A useful instrument to have

On a sunny day (Sun, 24 Sep 2017 14:02:00 -0700) it happened John Larkin wrote in :

Maybe from the typing.

Cold day?

Reply to
Jan Panteltje

On a sunny day (Sun, 24 Sep 2017 16:09:37 -0700 (PDT)) it happened kevin93 wrote in :

Exactly.

Reply to
Jan Panteltje

If I modify one bit, it's a completely different password. NSA will never find it. Say it's upper and lower case plus 0 to 9, and I change it. You don't know the new password.

That's (26+26+10)^64 = 5.164e+114 possibilities. If you can try one billion passwords per second, it would take 5.164e+114/1e9 = 5.164e+105 seconds.

There are 3600*24*365 = 31,536,000 seconds in a year. It would take

5.164e+105 / 31,536,000 = 1.637e+98 years.

The universe is around 13.5 billion years old. It would take 1.637/13.5e9 =

1.212e+88 universes to go through all the combinations. So brute force won't work. Most sites cut you off after a certain number of wrong tries.

In addition, most of the important sites have an additional challenge question. They use this if your computer changes or you try to log on from a different url. Someone trying to log on to my account would have a different url and a different computer.

I use a different random number for these challenges.

My birthday may be dO%1,H>EW+XVsy36eb]$Ho!MBMJ_]umrEZ^K]Uhh>^- ITbH=&cA_Rj|C"Gtt'qc. Nobody is going to guess that.

I think you are making a molehill out of a mountain.

Reply to
Steve Wilson

I should have been more precise in my statement.

The RC modellers who introduced me to the point made it in the context of getting finger in an already rotating prop. I accept the situation with a stationary prop is different.

Reply to
Tom Gardner

Agreed, but sometimes people actively avoid training :(

There are interesting philosophical problems that will confront the people that design and licence such machines. I suspect they will be "wished away" in the name of (manufacturers') convenience.

The concerns are more widespread than that.

With many of the neural-net based systems, /nobody/ understands why the decision is reached nor if an insignificant change to the input will produce a significantly different decision. Predictability? We don't need no steenkin' predictability/

ISTR reading about some US courts that use proprietary commercial software to indicate the sentence for convicted felons. The decisions are reached for invisible reasons, and the manufacturer refuses to allow independent examination of the software.

Reply to
Tom Gardner

I get a string from the web. This is only the starting point. Then I modify it.

There are no words in the string. Nobody knows how long it is. Nobody knows if it is upper and lower case, or if it includes punctuation, or if it includes characters above ASCII 128.

Let's go for all the characters above ASCII Space. That's 256-32 = 224. Say I use 64 characters. That's 224^64 = 2.605e+150 combinations.

You are not going to find that password.

Reply to
Steve Wilson

On a sunny day (Mon, 25 Sep 2017 08:41:32 GMT) it happened Steve Wilson wrote in :

Does not matter, unless you modify _all_ of it, and then you do not really need it now do you? You have reduced the security.

Reply to
Jan Panteltje

You don't know how I modified it, or what I have added. All I have to do is change one bit, and it's a completely different password. It will not show up in any search.

You have to try all the combinations. Figure out how many ages of the universe it would take.

Reply to
Steve Wilson

On a sunny day (Mon, 25 Sep 2017 08:56:22 GMT) it happened Steve Wilson wrote in :

I dunno, you have 64 bytes 8 bits each. You changed 1 bit. I have the original random string from the webserver you got it from. You just gave away the 1 bit clue.

64 x 8 = 512 possibilities, few us computer time. With 1 minute wrong login delay is hacked in 512 minutes or 8.5 hours, is TODAY. Congratulations. ;-)
Reply to
Jan Panteltje

No, 12 digits of 0 to 9 means 10^12 combinations - 1e12.

Still, that's more than enough when the device locks itself after a few failed attempts, or has a suitable minimal time between tries.

Is there much about nuclear weapons that could be called /sane/ ? We currently have two kindergarten brats engaged in a Calvin and Hobbes name-calling contest, each of which has the ability to send off nuclear missiles. These devices should not be protected by 12 digit codes, but by an exam in political affairs, a pop quiz on international law and the Geneva Convention, and a requirement to make a public speech that doesn't make your own staff cringe in embarrassment.

Reply to
David Brown

Your math is wrong. There are 64 characters. Each character could have

256-32 = 224 combinations.

Say I only use two characters. That is 224^2 = 50,176 combinations. But I'm using somewhere between 32 and 65 characters. You will never find it.

See

formatting link

---------------------------------------------------------------------

When a thing has n different types ... we have n choices each time!

For example: choosing 3 of those things, the permutations are:

(n multiplied 3 times)

More generally: choosing r of something that has n different types, the permutations are:

(In other words, there are n possibilities for the first choice, THEN there are n possibilities for the second choice, and so on, multiplying each time.)

Which is easier to write down using an exponent of r:

---------------------------------------------------------------------------

Reply to
Steve Wilson

Right. I had it backwards. Up all night.

Reply to
Steve Wilson

Well, simply require the same as in aviation. The software for a self-driving car should be developed and certified to DO-178 Level A. This would stop all this AI, where nobody understands what it does and how it is working and nobody bears any responsibility.

--
Reinhardt
Reply to
Reinhardt Behm

Steve, here is a suggestion. Generate a password and give it to Jan (as if he got it from the Web site). Then change one bit and ask him to find your modified password.

Reply to
John S

Still susceptible to physical attack. Reverse-engineering firms are _good_.

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs 
Principal Consultant 
ElectroOptical Innovations LLC 
Optics, Electro-optics, Photonics, Analog Electronics 

160 North State Road #203 
Briarcliff Manor NY 10510 

hobbs at electrooptical dot net 
http://electrooptical.net
Reply to
Phil Hobbs

I was there too, alt.tv etc I cracked the original Sky PPV that was in a 'protected' '51 processor but sky never went ahead with it. Great fun :)

Reply to
TTman

On a sunny day (Mon, 25 Sep 2017 09:57:27 GMT) it happened Steve Wilson wrote in :

No, I do not think so, if you changed 1 bit. If it was 0000 0000 and you changed it to 0000 1000 by changing 1 bit, the '1' can only be in 8 positions. Multiplied by 64 characters is 512 positions. If the original character had code 0, then your choices for one character are:

0000 0000 0 original
0000 0001 1
0000 0010 2
0000 0100 3
0000 1000 4
Reply to
Jan Panteltje

LOL. You don't know which bit in which character. You don't know if I added or deleted a character.

Try your math with ASCII 117, lower case u. You don't know if I went up one character or down, and which character in the string.

Then try it with different lengths of strings. Tell us your result.

Reply to
Steve Wilson

On a sunny day (Mon, 25 Sep 2017 15:56:56 GMT) it happened Steve Wilson wrote in :

That problem is different from what you described. You stated you only changed 1 bit in a 64 character string, basically the same as 1 bit in a 512 bit field, makes that many possibilities.

If you indeed patched parts of the original website data together in some way to make the 64 bit string, then you did MORE than just flip one bit. Then it becomes a bit more complex. It does not make any more sense however, getting random data from your potential enemy is insane by default.

Reply to
Jan Panteltje
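
An added example, not part of any post in this thread: it counts the strings one small edit away from a 64-character base string that someone else also holds (bit flip, substitution, insertion, deletion) and compares that with the 224^64 keyspace of a fresh random string. The alphabet size and length are the thread's figures; the function names and the sample base string are constructed for illustration, and the edit counts are upper bounds because the edit classes overlap.

```python
import math

ALPHABET = 224  # characters above ASCII space, the figure used in the thread
LENGTH = 64     # string length used in the thread


def single_bit_flips(base: bytes) -> set:
    """Every byte string that differs from `base` in exactly one bit."""
    out = set()
    for i in range(len(base)):
        for bit in range(8):
            flipped = bytes([base[i] ^ (1 << bit)])
            out.add(base[:i] + flipped + base[i + 1:])
    return out


def single_edit_counts(length: int = LENGTH, alphabet: int = ALPHABET) -> dict:
    """Upper bounds on the candidates one edit away from a known string."""
    return {
        "flip one bit": 8 * length,
        "substitute one character": length * (alphabet - 1),
        "delete one character": length,
        "insert one character": (length + 1) * alphabet,
    }


def compare(length: int = LENGTH, alphabet: int = ALPHABET) -> dict:
    """Entropy added by one edit versus a string nobody else has seen."""
    total = sum(single_edit_counts(length, alphabet).values())
    return {
        "edit_candidates": total,
        "edit_bits": math.log2(total),
        "fresh_random_bits": length * math.log2(alphabet),
    }


if __name__ == "__main__":
    base = bytes(range(33, 97))  # constructed 64-byte sample, not a real secret
    print("single-bit variants:", len(single_bit_flips(base)))
    for name, n in single_edit_counts().items():
        print(f"{name:26s} {n:6d}")
    for name, value in compare().items():
        print(f"{name:18s} {value:.2f}")
```

Under these assumptions every single-edit variant together is worth under 15 bits, against roughly 500 bits for a 64-character string generated locally and never shared.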

LOL. Gibson is not a potential enemy. NSA could care less what I do.

The string is only a starting point. You don't know what I do with it.

You don't know if I flipped a bit or changed the string length. Any change I make will destroy their search. A single bit is all it takes. NSA is not going to walk down the string to see if a bit was flipped.

Let me give you a random 64-character string. Then I tell you that I changed it. Try to find out what I did.

Reply to
Steve Wilson
