Developer Porn

There is a terrible phenomenon of developers getting excited by any new technology, framework or gadget regardless of its quality or utility. For example, every time a new JavaScript framework is released, developers flock to it with drooling mouths. I think this fire is fueled by a prejudice against older technologies, the desire to be the guy who is most up-to-date on tech, and sensationalist reporting by tech blogs.

I often hear comments like “Mongo is the best”, “ES6 is so cool”, “Let’s build this app using ____”. I always respond to these remarks with a casual “Why?” and am usually met with dumbfounded looks and substance-less answers.

I wish developers would think more critically about what they decide to get excited about.


Exploiting the Android Bitcoin Vulnerability

In August 2013, a serious flaw in the Android random number generator was discovered. Due to a number of bugs, Android’s SecureRandom function only produced a random number with 31 bits of entropy. For reference, 2^31 = 2,147,483,648, which is a very small amount of entropy. This caused a few transactions to show up on the blockchain that were signed with the same random number. Signing two transactions with the same random number is never supposed to happen, as it allows anyone to recover the private key and steal the bitcoins. Fortunately, this led to the vulnerability being discovered and fixed.

In the end only 55 or so bitcoins were stolen using this vulnerability.
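A defensive check for the failure described above, added here as an example and not taken from the original post: it parses DER-encoded ECDSA signatures, flags any r value a key has used more than once, and estimates from the post's 31-bit figure how many signatures pass before a repeat is expected. The record layout and the sample values are constructed.

```python
# Added example: audit a wallet's signatures for a repeated ECDSA r value.
import math
from collections import defaultdict

def parse_der_sig(sig: bytes):
    """Parse a DER ECDSA signature (30 len 02 rlen r 02 slen s) into (r, s).
    Assumes any trailing sighash byte has already been stripped."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    ints, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("truncated INTEGER")
        ints.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return ints[0], ints[1]

def find_reused_r(records):
    """records: iterable of (pubkey_hex, txid, der_sig_hex).
    Returns {(pubkey, r): [txids]} for every r a key used more than once."""
    seen = defaultdict(list)
    for pubkey, txid, sig_hex in records:
        r, _s = parse_der_sig(bytes.fromhex(sig_hex))
        seen[(pubkey, r)].append(txid)
    return {key: txids for key, txids in seen.items() if len(txids) > 1}

def expected_draws_until_repeat(bits: int) -> float:
    """Birthday bound: mean number of uniform draws before a value repeats."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

# Constructed sample data (not real transactions); r and s kept short.
SAMPLE = [
    ("02aa", "tx1", "3008" "02021234" "02020111"),
    ("02aa", "tx2", "3008" "02021234" "02020222"),  # same key, same r
    ("02aa", "tx3", "3008" "02025678" "02020333"),
    ("03bb", "tx4", "3008" "02021234" "02020444"),  # same r, different key
]
```

With only 31 bits of entropy, `expected_draws_until_repeat(31)` is about 58,000, which is why repeats surfaced on the public chain at all.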

A better attack:
There is another attack that can be made which is much more powerful and would allow even more coins to be stolen. One could easily generate all 2^31 random numbers and their associated public and private keys and then search the blockchain for wallets that correspond to those keys. Once found, all the coins in the corresponding wallets can be stolen. If performed at the time of the vulnerability in 2013, this type of attack would have resulted in far more coins being stolen. As far as I know, no one has tried implementing this attack. I am very interested to see how many coins could be stolen if this attack were used on the August 11th, 2013 blockchain. If you end up testing this attack, please email me the results.



Achieving something great

Some people are cursed with the desire to achieve something great.

If you want to achieve something great, then start by working on being a great person.


Open Democracy

Imagine a government that is 100% transparent. Every expense, every document, every meeting is available online to the public. Imagine laws being crowd-sourced, edited and voted on by the public. This is open democracy. This I believe can be our future.


Chomsky on Capitalism

See, capitalism is not fundamentally racist - it can exploit racism for its purposes, but racism isn’t built into it. Capitalism basically wants people to be interchangeable cogs, and differences among them, such as on the basis of race, usually are not functional. I mean, they may be functional for a period, like if you want a super-exploited workforce or something, but those situations are kind of anomalous. Over the long term, you can expect capitalism to be anti-racist - just because it’s anti-human. And race is in fact a human characteristic - there’s no reason why it should be a negative characteristic, but it is a human characteristic. So therefore identifications based on race interfere with the basic ideal that people should be available just as consumers and producers, interchangeable cogs who will purchase all of the junk that’s produced - that’s their ultimate function, and any other properties they might have are kind of irrelevant, and usually a nuisance.

Noam Chomsky – Understanding power.


To Bed

I am supposed to write a poem
Emancipate a creative muse
Fuck it.
I’m going to bed


Voting with untrusted servers: A new architecture

This is the only proposed design for an anonymous, verifiable voting system in which the server is untrusted.

Requirements:

  1. There is a public list of voters who are real and eligible to vote.
  2. The voters’ computers are secure.

A Basic Outline

Voters connect to a central voting server over a secure connection. The server places registered voters into groups of 30 or so. The server then shares the IP addresses of all the group members with every member of the group. The voters then disconnect from the server and vote on their local machines. Each user must enter a passphrase (footnote 1) that will pair with their vote. The votes, along with the passphrases, are then encrypted using the server’s public key. These encrypted vote/passphrase pairs are sent from each member of the group to every other member of the group. Votes are also randomly forwarded between members so that no group member can know from whom a packet originated.

After the encrypted vote/passphrase pairs have been shared between all the group members, each member has all 30 encrypted votes on their machine. Each voter then sends all 30 vote/passphrase pairs and the group ID back to the server. The server then decrypts the pairs, verifies that the votes coming from each of the group members are not contradictory, and then publicly publishes the decrypted votes, the members of each group and the passphrases.

Voters can then verify that their vote was counted by going to the public vote list, finding their group ID and checking that they are listed as a member of the group and that their passphrase corresponds to their vote. If their passphrase does not correspond to their vote, they can challenge the entire group’s votes and force the whole group to be broken up and re-vote.(footnote 1)

 

Possible areas of attack:

  • If all but one of the voters in a given group collude, the anonymity of the remaining trustworthy voter is lost.
  • An untrustworthy server can falsify groups, sending untrustworthy IPs to each of the group members and compromising anonymity. This can be solved by publishing the IPs along with the group. Voters record the IPs of their group members and can check that they are the same as the ones published.
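
The checks described in the outline and in the second bullet above, written out as an added example that is not part of the original design: the server-side test that all members returned the same ballots, and the voter-side audit of the published record, including the IP comparison. The record layout, field names and sample data are assumptions made for illustration.

```python
# Added illustration: the record layout and all names are assumptions.

def bundles_consistent(bundles, group_size):
    """Server side: every member must return the same set of encrypted
    vote/passphrase blobs, exactly one per group member."""
    if len(bundles) != group_size:
        return False                      # a member never reported back
    reference = None
    for blobs in bundles.values():
        current = set(blobs)
        if len(blobs) != group_size or len(current) != group_size:
            return False                  # missing or duplicated ballot
        if reference is None:
            reference = current
        elif current != reference:
            return False                  # members disagree on what was cast
    return reference is not None

def verify_published(record, me, my_passphrase, my_vote, recorded_ips):
    """Voter side: compare the public record with what this voter saw.
    Returns a list of problems; an empty list means the record checks out."""
    problems = []
    if me not in record["members"]:
        problems.append("not listed as a member of this group")
    if set(record["ips"]) != set(recorded_ips):
        problems.append("published IPs differ from the ones I recorded")
    if len(record["ballots"]) != len(record["members"]):
        problems.append("ballot count does not match group size")
    mine = [vote for phrase, vote in record["ballots"] if phrase == my_passphrase]
    if mine != [my_vote]:
        problems.append("passphrase missing, reused, or paired with another vote")
    return problems

# Constructed sample: a group of 3 instead of 30, documentation-range IPs.
RECORDED_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
PUBLISHED = {
    "group_id": 7,
    "members": ["alice", "bob", "carol"],
    "ips": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "ballots": [("doggy", "yes"), ("teapot", "no"), ("lantern", "yes")],
}
```

Any non-empty result from `verify_published` is grounds for the group challenge described above. Two voters choosing the same passphrase also trips the check, so passphrases need to be unique within a group.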

Footnotes

  1. A passphrase is just a string like “doggy”