On Saturday, June 27, 2015 at 10:01:15 AM UTC+5:30, Chris Angelico wrote:
> On Sat, Jun 27, 2015 at 2:11 PM, Rustom Mody wrote:
> Beyond that, I don't think I can much help you.
Yeah it's more python-OT than I first thought...
Need to go through the ropes of linking github with
https://travis-ci.
On Sat, Jun 27, 2015 at 6:18 PM, Steven D'Aprano wrote:
> On Sun, 28 Jun 2015 06:30 am, Devin Jeanpierre wrote:
>
>> On Fri, Jun 26, 2015 at 11:16 PM, Steven D'Aprano
>> wrote:
>>> On Sat, 27 Jun 2015 02:05 pm, Devin Jeanpierre wrote:
>>>
On Fri, Jun 26, 2015 at 8:38 PM, Steven D'Aprano
>>>
On Sun, 28 Jun 2015 06:30 am, Devin Jeanpierre wrote:
> On Fri, Jun 26, 2015 at 11:16 PM, Steven D'Aprano
> wrote:
>> On Sat, 27 Jun 2015 02:05 pm, Devin Jeanpierre wrote:
>>
>>> On Fri, Jun 26, 2015 at 8:38 PM, Steven D'Aprano
>>> wrote:
Now you say that the application encrypts the data,
On Sun, Jun 28, 2015 at 4:51 AM, Steven D'Aprano wrote:
> On Sun, 28 Jun 2015 04:22 am, Randall Smith wrote:
>
>> The owner (client software) encrypts the data using AES. This is the
>> default behavior of the client software. If the client chooses to
>> disable encryption, that's their issue fo
On Fri, Jun 26, 2015 at 11:16 PM, Steven D'Aprano wrote:
> On Sat, 27 Jun 2015 02:05 pm, Devin Jeanpierre wrote:
>
>> On Fri, Jun 26, 2015 at 8:38 PM, Steven D'Aprano
>> wrote:
>>> Now you say that the application encrypts the data, except that the user
>>> can turn that option off.
>>>
>>> Just
On Sat, Jun 27, 2015 at 11:35 AM, Steven D'Aprano wrote:
> On Sun, 28 Jun 2015 01:09 am, Ian Kelly wrote:
>
>> On Sat, Jun 27, 2015 at 2:38 AM, Steven D'Aprano
>> wrote:
>>> Can you [generic you] believe that attackers can *reliably* attack remote
>>> systems based on a 20µs timing differences? I
On Sun, 28 Jun 2015 04:22 am, Randall Smith wrote:
> The owner (client software) encrypts the data using AES. This is the
> default behavior of the client software. If the client chooses to
> disable encryption, that's their issue for sure.
I cannot imagine what you think you gain from allowing
On Sun, 28 Jun 2015 03:08 am, Randall Smith wrote:
> Though I didn't mention it in the description, the storage server is
> appending a CRC32 checksum for routine integrity checks. So by the time
> the data hits the disk, it will have added both a 256 byte translation
> table and a 4 byte checksu
On Jun 27, 2015 11:51 AM, "Paul Rubin" wrote:
>
> Michael Torrie writes:
> > Furthermore you cannot prove a negative, which is what proving
> > security is for anything but the trivial case. Are you saying this is
> > untrue?
>
> I've always thought that there are no two even numbers that when yo
On 06/27/2015 07:38 AM, Grant Edwards wrote:
On 2015-06-26, Randall Smith wrote:
The only person who can read a file is the owner.
That's always the plan, but many a successful exploit has been based
on breaking that assumption. If privacy actually matters, that's not
a good assumption to r
On 06/27/2015 03:29 AM, Peter Otten wrote:
Would it be sufficient to prepend the chunk with one block, say, of random
data? To unmangle you'd just strip off that block.
BLOCK = os.urandom(BLOCKSIZE)
def mangle(source, dest):
    dest.write(BLOCK)
    shutil.copyfileobj(source, dest)
def un
On Sun, 28 Jun 2015 03:35 am, Steven D'Aprano wrote:
> On Sun, 28 Jun 2015 01:09 am, Ian Kelly wrote:
>> The time to obfuscate a single byte is constant,
>
> Are you sure about that? Bet your house? How about your computer?
Correction: the example I showed uses str, not bytes.
With bytes, the
Michael Torrie writes:
> Furthermore you cannot prove a negative, which is what proving
> security is for anything but the trivial case. Are you saying this is
> untrue?
I've always thought that there are no two even numbers that when you add
them together, give you an odd number. Are you saying
On Sun, 28 Jun 2015 01:09 am, Ian Kelly wrote:
> On Sat, Jun 27, 2015 at 2:38 AM, Steven D'Aprano
> wrote:
>> Can you [generic you] believe that attackers can *reliably* attack remote
>> systems based on a 20µs timing differences? If you say "No", then you
>> fail Security 101 and should step awa
On 06/26/2015 08:21 PM, Chris Angelico wrote:
On Sat, Jun 27, 2015 at 6:09 AM, Randall Smith wrote:
Give me one plausible scenario where an attacker can cause malware to hit
the disk after bytearray.translate with a 256 byte translation table and
I'll be thankful to you.
The entire 256-byte t
On 06/26/2015 03:11 PM, Johannes Bauer wrote:
> You misunderstand. This is now how it works, this is not how any of this
> works. Steven does not *at all* have to prove to you your system is
> breakable or show actual attacks. YOU have to prove that your system is
> secure.
Ahh the holy grail of
On Sat, Jun 27, 2015 at 2:38 AM, Steven D'Aprano wrote:
> Can you [generic you] believe that attackers can *reliably* attack remote
> systems based on a 20µs timing differences? If you say "No", then you fail
> Security 101 and should step away from the computer until a security expert
> can be ca
On Sat, Jun 27, 2015 at 5:33 AM, Chris Angelico wrote:
> On Sat, Jun 27, 2015 at 8:18 PM, Johannes Bauer wrote:
>> I've looked at your code even though I don't know pike. That's the
>> typesafe JavaScript derivative, isn't it?
>
> Not really; it's more like "Python semantics meets C++ syntax". Bu
In a message of Sat, 27 Jun 2015 15:23:07 +0300, Jussi Piitulainen writes:
>Laura Creighton writes:
>
>> Johannes, if you don't know "Yes, Minister" then you most likely do
>> not know the Politician's Syllogism (which now has its own wikipedia
>> page :) And I _didn't_ do it! Honest!)
>>
>> Some
On 2015-06-26, Randall Smith wrote:
> The only person who can read a file is the owner.
That's always the plan, but many a successful exploit has been based
on breaking that assumption. If privacy actually matters, that's not
a good assumption to rely on as a single point of failure.
--
Grant
In a message of Sat, 27 Jun 2015 20:16:47 +1000, Chris Angelico writes:
>Okay, Johannes, NOW you're proving that you don't have a clue what
>you're talking about. D-K effect doesn't go away...
>
>ChrisA
You need to read the paper again. That was the whole point -- when
Kruger and Dunning went an
Laura Creighton writes:
> Johannes, if you don't know "Yes, Minister" then you most likely do
> not know the Politician's Syllogism (which now has its own wikipedia
> page :) And I _didn't_ do it! Honest!)
>
> Something must be done.
> This is something.
> Therefore we must do it!
Surely that's
On Sat, Jun 27, 2015 at 8:18 PM, Johannes Bauer wrote:
> On 27.06.2015 11:17, Chris Angelico wrote:
>
>> Good, so this isn't like that episode of Yes Minister when they were
>> trying to figure out whether to allow a chemical factory to be built.
>
> I must admit that I have no clue about that sho
Johannes, if you don't know "Yes, Minister" then you most likely do
not know the Politician's Syllogism (which now has its own wikipedia
page :) And I _didn't_ do it! Honest!)
Something must be done.
This is something.
Therefore we must do it!
:)
Unfortunately, the Politician's Syllogism is
On 27.06.2015 12:16, Chris Angelico wrote:
> Okay, Johannes, NOW you're proving that you don't have a clue what
> you're talking about. D-K effect doesn't go away...
:-D
It does in some people. I've seen it happen, with knowledge comes
humility. Not saying Jon is a lost cause just yet. He's just
On 2015-06-27, Johannes Bauer wrote:
> On 27.06.2015 11:27, Jon Ribbens wrote:
>> Johannes might have all the education in the world, but he's
>> demonstrated quite comprehensively in this thread that he doesn't
>> have a clue what he's talking about.
>
> Oh, how hurtful. I might even shed a tear
On 27.06.2015 11:17, Chris Angelico wrote:
> Good, so this isn't like that episode of Yes Minister when they were
> trying to figure out whether to allow a chemical factory to be built.
I must admit that I have no clue about that show or that episode in
particular and needed to read up on it:
ht
On Sat, Jun 27, 2015 at 8:05 PM, Johannes Bauer wrote:
> On 27.06.2015 11:27, Jon Ribbens wrote:
>
>> Johannes might have all the education in the world, but he's
>> demonstrated quite comprehensively in this thread that he doesn't
>> have a clue what he's talking about.
>
> Oh, how hurtful. I mig
On 27.06.2015 11:27, Jon Ribbens wrote:
> Johannes might have all the education in the world, but he's
> demonstrated quite comprehensively in this thread that he doesn't
> have a clue what he's talking about.
Oh, how hurtful. I might even shed a tear or two, but it's pretty clear
to me that you'
On 2015-06-27, Chris Angelico wrote:
> On Sat, Jun 27, 2015 at 7:07 PM, Johannes Bauer wrote:
>> On 27.06.2015 10:53, Chris Angelico wrote:
>>> On Sat, Jun 27, 2015 at 6:38 PM, Steven D'Aprano
>>> wrote:
I'm not a security expert. I'm not even a talented amateur. *Every time* I
sugges
On 2015-06-27, Ian Kelly wrote:
> On Fri, Jun 26, 2015 at 7:21 PM, Chris Angelico wrote:
>> On Sat, Jun 27, 2015 at 6:09 AM, Randall Smith wrote:
>>> Give me one plausible scenario where an attacker can cause malware to hit
>>> the disk after bytearray.translate with a 256 byte translation table
On Sat, Jun 27, 2015 at 7:07 PM, Johannes Bauer wrote:
> On 27.06.2015 10:53, Chris Angelico wrote:
>> On Sat, Jun 27, 2015 at 6:38 PM, Steven D'Aprano wrote:
>>> I'm not a security expert. I'm not even a talented amateur. *Every time* I
>>> suggest that "X is secure", the security guy at work sh
On 27.06.2015 10:38, Steven D'Aprano wrote:
> Can you say "timing attack"?
>
> http://codahale.com/a-lesson-in-timing-attacks/
>
> Can you [generic you] believe that attackers can *reliably* attack remote
> systems based on a 20µs timing differences? If you say "No", then you fail
> Security 101
On 27.06.2015 10:53, Chris Angelico wrote:
> On Sat, Jun 27, 2015 at 6:38 PM, Steven D'Aprano wrote:
>> I'm not a security expert. I'm not even a talented amateur. *Every time* I
>> suggest that "X is secure", the security guy at work shoots me down in
>> flames. But nicely, because I pay his wage
On Sat, Jun 27, 2015 at 6:38 PM, Steven D'Aprano wrote:
> I'm not a security expert. I'm not even a talented amateur. *Every time* I
> suggest that "X is secure", the security guy at work shoots me down in
> flames. But nicely, because I pay his wages
Just out of interest, is _anybody_ active in
On Sat, 27 Jun 2015 03:47 pm, Ian Kelly wrote:
[...]
>> Just make the AES encryption mandatory, not optional. Then the user
>> cannot upload unencrypted malicious data, and the receiver cannot read
>> the data. That's two problems solved.
>
> And what if somebody else writes a competing version o
Randall Smith wrote:
> Chunks of data (about 2MB) are to be stored on machines using a
> peer-to-peer protocol. The recipient of these chunks can't assume that
> the payload is benign. While the data senders are supposed to encrypt
> data, that's not guaranteed, and I'd like to protect the recip
On 2015-06-27 08:58, Robert Kern wrote:
On 2015-06-27 04:38, Steven D'Aprano wrote:
Maybe you use Python's standard library and the Mersenne Twister. The period
of that is huge, possibly bigger than 256! (or not, I forget, and I'm too
lazy to look it up). So you think that's safe. But it's not:
On 2015-06-27 04:38, Steven D'Aprano wrote:
Maybe you use Python's standard library and the Mersenne Twister. The period
of that is huge, possibly bigger than 256! (or not, I forget, and I'm too
lazy to look it up). So you think that's safe. But it's not: Mersenne
Twister is not a cryptographica