Category: Crypto / security

Public key cryptography wish list (by )

I have opined in the past about how I'd like better support for public key infrastructure in applications and user interfaces, and a few ideas for how to generalise the signature infrastructure a bit, but I've since been accumulating even more things I think should happen to bring the benefits of strong public-key crypto to the masses.

  • I should be able to use a PGP key to sign my HTTP requests, as an HTTP authentication mechanism. For web apps that support it, the option of choosing a PGP key from my private keyring should appear on login boxes.

  • I mentioned before that I'd like to be able to sign blog comments and posts and other content I submit to web apps in text areas; but I feel like re-iterating it, and pointing out that this could be handled more neatly by having an extra HTML attribute on the <textarea> suggesting that it accepts signed content, thereby causing my browser to send a detached signature in the submission (as if placed in a second text area, whose name is the value of the attribute, but which does not need to actually exist as an HTML element) if I opt to take it up on the offer. That would be better than the hack recommended in my previous post.

  • Seamless support for signing all, or part, of a Web page, using an element wrapping the content which also refers to the signature (as a URI, or including it inline). For cases like where Markdown has been used to process the original entered content to make it into a Web page, the app should offer a link to the original content wrapped in the original signature; the app could have access to its own private key in order to sign the generated HTML as well, but that's orthogonal to the issue of the original author of the content signing it. Indicating to the user that a region of the page is signed needs to be done in a way that the page itself can't fake with CSS and JavaScript! Given the presence of canvas elements, this will presumably mean it has to involve some UI element outside of the rendering area of the web page - e.g., in the browser toolbar.

  • Signing should really be the default state for files, messages sent via various means, etc - my user interface should be marking unsigned messages and files in red!

  • Public key management user interfaces should learn from Petnames, in order to provide a nice user interface while making impersonation attacks hard to do.

  • Seamless support for PGP-signed tar files. No need for a detached signature to download (it's in the tar file itself). Basically, I'd like to have tar able to detect a signed file and check the signature and seamlessly unwrap it to feed into the decompressor and then onto the actual tar file reading itself. This would be particularly pleasing, but in general I'd still argue for every app that reads a file to silently accept PGP-signed files without needing to explicitly unwrap them!

Needless to say, I am mulling infrastructure in ARGON to make public-key infrastructure an integral part of CARBON, and I'd suggest a Petname-based user interface for the management of entity IDs and CARBON global names!
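The signed tar file item above can be approximated today with stock gpg and tar. The following is an added example, not code from the original post: the function names and the fingerprint in `TRUSTED_FPRS` are constructed placeholders, and it assumes an inline-signed archive of the kind `gpg --sign release.tar.gz` produces.

```shell
#!/bin/sh
# Added example: verify-then-extract for an inline-signed tarball, such as the
# output of `gpg --sign release.tar.gz`. Names and fingerprints are assumptions.

# Space-separated fingerprints allowed to sign archives (constructed placeholder).
TRUSTED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line names
# a signing key or primary key from TRUSTED_FPRS and no signature was bad.
trusted_signer() {
    found=1
    while read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG) return 1 ;;
            VALIDSIG)
                primary=${rest##* }   # last field: primary key fingerprint
                for t in $TRUSTED_FPRS; do
                    if [ "$fpr" = "$t" ] || [ "$primary" = "$t" ]; then found=0; fi
                done ;;
        esac
    done
    return $found
}

# Usage: extract_signed_tar ARCHIVE.gpg DESTDIR
extract_signed_tar() {
    signed=$1; dest=$2
    tmp=$(mktemp -d) || return 1
    # gpg emits the payload before it has finished checking the signature, so
    # the payload goes to a temp file and tar only runs once the status lines
    # show a valid signature from a trusted key.
    if gpg --batch --status-fd 3 --output "$tmp/payload" --decrypt "$signed" \
           3>"$tmp/status" 2>/dev/null \
       && trusted_signer <"$tmp/status"; then
        mkdir -p "$dest" && tar -xf "$tmp/payload" -C "$dest"
        rc=$?
    else
        echo "refusing $signed: no valid signature from a trusted key" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Gating on the `VALIDSIG` fingerprint rather than on gpg's exit status matters because a zero exit only says that some key in the keyring produced a good signature, not that the expected signer did.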

Building an online currency exchange (by )

The biggest currency exchange market in the Bitcoin world is MtGox. When it goes down, either due to a DDoS attack or sheer high load due to everyone panic-selling, then people who hold bitcoins and care about their value in dollars get the panicky realisation that they can't easily sell them - which causes two things:

  1. A drop in the value of bitcoins; people care about their ability to turn them back into fiat money, and will continue to do so until lots of things can be bought directly with bitcoins.

  2. Widespread angst that MtGox is a central point of failure for the Bitcoin economy, complaining that they are vulnerable to DDoSes and get high trading lag when under load, and so on.

So, as a high-performance systems developer, I thought I'd write some notes on how to build a more resilient exchange platform. Perhaps MtGox will do something like this, but perhaps more ideally, one of their competitors will, and thereby win some of MtGox's market share, and thus decentralise the exchange market somewhat.


Turing Centenary (by )

Alan Turing 100 yrs

Alan Turing, one of the most important people in the history of the computer, would have turned 100 today if he had lived. Though the chances of living to 100 are not great, Turing didn't even manage to get as far as he should have.

It is occasionally argued about, but it is considered that he committed suicide due to being hounded by the powers that be and given chemicals to subdue his sex drive. The reason for this was that he was gay, and in the 40s and 50s being homosexual was not just illegal but thought to be a security risk.

Alan was faced with the choices of chemical castration or prison and exclusion from his work. He chose the chemicals. They had nasty side effects but he seems to have taken his treatment mainly in his stride.

Mr Turing wasn't just a mathematical genius; he was a war hero, having worked at Bletchley Park during the Second World War cracking codes and thus saving at least allied lives. He is most often mentioned in association with the Enigma machine.

His contributions to modern computing are huge and he is considered one of the founders of the subject Computer Science.

His achievements are great, and yet the first time I heard of him was when I picked up one of Alaric's computing books after our move to Gloucestershire. It is strange that, like Ada Lovelace, he seems to have fallen through the cracks somewhat. And worse than that, his centenary year is plagued by arguments of how to portray him.

Is it good or bad for those on the autism spectrum to know of him and so on. If he had been alive today he would have probably been diagnosed with Asperger's syndrome, but why is this a problem? Yes, that was a facet of his personality, but that is all. Use him to show others in the same situation as him that they can achieve, by all means, but that is not what is happening - I think there needs to be a gear shift in society. After all, with the modern world, let's face it, the Geek shall inherit, and that is all geeks: the meek, mild, argumentative, know-it-alls and the distracteds.

His achievements are his and he should be being portrayed as a founder and hero to everyone and I mean everyone. I will twist Alaric's arm into writing a blog post about Alan's achievements.

We made a Turing Machine Cake and drew the shamefully bad picture at the top of the post.

[Images: Wind Up Turing Machine Cake; State Table on top of Turing Machine Cake; Marker on side of Turing Machine Cake]

The Tooth Fairy Left a Letter (by )

The Tooth Fairy's response to Jean's letter in Tooth Fairy Language

Jean lost her second tooth in the new house yesterday and spent the day worrying that they wouldn't find it, as we still haven't found the tooth cushion I'd made her. She was also doing lots of wondering about how the tooth fairy would get into the house and lift the tooth and swap the money, and did they go big/small, or could they walk through walls, and were they a boy or a girl?

So she left a letter.

And the tooth fairy answered it. I thought it was just pictures, but Jean pointed out it was a letter written in Fairy Language, so she immediately demanded to go on the computer to see if Wikipedia could help her translate it. But after some Google searching it became evident that there are lots of different fairy languages and dialects, and when Jean looked closer she found that the symbols were very toothy, and so we came to the conclusion that this is a specific tooth fairy language.

There are teeth and pliers and ladders and pillows and moons.

I told Jean we would probably have to wait until Daddy got home and she could work at translating it with him. She looked very serious and took the letter and sat staring at it. About ten minutes later she announced that this symbol was M and this symbol N, and before long she had worked out the second word was Jean.

'It now sort of looks like Jean as well, Mummy', and she's right, it does. She got the first few lines translated before school. And there was me thinking I would have to phone Tooth Head Quarters and ask for a key so we could find out what the letter meant.

Of course as the fairy borrowed one of mummy's pens Jean did initially accuse me of writing the letter until I pointed out I couldn't read what it said.

Cloud Storage (by )

Currently, you can go to various providers and buy online storage capacity (IMHO, rsync.net is best, after research I did to find an offsite backup host for work). It's more expensive than a hard disk in your computer, and miles slower, but it has one brilliant advantage: it's remote. So it's perfect for backups.

And that's the heart of a free market - storage is cheap to the cloud providers (they just buy disks, and in bulk at that), but their storage has more value to you than your own storage because of its remoteness. So they can rent it to you at a markup, and you get a benefit, and everyone is happy. Money flows, the economy grows, and one day we'll get to have affordable space tourism et cetera.

But large, centralised, cloud storage providers are attractive targets for people who want to steal data. They become centralised points of failure; if they go bankrupt, lots of people lose their backups. Therefore, it's smart to do your backups to more than one of them, just in case. But that means setting up your systems to talk to each one's interfaces, arranging payment and agreeing to terms and conditions with them all individually, and so on.

Surely this state of affairs can be improved? With ADVANCED TECHNOLOGY?

Well, I think it can, and here's how.

Creative Commons Attribution-NonCommercial-ShareAlike 2.0 UK: England & Wales