
coding thread


2022 Oct 18, 8:27pm   10,990 views  95 comments

by richwicks

Since there are a significant number of nerds here, I wanted to start a thread for projects.

People seem to INSIST on using cloud storage, which removes your ability of privacy, so I'm going to write a strong encryption program using the NaCl library:

https://nacl.cr.yp.to/

The goal here is that the resulting encrypted data is impossible to recover without getting the original key. Keys are changed regularly, and being able to brute force one block will give the attacker no advantage in cracking the next block.

Also, it will be computationally expensive to attempt to crack even with specialized hardware. This increases energy consumption and slows down the encryption and decryption, but also will make brute force attacks 1000's of times slower.

Comments 74 - 95 of 95

74   richwicks   2024 Jan 17, 10:43pm  


richwicks I suspect there is a way to make a replacement for SSL/TLS which is so simple that it's hard to leave any holes.


@Patrick - Do you want to dump TLS/SSL entirely? That CAN be done I believe. I think. I want to patent it. I don't believe central authorities should exist and I THINK I know how to accomplish that. Basically with TLS, you are depending on a Certificate Authority to say "yes, this OTHER certificate really does belong to Google, YouTube, Patrick, whomever".

Do you want to eliminate the need for a Central Authority (CA)? If you still need a CA, what's the point of moving from TLS to something else? ECC is part of the TLS standard, although I've never set up an ECC key for my webserver. I know it's possible.

Patrick says


For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?


You don't need to identify the IP or keep it constant. There's always a threat that the secret key can be stolen or guessed which is the weakness. I think DNS needs to be done away with, perhaps using a DHT instead. The problem with DHTs is that they are slow. DHT is how a file is found on BitTorrent, it's just a distributed database across multiple computers. DHT could be combined with an instant database, that AFTER you connect it warns you "maybe this site isn't legit", limiting input during that time.

Patrick says


You just need something that only the real owner of the domain can do, like creating a file on the server.


That's how certbot works, BUT you could do a man-in-the-middle attack. This is when somebody just receives and forwards traffic. They aren't the endpoint, but they appear to be and they just eavesdrop on the communication HOWEVER you can prevent a M.I.T.M.A with certificates and with Diffie-Hellman. The client needs to know that they are CERTAINLY talking to the server at this point.

If you have any interest in trying to set up ECC for TLS on Nginx, I can help you do that on a Linux machine at your home. You'd have to modify settings on your router (this is super easy) and get what is called a "dynamic name" - you need to use DNS with certificates. This is maybe a hassle, but it's not difficult. You'd have to open port 80 and 443 and forward that to a target machine where you're setting up ECC. Again, the advantage of ECC is that it's very fast in comparison to RSA.

YouTube and probably Google use ECC because it drastically reduces computational time during Diffie-Hellman.

NuttBoxer says


Mentioned this before, Corbett did a solutions watch last year where he spoke with a few people pioneering new messaging and internet. I'm sure they worked through some of these same questions.


@NuttBoxer I've heard them. There seems to be tons of people working on this on and off.
75   richwicks   2024 Jan 18, 12:30pm  

Here is an example of how point and scalar multiplication is used in ECDSA which is a method of making a digital signature:

1) Choose an elliptic curve and a generator point G.

2) Choose a private key k.

3) Calculate the public key Q = kG using point multiplication.

4) To sign a message m, choose a random number r and calculate the point R = rG using point multiplication.

5) Calculate the value s = (H(m) + k * x) / r mod n, where H(m) is the hash of the message, x is the private key, and n is the order of the curve.

6) The signature is the pair (R, s).

7) To verify the signature, calculate the point W = sG - H(m)Q using point addition and point multiplication.

8) The signature is valid if R == W.
76   Patrick   2024 Jan 19, 10:09am  

richwicks says

Do you want to eliminate the need for a Central Authority (CA)?


@richwicks Yes, exactly.
77   richwicks   2024 Jan 19, 10:44am  

Patrick says


richwicks says


Do you want to eliminate the need for a Central Authority (CA)?


richwicks Yes, exactly.


@Patrick

The best that I can do is use either a distributed hash table which is what bitcoin uses which is just a distributed database, OR use a 16 byte number which is entirely randomly generated to identify an entity.

I've been going through a lot of math of probabilities for the last couple of months and studying encryption. With TRUE randomness, there is no need for central authorities. The chances that two people in this world would pick the same random number, when they are told to pick a random number in a field of 0-0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF is one out of trillions of trillions and that number isn't that large.

There would at least be no need to register your ID, but PROVING who you are, that's another problem. I think proof of identity may always require a Central Authority of some sort. The number above can easily be represented as a QR code:



That's just an example to demonstrate how easily that can be represented.
78   Patrick   2024 Jan 19, 10:46am  

richwicks says

PROVING who you are, that's another problem


Is there a way to rely on DNS for that?

I can see that DNS normally has no encryption, so your request could be intercepted and you could be given a bogus IP. Fix that, and things are good, because people trying to hit, say, patrick.net would know they really hit it.
79   richwicks   2024 Jan 19, 10:55am  

Patrick says

richwicks says


PROVING who you are, that's another problem


Is there a way to rely on DNS for that?

I can see that DNS normally has no encryption, so your request could be intercepted and you could be given a bogus IP. Fix that, and things are good, because people trying to hit, say, patrick.net would know they really hit it.


I think DNS should be eliminated. It's a central point of failure. With DNS a single authority can deny access to communication, and I have seen this done where websites have been blocked by removing them from the DNS database.

Encryption doesn't matter with DNS, what you are talking about is a signature, to verify it's authentic.
80   Patrick   2024 Jan 19, 11:00am  

But how do you know which signature is, say, really the one from patrick.net?
81   richwicks   2024 Jan 19, 11:21am  

Patrick says


But how do you know which signature is, say, really the one from patrick.net?


You need a central authority, or at least a consensus.

If we had a different system than this fucked up system, I would have the ID of the system posted on the site, but that could easily be substituted by a man in the middle attack.

You basically have the same problem with a phone number. If your number is 555-123-4567 but your friend believes it is 556-123-4567 an eavesdropper can substitute speech when the true number is given out over the phone line - this is possible with AI today, but it's trivial with a computer to do a string substitution. I've been trying to figure out how to do this for a long time, I think it's impossible without an authority of some sort, but DHT can do that, which is "truth by consensus", and of course that is flawed as well.

The only way to prevent this is to advertise your site with around 16 characters which isn't that much and that is "your contact" information. This puts everybody on the same playing field, instead of having a well recognized name, you end up in the sea of completely random numbers. There's no advantage to anybody.

You can eliminate the need to register, but authentication - I believe you need a central authority for that but you can have multiple central authorities.

You can simply be removed from DNS databases as of today, what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f. Your computer or personal database should save the information. There could be several patrick.net's each a unique site, but the identifier is that number. Websites can be forged, but I think with a certificate you can verify that say in a purchase agreement you can guarantee you are talking to a particular seller.

Storage is so cheap today. I can't go over it and I can't get others to appreciate it, that a single SD Card can contain all my knowledge. The storage we had in the 1980's is so trivial compared to what we have today. Want every single NES video game ever made? You can download it in less than an hour, and store it on a device smaller than your fingernail and that's an enormous amount of data. I could post every single video game ever made for the Atari 2600 video game system here, and this site wouldn't choke on it. It's insane where we are at.
82   fdhfoiehfeoi   2024 Jan 19, 3:07pm  

richwicks says

but PROVING who you are, that's another problem.


Fuck proving who you are. You wanna surf the web, do it at your own risk. No authority, no verification other than what users agree on amongst themselves. Back to newsgroups!
83   HeadSet   2024 Jan 20, 8:47am  

richwicks says

I have seen this done where websites have been blocked by removing them from the DNS database.

Could that DNS block be defeated by having the web site put out its actual IP address?
84   richwicks   2024 Jan 20, 11:15am  

NuttBoxer says

Fuck proving who you are. You wanna surf the web, do it at your own risk. No authority, no verification other than what users agree on amongst themselves. Back to newsgroups!


I want to resurrect newsgroups. I think the angle to do this is to make it hard for stupid people to get on it. People complain that sites like BitChute and Rumble aren't taking off and aren't "real competitors" to YouTube, the reality is, all the dumb people are on YouTube and you really don't want them migrating to BitChute and Rumble anyhow.

HeadSet says

richwicks says


I have seen this done where websites have been blocked by removing them from the DNS database.

Could that DNS block be defeated by having the web site put out its actual IP address?


It's easy to get around, every computer has a list of files that you can use to map IP addresses to a name.
86   richwicks   2024 Jan 20, 5:08pm  

The_Deplorable says






There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.
87   richwicks   2024 Jan 20, 5:20pm  

Patrick says


richwicks I suspect there is a way to make a replacement for SSL/TLS which is so simple that it's hard to leave any holes.

Maybe we could all browse via a local http proxy which takes in http requests and generates sftp requests. That would take care of encryption and there would be no certificates needed.

For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?

You just need something that only the real owner of the domain can do, like creating a file on the server.


@Patrick - I wanted to mention there are several weaknesses in OpenSSL which I'm convinced are purposeful weaknesses. One that was (relatively) recently identified is during the TLS handshake process, an attacker can overflow a BUFFER to execute code which is a junior mistake but it's been there for decades.

This buffer is meant to contain all the possible methods available between the connection, and can overflow. I work mostly in C++ now, and it's impossible to overflow a buffer because storage is done differently and any attempt to overflow causes a crash. Even if people prefer to work in C, they should use the vector and string methods for arrays and strings. This eliminates 99% of security issues.

C++ can be (actually can? IS) far more complicated than it needs to be, but like C, you can organize your code well and make it well ordered and easy to understand. The major fault of C++ is that classes are just enormous, for methods (class functions) that are hardly ever used. The result is getting an enormous executable for many calls you will never make. The scattering of code throughout memory also slows down execution although I don't know if that's such a big deal with the size of cache we have today.

It's very different than when I was a kid. Execution speed isn't as much dependent on memory fetches, and if you optimize the hell out of code, you just end up with wait states and no increase in execution speed.
88   AD   2024 Jan 20, 8:20pm  

richwicks says

There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.


how about Brave and Firefox ? or Chromium ?

.
89   richwicks   2024 Jan 21, 7:06pm  

ad says


richwicks says


There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.


how about Brave and Firefox ? or Chromium ?

.



No I mean much simpler. Something like NetSurf:

https://www.youtube.com/watch?v=MoM2bzzsAcY

The Internet is extremely bloated and unnecessarily complicated. There should be a subset of html supported. Basically, I find that the actual utility and usefulness of a site is inversely proportional to its complexity. The more polished and whiz bang a site, the less I have a tendency to use it, because form follows function. Whenever I can get a video on BitChute instead of any other site, I go to BitChute.

The Internet was built in this gross hurry. Force XML to be standard (you can use standard XML on the Internet now), make WYSIWYG editors for pages, if you like support WebAssembly (this allows you to literally run ANY program in a web browser, you just have to compile it for it) get rid of JavaScript (unless it's WebAssembly) get rid of Java (unless it's WebAssembly) - it can be TREMENDOUSLY simplified and retain all the current functionality.

We have this now, people just don't use it. Instead of making browsers support all this legacy crap, get rid of the legacy crap.

There is literally no reason for all this junk. You know how many cookies you REALLY need for any website? 1. To identify you, the rest can be stored on the server. There's no reason to have more than one other than coder's laziness (and I can't blame them), and to track you around to other sites.
90   AD   2024 Jan 21, 7:32pm  

richwicks says

No I mean much simpler. Something like NetSurf:


I run Linux (Ubuntu) on my HP desktop (2017 model). Chromium and Firefox crash sometimes. I'll try NetSurf.
91   richwicks   2024 Jan 21, 7:44pm  

ad says

richwicks says


No I mean much simpler. Something like NetSurf:


I run Linux (Ubuntu) on my HP desktop (2017 model). Chromium and Firefox crash sometimes. I'll try NetSurf.


You might have to compile it.

I'm not saying NetSurf is a usable program, I doubt it is, but I'm saying browsers should be as simple as that. I wouldn't install NetSurf on my machine, but I've played with a few very simple browsers before. Some don't even support the ability to play video inline.
92   AD   2024 Jan 21, 8:07pm  

richwicks says

You might have to compile it.

I'm not saying NetSurf is a usable program, I doubt it is, but I'm saying browsers should be as simple as that. I wouldn't install NetSurf on my machine, but I've played with a few very simple browsers before. Some don't even support the ability to play video inline.


I am using NetSurf now. Seems rather crude or overly simple, but it is fast and does not crash.

.
93   Patrick   2024 Jan 21, 8:14pm  

richwicks says

what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f


I had a similar idea, but something which can be remembered by a human, like 4 or five words. The average person knows about 25,000 words, so four of those gives 390625000000000000 distinct combinations. That should make a sufficiently large space of four-word names that people can remember.
94   richwicks   2024 Jan 21, 8:21pm  

Patrick says


richwicks says


what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f


I had a similar idea, but something which can be remembered by a human, like 4 or five words. The average person knows about 25,000 words, so four of those gives 390625000000000000 distinct combinations. That should make a sufficiently large space of four-word names that people can remember.



If you want to talk privately, I can arrange that through my computer. I'd give you a temporary username and password, and you'd then set up your own username and password, and delete the one I gave you. I want to explain something to you at a point. We really don't need DNS at all.

Should be 10 words as well, and picked by a machine, not a person. People have a tendency to quote other people, most people are parrots. I have a password "TheBearAteATreeAndBarked". You know how often that's been written in history? Never. This is the first time you've seen it. It makes no logical sense, but it's easy to remember. Still, the entropy could be higher; however, the phrase would require at minimum a dictionary attack.

Passwords are done wrong. People are lazy and want a short one, what they should do is aim for ludicrous phrases "Eat a bug or a hair, I like to dance with flair". That's pretty easy to remember and nobody has ever said it before, and nobody will ever say it again.
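
An added example, not part of any post above, relating the 16-byte random identifier from comment 77 to the word-based names from comments 93 and 94: it computes the entropy of each identifier space and the birthday-bound chance that independently picked identifiers collide. The population of 10**9 identifiers and the 8-word sample list are assumptions constructed for this example.

```python
# Added example: how large is an identifier space, and when do random picks collide?
import math
import secrets

def bits(space):
    """Entropy in bits of one uniform pick from `space` equally likely values."""
    return math.log2(space)

def collision_probability(n_ids, space):
    """Birthday bound: chance that at least two of n_ids uniform picks coincide."""
    return -math.expm1(-n_ids * (n_ids - 1) / (2 * space))

def ids_until_risk(space, risk):
    """Approximate number of uniform picks before collision chance reaches `risk`."""
    return math.isqrt(int(-2 * space * math.log1p(-risk)))

def words_needed(vocabulary, target_bits):
    """Machine-picked words from `vocabulary` needed to reach target_bits."""
    return math.ceil(target_bits / math.log2(vocabulary))

def random_phrase(wordlist, count):
    """Pick words with a CSPRNG; a person choosing words gives far less entropy."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))

# Constructed 8-word list for demonstration only; a real list would be much larger.
SAMPLE_WORDS = ["bear", "tree", "bark", "flair", "dance", "bug", "hair", "cloud"]

if __name__ == "__main__":
    spaces = {
        "16 random bytes": 2**128,
        "4 words of 25,000": 25_000**4,
        "10 words of 25,000": 25_000**10,
    }
    population = 10**9  # assumed number of registered identifiers
    for name, space in spaces.items():
        print(f"{name}: {bits(space):.1f} bits, "
              f"P(collision among {population:,}) = "
              f"{collision_probability(population, space):.3g}, "
              f"1% risk after ~{ids_until_risk(space, 0.01):,} ids")
    print("words for 128 bits:", words_needed(25_000, 128))
    print("sample phrase:", random_phrase(SAMPLE_WORDS, 10))
```
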
95   richwicks   2024 Jan 21, 8:25pm  

ad says


I am using NetSurf now. Seems rather crude or overly simple, but it is fast and does not crash.


I'm sure it lacks polish, but that's not the point. I frequently make throw away interfaces just so I can worry about more important things than if it's pretty or not. I've got the design taste of a post-modern art appreciator, which is to say, none.

Remember when lots of people had tiny little pages with "About Me" posted and so on, and their interests, etc? I really want to bring that back. FaceBook, YouTube, and Twitter will ALL disconnect you from a person without even notifying you. They don't allow free association.

A simple web browser that follows a few rules will prevent you from accessing much of the Internet - well, GOOD! The VAST MAJORITY of the Internet is just centralized corporate garbage. If people want to promote their website to the "real web" fine, but I think there should be a simple, easy to access, little web that doesn't require any setup other than to install a program on your computer and leave your machine running and maybe not even leave it running, the webpage can be cached on somebody's machine that recently visited your site.
