created by) the government first, used "for national security purposes" instead of fixed, and then eventually leaked (or reverse-engineered) by the bad guys for their own nefarious purposes. Either crypto works, and it's possible to have private and secure communications over the internet, or it doesn't, and the bad guys will eventually figure out ways to get in to everything. Yes, like any tool it can be used for good or evil. Cryptography does in fact make the FBI's life harder when they are trying to prosecute child pornographers (not impossible, just harder). But it really truly is a choice between that and giving up on this whole "computer" business and going back to in-person paper-based transactions.  And if the FBI and other agencies weren't so blatant and relentless in their desire to undermine and circumvent the fourth amendment I might feel a little bit sorry for them, but I'm not.

Ultimately you have to put your faith in democracy, not privacy.  It's no coincidence that the hardcore crypto community is mostly anarchists.

Privacy from the government - according to our constitution - is a fundamental human right that can only be abridged by a judge granting a sufficiently narrow search warrant that is necessitated by the situation and evidence. Even if a search warrant is granted it is permission to search, not a guarantee to find. There are plenty of other levers the government can and does employ to find and prosecute the bad guys. If the government "requires" us to give up our fundamental human rights in order to "ensure our safety" in the safest period of all human history, then it's no longer a government worth keeping. That's not anarchy, that's "fundamentals of America 101".

Edit to say: privacy from the government is also a fundamental requirement for a functioning democracy. Unless of course you want "purge everyone who disagrees with me" Trumpian-type politicians to have a complete list of who voted for them and who didn't. Privacy is no different and no less fundamental just because we're talking about the internet and not the ballot box.
Thank you. You made basically my argument much more eloquently than I could.

Bottom line - I don't trust the government. Sol does. Beginning with that trust or lack thereof changes the foundation of your opinions on cryptography and privacy.

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #125 on: March 24, 2018, 10:02:47 AM »
Thank you. You made basically my argument much more eloquently than I could.

Bottom line - I don't trust the government. Sol does. Beginning with that trust or lack thereof changes the foundation of your opinions on cryptography and privacy.

You're welcome, but I wouldn't say it's that simple. I mostly trust the government. But the government's power is not and should not be absolute. That's the whole point of our enumerated rights, to limit the government's power (and let's not forget the 10th Amendment, the "this is not a complete list of freedoms and if a power is not explicitly granted to the government you should assume it doesn't have it" Amendment). The government exists to serve the people, not vice versa. And "serve" primarily means "protect the rights and freedoms of", if it's not doing that then there's no point.

scottish

  • Magnum Stache
  • ******
  • Posts: 2727
  • Location: Ottawa
Re: Crypto Skeptics Thread
« Reply #126 on: March 24, 2018, 11:26:31 AM »
Sol, I'm having a little trouble reconciling something:

First your comments suggest that the commonly used crypto systems can be broken at will by the government.

Second the FBI periodically demands "adult conversations" about cryptography back doors.

If the government is able to break non-military crypto systems at will, why do they need back doors?    Or am I not understanding correctly?




Ben Hogan

  • Stubble
  • **
  • Posts: 128
  • Location: Texas
Re: Crypto Skeptics Thread
« Reply #127 on: March 24, 2018, 12:29:29 PM »
Https is not breakable by any easy means, government or private sector. The kevel of encryption we are at today will only be breakable years down thr line if moors law stays true.

The type of https decryption via man in the middle or commercial ssl decrption products will require the endpoint to be pwned in thr first place.

Your boring brown cissp.

Travis

  • Magnum Stache
  • ******
  • Posts: 4311
  • Location: California
Re: Crypto Skeptics Thread
« Reply #128 on: March 24, 2018, 04:15:45 PM »
Https is not breakable by any easy means, government or private sector. The kevel of encryption we are at today will only be breakable years down thr line if moors law stays true.

The type of https decryption via man in the middle or commercial ssl decrption products will require the endpoint to be pwned in thr first place.

Your boring brown cissp.

Military IT guy here. The only times I've seen https "broken" was when the computer on the receiving or sending end was already compromised by a virus or someone was at the ISP.  Even then all they could see was where the traffic was going, not what was in it.  The biggest vulnerability to https is if someone gains access to the server where the particular website certificate's private key is generated. That takes some effort, but it's not impossible. 

scottish

  • Magnum Stache
  • ******
  • Posts: 2727
  • Location: Ottawa
Re: Crypto Skeptics Thread
« Reply #129 on: March 24, 2018, 07:12:56 PM »
Yep, root certificate leaks are definitely a weak spot.

Many companies have proxy servers that mitm HTTPS.    Another big weak spot, especially if you're using the company's network for something personal.

sol

  • Walrus Stache
  • *******
  • Posts: 8433
  • Age: 47
  • Location: Pacific Northwest
Re: Crypto Skeptics Thread
« Reply #130 on: March 24, 2018, 07:36:14 PM »
They have the right to try to listen in - if they obtain a search warrant, I agree and I've said so.

You have made this point several times, so I'm sure you've thought this through.  With cryptography, THERE IS NO SEARCH WARRANT.  Perfect encryption equals immunity from criminal investigation.  The whole point of a government back door into common encryption programs is that the government and only the government, with a search warrant, can break the encryption.  Eventually the hackers figure out the back door and it has to get patched (and thus voided), so they try a different back door or other method of investigation.

I don't want to live in a world where perfect encryption is widely available, because that makes everyone immune from investigation.  Everyone could break the law.  You could launder mob money without any evidence.  You could distribute illegal photographs without any evidence.  You could buy or sell drugs or sex or slaves or murders without evidence.  You could evade taxes, sanctions, regulations, disclosure requirements etc. without evidence.  You can sell top secret military information to the Russians without evidence.  Perfect encryption perfectly hides information from anyone and everyone, and in an age when so much of our economy is information exchange, that power would allow you to commit a wide variety of criminal activity without evidence.  No thanks.

Just like the dead bolt on your front door, I think decent encryption should be good enough to be a sufficient deterrent to most people, but not perfectly impenetrable by the US military.  If you're doing something horrible behind that deadbolt, you should not be protected.

Quote
I agree and I've said so. And you don't have to get all emotionally manipulative about it, any reason that is sufficient for a judge to grant a search warrant is good enough for me.

THERE IS NO SEARCH WARRANT with encryption.  If you believe that there are cases in which the US government should be allowed to review your information, then we agree and you don't want perfectly impenetrably encryption either.  You just want the penetration to be restricted to cases where there is cause for a warrant, which is the exact scenario we currently have: the government uses a secret back door and everyone else gets kept out.  You know about FISA warrants, right?  Did you assume that "electronic surveillance" didn't include breaking encryption?

Quote
I still disagree that  cryptography as a discipline can ever have a "secure except the government can get in" provision. Cryptography is an exercise in applied mathematics, and as such it is one of the most black-and-white things in existence. Either it is secure, or it is not.

Well that's a gross simplification, isn't it?  A perfect deadbolt does not make your house secure, because a breaching team can come straight through the walls if they want to.  They can also peer through your windows or monitor you with cameras that see right through walls.  They can bug your phone or internet line at the junction, put a laser mic on your window glass, fly a drone over your airspace to keep tabs on who comes and goes 24/7, open all of your mail, bribe your bodyguard, and set up a perimeter and then set your house on fire ala David Koresh.  Encrypting your data stream, like a deadbolt, is only one kind of protection and ignores lots of other vectors.  Perfect encryption may seem black or white, but you only protect one single point of access.  Your privacy can and does get violated a thousand other ways.  The anarchist hard-on for cryptography as panacea has always seems woefully misplaced to me.

Quote
The old "if you have nothing to hide then you have nothing to fear" excuse.

That is definitely not the argument I am making.  Deliberately appearing to be uninteresting so as to not draw attention is a strategy you can employ to protect your privacy, and is probably more effective than putting up a big sign saying "I'm a billionaire criminal, hack me if you dare!" and then relying on your encryption.  See the difference?  It's not that I don't think anyone deserves any privacy, it's that you get more privacy by being smart than you do by relying on software.  If you draw enough eyeballs, eventually someone will find a way around your encryption.

Quote
That's awfully interesting coming from someone that I know offhand from their previous post history:
1) Works somewhere in the federal government.
2) Is a Trump detractor.

This is a straight up ad hominem attack and undeserving of this forum.  You can disagree with my arguments, and that's fine.  I will not attack you as a person and I request that you do the same.  Deal?

So disappointing.

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #131 on: March 24, 2018, 08:17:09 PM »
They have the right to try to listen in - if they obtain a search warrant, I agree and I've said so.

You have made this point several times, so I'm sure you've thought this through.  With cryptography, THERE IS NO SEARCH WARRANT.  Perfect encryption equals immunity from criminal investigation.  The whole point of a government back door into common encryption programs is that the government and only the government, with a search warrant, can break the encryption. 

But that's not what a search warrant entitles them to do. As a particularly relevant example, current legal thought is that you cannot be compelled to give them the combination to your safe. And as you correctly point out it largely doesn't matter for the government anyway. Once you are physical possession of the computer or have a complete record of the network traffic a lot more becomes possible. Not to mention things like server logs and other data that they can subpoena. And that's all as it should be, the government has the ability to prosecute criminals without "backdooring" encryption. And no they don't really have a backdoor now, or else they wouldn't throw such a hissy fit over Apple refusing to help them break into iPhones for example (Apple claims not to be able to, which is also as it should be). They may have found a flaw in Apple's security model and been able to break this particular phone, but that's a far cry from a general encryption backdoor that absolutely would break the internet that the FBI is so intent on demanding.

I don't want to live in a world where perfect encryption is widely available, because that makes everyone immune from investigation.  Everyone could break the law.  You could launder mob money without any evidence.  You could distribute illegal photographs without any evidence.  You could buy or sell drugs or sex or slaves or murders without evidence.  You could evade taxes, sanctions, regulations, disclosure requirements etc. without evidence.  You can sell top secret military information to the Russians without evidence.  Perfect encryption perfectly hides information from anyone and everyone, and in an age when so much of our economy is information exchange, that power would allow you to commit a wide variety of criminal activity without evidence.  No thanks.

You more or less live there now and the world has not ended. Humans are always the weak link when it comes to security. Criminals get caught because they screw up and do something dumb, not because the government supposedly has a magic crypto backdoor that allows them to unconditional access to all information.

Quote
I agree and I've said so. And you don't have to get all emotionally manipulative about it, any reason that is sufficient for a judge to grant a search warrant is good enough for me.

THERE IS NO SEARCH WARRANT with encryption.  If you believe that there are cases in which the US government should be allowed to review your information, then we agree and you don't want perfectly impenetrably encryption either.  You just want the penetration to be restricted to cases where there is cause for a warrant, which is the exact scenario we currently have: the government uses a secret back door and everyone else gets kept out.  You know about FISA warrants, right?  Did you assume that "electronic surveillance" didn't include breaking encryption?

Nope, I do want "perfectly impenetrable encryption", aka "actually working encryption". There is still plenty of other information the government can use to build a case and prosecute even with perfect encryption.

Quote
I still disagree that  cryptography as a discipline can ever have a "secure except the government can get in" provision. Cryptography is an exercise in applied mathematics, and as such it is one of the most black-and-white things in existence. Either it is secure, or it is not.

Well that's a gross simplification, isn't it?  A perfect deadbolt does not make your house secure, because a breaching team can come straight through the walls if they want to.  They can also peer through your windows or monitor you with cameras that see right through walls.  They can bug your phone or internet line at the junction, put a laser mic on your window glass, fly a drone over your airspace to keep tabs on who comes and goes 24/7, open all of your mail, bribe your bodyguard, and set up a perimeter and then set your house on fire ala David Koresh.  Encrypting your data stream, like a deadbolt, is only one kind of protection and ignores lots of other vectors.  Perfect encryption may seem black or white, but you only protect one single point of access.  Your privacy can and does get violated a thousand other ways.  The anarchist hard-on for cryptography as panacea has always seems woefully misplaced to me.

No, I'm telling you as someone who knows what they're talking about that it's not a gross simplification, that is how it is. And as to the whole rest of the paragraph, I think that's kind of undermining your own point? And that is semi-how-it's-supposed-to-be? Working encryption is not the end of the criminal justice system, and so there's no reason not to have working encryption.

Quote
That's awfully interesting coming from someone that I know offhand from their previous post history:
1) Works somewhere in the federal government.
2) Is a Trump detractor.

This is a straight up ad hominem attack and undeserving of this forum.  You can disagree with my arguments, and that's fine.  I will not attack you as a person and I request that you do the same.  Deal?

So disappointing.

How on earth is that an ad hominem attack?! What part of that is attacking you as a person?! For the record I am also a Trump detractor, as I think all sane people are. I'm not saying you're bad in any way for working in the government or being a Trump detractor, I'm pointing out the perfectly valid point that there are people in the government who cannot be trusted with absolute power or knowledge, and that you are in a particularly relevant position to understand that. I agree this has been a disappointing conversation though, as I think you have not been arguing in good faith.

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #132 on: March 24, 2018, 08:26:12 PM »


Privacy from the government - according to our constitution - is a fundamental human right that can only be abridged by a judge granting a sufficiently narrow search warrant that is necessitated by the situation and evidence.

Which part of the constitution says anything about privacy being a fundamental human right?  The fourth amendment is directed to searches and seizures and enumerates a list of places and things that are to be secure against unreasonable searches and seizures.

Perhaps you are referring to constitutional interpretation instead?  If that is the case, then yes, there have been Supreme Court cases which have interpreted a right to privacy in certain circumstances.

Further, the constitution does not prescribe any remedy for a infringement of fourth amendment rights.  The remedy to violations of fourth amendment rights have been judicially created.

I guess I don't understand why you think "right to privacy from the government," and "right to be secure against unreasonable searches and seizures" are different. I am using the terms to mean the same thing. I've openly admitted that the right to privacy is not absolute and can be abridged by a search warrant. The right for you to keep your personal effects secure from unreasonable searches from the government is the right to keep them... private from the government.

Okay... Since it does not say "right to privacy from the government," then that is your constitutional interpretation of what the fourth amendment means.  You are using different terms in order to say something which is not actually said in the constitution.

You didn't answer the question. How are they different? Because the constitution only describes keeping things private but doesn't use the word "privacy"? What's the point of this distinction? That everyone has to say "right to be secure against unreasonable searches" all the time instead of "right to privacy"? That's the whole thing?
« Last Edit: March 24, 2018, 08:31:49 PM by sherr »

Ben Hogan

  • Stubble
  • **
  • Posts: 128
  • Location: Texas
Re: Crypto Skeptics Thread
« Reply #133 on: March 25, 2018, 09:47:24 AM »
Yep, root certificate leaks are definitely a weak spot.

Many companies have proxy servers that mitm HTTPS.    Another big weak spot, especially if you're using the company's network for something personal.

As long as everyone understand for someone to "break" https, the endpoint has to be Pwned. A proxy does not decrypt https traffic, only a trusted Cert authority allows this.

Which ultimately means the endpoint is Pwned whether by being hacked, or enterprise cert deployed via GPO. The encryption negotiated with todays browsers means HTTPS is not "Breakable" with today's hardware and computing power.

scottish

  • Magnum Stache
  • ******
  • Posts: 2727
  • Location: Ottawa
Re: Crypto Skeptics Thread
« Reply #134 on: March 25, 2018, 09:48:52 AM »
Just like the dead bolt on your front door, I think decent encryption should be good enough to be a sufficient deterrent to most people, but not perfectly impenetrable by the US military.  If you're doing something horrible behind that deadbolt, you should not be protected.

This was tried by the US government in the 1990's with the Clipper chip and key escrow and it was never adopted.   Cryptography even used to be controlled under export regulations for weapons.    It's like trying to stop the tide with a sand castle, never going to happen.

The status quo seems to be that government agencies horde vulnerabilities and use them, along with other means, to eavesdrop on people trying to secure their communications.   Eventually the vulnerabilities are discovered by the larger community and fixed.

I'd never heard anyone espouse that this is a good state of affairs before.   It's an interesting point of view.   I don't think I agree with it, but thank you for bringing it up, it's a good thought exercise.

scottish

  • Magnum Stache
  • ******
  • Posts: 2727
  • Location: Ottawa
Re: Crypto Skeptics Thread
« Reply #135 on: March 25, 2018, 09:55:44 AM »
Yep, root certificate leaks are definitely a weak spot.

Many companies have proxy servers that mitm HTTPS.    Another big weak spot, especially if you're using the company's network for something personal.

As long as everyone understand for someone to "break" https, the endpoint has to be Pwned. A proxy does not decrypt https traffic, only a trusted Cert authority allows this.

Which ultimately means the endpoint is Pwned whether by being hacked, or enterprise cert deployed via GPO. The encryption negotiated with todays browsers means HTTPS is not "Breakable" with today's hardware and computing power.

All the corporate proxy servers I've run into *do* decrypt HTTPS traffic.   They don't break HTTPS though.   The enterprise will install the proxy's certificate on the enterprise computers and the proxy will pretend to be the endpoint you're connecting to.    All of your traffic gets decrypted in the proxy and re-encrypted before going out on the internet.



sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #136 on: March 25, 2018, 02:29:59 PM »
As long as everyone understand for someone to "break" https, the endpoint has to be Pwned. A proxy does not decrypt https traffic, only a trusted Cert authority allows this.

Which ultimately means the endpoint is Pwned whether by being hacked, or enterprise cert deployed via GPO. The encryption negotiated with todays browsers means HTTPS is not "Breakable" with today's hardware and computing power.

All the corporate proxy servers I've run into *do* decrypt HTTPS traffic.   They don't break HTTPS though.   The enterprise will install the proxy's certificate on the enterprise computers and the proxy will pretend to be the endpoint you're connecting to.    All of your traffic gets decrypted in the proxy and re-encrypted before going out on the internet.

Right, he said that, and without that critical step it's not possible so it's not something that can be applied to the generalized internet because you can't force everyone to install your software. Furthermore things like browser cert-pinning (which may be the next step) would keep that from working. I agree with Ben, in general things are not "broken" now, and the process of "breaking" things requires "the good guys" from acting indistinguishably from "the bad guys" (through exploiting security vulnerabilities and installing what can only be described as malware).

scottish

  • Magnum Stache
  • ******
  • Posts: 2727
  • Location: Ottawa
Re: Crypto Skeptics Thread
« Reply #137 on: March 25, 2018, 03:53:30 PM »
Ben also said this:

Quote
A proxy does not decrypt https traffic, only a trusted Cert authority allows this.

Cert pinning actually isn't sufficient to stop this as I found out at work last week when I was struggling with access to github through our proxy server.

But I'm not arguing with you guys, just picking nits on the details.    You're right, HTTPS is not broken right now and the best way to attack it is through the end points.

Ben Hogan

  • Stubble
  • **
  • Posts: 128
  • Location: Texas
Re: Crypto Skeptics Thread
« Reply #138 on: March 25, 2018, 10:07:38 PM »
Sherr is spot on, the only way https can be broken is by the endpoint being compromised. There is no outside products that can intercept and decrypt without the endpoint being pwned. The good guys are staying ahead of the bad guys on the encryption space. Endpoint is a different story. Https is not where an attacker would start.

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: Crypto Skeptics Thread
« Reply #139 on: March 25, 2018, 11:14:20 PM »
Sherr is spot on, the only way https can be broken is by the endpoint being compromised. There is no outside products that can intercept and decrypt without the endpoint being pwned.

Agreed and "endpoint", for clarification, being either the computer you are talking to (vanguard.com or whatever) or your own computer. "Your own computer" being the most likely of the two, usually, considering how tech-clueless the average person is and how infrequently people read the EULAs and how the average joe doesn't care about things like "security breaches" so the press dosn't care about things like for example Lenovo's blatant and completely inexcusable subversion of all things important for internet security (and I say this as a person who has a Lenovo work laptop, but of course I don't run any piece of their software).

The best advice I can offer is, if you care about privacy and security and the US 4th Amendment (this is an ordered list by importance):
  • Vote for people who also care (IMHO, the political lines in the US are currently drawn between the 2nd Amendment and "all of the others without any other exclusion." Pick your side I guess.)
  • Use an ad blocker like "uBlock Origin" or similar for all websites regardless of the manipulative language they use to beg you to not
  • Stay up-to-date on security updates (also use open source whenever possible (like maybe linux as an operating system for example, and all the way down the stack (I may be biased, but I work for a company I believe in (intentionally, I am on this forum and have been for a while, I can afford to work wherever I want))))
  • Pay attention to a "tech news" source like arstechnica or similar and at least listen for things that may be relevant to you
  • Use a javascript blocker like NoScript or similar (Yes it's a pain, Yes it makes a bunch of stuff not work right, Yes it's important)
  • Learn to recognize and reject the totalitarian propaganda of "no really our government is different, we only want to spy on the bad guys, not you the patriotic freedom-loving(?) anti-pedophile anti-terrorist good-citizen" (Note: I am specifically not saying "sol" is part of this, in my lifetime the biggest spewer of this nonsense has been G.W.Bush and I have a feeling sol would not like to be associated with him (nor would I). Sol is merely incorrect.)

I think this will be my last post on the subject.

Ben Hogan

  • Stubble
  • **
  • Posts: 128
  • Location: Texas
Re: Crypto Skeptics Thread
« Reply #140 on: March 26, 2018, 06:47:15 AM »
Solid points Sherr, add to that maybe a proxy software.

GuitarStv

  • Senior Mustachian
  • ********
  • Posts: 24011
  • Age: 43
  • Location: Toronto, Ontario, Canada
Re: Crypto Skeptics Thread
« Reply #141 on: March 26, 2018, 07:23:50 AM »
Solid points Sherr, add to that maybe a proxy software.

Well, there's also security through obscurity.  But in that case, I guess that you would probably (erroneously) be counted among those who don't care about security.

Scandium

  • Magnum Stache
  • ******
  • Posts: 2917
  • Location: EastCoast
Re: Crypto Skeptics Thread
« Reply #142 on: April 04, 2018, 12:42:38 PM »

Well that's a gross simplification, isn't it?  A perfect deadbolt does not make your house secure, because a breaching team can come straight through the walls if they want to.  They can also peer through your windows or monitor you with cameras that see right through walls.  They can bug your phone or internet line at the junction, put a laser mic on your window glass, fly a drone over your airspace to keep tabs on who comes and goes 24/7, open all of your mail, bribe your bodyguard, and set up a perimeter and then set your house on fire ala David Koresh.  Encrypting your data stream, like a deadbolt, is only one kind of protection and ignores lots of other vectors.  Perfect encryption may seem black or white, but you only protect one single point of access.  Your privacy can and does get violated a thousand other ways.  The anarchist hard-on for cryptography as panacea has always seems woefully misplaced to me.

The deadbolt analogy is flawed. First of not only the government can break in, also anyone with a battering ram or other tools. Including criminals. But they have to be there, risk getting spotted, caught later etc.

Government-mandated back doors in encryption will be found by hackers, and this means every person on the planet with a computer can break into all your devices! Drain your bank, randsomware your PC/phone, spy through your cameras/blackmail, track your family, scam your grandmom, etc etc. They can do this from the comfort of a Moscow office, attempting hundreds of times a day, with virtually zero risk. That's not comparable to knocking down your physical door.

Even the consequences are not the same. Someone break your door and steals all your stuff; sucks but get insurance and buy new stuff.
Someone steals your ID, falsify your government records, claim your taxes, plant criminal materials on your PC, and/or drain your assents? That's an insane mess that can take years to fix!