On 7/6/23 4:50 AM, Paul wrote:
> On 7/6/2023 3:13 AM, Xavier Aguirre wrote:
>
>> Which is why encryption would seem to be the best bet for uploaders.
>>
>> But what encryption can everyone use that the TLAs don't already crack?
>>
>> I don't know of any. Do you?
>
> If I knew the answer to that, I would be a very rich guy :-)
>
> This article shows they nibble around the edges, and
> all this means, is you have to pick a method which
> is bigger than the cracked ones.
>
> https://www.computerworld.com/article/2550008/the-clock-is-ticking-for-encryption.html
>
>
>     Mar 21, 2011
>
>    "But RSA messages with keys as long as 768 bits have been broken,
> says Paul Kocher,
>     head of security firm Cryptography Research in San Francisco. "I
> would guess that
>     in five years, even 1,024 bits will be broken," he says."
>
> That's why today, you'd use RSA4096. But you also have to remember,
> that progress on these is non-linear. One year there might be two papers,
> then you could have several years of radio silence.
>
> It's when something is severely broken (MD5 collision computation),
> that everyone knows it and they stop using it. It takes
> less than a minute on a Pentium 4, to modify a message in such a
> way, that it has the same MD5 hash as it had originally (before
> being modified).
>
> SHA1 is assumed to be "breakable, with enough effort", but
> nobody is really sure whether that's been done yet or not.
> If SHA256 is ever cracked, $70 billion worth of Bitcoins
> go down the toilet :-) The person who discovers that, is
> going to keep that quiet for a bit, while they make
> some retirement money.
>
> Try an article like this, to see how close they are getting. Not very
> close.
> Putting malware on your computer, is a much better method for
> decoding your stuff. A rubber hose is also a good method.
>
> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
>
>    "This is a very small gain, as a 126-bit key (instead of 128-bits)
> would
>     still take billions of years to brute force on current and
> foreseeable hardware.
>     Also, the authors calculate the best attack using their technique
> on AES with
>     a 128-bit key requires storing 2^88 bits of data. That works out
> to about
>     38 trillion terabytes of data, which is more than all the data
> stored on
>     all the computers on the planet in 2016. As such, there are no
> practical
>     implications on AES security. The space complexity has later been
> improved
>     to 256 bits,[28] which is 9007 terabytes (while still keeping a
> time complexity
>     of 2^126.2)."
>
>    "At present, there is no known practical attack that would allow
> someone without knowledge
>     of the key to read data encrypted by AES when correctly implemented."
>
> To meet the conditions of the last paragraph, that's why Igor
> had to correct his implementation (the key generation steps
> presumably).
>
>    Paul
Would a binary news group work with good encryption?

On 7/7/2023 2:50 PM, Nic wrote:

> Would a binary news group work with good encryption?

If you're talking about transmissions between a USENET server
and your computer, Port 119 is unencrypted. Any "observer"
along the path, can see your user:pass, as well as the (text)
messages that you are reassembling to make some binary thing.

When you use port 563, that's encrypted. First, an SSL/TLS
session is lashed up between you and the server, then, if
the server needs user:pass , that is exchanged as usual.

You are relying in that case, on SSL/TLS. Only the latest
TLS is secure, and it depends on using one of the good
crypto standards.

If the server lifts the standard too high, then no clients
would be able to connect on port 563.

You see this very occasionally, on some web servers, where
the web server is set to TLS 1.3 and only a couple crypto
methods are accepted. And then, almost no browser in your
"fleet" will work with it.

I don't know any more details about it, than that. Like,
right now, what standard is my USENET client using ? I don't
know. It is probably TLS, but I don't know which one.

Paul

On Fri, 7 Jul 2023 14:50:09 -0400, Nic <Nic@none.net> wrote:

>Would a binary news group work with good encryption?

When it comes to binary files, Usenet is a one-to-many type of service,
as you probably know. Upload once, download any number of times by any
number of clients, anywhere in the world where there is Usenet access.

What would make me uncomfortable is the fact that Usenet binary file
uploads never expire. Some of the mid-level NSPs might expire files *on
their server*, but the bigger players stopped expiring binary uploads in
the early 2000s, give or take a few years. Files that were uploaded
15-20 years ago are typically still available today.

It used to be that some groups, such as alt.binaries.test and a few
others like it, would have an intentionally short retention time, but
that doesn't appear to be the case anymore. (My NSP currently has files
in a.b.test dating back to 14.8 years, and going forward nothing is
being deleted.)

Encryption of the file itself, as well as encryption of the connection
needed to upload/download the file, have been addressed by others.