Theo Verelst Diary Page

Mon sept 10 2001, 11:53 PM

I've decided after good example to write some diary pages with toughts and events.

Oh, in case anybody fails to understand, I'd like to remind them that these pages are copyrighted, and that everything found here may not be redistributed in any other way then over this direct link without my prior consent. That includes family, christianity, and other cheats. The simple reason is that it may well be that some people have been ill informed because they've spread illegal 'copies' of my materials even with modifications. Apart from my moral judgement, that is illegal, and will be treated as such by me. Make as many references to these pages as you like, make hardcopies, but only of the whole page, including the html-references, and without changing a iota or tittel...

And if not? I won't hesitate to use legal means to correct wrong that may be done otherwise. And I am serious. I usually am. I'm not sure I could get 'attempt to grave emotional assault' out of it, but infrigement on copyright rules is serious enough. And Jesus called upon us to respect the authorities of state, so christians would of course never do such a thing. Lying, imagine that.

Previous Diary Entries   |   List of Diary Pages   |   Home Page

Mon 10 Sept 2001, 11:54 PM

I'm making this page from a new place, stay tuned.

Not millions

I'm not making millions as I probabably should normally be able to, but currently there are two good enough pc's on a pretty decent desk and office, which makes me capable of doing some serious work, and there is (currently) isdn to hook up with the rest of the world, though I don't agree with the domain name server, that usually works.

I should be working instead of writing pages like this, maybe, though they're pretty much work, for certain, I've been even into cia servers lately to make sure I'm into the stuff people probably should have some attention for, and at least what I write is usually informed enough and relevant for the intended audience of people with a serious interest in the subjects I raise.

Funny enough, I last week also found a PC in some garbage, which makes me tick 75 MHz or so in the pentium area on a old compaq, which I simply charged with the ide disc from my older 486, and suddenly came to life again with it. Yesterday I got an old 486 sx, not running, but with a working 1/2 G ide disc with windows 95 on it, and that too I got to run, meaning I can even do windows now, though there are some installation issues to be solved, and the resolution currently sucks, and there is a soundcard from the same broken machine which should work even with a cd player on it, which did work, but windows somehow has a lame driver in its installation path, so it starts only in safe mode, of course without loading the cd driver, which sucks. Hobby stuff, but at least a bit of windows can be handy, and the tcl scripts and the synth programs work quite fast in comparison with the 486.

Some time back I worked the library (public) index to look for some of the books I read lets say in highschool, because they were relevant, and I found back a book on electronic organs, which is quite worth the read, contentwise, "bouw zelf uw electronisch orgel" (build your electronic organ yourself), drawbars, generators, dividers, filters, the whole thing in discrete electronics, meaning transistors, capacitors, resistors, etc., but no chips or special parts. 20 years ago, meybe even longer, that tought me much about electronics, I knew, also from other books like it, what a generator is, how one can make a divider circuit for real from simple components (are transistors simple?), what certain filter types sound like (I tried them), and how the musical notes in an organ are generated, or lets say what they can be made like.

I knew the ratio between octaves is a factor of two, and that one octave of semi tones as a top octave could be made with 12 oscilators, for instance of the stable LC kind, and that adding sines is a good idea to do additive organ note synthesis.

I developed on the basis of such knowledge, and found it quite satisfactory at the time to think about such things in terms of the knowledge and part access I had some years later, including digital dividers and gating and filter circuits I knew.

Internet security ?

As a good means of organizing some knowledge, this chapter could be worth quite a bit for various lets say companies, organisations and individuals, when it is good, well written, preferably reasonably conclusive and prepared for the future.

Should such knowledge be like Linus, for free, though to complicated to simply copy, apprehend and do again or claim, or like lets say a cheap enough copy of windows, not so well written, often buggy, with certain name behind it where probably help can be gotten as well as books by the dozens about it, or otherwise?

Some knowledge should be clear enough, I think, such as some general knowledge about what is technically reasonable and possible, and some theoretical foundation about encryption and lets say statistical analysis, because that together can at least make reasonably clear what the outer limits for technical development, installation and parameter ranges can be. The latter is including lets say non existing technology, though not that hard to conceive, such as ways of making random numbers which cannot be 'cracked'.

In short, all data which goes from or to your web browsing machine in some form passes some input/output terminals, and can be tapped from anywhere in between there and the server or other machine it reaches in the end.

Technically, that is usually like tapping a phone line, meaning an extra wire is connected, with some monitoring device reading the data which passes the line, and which can interpret for instance the data as web pages, ftp-ed files, or what it is.

The internet provides two major means of preventing such activities, which is the spreading of the data stream over more than one path, not known beforehand (one of the major characteristics of the darpa originating tcp/ip protocol stack), and as always, it is possible to encrypt data in such a way that the data is passed in 'code', meaning the tapper must be able to crack the code before the content of the data is disclosed.

Both techniques have limitations, the spreading of the data stream over various paths may be circumvented by subparts of the internet being put into the hands of to few parties, possibly making all data between certain parties always pass certain lines and in-between servers (such as collection lines which run over the ocean, or simply the connecting terminals of your isdn lines), while encryption may be based on an encryption algorithm which can be tried easy enough over some parameter variations to decode the data having been tapped.

These are of course technical means, and there are also organisational issues, because it simply is illegal to for instance tap a line containing email messages, under both dutch and I think US law such is forbidden just like opening paper mail, it is punishable by law.

When computers are connected with many others, and data streams pass many in between stations, as is often the case when browsing for instance, the path over which data flows can be different even for parts of the data stream, and not so predictable, it depends on computer and line availability, loads of both, and can even contain a random factor. In a network with thousands of machines and more than a few hands full of 'hops' that can make for many possible paths, which cannot easily all be traced and recorded. Without question that was a well thought of idea in the thinking phase of tcp/ip.

Encryption means data is encoded somehow to become illegible. Many algorithms can be made to effectuate some coded data form, as an example letters may be shifted such that a becomes b, b becomes c, ... and z bcomes a. That is easy to crack, but when a table is used to to substitutions like this which is random, for a normal reader is becomes hard to follow, but a few statistical considerations can make on extract the character for 'e' for instance and some other common letters, do some try decodings, and work until legible text appears, which is not unreasonable.

Computers enable incredibly more complicated encodings, and when it concerns known types of data of course also cracking to be done in fractions of a second, it is what such machines are sort of made to do. That is where things get a bit tricky at least, because the issue gets blurred easily. When data is encoded, one may achieve coding which is very hard to crack, but often certain methods are used to arrive at the coded form of a piece of data, and those methods are known, and can be tried with certain 'keys'. When the number of possible keys is such that they can all be tried in some overseable amount of time, the coding scheme can be cracked, and when there are so many of them that it would take forever, even on fast computers, to try them, or when the data is hard to decipher, a code is hard or virtually impossible to crack. The assumption of the 'key' is not too accurately defined, because when one simply defines a certain encryption algorithm, the whole algorithm is the key.

A password to access a system is a simple enough example of a key, except not for data encryption but for system access, to log on for instance. A password can be remembered, and assuming no other person knows it, there are many possibilities when it is well chosen. Lets say we take 5 letters, we have 26 to the power of 5 possibilities, which is over a million. Lets say we try a password per second, which is fast, we would de 3600 per hour, so we would spend 300/24 is roughly 12 days and nights on a row to get in, assuming the system we try to log into allows so many errors on the connection. Another letter, and it takes 26*12 days, maximum, and of course this is under the assumption that we also use hard to remember passwords like rpdjq or xtywq, instead of lets say all 5 letter words from an english or dutch dictionary. Including numbers increases the base of the power of the number of possiblities with 10 to get more possiblities when including words like h12ks9.

Clear enough, without luck, such a system will not be easily broken in to, except of course when a user or operator is uncareful or somehow the password is disenclosed to a malicious party. To prevent human error, when one logs ono from a fixed machine, the password could be generated automatically and not even known to the user, which leaves security to the network link and the probability of someone else getting their physical or networked hands on it. Clearly, when passwords for other machines can be found on an accessible machine, there is trouble.

The biggest situation arises when every machine in principle can 'talk' to every other machine, such as the case with the internet. The limitation of many 'user' type machines is that a web browser may give some information to the web, but that normally only concerns url's, and of course possibly the content of email, and passwords for web services, but not machine information and random files or passwords from it, and a browser has been compiled such that that normally cannot be changed from a party on the outside of the machine, on the web.

Java applets and worse: downloaded software (not data) which is run on a internetted machine can change that situation. In principle, Java applets can be programmed to transfer information from a machine where it runs in a web page to another party on the web, but to make that more than a specific directory and to other parties than the site hosting the page where the applet is on, installation measures have to be taken, and usually the user of the browser is asked before even that sort of data can be transfered if he wants to authorise that that can happen.

Any program downloaded from the web or from elsewhere in principle can establish a connection with every reachable internet machine, and usually the whole file system is open and bare on for instance a windows95 machine, so everything from complete disc erasure to copying of every bit of data can be done by a program thus programmed, from a (seemingly) screen saver to an I love you virus, a funy application, a boobytrapped word processor, anything. So a program from the web is always a possible source of major damage, except on a system where a program's access to the system is limited, by limiting disc and web access. A linux machine for instance could run a program in its own 'user' space, where only a limited, irrelevant part of the disc is available, so no damage can happen, and as far as my information reaches, such scheme can work even pretty hacker safe in practice.

Limiting web access is not so easy, at least not in completely well defined closed form. Of course it is possible to limit access to 'trusted' sites, such as certain well known '.com's and assuming the internet provider and the in between nodes who resolve (find) a url and connect to the target machines can be trusted, only data from those sites could be accible, and no other links made, so to practical risc can be limited, though browsing over a such strictly limited set of sites may be quite dissatisfactory.

From a intranet maintainers point of view, one may want another type of security, being the seperation of a subnet from the outside world except for well defined cross-border traffic.

To do very hard to crack encoding, one may want very random numbers, of which the sequence is practically impossible to predict, which in computer terms is hard because when one knows the program that made them, one can find the source of the sequence, no matter how random the numbers may seem. To make that harder, something random, called a seed, can be derived from some not tracible source, such as the time of day in milliseconds, but then the seeds can be tried, and once the seed is known, the whole sequence of alledgedly random numbers can be regenerated using the same semi random generator algorithm.

Electronics or physics can come in handy when 'real' randomness is desired, an electronic noise source can be sampled, which gives number sequences which are definately very hard to predict, and probably even to correlate (meaning the source can be identified), which as a principle to my knowledge is not used often but is completely worth the consideration. I may make a sound sample of FM in-between station-noise as an example: receiver-->soundcard-->wav file recorder--> random numbers, 44100x2 of almost 16 bits per second. A zener diode with amplifier a AD converter could be a little usb device as add on for the same purpose, quite impossible to predict.

About encription algorithms, based on input data, some key, and a processing step to generate the encripted data, literature exists, and various ideas in the area are used to for instance to bank connection data encription, and for instance credit card information encryption when information is passed over the internet. Long enough keys with know algorithms can achieve reasonably secure encryption, but this is always subdued to the computer power used to try to crack an encryption scheme, and maybe even to luck, though probably that shouldn't be of much concern.

As an extreme example, one may add numbers to the letters in a text file taken from a long random seqence of a new random number for each letter, and decode by having a CD with those random numbers on the other end of the connection. When such a CD and the file on it with 600 million random numbers can be made in a random way, such scheme already may be quite hard to crack. Such CD must then be hidden well, and probably be used only once, but the idea is clear enough.

When one browses to a site or makes some connection to a certain system, one does not have such a reservoir of agreed on secret data, so it is hard to exchance information without it being decodable.

I got the SuperStack II Switch Management Guide laying on my desk waiting for it to test my snmp, (spanning tree) routing algorithm and other background knowledge on, and I saw it has certain specific internet parameters as well, lets see what that can do. It's still on top of two windows 2000 books, which somehow achieved less popularity at the moment, but who knows what their routing possibilities include.