This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • Favorite 9 June 2021
      bobjonkman favorited something by lnxw48a1: Last year, while visiting #sonTwo and meeting #GS3 in person for the first time, I asked my daughter-in-law about smoke and carbon monoxide detectors. She said they had one of each, but she wanted more. So I ordered a few of each and they put them up. Tonight, the gas […]
    • New note by bobjonkman 2 May 2021
      But human labour only produces surplus value when it's being exploited. If humans are paid a fair value for their labour then there is no "surplus", ie. no profit for the corporate owners. This is why I favour worker-owned co-operatives instead of capitalist-owned corporations.
    • bobjonkman repeated a notice by lxo 2 May 2021
      RT @lxo the greatest challenge of automation for a capitalist economy is that machines don't produce surplus value, only human labor does
    • Favorite 2 May 2021
      bobjonkman favorited something by lxo: the greatest challenge of automation for a capitalist economy is that machines don't produce surplus value, only human labor does
    • bobjonkman repeated a notice by lnxw48a1 31 January 2021
      RT @lnxw48a1 @geniusmusing Yeah. :-( I think the #blockwars folks may have indirectly caused this. There are people who file complaints against client apps that don’t build in blocklists against specific servers whose moderation policies they dislike. I think that #Matrix / #Element competes with one or more Google-owned chat-type services. Since they gatekeep the […]
    • Favorite 31 January 2021
      bobjonkman favorited something by lnxw48a1: @geniusmusing Yeah. :-( I think the #blockwars folks may have indirectly caused this. There are people who file complaints against client apps that don’t build in blocklists against specific servers whose moderation policies they dislike. I think that #Matrix / #Element competes with one or more Google-owned chat-type services. Since […]
    • New note by bobjonkman 30 January 2021
      And I can't figure out how to connect to a particular server. The #Patchwork #SSB client I'm using has a "+ Join Server" field, but it requires an invitation code. Which I can't generate unless I have a pub server. Which I can't join until I have an invitation code... Sigh. #SSB: Concept: A+ ; […]
    • New note by bobjonkman 29 January 2021
      I was on #SSB Secure Scuttlebutt for a while (attended an #SSB seminar at last year's LibrePlanet conference), but the application was so resource intense that my laptop couldn't keep up. And, there wasn't the network effect I needed to make it useful. While there are probably interesting people to converse with, I have no […]
    • New note by bobjonkman 23 January 2021
      Oh, hang on. It's @joeyh who reveals the inadequacy of #journalism. Not the article author, @Jonemo@twitter.com #ReadingComprehension
    • New note by bobjonkman 23 January 2021
      @lnxw48a1 writes "In this post, Joey H. accidentally reveals a major reason why #news_media / #journalism is so bad today." This didn't leap out at me. Is it because good, in-depth reporting requires A LOT of research and hard work, and that modern journalism is adequately rewarded by re-Tweeted sound bites?

The cost of long GnuPG/PGP keys

Posted by Bob Jonkman on 25th March 2014

Never Eat That Green Food At The Back Of The Fridge

Never Trust Anyone Over Thirty

and

Never Sign A GnuPG/PGP Key That’s Older Than You Are

Face peeking into fridge

Looking for green food at the back of the fridge

OK, only one of those is true, and it’s not the last one. At the University of Waterloo Keysigning Party last fall, some of the people signing my key were younger than the key they were signing!

At the keysigning I was having a discussion with someone about key lengths. In particular, choosing 4096 bits instead of 2048. I was reading that GnuPG has a limit of 4096 bits, but that 4096 should be enough for all time to come.

I’ve read online that GnuPG does actually support larger key sizes but that there is a const in the source code limiting it to 4096. The reasons for doing so are supposedly speed, 4096 would be very slow to generate and use, and comparability with other implementations that may not support larger keys. Personally I think it’s an inevitability that this will be increased in time but we’re not there yet.

In 1996 when I started with PGP a 1024 bit key was considered adequate, by 1999 a 2048 bit key was still considered large.

Consider Moore’s Law: every 18 months computing capacity doubles and costs halve. I’m not sure if that means that over 18 months x flops increases to 2x flops at the same price, or that in 18 months the cost of x flops is half of today’s cost, or if it means that in 18 months the cost of 2x flops will be half the cost of x flops today. If the latter, then today’s x flops/$ is x/4 flops/$ in 18 months. That factor of four is an increase of two bits every 18 months, or four bits every 3 years.

So, the cost in 1996 to brute-force crack a 1024 bit key is the same as the cost in 1999 to crack a 1028 bit key. And in 2014, 18 years later, it’s the same cost as cracking a 1048 bit key (an additional 24 bits).

An increase in key size from 1024 bits to 2048 bits buys an additional 768 years of Moore’s Law. And going from 2048 bits to 4096 bits buys an additional 1536 years of Moore’s Law.

Is Moore’s Law overestimating the cost of cracking keys? Are there fundamental advances in math that have dropped the cost of cracking 1024 bit keys to near-zero? What’s the economic justification for crippling keysizes in GnuPG, anyway?

–Bob, who is not trolling but really wants to know.

Day 57 / 365 – refrigerator by Jason Rogers is used under a CC BYCC BY license.

This post is based on a message to the KWCrypto Mailing List.

Tags: , , , , , , , , ,
Posted in Crypto, PGP/GPG | 1 Comment »

Shutting down ServiceOntario kiosks could be Considered Harmful

Posted by Bob Jonkman on 9th November 2012

Service Ontario kiosk with "Temporarily shut down" notice

ServiceOntario kiosk

The Ontario government has announced it is shutting down the ServiceOntario kiosks.

Closing the kiosks won’t do any good if the web site is no better secured. ServiceOntario had control over the hardware and software running on the kiosks, but they have no control over the computers people use to access the ServiceOntario web site. User PCs will have all sorts of malware running on them, and malusers can far more easily spend time breaking into a web site than a kiosk. Unless ServiceOntario has much better security on their web site, it is far more vulnerable than a kiosk.

In his article Government to discontinue ServiceOntario kiosks, Sameer Vasta asks if the ServiceOntario web site is ready to pick up the slack. His conclusion is yes, and although the web site user experience could be improved, he considers closing the kiosks a prudent move. But if the kiosk interface was so much easier to use, then the web site could use that interface too. Security isn’t created by the user interface — security needs to be built into the servers. Malusers are unlikely to use the web interface to launch their attacks; they’ll have more sophisticated tools to try to break into the servers.

Of course, since the ServiceOntario web site was already in place while the kiosks were operational it has been a potential vector for attack all along. Closing the kiosks doesn’t increase that vulnerability. And the vulnerability that prompted the government to shut down the kiosks was card skimming, which is not an issue on a Web site accessed from home. But shutting down a fully managed kiosk to be replaced by home users’ PCs that are full of malware does not look like a prudent move to me.

However, it should be cheaper to manage security on one web site than on 72 kiosks. The government reports that shutting the kiosks will save taxpayers about $6.3 million in one-time upgrading costs and $2.2 million in annual maintenance costs. The Star reports that Minister of Government Services Harinder Takhar says the kiosks cost $4 million to deploy, and it will cost $250,000 to remove them.

And shutting down the kiosks has one other benefit: If a security breach occurs as a result of using our own computers then ServiceOntario has successfully shifted blame, hasn’t it? Surely there will be a disclaimer in the fine print on the website somewhere!

–Bob.


ServiceOntario kiosk "Permanently Closed" notice

“Permanently Closed” notice Service Ontario kiosk.

The picture above shows a ServiceOntario kiosk with a notice indicating the kiosk is temporarily shut down. A new notice has been posted, which reads:

ServiceOntario Kiosks Are Now Permanently Closed.

After a thorough investigation into the safety and security issues surrounding ServiceOntario kiosks, it has been decided to permanently shut down the network.

All former kiosk services are conveniently available online, including:

  • License plate sticker renewal
  • Address change
  • Driver abstract

Fermeture permanente des kiosques ServiceOntario.

À la suite d’une enquête approfondie sur les problèmes de sécurité survenus dans les kiosques ServiceOntario, il a été décidé de fermer le réseau de façon permanente.

Tous les services anciennement founis dal les kiosques son offerts en ligne, notamment les suivants:

  • Renouvellement de la vignette d’immatriculation
  • Changement d’addresse
  • Résumé de dossier de conducteur.

We look forward to serving you.
For these services, and more than 40 other online services, or for a complete list of our locations and available services, please visit ServiceOntario.ca

Au plaisir de vous servir.
Pour ces services, et plus de 40 autres services en ligne, ou la liste complète de nos centres et de leurs services, visitez ServiceOntario.ca

Images courtesy of lothlaurien.ca used under a CC BYCreative Commons Attribution 2.5 Canada License license.

Thanx to my friend RW for the idea for this post, and her contributions.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in considered harmful, Politics, security | 4 Comments »

 
Better Tag Cloud