Re: Surrogate factoring, update
From: Tom St Denis (tom_at_securescience.net)
Date: Thu, 15 Jul 2004 00:04:40 GMT
[Replying for the fun of it...]
James Harris wrote:
> David C. Ullrich <email@example.com> wrote in message
>> On 11 Jul 2004 17:15:33 -0700, firstname.lastname@example.org (James Harris) wrote:
>> >I contacted the NSA. I didn't hear back from them. If that sounds
>> >crazy, ok, but I hope you understand that it's really about the
>> >seriousness of the situation as I see it.
>> Yes, that sounds crazy.
> Well, I don't think so, as any responsible researcher who finds
> something that worries them should feel free to contact the government
> agency that covers that area.
The NSA doesn't care about domestic crypto. I mean... they follow it [Hey
Brian Snow what's up? ;-)] but they don't regulate it.
If anything you should have contacted NIST not the NSA. Of course you'd
know that if you spent 8 seconds looking around the field to see how people
use, work with and develop crypto.
> Now I'm sure some of you might be terrified at the idea of contacting
> the NSA just because you're worried you discovered something that
> might affect public key encryption, but I figure it's just prudent.
Um, I've talked with people at DoD and NSA before [in person]. It's nothing
special. They're just people who work for the government. Occasionally
they brag about it but I would do if I had a cushy job too ;-)
> After all, what I found might be important, and better to contact them
> now, than have to debate about it later.
Or, alternatively you could hold a rational open minded discussion in a
public forum and determine if the idea is not only *valid* but *worthwhile*
>> You should contact them again, warning them that there
>> may be Big Trouble if they continue to ignore you. I
>> doubt that that would lead to a reply either, but it
>> could get you onto a list of people to watch carefully...
> Actually, I pointed out that if a viable approach comes from this idea
> of surrogate factoring, and people lose millions of dollars or worse,
> to hackers, then some might wonder if there was any warning possible,
> if someone might have sounded the alarm *before* the intruders walked
> through systems.
Not really true. First off switching to some other system [ECC for example
see below] takes time. You can't just do
in OpenSSL and use ECC instead of DSA/RSA
> Then, if they check back and find out that the ideas discussed here
> were acted upon and expanded on by people outside the mainstream,
> while mainstream mathematicians failed to consider these ideas, then
> they can look back at the discussions that took place here.
Nobody really looks to sci.crypt for "authorative information". I mean
there are useful discussions here but mostly things take place off-usenet.
> Then they can consider statements by mathematicians made here as
> expert testimony. As mathematicians are by definitions expert in
> mathematics so their statements are given a substantial amount of
> weight when they cover mathematics.
Um, you do realize that the bulk of usenet [well sci groups] is comprised of
hobbyists, amateurs and students right?
But that aside nobody here "owes" you anything. I could say "AES is weak
use DES-ECB instead" and not be held accountable for anything [though it
would look stupid]. If you [or anyone else] uses material posted here as
"authorative" that's their own fault.
> That expert testimony is public and can be reasonably inferred to
> affect debate.
Perhaps but not liable for the outcome.
> An expert need not testify about a particular idea, but once they make
> a public statement, they can be held liable for their position, if
> others suffer a tort that can be related to their expert statements.
> It's just the law.
Really? Which specific law? In which jurisdiction?
> Ignorance of the law is not an excuse, nor is it a protection.
Ignorance of the law is not something somoene who protests legal injustice
should have either. Hmm tit for tat I guess.
> Here's an example. Let's say that it is your expert opinion that a
> building is safe, though some residents of that building proclaim that
> they are worried that it is unsafe.
You only can authoratively say a building is safe if you sign off on it.
You also have to enter into a binding agreement to analyze it.
This goes back to "I owe you nothing" clause. I'm not responsible for you.
if you make poor judgements [say based on my lies] you're at fault not me.
By your logic you could sue strangers on the streets who claimed "eyes wide
shut" was a good movie.
> Expert status comes with a weight of responsibility.
So does net access.
> I am not a legal expert and none of my statements here should be
> construed to be expert opinion. I am not a lawyer nor do I pretend
> to be one. Those interested in the law in this area should consult
> with an attorney or an appropriate legal expert.
Well hold on here. You're saying things in public here James. I should be
able to form a law firm based off your posts. When I lose all of my cases
I guess I should sue you. You did after all post in a public forum stating
things as fact. Or are you cutting a loop hole "I am not a legal expert".
Well I'm not a Ph.D. in math and I still think your idea is worthless.
* About ECC. It's funny that no cranks seem to attack ECC. I guess
anything that requires a bit more than a modicum of grade 10 math does
attract the trolls. I mean RSA is relatively simple so everyone claims to
break it. ECC on the other hand is tricky and requires hard work to learn
and understand. Same could be said for DSA and NTRU. I guess that's a
sure-sign of a troll. Anything that requires "work" is avoided.
James you sure are a funny guy. Sadly though you're funny in the sense "I
can't believe there are people like you in the world."
Why can't you simply accept you're not gods gift to the world and actually
do some hard work for a change? I mean sure if you designed a real
algorithm, implemented it, analyzed it and wrote it up properly that would
be a welcome discussion in sci.crypt. As it stands you're just trying to
get all the attention you can. Well you're getting it. Sadly none of
these threads will help you get a job, that nobel or even a nod from a hot
crypto chick at crypto conference ... er... ;-)