[crazy][spam][crazy][spam] [thread for further deliberations regarding akash certs]

Sun Jul 30 05:25:40 PDT 2023

On 7/30/23, Undescribed Horrific Abuse, One Victim & Survivor of Many
<gmkarl at gmail.com> wrote:
> On 7/30/23, Undescribed Horrific Abuse, One Victim & Survivor of Many
> <gmkarl at gmail.com> wrote:
>> it is nice that i am old enough that somebody is saying this clearly
>> and overtly:
>>
>> https://github.com/tlsfuzzer/python-ecdsa#security
>>
>> **This library does not protect against side-channel attacks.**
>>
>> Do not allow attackers to measure how long it takes you to generate a key
>> pair
>> or sign a message. Do not allow attackers to run code on the same
>> physical
>> machine when key pair generation or signing is taking place (this
>> includes
>> virtual machines). Do not allow attackers to measure how much power your
>> computer uses while generating the key pair or signing a message. Do not
>> allow
>> attackers to measure RF interference coming from your computer while
>> generating
>> a key pair or signing a message. Note: just loading the private key will
>> cause
>> key pair generation. Other operations or attack vectors may also be
>> vulnerable to attacks. **For a sophisticated attacker observing just one
>> operation with a private key will be sufficient to completely
>> reconstruct the private key**.
>
> why cipherpunks write code:
> Somehow this information seems easily forgotten.
> What is possible in the world is based on what can actually be done.
> Generally, this is different from what people _say_ is possible,
> because they haven't tried it.
> Code shows what, on a computer, is possible. People who write code,
> see that many many things are possible.
> So, long ago, there were arguments around what was relevant or not,
> for example whether or not it is appropriate to secure a system. If
> you are familiar with writing code, you can tell whether a system is
> vulnerable or not, and know how easy it is to engage that situation.
> If you aren't, you are likely to instead be parroting misinformation
> from an oppressive body that is infiltrating things.
> Things that can be done by code can be done by _anybody_, _if_ they
> learn to write code. This is still true if a language model is writing
> your code for you.
>
> Nowadays we understand more clearly that many spy agencies will send
> people into security groups (there is a history of trying to send
> people into _all_ groups), and spread this misinformation, disrupting
> productive conversations on what is important to protect everyone's
> safety. We also understand more clearly that these people may have
> undergone intense trainings that cast misinformation as harshly true
> for reasons of protecting security.
>
> This misinformation pales in the face of real code, because real code
> says and demonstrates clearly what is actually real. Similarly, since
> _anybody can learn to use real code_, it is what is appropriate to
> protect against, when protecting security.
>
> This is why this project posts this information, and it is why the
> tendermint protocol cryptographically verifies every peer. Because
> what is possible, can and does actually happen, no matter how much
> misinformation is spread.
>
> And the only way to see that clearly is to get into the code, look for
> yourself, and write some code, and try it.

Completely dropped this part:
Because it is so easy to show what is true with real writing of code,
the behavior of these oppressive bodies has been to suppress
intelligent and free engagement and discussion of code in general. You
can see this some near public security audits ... This is maybe most
clearly prevalent in the history of this list, and its present state.
Where I am the only person on it discussing writing code.