[crazy][spam][crazy][spam] [thread for further deliberations regarding akash certs]

Undescribed Horrific Abuse, One Victim & Survivor of Many gmkarl at gmail.com
Sun Jul 30 05:22:10 PDT 2023


On 7/30/23, Undescribed Horrific Abuse, One Victim & Survivor of Many
<gmkarl at gmail.com> wrote:
> it is nice that i am old enough that somebody is saying this clearly
> and overtly:
>
> https://github.com/tlsfuzzer/python-ecdsa#security
>
> **This library does not protect against side-channel attacks.**
>
> Do not allow attackers to measure how long it takes you to generate a key pair
> or sign a message. Do not allow attackers to run code on the same physical
> machine when key pair generation or signing is taking place (this includes
> virtual machines). Do not allow attackers to measure how much power your
> computer uses while generating the key pair or signing a message. Do not allow
> attackers to measure RF interference coming from your computer while generating
> a key pair or signing a message. Note: just loading the private key will cause
> key pair generation. Other operations or attack vectors may also be
> vulnerable to attacks. **For a sophisticated attacker observing just one
> operation with a private key will be sufficient to completely
> reconstruct the private key**.

why cipherpunks write code:
Somehow this information seems easily forgotten.
What is possible in the world is based on what can actually be done.
Generally, this is different from what people _say_ is possible,
because they haven't tried it.
Code shows what, on a computer, is possible. People who write code,
see that many many things are possible.
So, long ago, there were arguments around what was relevant or not,
for example whether or not it is appropriate to secure a system. If
you are familiar with writing code, you can tell whether a system is
vulnerable or not, and know how easy it is to engage that situation.
If you aren't, you are likely to instead be parroting misinformation
from an oppressive body that is infiltrating things.
Things that can be done by code can be done by _anybody_, _if_ they
learn to write code. This is still true if a language model is writing
your code for you.

Nowadays we understand more clearly that many spy agencies will send
people into security groups (there is a history of trying to send
people into _all_ groups), and spread this misinformation, disrupting
productive conversations on what is important to protect everyone's
safety. We also understand more clearly that these people may have
undergone intense trainings that cast misinformation as harshly true
for reasons of protecting security.

This misinformation pales in the face of real code, because real code
says and demonstrates clearly what is actually real. Similarly, since
_anybody can learn to use real code_, it is what is appropriate to
protect against, when protecting security.

This is why this project posts this information, and it is why the
tendermint protocol cryptographically verifies every peer. Because
what is possible, can and does actually happen, no matter how much
misinformation is spread.

And the only way to see that clearly is to get into the code, look for
yourself, and write some code, and try it.

