
Comment: A Vexing Problem We Can Force Facebook To Fix (Score 2) 305

by logicnazi (#48066613) Attached to: The Single Vigilante Behind Facebook's 'Real Name' Crackdown

Obviously the current system in which individuals with ideological axes to grind can negatively impact communities where people don't go by their legal names. However, it's not obvious what the right rule should be. Of course I think you should be able to use pseudonyms, nicknames, stage names etc.. etc.. on facebook but how do you deal with facebook identity theft?

So I have Jane Mary Tyler Doe. I go create a facebook account pretending to be her and, if she isn't a huge celebrity, it wouldn't be too hard to convince a large number of people (probably anyone not already friends with the real individual) that I'm really Jane Mary Tyler Doe. I can then use that account to make her look like a racist, ruin relationships with coworkers and potential employers etc.. etc... unless my fake account can be suspended quite quickly. Alright how can facebook do this?

1) A real names policy. True, this has all the bad consequences above but it allows them to immediately suspend accounts but isn't vulnerable to serious DOS type attacks since a single credit card transaction or the like can quickly confirm someone's legal name and prevent any false impersonation accusation from ever causing another suspension. Given the low probability that someone with the same name wants to engage in the impersonation facebook has enough human hours to evaluate these rare situations in reasonable detail.

But this undermines an essential purpose of facebook. To let people present themselves online to the same people they know offline meaning stage names, nicknames etc.. etc..

2) A no impersonation rule. Alright now someone asserts the account Jennifer Doe is impersonating her. What can facebook do? If they suspend the existing account things are even worse since instead of creating a fake account someone with ill-intent asserts that the current account holder is an imposter gets their account suspended and now controls the only account representing itself to be Jennifer Doe's. Given the size of facebook they simply can't stop anyone from creating any new account with that name and the impersonator could create an account Jen Doe.

The very fact that people are allowed to use names other than their legal names means there is no good heuristic to see who is likely the deliberate imposter. After all Jennifer Doe might be the name she goes by in school but the name on her birth certificate could well be Bertha Jennifer Doe and Jennifer might not even appear on things like credit cards meaning facebook doesn't even have a good guess as to the imposter.

Also this creates the possibility of a DOS attack against any account (keep claiming it is an imposter account from accounts). If facebook eventually stops viewing such imposter accusations as real then any imposter who gets there before the real user can simply launch a bunch of accusations of imposterization at themselves until they insulate themselves against any accusation from the person they are actually impostering (after all they can be a perfectly legit Jennifer Doe account then change their picture and other details later to impersonate a target).

----

What they should do is basically implement a web of trust style infrastructure. Facebook can start occasionally asking people who frequently message or are listed as close friends whether the person they talked to or the person with that email address really went to school such and such. Also friend requests should include a couple of selected bits of public info (like email address and the like) which would hopefully make impersonation more difficult.

Ultimately, however, facebook needs to have an attestation system akin to key signing. You get your close friends to attest that the person whose picture and details appear in the facebook account really controls the account. Details will be a pain in the ass but it's the only plausible way since impersonation is a matter of details like schools, pictures etc.. etc.. not real names and facebook just can't check those themselves. They can only create tools to indicate potentially untrustworthy representations.

----

We can force them to do this by using their real name policy against immigrants. Even my immigrant friends from places like Russia are known by significantly different names than are on their legal documents (and those are often inconsistent). Chinese immigrants often have legal names that even many close friends don't even know. If we start a campaign to force all these people to use real names both the specter of being seen as discriminatory plus the real risk to their business will change the policy damn quick.

Comment: Multiple master secrets (Score 1) 76

by logicnazi (#47962983) Attached to: Researchers Propose a Revocable Identity-Based Encryption Scheme

Of course you can have as many master secrets as you want with each controlled by a different entity but those master public keys need to be distributed somehow. However, if you try and allow any master secret to work with any email you have exactly the system we have with ssl certs and we know that won't work for things like email. After all if any master secret can generate a private key for any email that means that if any master key is compromised so is the whole system. I believe it also requires that anyone encrypting messages needs information about all the master keys so it really is like certs, you trust all the root certs in the list that comes with your software.

On the other hand if each email address can specify the master key to use with it we are back to the problem of key distribution as the choice of master public key for your email address functions just like a public key (to send you encrypted messages the sender needs to know it and if they are tricked into using the wrong one you get a MITM attack).

Obviously, I use email to stand in for whatever identifier one has in mind.

Comment: No better than using gmail (Score 1) 76

by logicnazi (#47962967) Attached to: Researchers Propose a Revocable Identity-Based Encryption Scheme

As any such identity based encryption requires a master secret (or secrets) that is used to generate the private keys (if not anyone who knows your email can generate a private key for that public key and thus read anything encrypted to you) you might as well just be using gmail and counting on google not to get hacked. After all, you can't compromise every gmail account by gaining access to a few servers but anyone who hacks the server with the master secret brings down the whole system in IBE. And gmail also provides transport security and tls for your web connections so why even bother with IBE unless your correspondent doesn't have transport level security.

MAYBE you could create some kind of large distributed infrastructure for storing the master key but at that point it seems easier just to distribute standard public keys directly.

Comment: Re:How does the decrypter know what to send out? (Score 1) 106

by logicnazi (#46107861) Attached to: Building Deception Into Encryption Software

It will only work for data that is so well characterized you can find the information theoretic optimal representation for it, i.e., you can bijectively map each message onto the integers mod n so that each integer is equally likely to be seen.

Other than CCNs I can't think of much which satisfies this condition.

Comment: Very narrow use (Score 1) 106

by logicnazi (#46107849) Attached to: Building Deception Into Encryption Software

The only cases in which this approach can work are those where the distribution of plaintext is known in advance.

Since the algorithms used to generate CCN are largely public one can map the class of apparently valid CCNs (suppose it has n members) bijectively into the integers mod n and assuming the CCNs are uniformly distributed over the apparently valid CCNs (likely) their images in the integers mod n are uniformly distributed. Assume that ENC_k is any standard encryption function (public or private) with key k operating on inputs from the integers mod z >= n-1 (usually a power of 2 for a symmetric encryption function). Given a CCN c map it to a value c' in mod n arithmetic and generate a random value 0 <= r < z. We can now encrypt our CCN as the pair r + c' mod n, ENC_k(r).

This will ensure that no statistical test will be able to distinguish a correct choice of the key from an incorrect one.

This is useless, however, for data like english text or names which don't have an easily describable distribution. The construction above relied on our ability to select an information theoretic optimal compression function for CCNs, i.e., one which bijectively maps the message into a uniform distribution on the integers mod n for some n. This is impossible for things like proper names or english text.
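
The construction described in the comment above, written out as an added example (not part of the original comment). Assumptions: the "apparently valid" class is simplified to 16-digit strings passing the Luhn check, so n = 10**15, and ENC_k is a toy HMAC-based Feistel permutation standing in for a standard cipher; all function names are hypothetical.

```python
import hashlib, hmac, secrets
# Assumptions (not from the comment): message space = 16-digit Luhn-valid strings,
# n = 10**15; ENC_k = toy 8-round HMAC Feistel on 64-bit ints (z = 2**64 >= n).
N, HALF, MASK = 10**15, 32, 0xFFFFFFFF

def luhn_digit(payload: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                      # doubled once the check digit is appended
            d = 2 * d - 9 if d > 4 else 2 * d
        total += d
    return str(-total % 10)

def luhn_valid(ccn: str) -> bool:
    return len(ccn) == 16 and ccn.isdigit() and luhn_digit(ccn[:15]) == ccn[15]

def ccn_to_index(ccn: str) -> int:          # bijection c -> c' in Z_n
    if not luhn_valid(ccn):
        raise ValueError("not in the message space")
    return int(ccn[:15])

def index_to_ccn(idx: int) -> str:          # inverse bijection c' -> c
    payload = f"{idx:015d}"
    return payload + luhn_digit(payload)

def _f(key: bytes, rnd: int, half: int) -> int:
    mac = hmac.new(key, bytes([rnd]) + half.to_bytes(4, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:4], "big")

def enc(key: bytes, r: int) -> int:         # ENC_k
    left, right = r >> HALF, r & MASK
    for rnd in range(8):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << HALF) | right

def dec(key: bytes, c: int) -> int:         # ENC_k^{-1}
    left, right = c >> HALF, c & MASK
    for rnd in reversed(range(8)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << HALF) | right

def encrypt_ccn(key: bytes, ccn: str) -> tuple[int, int]:
    r = secrets.randbelow(1 << 64)          # random 0 <= r < z
    return (r + ccn_to_index(ccn)) % N, enc(key, r)

def decrypt_ccn(key: bytes, ct: tuple[int, int]) -> str:
    masked, enc_r = ct
    return index_to_ccn((masked - dec(key, enc_r)) % N)
```

Decrypting with a wrong key recovers a different r, so the output is some other Luhn-valid number and the validity check cannot confirm or reject a key guess.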

Comment: Re:Sounds like a lawsuit waiting to happen (Score 1) 448

by logicnazi (#46101613) Attached to: Developer Loses Single-Letter Twitter Handle Through Extortion

No, this is irrelevant.

If paypal was neither negligent with his data nor violated any privacy laws the fact that in an ideal world they shouldn't have allowed this information to become available is irrelevant.

I mean the law has to have a single answer for whether companies need to keep last four digit info on their super secure system because access to that information would allow affected users to sue or not.

Comment: Sue PayPal and GoDaddy!! And why believe hacker? (Score 1) 448

by logicnazi (#46101563) Attached to: Developer Loses Single-Letter Twitter Handle Through Extortion

This was a thing of substantial value and his own willingness to trade it for his custom domains is a compelling argument they too are worth a similar amount.

Thus, if he can prove negligence or some other cause of action against paypal or godaddy he should be able to receive at least 50k damages. Personally, I suspect paypal is the better target as various privacy laws may have been violated. Of course a real lawyer would have a better idea of whether he has a case.

------

Frankly, it's hard to see what could have made this trade a worthwhile deal. I mean, either the hacker already had control of his email through a dns change or he didn't. If the hacker didn't what about the trade would make the extortion victim believe the hacker would behave differently if he turned over the domain than if he didn't? I mean he could presumably still decide to be a dick and use his access to delete the data.

And why not simply pretend not to be at his computer? He could have called godaddy and the like to lock down all the domains.

Comment: Re:Rude != Troll (Score 1) 298

by logicnazi (#43194763) Attached to: Why Trolls Win With Toxic Comments

I understand that religion is detrimental for modern humans,

False, most assuredly. Detrimental? I'm unconvinced.

Sure, if the alternative was for everyone to read CSICOP and become skeptical scientifically minded individuals then sure religion would be harmful to society. However, that's not the alternative. You undermine religiosity and people remain just as `spiritual' and seek out more harmful, less stable forms of mystical thought, e.g., homeopathy, belief in spirits, medium etc...

The failure of any major world culture to exist without substantial religious, spiritual or otherwise mystical beliefs (even a semi-mystical view of the benefits of great literature or the wisdom to be found in meditation) casts doubt on your claim that religion itself is detrimental. Perhaps the harm done by religion is balanced by the comfort it gives to many people who can't or won't find the truth comforting. Perhaps religion is merely the least bad outcome of underlying psychological tendencies we all share pushing us to interpret the world as `speaking' to us and to inject emotion into our evaluation of claims. In the long run with appropriate genetic engineering it might be desirable to phase out religion but for the moment it may be better than things like homeopathy, talk about Chakras and other spiritual interests that aren't religion.

that teaching religion to children is a form of abuse, and therefore indoctrinating anyone under 18 should be illegal.

This is a very very different claim. Sure, in the long run weaning humans off of religion may be desirable but now the question is what will that child be best served by?

As much as I feel that religious indoctrination before adulthood is brainwashing people into holding certain extremely implausible beliefs in most cases it is probably beneficial for the child. Most of America is highly religious and if you deny them that cultural belonging religion provides in these areas you hurt them far worse than the harm done from carrying around comforting but incorrect beliefs for their lives. Just make sure there are ample opportunities for them to consider the question later and reach a more informed decision when they are capable.

What is most important is to make sure atheist views, socialization etc... become widely distributed so it's viewed as just another kind of belief. Furthermore, tackling the very hard problem of providing community unity and socialization without any masses is important.

Atheists visibly taking roles in community service programs would be much more useful than viewing religious indoctrination (as are most lessons from parents) would be much more useful.

Comment: Re:Freedom? Safety? Privacy? Where? (Score 1) 307

by logicnazi (#43194481) Attached to: Should We Be Afraid of Google Glass?

And people inferring what you do from your public behaviors is slavery how?

This only seems so awful because we imagine continuing to apply the same social standards in place now to a new world of massive transparency and data mining. These technologies will shift our social norms so it's considered impolite to condemn others for personal choices and we'll view it as rude to use data about someone's personal life to affect the hiring process or how you treat them professionally.

Comment: Re:Let me see... (Score 1) 307

by logicnazi (#43194471) Attached to: Should We Be Afraid of Google Glass?

And if google doesn't do this what do you foresee happening in the future?

High res cameras not only will get cheap but by the miracles of integrated circuit fabrication (and the high cost of running multiple processes/designs) eventually it will be cheaper to buy the standard high-res camera rather than the uncommon low-res camera. It's only a matter of time before all security and ATM cameras are high-res and the price of storage falls so low that they keep all that data in digital form online.

Now is every storeowner, photographer and bank going to use their own security camera management system? Save the images all themselves? Of course not, they will pick some company to manage it for them and that will centralize a great deal of this video information.

There is an inescapable collusion in the works between our expectations of anonymity and our right to free speech. Even if no one goes out and creates a central repository all it takes is many internet accessible public sites hosting this information and anyone with sufficient computer hardware can data mine your life.

Comment: Re:FUCK two-way "transparency". (Score 1) 307

by logicnazi (#43194437) Attached to: Should We Be Afraid of Google Glass?

Most professional cameramen (including artists who want to capture scenes of city life) have their cameras set to take pictures at quite a high rate. What number of FPS is too much? 1? 5? 30? When does taking lots of photos become taking video? I don't think that is a line you can reasonably draw.

Hell, the better data mining gets the easier it is to infer actions in between photos so even if you insist that photography be capped at once every minute or 15 seconds eventually the same info will get out.

Comment: Re:Irrationally berserk: Seattle's 'Creepy Cameram (Score 1) 307

by logicnazi (#43194417) Attached to: Should We Be Afraid of Google Glass?

I doubt it.

There is every difference between respecting the usual social norms of looking away from private business, not staring at people etc... and recording what you see and sticking a camera in everyone's face and deliberately invading conversations, behavior and interactions obviously not meant to include you. The content captured may not be much different but the social reaction will be.

The reaction to google glass will be "Cool what's that thing" as long as those wearing it don't bring it into sensitive areas (locker rooms) and don't shove it into others' business.
