On Sun, Jun 15, 2014 at 12:03:40PM +0200, demerphq wrote:
> "What I am asking for is the evidence that shows the new method is actually
> secure against these attacks".
>
> How do you propose we supply that without releasing the attack?

The same way as done for TLS, SHA-1, or anything else that isn't based on
obfuscation. If the method is sane, it works with or without published
attacks, because it is secure against them. What works for them surely
must work for Perl, too.

For example, you claimed perl uses a CSPRNG to generate randomness (so
that the internal state cannot leak), but you ignore me every single time
I ask you where it is (likewise for any other specific question, of which
there are many, but you prefer ad hominems over simple honest answers
every single time).

Surely pointing out a line number in a source file can't break the
security of Perl? Wouldn't that mean that the method isn't secure, if
you need to rely on obfuscation of the source code to protect it? It
surely seems that way, and that isn't reassuring. I for one came to the
conclusion long ago that your talk about "secrets" really means there
isn't anything you can point to.

That would be a start.

However, if your method furthermore depends on secret details rather than
complexity, it can't be secure, can it? It means you and some few select
people have knowledge that can be used to exploit the solution.

Or in other words, you know the "safety" of your solution depends on
keeping information secret, not on an effective method. It's already
broken, but since you don't release details, you hope nobody else will
break it.

That being the case, everybody else would need to trust you and the rest
of the secret cabal, which is a) unacceptable and b) unnecessary: Python
doesn't force me to trust certain of their developers. TLS doesn't force
me to trust its designers keeping some secret - effective methods are
effective without having to keep any secrets about the algorithm (as
opposed to having a secret key of some kind that only exists on my
machine/in my process).

Having said that, I simply don't believe you have actual evidence. It's
all based on obfuscation and some ad-hoc hacks. The only "evidence" you
have is that some attack worked with older code, which is logically
unsound, as it only shows that the old method was insecure, while not
saying anything whatsoever about the new method.

--
                 The choice of a Deliantra, the free code+content MORPG
       -----==- _GNU_ http://www.deliantra.net
       ----==-- _ generation
       ---==---(_)__ __ ____ __ Marc Lehmann
       --==---/ / _ \/ // /\ \/ / schmorp@schmorp.de
       -=====/_/_//_/\_,_/ /_/\_\