
coding thread


2022 Oct 18, 8:27pm   11,236 views  95 comments

by richwicks

Since there are a significant number of nerds here, I wanted to start a thread for projects.

People seem to INSIST on using cloud storage, which removes your ability of privacy, so I'm going to write a strong encryption program using the NaCl library:

https://nacl.cr.yp.to/

The goal here is that the resulting encrypted data is impossible to recover without getting the original key. Keys are changed regularly, and being able to brute force one block will give the attacker no advantage in cracking the next block.

Also, it will be computationally expensive to attempt to crack even with specialized hardware. This increases energy consumption and slows down the encryption and decryption, but also will make brute force attacks 1000's of times slower.

Comments 64 - 95 of 95

64   gabbar   2023 Jul 28, 10:48am  

Tenpoundbass says

I would tell the kid to put himself out there.

Thank you very much. He appreciates this recommendation.
65   richwicks   2023 Aug 2, 3:20pm  

gabbar says

Tenpoundbass says


I would tell the kid to put himself out there.

Thank you very much. He appreciates this recommendation.


I would also suggest your kid make use of ChatGPT - it's not the wizard being sold to the public - I've used it.

It's tremendously good at basics, but ask it a hard problem, and it will produce nonsense.

For example, I asked it to produce a program to create two windows using curses (that's a very old library for terminals), and it did it. That saved me hours of work. I asked it to write a program to take in characters using Apache as they were typed, this is websockets, it suggested CGI which doesn't work.

It's great for a STARTING point, but worthless at new solutions. Apache can do this, but it requires a plugin. It didn't recognize this.
66   AD   2023 Aug 26, 10:43pm  

Open source AI that helps you write code, it is offered by Facebook and called "Llama AI for Coding"

https://about.fb.com/news/2023/08/code-llama-ai-for-coding/
67   Tenpoundbass   2023 Aug 27, 9:10am  

richwicks says


It's great for a STARTING point, but worthless at new solutions.


New Solutions, require using existing technology or libraries, in an off label fashion.
I'm often impressed, that I reuse a Library I wrote for one solution, but was able to tweak it to handle another problem that I originally didn't intend it to do.
AI will not make that connection. It uses the code libraries out there, in accordance to the documentation. I think it starts producing nonsense, because it took documentation too literally, with a broader stroke than intended.

I could write a parser that could pull relevant code out of documentation and provide a starting point.
I employ a method to crank out the working prototype and starting point, in a day or two that would take a team of 3 developers a couple weeks to do.
I build a few tables that hold meta data of the data models and structures, and then I script a SQL script to spit a long concatenated string that provides the Classes needed. I have several flavors, for making the class objects, the data classes, code for the forms, as well as appropriate html, and javascript.
This is where I impress myself on how with a little tweaking these scripts bang out code for totally different methodologies, and design patterns for various solutions. I mean I can see it wouldn't be a far stretch to take what I have and convert it into some AI code gen thingy, that would impress the Hype Tech consumers..
68   richwicks   2024 Jan 9, 3:21pm  

ECC encryption and why it's superior to RSA.

ECC works with an elliptic curve, a quick explanation of what such a curve is can be found here:

https://www.youtube.com/watch?v=dCvB-mhkT0w

It works over a Galois Field (i.e. using modulo arithmetic). The video above explains point addition. Point multiplication is repeated addition just like it is with standard math. Scalar multiplication is when you have only one point - this is a special condition when you're adding the point P to P X number of times.

To understand why point addition follows the commutative property, you have to understand number theory to know why - just accept it does. The commutative property means that

G +
2G +
4G
----
7G

Where G is the generator point, which is the initial point where you do scalar multiplication. In order to quickly calculate any scalar point multiplication G is computed, then 2G, 4G ... 256G etc - but just doing repeated point addition. Again, see the video.

The secret key of ECC is just a random number usually in the range of:

0 - 2^{252} +27742317777372353535851937790883648493 (for Curve25519)

ECC curves have an order normally called n, which is the total number of points a generator G can reach with scalar multiplication. You can have a larger secret key than this, it doesn't matter, since it uses modulo addition, but you end up with a key that is larger than it needs to be. Generally the private key is a 256 bit number.

You can easily do scalar multiplication using the commutative property, but division is (so far) impossible.

To do Diffie-Hellman key exchange:

Alice picks a random number for her private key, and then computes the scalar multiple of this private key. The result of this calculation is the public key. Bob does the same. When Bob and Alice share their public keys, Alice takes Bob's public key (which is a point on the curve), and does scalar multiplication with her private key. Bob takes Alice's public key, and does scalar multiplication with his private key. The result is both end up with the same point on the curve.

For additional security, the result of the shared secret is hashed sometimes with a shared OPEN secret (a nonce), and the public keys in a given order.

The advantage of ECC key generation is that unlike RSA, it's immediate. Generating a private key is just picking a random number, and scalar multiplication is also very fast on the order of milliseconds, the keys are also smaller.

In short, RSA is crap, although ECC might have a fatal weakness. RSA depends on the inability to factor very large numbers, ECC depends on the inability to do point division although it's trivial to do point subtraction.
69   Patrick   2024 Jan 9, 3:31pm  

Is it possible to implement a replacement for SSL with no change to browsers and no centralized certificate authorities?

That would take care of encryption and MITM attacks and leave all the spook agencies out of it.
70   fdhfoiehfeoi   2024 Jan 9, 5:45pm  

There are a few guys out there with alternatives to typical internet protocols that touch on this. I think Corbett had a few on in the past year. There's onion routing, although it should always be pointed out, majority of the funding comes from the government.
71   richwicks   2024 Jan 16, 6:32pm  

Patrick says

Is it possible to implement a replacement for SSL with no change to browsers and no centralized certificate authorities?

That would take care of encryption and MITM attacks and leave all the spook agencies out of it.


@Patrick, TLS has superseded SSL and yes, certbot (which I believe you use from Let's Encrypt) can do ECC, although I've never tried to set it up. From here:

https://eff-certbot.readthedocs.io/en/latest/using.html

If you search for "ecc" you'll find:



It looks like it might be a little nonstandard, and the main advantage of ECC is the speed. You can absolutely instantly generate a new keypair.

The weakness of ECC (possible weakness) is that the random number generator could be compromised. I'm working with libsodium, and will probably use the offered private key, and then grab a random number myself, then do something like an sha256sum on the result, so even if the random number generator IS compromised, the resulting generated number should be impossible to work out backwards.

There are cautions against doing your own thing. With libsodium for example, you have to lock the page to prevent it from being swapped from memory, and clearing secret keys before it's returned to memory. I'm not so concerned about security right now, I'm just trying to understand the concepts.

What I'm finding is that the complexity of all this shit, isn't complicated at all, it's just explained very poorly. I can condense my explanation of ECC much further.

Private key a = random number = Pa
Public key A = PKa = Pa G where is defined as G raised to the Pa'th power in scalar multiplication on an ECC field

Private key b = random number = Pb
Public key A = PKb = Pb G where is defined as G raised to the Pb'th power in scalar multiplication on an ECC field

Shared secret = PKa b == PKb a == shared secret.

Shared secrets are only about 2^252 bits large, so you can do some additional obfuscation on it, and using the shared secret AS a key is not recommended. For example: the true shared secret to be used as a key might be HASH (PKa Server_Public_key Client_Public_key)

There's a lot of non obvious mistakes you can make, which is what cryptography is all about.
72   Patrick   2024 Jan 16, 7:19pm  

@richwicks I suspect there is a way to make a replacement for SSL/TLS which is so simple that it's hard to leave any holes.

Maybe we could all browse via a local http proxy which takes in http requests and generates sftp requests. That would take care of encryption and there would be no certificates needed.

For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?

You just need something that only the real owner of the domain can do, like creating a file on the server.
73   fdhfoiehfeoi   2024 Jan 17, 6:36am  

Mentioned this before, Corbett did a solutions watch last year where he spoke with a few people pioneering new messaging and internet. I'm sure they worked through some of these same questions.
74   richwicks   2024 Jan 17, 10:43pm  


richwicks I suspect there is a way to make a replacement for SSL/TLS which is so simple that it's hard to leave any holes.


@Patrick - Do you want to dump TLS/SSL entirely? That CAN be done I believe. I think. I want to patent it. I don't believe central authorities should exist and I THINK I know how to accomplish that. Basically with TLS, you are depending on a Certificate Authority to say "yes, this OTHER certificate really does belong to Google, YouTube, Patrick, whomever".

Do you want to eliminate the need for a Central Authority (CA)? If you still need a CA, what's the point of moving from TLS to something else? ECC is part of the TLS standard, although I've never set up an ECC key for my webserver. I know it's possible.

Patrick says


For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?


You don't need to identify the IP or keep it constant. There's always a threat that the secret key can be stolen or guessed which is the weakness. I think DNS needs to be done away with, perhaps using a DHT instead. The problem with DHTs is that they are slow. DHT is how a file is found on bit torrent, it's just a distributed database across multiple computers. DHT could be combined with an instant database, that AFTER you connect it warns you "maybe this site isn't legit", limiting input during that time.

Patrick says


You just need something that only the real owner of the domain can do, like creating a file on the server.


That's how certbot works, BUT you could do a man-in-the-middle attack. This is when somebody just receives and forwards traffic. They aren't the endpoint, but they appear to be and they just eavesdrop on the communication HOWEVER you can prevent a M.I.T.M.A with certificates and with Diffie-Hellman. The client needs to know that they are CERTAINLY talking to the server at this point.

If you have any interest in trying to setup ECC for TLS on Nginx, I can help you do that on a Linux machine at your home. You'd have to modify settings on your router (this is super easy) and get what is called a "dynamic name" - you need to use DNS with certificates. This is maybe a hassle, but it's not difficult. You'd have to open port 80 and 443 and forward that to a target machine where you're setting up ECC. Again, the advantage of ECC is that it's very fast in comparison to RSA.

YouTube and probably Google use ECC because it drastically reduces computational time during Diffie-Hellman.

NuttBoxer says


Mentioned this before, Corbett did a solutions watch last year where he spoke with a few people pioneering new messaging and internet. I'm sure they worked through some of these same questions.


@NuttBoxer I've heard them. There seems to be tons of people working on this on and off.
75   richwicks   2024 Jan 18, 12:30pm  

Here is an example of how point and scalar multiplication is used in ECDSA which is a method of making a digital signature:

1) Choose an elliptic curve and a generator point G.

2) Choose a private key k.

3) Calculate the public key Q = kG using point multiplication.

4) To sign a message m, choose a random number r and calculate the point R = rG using point multiplication.

5) Calculate the value s = (H(m) + k * x) / r mod n, where H(m) is the hash of the message, x is the private key, and n is the order of the curve.

6) The signature is the pair (R, s).

7) To verify the signature, calculate the point W = sG - H(m)Q using point addition and point multiplication.

8) The signature is valid if R == W.
76   Patrick   2024 Jan 19, 10:09am  

richwicks says

Do you want to eliminate the need for a Central Authority (CA)?


@richwicks Yes, exactly.
77   richwicks   2024 Jan 19, 10:44am  

Patrick says


richwicks says


Do you want to eliminate the need for a Central Authority (CA)?


richwicks Yes, exactly.


@Patrick

The best that I can do is use either a distributed hash table which is what bitcoin uses which is just a distributed database, OR use a 16 byte number which is entirely randomly generated to identify an entity.

I've been going through a lot of math of probabilities for the last couple of months and studying encryption. With TRUE randomness, there is no need for central authorities. The chances that two people in this world would pick the same random number, when they are told to pick a random number in a field of 0-0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF is one out of trillions of trillions and that number isn't that large.

There would at least be no need to register your ID, but PROVING who you are, that's another problem. I think proof of identity may always require a Central Authority of some sort. The number above can easily be represented as a QR code:



That's just an example to demonstrate how easily that can be represented.
78   Patrick   2024 Jan 19, 10:46am  

richwicks says

PROVING who you are, that's another problem


Is there a way to rely on DNS for that?

I can see that DNS normally has no encryption, so your request could be intercepted and you could be given a bogus IP. Fix that, and things are good, because people trying to hit, say, patrick.net would know they really hit it.
79   richwicks   2024 Jan 19, 10:55am  

Patrick says

richwicks says


PROVING who you are, that's another problem


Is there a way to rely on DNS for that?

I can see that DNS normally has no encryption, so your request could be intercepted and you could be given a bogus IP. Fix that, and things are good, because people trying to hit, say, patrick.net would know they really hit it.


I think DNS should be eliminated. It's a central point of failure. With DNS a single authority can deny access to communication, and I have seen this done where websites have been blocked by removing them from the DNS database.

Encryption doesn't matter with DNS, what you are talking about is a signature, to verify it's authentic.
80   Patrick   2024 Jan 19, 11:00am  

But how do you know which signature is, say, really the one from patrick.net?
81   richwicks   2024 Jan 19, 11:21am  

Patrick says


But how do you know which signature is, say, really the one from patrick.net?


You need a central authority, or at least a consensus.

If we had a different system than this fucked up system, I would have the ID of the system posted on the site, but that could easily be substituted by a man in the middle attack.

You basically have the same problem with a phone number. If your number is 555-123-4567 but your friend believes it is 556-123-4567 an eavesdropper can substitute speech when the true number is given out over the phone line - this is possible with AI today, but it's trivial with a computer to do a string substitution. I've been trying to figure out how to do this for a long time, I think it's impossible without an authority of some sort, but DHT can do that, which is "truth by consensus", and of course that is flawed as well.

The only way to prevent this is to advertise your site with around 16 characters which isn't that much and that is "your contact" information. This puts everybody on the same playing field, instead of having a well recognized name, you end up in the sea of completely random numbers. There's no advantage to anybody.

You can eliminate the need to register, but authentication - I believe you need a central authority for that but you can have multiple central authorities.

You can simply be removed from DNS databases as of today, what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f. Your computer or personal database should save the information. There could be several patrick.net's each a unique site, but the identifier is that number. Websites can be forged, but I think with a certificate you can verify that say in a purchase agreement you can guarantee you are talking to a particular seller.

Storage is so cheap today. I can't go over it and I can't get others to appreciate it, that a single SD Card can contain all my knowledge. The storage we had in the 1980's is so trivial compared to what we have today. Want every single NES video game ever made? You can download it in less than an hour, and store it on a device smaller than your fingernail and that's an enormous amount of data. I could post every single video game ever made for the Atari 2600 video game system here, and this site wouldn't choke on it. It's insane where we are at.
82   fdhfoiehfeoi   2024 Jan 19, 3:07pm  

richwicks says

but PROVING who you are, that's another problem.


Fuck proving who you are. You wanna surf the web, do it at your own risk. No authority, no verification other than what users agree on amongst themselves. Back to newsgroups!
83   HeadSet   2024 Jan 20, 8:47am  

richwicks says

I have seen this done where websites have been blocked by removing them from the DNS database.

Could that DNS block be defeated by having the web site put out its actual IP address?
84   richwicks   2024 Jan 20, 11:15am  

NuttBoxer says

Fuck proving who you are. You wanna surf the web, do it at your own risk. No authority, no verification other than what users agree on amongst themselves. Back to newsgroups!


I want to resurrect newsgroups. I think the angle to do this is to make it hard for stupid people to get on it. People complain that sites like BitChute and Rumble aren't taking off and aren't "real competitors" to YouTube, the reality is, all the dumb people are on YouTube and you really don't want them migrating to BitChute and Rumble anyhow.

HeadSet says

richwicks says


I have seen this done where websites have been blocked by removing them from the DNS database.

Could that DNS block be defeated by having the web site put out its actual IP address?


It's easy to get around, every computer has a list of files that you can use to map IP addresses to a name.
86   richwicks   2024 Jan 20, 5:08pm  

The_Deplorable says






There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.
87   richwicks   2024 Jan 20, 5:20pm  

Patrick says


richwicks I suspect there is a way to make a replacement for SSL/TLS which is so simple that it's hard to leave any holes.

Maybe we could all browse via a local http proxy which takes in http requests and generates sftp requests. That would take care of encryption and there would be no certificates needed.

For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?

You just need something that only the real owner of the domain can do, like creating a file on the server.


@Patrick - I wanted to mention there are several weaknesses in OpenSSL which I'm convinced are purposeful weaknesses. One that was (relatively) recently identified is during the TLS handshake process, an attacker can overflow a BUFFER to execute code which is a junior mistake but it's been there for decades.

This buffer is meant to contain all the possible methods available between the connection, and can overflow. I work mostly in C++ now, and it's impossible to overflow a buffer because storage is done differently and any attempt to overflow causes a crash. Even if people prefer to work in C, they should use the vector and string methods for arrays and strings. This eliminates 99% of security issues.

C++ can be (actually can? IS) far more complicated than it needs to be, but like C, you can organize your code well and make it well ordered and easy to understand. The major fault of C++ is that classes are just enormous, for methods (class functions) that are hardly ever used. The result is getting an enormous executable for many calls you will never make. The scattering of code throughout memory also slows down execution although I don't know if that's such a big deal with the size of cache we have today.

It's very different than when I was a kid. Execution speed isn't as much dependent on memory fetches, and if you optimize the hell out of code, you just end up with wait states and no increase in execution speed.
88   AD   2024 Jan 20, 8:20pm  

richwicks says

There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.


how about Brave and Firefox ? or Chromium ?

.
89   richwicks   2024 Jan 21, 7:06pm  

ad says


richwicks says


There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.


how about Brave and Firefox ? or Chromium ?

.



No I mean much simpler. Something like NetSurf:

https://www.youtube.com/watch?v=MoM2bzzsAcY

The Internet is extremely bloated and unnecessarily complicated. There should be a subset of html supported. Basically, I find that the actual utility and usefulness of a site is inversely proportional to its complexity. The more polished and whiz bang a site, the less I have a tendency to use it, because form follows function. Whenever I can get a video on BitChute instead of any other site, I go to BitChute.

The Internet was built in this gross hurry. Force XML to be standard (you can use standard XML on the Internet now), make WYSIWYG editors for pages, if you like support WebAssembly (this allows you to literally run ANY program in a web browser, you just have to compile it for it) get rid of JavaScript (unless it's WebAssembly) get rid of Java (unless it's WebAssembly) - it can be TREMENDOUSLY simplified and retain all the current functionality.

We have this now, people just don't use it. Instead of making browsers support all this legacy crap, get rid of the legacy crap.

There is literally no reason for all this junk. You know how many cookies you REALLY need for any website? 1. To identify you, the rest can be stored on the server. There's no reason to have more than one other than coder's laziness (and I can't blame them), and to track you around to other sites.
90   AD   2024 Jan 21, 7:32pm  

richwicks says

No I mean much simpler. Something like NetSurf:


I run Linux (Ubuntu) on my HP desktop (2017 model). Chromium and Firefox crash sometimes. I'll try NetSurf.
91   richwicks   2024 Jan 21, 7:44pm  

ad says

richwicks says


No I mean much simpler. Something like NetSurf:


I run Linux (Ubuntu) on my HP desktop (2017 model). Chromium and Firefox crash sometimes. I'll try NetSurf.


You might have to compile it.

I'm not saying NetSurf is a usable program, I doubt it is, but I'm saying browsers should be as simple as that. I wouldn't install NetSurf on my machine, but I've played with a few very simple browsers before. Some don't even support the ability to play video inline.
92   AD   2024 Jan 21, 8:07pm  

richwicks says

You might have to compile it.

I'm not saying NetSurf is a usable program, I doubt it is, but I'm saying browsers should be as simple as that. I wouldn't install NetSurf on my machine, but I've played with a few very simple browsers before. Some don't even support the ability to play video inline.


I am using NetSurf now. Seems rather crude or overly simple, but it is fast and does not crash.

.
93   Patrick   2024 Jan 21, 8:14pm  

richwicks says

what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f


I had a similar idea, but something which can be remembered by a human, like 4 or five words. The average person knows about 25,000 words, so four of those gives 390625000000000000 distinct combinations. That should make a sufficiently large space of four-word names that people can remember.
94   richwicks   2024 Jan 21, 8:21pm  

Patrick says


richwicks says


what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f


I had a similar idea, but something which can be remembered by a human, like 4 or five words. The average person knows about 25,000 words, so four of those gives 390625000000000000 distinct combinations. That should make a sufficiently large space of four-word names that people can remember.



If you want to talk privately, I can arrange that through my computer. I'd give you a temporary username and password, and you'd then setup your own username and password, and delete the one I gave you. I want to explain something to you at a point. We really don't need DNS at all.

Should be 10 words as well, and picked by a machine, not a person. People have a tendency to quote other people, most people are parrots. I have a password "TheBearAteATreeAndBarked". You know how often that's been written in history? Never. This is the first time you've seen it. It makes no logical sense, but it's easy to remember. Still the entropy could be higher however the phrase would require at minimum a dictionary attack.

Passwords are done wrong. People are lazy and want a short one, what they should do is aim for ludicrous phrases "Eat a bug or a hair, I like to dance with flair". That's pretty easy to remember and nobody has ever said it before, and nobody will ever say it again.
95   richwicks   2024 Jan 21, 8:25pm  

ad says


I am using NetSurf now. Seems rather crude or overly simple, but it is fast and does not crash.


I'm sure it lacks polish, but that's not the point. I frequently make throw away interfaces just so I can worry about more important things than if it's pretty or not. I've got the design taste of post modern art appreciator which is to say, none.

Remember when lots of people had tiny little pages with "About Me" posted and so on, and their interests, etc? I really want to bring that back. FaceBook, YouTube, and Twitter will ALL disconnect you from a person without even notifying you. They don't allow free association.

A simple web browser that follows a few rules will prevent you from accessing much of the Internet - well, GOOD! The VAST MAJORITY of the Internet is just centralized corporate garbage. If people want to promote their website to the "real web" fine, but I think there should be a simple, easy to access, little web that doesn't require any setup other than to install a program on your computer and leave your machine running and maybe not even leave it running, the webpage can be cached on somebody's machine that recently visited your site.
