Richard Heathfield<rjh@cpax.org.uk> wrote:
On 16/12/16 06:24, Neodome Admin wrote:
<snip>
I already stated it in this thread, but I guess I'll have to do it again.
The source of randomness is publicly available, but it's impossible for
attacker to know what I'm receiving and processing *right now* unless he
controls all my upstream servers, and all people who connect directly to my
server to post an article, including myself.
No, he wouldn't have to control anything. He'd need read access to the
machine that your ISP has at the other end of your broadband connection,
that's all. Given that, he knows exactly what you're getting and when
you're getting it.
How about this, Richard.
I have I2P anonymous network router running on my machine. I will setup a tunnel via I2P, I'll buy another VPS, and I'll forward all I2P traffic through that second VPS. I'll give you access to it, so you can intercept
all the traffic. I'll download some Usenet articles via the tunnel, and you'll tell me what I downloaded and from where. If you're able to do that, I'll pay you money. If you're not, you pay me. I'm sure it would not be
much harder than to decrypt Tor connection, which you guys probably already did, since you are so sure about MITM attacks.
Same goes to Karl Frank.
On 17.12.16 22:16, Neodome Admin wrote:
Richard Heathfield<rjh@cpax.org.uk> wrote:
On 16/12/16 06:24, Neodome Admin wrote:
<snip>
I already stated it in this thread, but I guess I'll have to do it again.
The source of randomness is publicly available, but it's impossible for
attacker to know what I'm receiving and processing *right now* unless he
controls all my upstream servers, and all people who connect directly to my
server to post an article, including myself.
No, he wouldn't have to control anything. He'd need read access to the
machine that your ISP has at the other end of your broadband connection,
that's all. Given that, he knows exactly what you're getting and when
you're getting it.
How about this, Richard.
I have I2P anonymous network router running on my machine. I will setup a
tunnel via I2P, I'll buy another VPS, and I'll forward all I2P traffic
through that second VPS. I'll give you access to it, so you can intercept
all the traffic. I'll download some Usenet articles via the tunnel, and
you'll tell me what I downloaded and from where. If you're able to do that,
I'll pay you money. If you're not, you pay me. I'm sure it would not be
much harder than to decrypt Tor connection, which you guys probably already
did, since you are so sure about MITM attacks.
Same goes to Karl Frank.
Apart from the fact that your setup is a massive effort in order to
generate some kilobyte of potential random byte - which can be better
achieved by drawing them from /dev/urandom or /dev/random - and ignoring
all the good arguments against your scheme brought forward by others in
this thread, it brings me straight back to my initial question:
Did you implement any precaution measurement in order to prevent the
flat falling of your sources?
If someone is able to control your gateway through the internet he can control whatever kind of information reaches your server.
Neodome Admin <admin@neodome.net> writes:
Karl.Frank <Karl.Frank@Freecx.co.uk> wrote:
On 17.12.16 22:16, Neodome Admin wrote:
I have I2P anonymous network router running on my machine. I will
setup a tunnel via I2P, I'll buy another VPS, and I'll forward all
I2P traffic through that second VPS. I'll give you access to it, so
you can intercept all the traffic. I'll download some Usenet
articles via the tunnel, and you'll tell me what I downloaded and
from where. If you're able to do that, I'll pay you money. If you're
not, you pay me. I'm sure it would not be much harder than to
decrypt Tor connection, which you guys probably already did, since
you are so sure about MITM attacks.
Apart from the fact that your setup is a massive effort in order to
generate some kilobyte of potential random byte
My setup is a proof of concept. And I don't really need a lot of random
data. As long as there is enough to seed some PRNG, I'm good.
Your I2P tunnel already depends on having an adequate randomness source, making the whole thing rather a lot of effort for no apparent gain.
Which render I2P useless for your scheme because of the lack of Usenet postings.
And just a remark on I2P. Out of curiosity I have connected to this
darknet more than a decade ago and apart from finding rubbish there were nearly no to nothing of useful information and I doubt that this has
changed since then.
A hint to simplify your scheme: just grab random byte from the complete
data stream that reaches your server, fill your pool or seed whatever
PRNG you think of being reliable enough and you're done.
Apart from the fact that in my opinion no source of randomness should be publicly available
the above described theoretical attack on TOR would
be more suitable for surveillance of course.
Karl.Frank<Karl.Frank@Freecx.co.uk> wrote:
Which render I2P useless for your scheme because of the lack of Usenet
postings.
Are you sure? :-)
And just a remark on I2P. Out of curiosity I have connected to this
darknet more than a decade ago and apart from finding rubbish there were
nearly no to nothing of useful information and I doubt that this has
changed since then.
You are correct. I just would like to add that all articles you recently posted to Usenet are also available in I2P with all the other rubbish.
A hint to simplify your scheme: just grab random byte from the complete
data stream that reaches your server, fill your pool or seed whatever
PRNG you think of being reliable enough and you're done.
This approach raises two questions right away:
1. How would you choose the very first random byte?
2. Is byte big enough to be safely used? It seems you missed why exactly
I'm producing such small amounts of random data over time, even though
input stream is much bigger. I'm processing big chunks of the stream at
once to ensure that not all of the data in the chunk is provided by
potential attacker. If I were processing 512 bytes at once, attacker might send to Usenet a lot of articles with a small body, but huge header consisting of the same bytes (let's say, letter "A"). It will be safe for
him to assume that my random data that I'm producing right now is actually
a checksum of 512 same characters. Right now such attack won't work because chunk I'm processing is bigger than headers can possibly be. If you take a random byte from data stream you receive, attacker might start sending you packets consisting mostly of the same bytes.
Apart from the fact that in my opinion no source of randomness should be
publicly available
Opinions like that were exact reason I did my experiment. I should say so
far you didn't convince me that you are right.
the above described theoretical attack on TOR would
be more suitable for surveillance of course.
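The padded-header attack and the chunk-size defence described in the post above, as an added example that is not part of any post in this thread. SHA-256 stands in for the unnamed checksum, all function names are hypothetical, and the sample stream is constructed.

```python
import hashlib

def chunk_outputs(stream: bytes, chunk_size: int) -> list[bytes]:
    """One digest per full chunk (SHA-256 is an assumption; the post names no checksum)."""
    return [hashlib.sha256(stream[i:i + chunk_size]).digest()
            for i in range(0, len(stream) - chunk_size + 1, chunk_size)]

def blind_predictions(stream: bytes, chunk_size: int, filler: bytes = b"A") -> list[int]:
    """Indices of outputs equal to the digest of chunk_size filler bytes, i.e.
    outputs the sender of the padding can name without seeing the stream."""
    guess = hashlib.sha256(filler * chunk_size).digest()
    return [i for i, out in enumerate(chunk_outputs(stream, chunk_size)) if out == guess]

def longest_run(stream: bytes) -> int:
    """Longest run of one repeated byte; a chunk larger than this can never
    consist of padding alone."""
    best = run = 0
    prev = None
    for b in stream:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def other_traffic(n: int, label: bytes) -> bytes:
    """Constructed stand-in for articles the padding sender did not write."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

# Constructed sample: one article with a 2000-byte header of "A" between other traffic.
PADDED_ARTICLE = b"X-Pad: " + b"A" * 2000 + b"\r\n\r\nhi\r\n"
STREAM = other_traffic(300, b"before") + PADDED_ARTICLE + other_traffic(3000, b"after")

if __name__ == "__main__":
    for size in (512, longest_run(STREAM) + 1):
        print(size, blind_predictions(STREAM, size))
```

This models only a sender who cannot see the rest of the stream. `chunk_outputs` is deterministic, so anyone who can read the same stream recomputes every output at any chunk size.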
On 28.12.16 12:03, Neodome Admin wrote:
Karl.Frank<Karl.Frank@Freecx.co.uk> wrote:
This *hint* was merely a joke, because otherwise it would contradict my
opinion that the source of randomness for encryption should never be
publicly available.
So, RANDOM.ORG is not really random? They use publicly available
source of randomness.
Anybody with a clear mind would *never* *ever* use their data for
encryption purposes.