User Controlled Encryption (UCE) taking the internet by storm


posted on Feb, 25 2013 @ 02:45 PM

Originally posted by XPLodER
reply to post by HattoriHanzou
 


Heh, you don't understand how these big web sites think. Their users are their PRODUCT. For this magical UCE technology to be put in place, you have to show a benefit for the site owners AND the users. If there is anything that impacts Twitter or Facebook's chances of seeing the user's private data, they will not implement it.

I don't feel sorry for the users of most web sites. They are usually oblivious and oblivious people do not deserve pity. And the site owners? I have been in a war with them for a decade, blocking their ads and cross site tracking schemes that they all seem to favor.


well twitter uses HTTPS for user privacy and security, in that case the "tweets" themselves are the advertising

and the public facing nature of tweets are the product, not the private user information, yes it does help with "directed" advertising, but when you can "tweet" you don't need exterior "direction of advertising"

well only "first party advertisers" would be able to push ads at you and third party tracking would be denied.

with UCE cross site scripting would be virtually impossible.
facebook is not interested in privacy, and should not be confused with sites that consider privacy as "important"



ps i would not use Facebook if you paid me

xploder


If you think Twitter and Facebook are not using all the information you provide them, including your passwords, to build a profile of you, you aren't paranoid enough. People often reveal very personal details of their lives and minds in their passwords, and this is valuable for building a marketing profile. It follows that this information is used.

Cross site scripting is the only way that site owners and ad-companies can cooperate, because they mutually distrust each other. Basically their priorities, at any for-profit web site, put users last because they are merely a product.




posted on Feb, 25 2013 @ 03:27 PM
reply to post by HattoriHanzou
 



If you think Twitter and Facebook are not using all the information you provide them, including your passwords, to build a profile of you, you aren't paranoid enough. People often reveal very personal details of their lives and minds in their passwords, and this is valuable for building a marketing profile. It follows that this information is used.


i'd rather fill in a questionnaire than have my password and private information exposed.
but that is IMHO


Cross site scripting is the only way that site owners and ad-companies can cooperate, because they mutually distrust each other. Basically their priorities, at any for-profit web site, put users last because they are merely a product.


CSS is a real problem for security and privacy,

you point out that security and privacy is being sacrificed for the sake of revenue,
at the moment this causes a lot of the security problems.

why can't there be some sort of compromise?


Jonathan Mayer, a researcher at Stanford, has contributed a patch for Firefox that will block third-party cookies from installing on the user's browser. The patch is set to be incorporated into Firefox 22. For some sense of timing on the project, Firefox 19 was released on Tuesday.

With the patch, Firefox would allow all cookies from sites that a user actively visits, but it would block cookies from third-party sites if a user has not visited that cookie's origin site. Advertisers generally place third-party cookies and can collect data about a user across several websites with them. This is used to serve more targeted ads or refine where an advertising firm should spend its money.

Blocking third-party cookies would not be new or unheard of among browsers; Apple's Safari already rejects cookies from third parties. In a blog post on Friday, Mayer called the Firefox patch “a slightly relaxed version of the Safari policy.” Chrome allows all cookies, and Internet Explorer blocks some third-party cookies, although not all.


arstechnica.com...

from what you have said,
the only way to increase security on most sites is to find another "funding model"
ie
to sign up to a service and NOT be tracked, you must fill out a questionnaire, so that the correct ads are served to the correct user. without the need for CSS

how many people would put up with that?

xploder



posted on Feb, 25 2013 @ 03:32 PM
reply to post by XPLodER
 


I think you're missing my point. At this juncture, using a web site is not akin to negotiating with another person. You must accept that not only will the site owner do whatever they want to extract all possible revenue from you, but that they will sell this information to anybody and everybody. Additionally, they will change their terms of service continually in order to exploit their users more and more.

The problem, though, is ultimately that the users of these web sites are by and large unconcerned about the implications of all of this. Until the vast majority of users start becoming concerned with their privacy, and show that they will no longer use web sites that gather, sell, or use their personal data in order to make a profit, nothing will change.

People in the know will continue to protect their privacy and most will go along with the program, happy in their ignorance.



posted on Feb, 25 2013 @ 03:42 PM

Originally posted by HattoriHanzou
reply to post by XPLodER
 


I think you're missing my point. At this juncture, using a web site is not akin to negotiating with another person. You must accept that not only will the site owner do whatever they want to extract all possible revenue from you, but that they will sell this information to anybody and everybody. Additionally, they will change their terms of service continually in order to exploit their users more and more.

The problem, though, is ultimately that the users of these web sites are by and large unconcerned about the implications of all of this. Until the vast majority of users start becoming concerned with their privacy, and show that they will no longer use web sites that gather, sell, or use their personal data in order to make a profit, nothing will change.

People in the know will continue to protect their privacy and most will go along with the program, happy in their ignorance.


it is my belief that more and more people will become concerned about privacy as more and more information comes out about the practices of the advertisers.

in fact mega.co.nz shows that there is a market for privacy services,
and more and more people are using ad blockers,
and more and more web browsers will block third party cookies by default.

so maybe there could be a market for "ethical" advertisers over time,
and this would increase privacy over time.

now would be a good time to start a "privacy by design advertising company"
where customers "choose" who can advertise to them



xploder



posted on Feb, 25 2013 @ 05:12 PM

Originally posted by XPLodER

Originally posted by HattoriHanzou
reply to post by XPLodER
 


I think you're missing my point. At this juncture, using a web site is not akin to negotiating with another person. You must accept that not only will the site owner do whatever they want to extract all possible revenue from you, but that they will sell this information to anybody and everybody. Additionally, they will change their terms of service continually in order to exploit their users more and more.

The problem, though, is ultimately that the users of these web sites are by and large unconcerned about the implications of all of this. Until the vast majority of users start becoming concerned with their privacy, and show that they will no longer use web sites that gather, sell, or use their personal data in order to make a profit, nothing will change.

People in the know will continue to protect their privacy and most will go along with the program, happy in their ignorance.


it is my belief that more and more people will become concerned about privacy as more and more information comes out about the practices of the advertisers.

in fact mega.co.nz shows that there is a market for privacy services,
and more and more people are using ad blockers,
and more and more web browsers will block third party cookies by default.

so maybe there could be a market for "ethical" advertisers over time,
and this would increase privacy over time.

now would be a good time to start a "privacy by design advertising company"
where customers "choose" who can advertise to them



xploder


People like the idea of privacy, but are unwilling to undergo any difficulties or expend any effort to achieve it. They like placebos. Take Mega - the encryption keys to any given file are held not just by the user, but by Mega as well. This means they are susceptible to a court ordered seizure. Slashdot had a good article a few weeks back on the security missteps that Kim Dotcom made. He's just trying to protect his own ass and benefit by leeching ad bucks off pirates, same as with his old site, but now he is saying that because the files are encrypted, that Mega can't tell if they are pirated, so it's a CYA maneuver and nothing more.

Unlike you I am not hopeful, because people by and large don't even think about privacy. Since 9/11 we have endured a police state with deeper surveillance than East Germany, and ever more intrusive activities by the government and companies alike.

You're still working under what I think is an incorrect assumption, which is that the users are in control of their interactions with sites and advertisers. I mean, they could be if they wanted to be, but they don't so they aren't. This is why privacy has been suffering.

For my own benefit, I'll keep blocking the ads and using my hosts file and ad-busting proxy and such, but I am clearly in the tiniest of minorities here.



posted on Feb, 25 2013 @ 07:08 PM
reply to post by HattoriHanzou
 



People like the idea of privacy, but are unwilling to undergo any difficulties or expend any effort to achieve it. They like placebos. Take Mega - the encryption keys to any given file are held not just by the user, but by Mega as well.


this is actually incorrect, mega.co.nz is not able to decrypt any stored data,
excuse the term but mega is a "dumb pipe" style provider, they don't know what traverses or is stored in their network.


This means they are susceptible to a court ordered seizure.


all lawful companies should comply with court orders,
in saying that the only thing mega can do under a court order is supply encrypted files.


Slashdot had a good article a few weeks back on the security missteps that Kim Dotcom made.


all of the cryptographic flaws (actual or theory) outlined on slashdot have been corrected,
and as yet mega is 6 weeks old and even with the cash bounty has not been hacked



He's just trying to protect his own ass and benefit by leeching ad bucks off pirates, same as with his old site, but now he is saying that because the files are encrypted, that Mega can't tell if they are pirated, so it's a CYA maneuver and nothing more.


actually my government (New Zealand) recommends in its latest "privacy commissioners report 2013" that any cloud service provider should provide "connection" and "storage" encryption.
and if mega wanted to deal with law enforcement or government departments,
they would have to provide a service very similar to what you see with mega,

in NZ there are heavy fines for disclosing personally identifying information,
see the link in previous posts^^^^^^ if anything mega is trying to comply with nz legislation requirements


Unlike you I am not hopeful, because people by and large don't even think about privacy. Since 9/11 we have endured a police state with deeper surveillance than East Germany, and ever more intrusive activities by the government and companies alike.


i feel for you, but i think times are changing



You're still working under what I think is an incorrect assumption, which is that the users are in control of their interactions with sites and advertisers. I mean, they could be if they wanted to be, but they don't so they aren't. This is why privacy has been suffering.


privacy by design is a philosophy that is already spreading



For my own benefit, I'll keep blocking the ads and using my hosts file and ad-busting proxy and such, but I am clearly in the tiniest of minorities here.


privacy is the fastest growing market online
simple privacy tools are required,

xploder
edit on 25/2/13 by XPLodER because: (no reason given)



posted on Feb, 25 2013 @ 07:12 PM

Originally posted by XPLodER

Originally posted by kwakakev
To safely store private information on the internet, UCE is the most common sense method. A big problem with encryption is how to safely transfer keys. If the key does not need to go anywhere and just remain with the user then there is no need to transfer it and risk potential exposure of it.

If the user's system has been compromised with key loggers, packet sniffers and other system monitors then there is still a risk of the key being stolen. For Mega's system it does provide an added level of safety as each user's system will need to be hacked to decrypt the whole lot. With a 2048 bit key it is going to take a lot of grunt to brute force it. If Moore's law is still in effect, but the latest developments are under a national security blanket then the exponential growth of computer power will hack it some time in the future. With some of the proposed claims of quantum computing power, new algorithms and techniques will have to be developed. But the core concept of the key and encryption taking place on the user's machine will remain strong.


hi bud


another interesting idea is the public/ private key combination becomes the public key for a second public/private key pair,


you are correct about key loggers, there are screen based keyboard software, with multiple mouse pointers moving around, so that key loggers and screen shots are much less effective. but even with packet sniffers or a "man in the middle attack" you would find it difficult to collect enough of the hand shake exchange to do much good.

as for quantum computation, i don't think it's as far off as we think,



xploder


Quantum will be kept out of the hands of everyday people for as long as possible. I would estimate that it will be decades before you can buy off-the-shelf quantum anything, even though it's operational in labs today and we have the technology for mass production now.



posted on Feb, 25 2013 @ 07:21 PM
reply to post by HattoriHanzou
 



Quantum will be kept out of the hands of everyday people for as long as possible. I would estimate that it will be decades before you can buy off-the-shelf quantum anything, even though it's operational in labs today and we have the technology for mass production now.


phys.org...


Quantum algorithm breakthrough February 24, 2013 An international research group led by scientists from the University of Bristol, UK, and the University of Queensland, Australia, has demonstrated a quantum algorithm that performs a true calculation for the first time. Quantum algorithms could one day enable the design of new materials, pharmaceuticals or clean energy devices.

Read more at: phys.org...


i have read about other teams that are also having promising results,
worth the read.......

xploder



posted on Feb, 25 2013 @ 07:28 PM

Originally posted by XPLodER
reply to post by HattoriHanzou
 



Quantum will be kept out of the hands of everyday people for as long as possible. I would estimate that it will be decades before you can buy off-the-shelf quantum anything, even though it's operational in labs today and we have the technology for mass production now.


phys.org...


Quantum algorithm breakthrough February 24, 2013 An international research group led by scientists from the University of Bristol, UK, and the University of Queensland, Australia, has demonstrated a quantum algorithm that performs a true calculation for the first time. Quantum algorithms could one day enable the design of new materials, pharmaceuticals or clean energy devices.

Read more at: phys.org...


i have read about other teams that are also having promising results,
worth the read.......

xploder


Oh, I follow those lab developments quite closely. My point was merely that they are still in the lab.

I remember in the early 1990s how 3d crystal holographic storage and optical computers were successfully used in the labs, and about how promises were made about how both technologies were 5 years from being on my desktop. Quantum is the same in this regard.

The only thing that could push these devices into the hands of users any time soon is if China made them and sold them at Wal-Mart.



posted on Feb, 25 2013 @ 07:52 PM
It's not the implementation of UCE by Mega that matters, it's the concept.

Someone is going to make millions by coming up with an easy to implement version of this to protect digital rights in content.

The obstacles are all surmountable. The cert authorities who were compromised should be taken out of the CA business. It's not difficult to keep your master hash seeds and certs in a sterile server (a sterile server or PC is a computer which is booted from a non writable image such as vmware, VPS, etc which has no browser plugins or even web browser if it's not needed, no java, etc. Ideally it is not even connected to the internet or company network). Human laziness always seems to be the break in the chain....

Apparently Mega did a poor job of implementing the concept but they've already begun fixing those issues and by releasing it to the Unis they hope it will be developed to its full potential.

I'm tired of watching the modern day example of industry holding up progress for the sake of preserving their business model that passes for Hollywood and the music industry. Anyone who thinks the energy companies, auto companies and biotech are not doing / have not been doing the same is blind to what's right in front of you. Anything Hollywood can do the big oil companies can do much easier and much better, see?

People don't realize how much is held up by this issue. Faster internet in the US, for example. Make it possible for HWood to distribute new releases via the Internet and you'll see fiber internet spread like copper. It's about damn time someone came up with an idea that has the potential to solve the problem.



posted on Feb, 25 2013 @ 08:17 PM
As someone currently developing a website, the issues of protecting private information greatly concern me. Passwords can easily be protected through hashing, but as for the other user data like names and email addresses, this data does need to be searchable and accessible through the database. Sure I could encrypt the whole database as well, but if someone gains administrator or copy rights to the website, they also get access to all the source code which will make any further encryption ineffective and easily defeated.

Since most of the content in the website will be accessible by the public, this information effectively becomes public domain. As a website administrator, I do have grave concerns with the integrity of the information if I am to provide a user controlled encryption for this site. What happens if the user's machine is damaged or they lose their password? Then all of their private content becomes corrupted and unusable. How popular would facebook, twitter or even ATS be if they had to permanently lock you out of your account because it is impossible to verify any personal information?

For sites like Mega, UCE is a great way to provide plausible deniability and establish reduced responsibility for the website administrator with the content that does pass through their site. For other sites, UCE does create a multitude of problems for the website administrators in fulfilling user access requirements.
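
The trade-off raised in the post above, sketched for Node.js as an added example that is not part of the thread and is not Mega's code. It assumes scrypt for deriving a key from the password and AES-256-GCM for encryption, with a random data key wrapped by the password-derived key; all function names and the sample password are made up for the illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM. seal() returns iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// open() returns null when the key is wrong or the blob was modified.
function open(key, blob) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, blob.subarray(0, 12), { authTagLength: 16 });
  decipher.setAuthTag(blob.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Runs on the user's machine: the password and the derived key never leave it.
function passwordKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// The account record is all the server keeps: a salt and a wrapped data key.
function createAccount(password) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  return { salt, wrappedKey: seal(passwordKey(password, salt), dataKey) };
}

// Returns the data key, or null for a wrong (or forgotten) password.
function unlock(password, account) {
  return open(passwordKey(password, account.salt), account.wrappedKey);
}

// Re-wraps the same data key, so stored content is not re-encrypted.
function changePassword(oldPassword, newPassword, account) {
  const dataKey = unlock(oldPassword, account);
  if (dataKey === null) return null;
  const salt = crypto.randomBytes(16);
  return { salt, wrappedKey: seal(passwordKey(newPassword, salt), dataKey) };
}

function demo() {
  const server = new Map(); // stand-in for the site's database
  const pw = 'correct horse battery staple'; // constructed sample password
  server.set('alice:account', createAccount(pw));
  const dataKey = unlock(pw, server.get('alice:account'));
  server.set('alice:note', seal(dataKey, Buffer.from('private note', 'utf8')));

  const stored = server.get('alice:note');
  const tampered = Buffer.from(stored); // copy, then flip one ciphertext bit
  tampered[tampered.length - 1] ^= 1;
  const rotated = changePassword(pw, 'new passphrase', server.get('alice:account'));

  return {
    serverSeesPlaintext: stored.includes('private note'),
    roundTrip: open(dataKey, stored).toString('utf8'),
    wrongPassword: unlock('guess', server.get('alice:account')),
    tampered: open(dataKey, tampered),
    afterChange: open(unlock('new passphrase', rotated), stored).toString('utf8'),
    oldPasswordAfterChange: unlock(pw, rotated),
  };
}

console.log(demo());
```

A `null` from `unlock` is the lock-out case the post worries about: nothing the server holds can recover the data key without the password.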



posted on Feb, 25 2013 @ 08:21 PM

Originally posted by ecoparity
It's not the implementation of UCE by Mega that matters, it's the concept.


yes,
spot on, this concept can be used in all sorts of environments



Someone is going to make millions by coming up with an easy to implement version of this to protect digital rights in content.


you buy a temp password that expires after a period of time.
mega could already achieve this, or some similar implementation


The obstacles are all surmountable. The cert authorities who were compromised should be taken out of the CA business. It's not difficult to keep your master hash seeds and certs in a sterile server (a sterile server or PC is a computer which is booted from a non writable image such as vmware, VPS, etc which has no browser plugins or even web browser if it's not needed, no java, etc. Ideally it is not even connected to the internet or company network). Human laziness always seems to be the break in the chain....


or a network interface controller that has hardware for send on the sterile server and receive on the distributing server, hardware level isolation, it just means physical access is required to administer the cert server


Apparently Mega did a poor job of implementing the concept but they've already begun fixing those issues and by releasing it to the Unis they hope it will be developed to its full potential.


i agree this is a great product, and has potential to change privacy and security world wide.
the next logical step is to supply it to universities,
one point to make is that by its design, it can be updated centrally in hours without requiring updates downloaded to all end users



I'm tired of watching the modern day example of industry holding up progress for the sake of preserving their business model that passes for Hollywood and the music industry. Anyone who thinks the energy companies, auto companies and biotech are not doing / have not been doing the same is blind to what's right in front of you. Anything Hollywood can do the big oil companies can do much easier and much better, see?


disruptive innovation brings about change by its very nature, UCE is better faster and less expensive,
if it saves money and time it will be adopted



People don't realize how much is held up by this issue. Faster internet in the US, for example. Make it possible for HWood to distribute new releases via the Internet and you'll see fiber internet spread like copper. It's about damn time someone came up with an idea that has the potential to solve the problem.


at this point it's either adapt or be left behind,
the technology has progressed past the point of being suppressed,
it offers savings and people find it fast and easy to use.

the way of the future


xploder



posted on Feb, 25 2013 @ 08:45 PM

Originally posted by XPLodER

Originally posted by ecoparity
It's not the implementation of UCE by Mega that matters, it's the concept.


yes,
spot on, this concept can be used in all sorts of environments



Someone is going to make millions by coming up with an easy to implement version of this to protect digital rights in content.


you buy a temp password that expires after a period of time.
mega could already achieve this, or some similar implementation


The obstacles are all surmountable. The cert authorities who were compromised should be taken out of the CA business. It's not difficult to keep your master hash seeds and certs in a sterile server (a sterile server or PC is a computer which is booted from a non writable image such as vmware, VPS, etc which has no browser plugins or even web browser if it's not needed, no java, etc. Ideally it is not even connected to the internet or company network). Human laziness always seems to be the break in the chain....


or a network interface controller that has hardware for send on the sterile server and receive on the distributing server, hardware level isolation, it just means physical access is required to administer the cert server


Apparently Mega did a poor job of implementing the concept but they've already begun fixing those issues and by releasing it to the Unis they hope it will be developed to its full potential.


i agree this is a great product, and has potential to change privacy and security world wide.
the next logical step is to supply it to universities,
one point to make is that by its design, it can be updated centrally in hours without requiring updates downloaded to all end users



I'm tired of watching the modern day example of industry holding up progress for the sake of preserving their business model that passes for Hollywood and the music industry. Anyone who thinks the energy companies, auto companies and biotech are not doing / have not been doing the same is blind to what's right in front of you. Anything Hollywood can do the big oil companies can do much easier and much better, see?


disruptive innovation brings about change by its very nature, UCE is better faster and less expensive,
if it saves money and time it will be adopted



People don't realize how much is held up by this issue. Faster internet in the US, for example. Make it possible for HWood to distribute new releases via the Internet and you'll see fiber internet spread like copper. It's about damn time someone came up with an idea that has the potential to solve the problem.


at this point it's either adapt or be left behind,
the technology has progressed past the point of being suppressed,
it offers savings and people find it fast and easy to use.

the way of the future


xploder


One thing's for sure - we're all on a train that is headed down a set of tracks to somewhere, but nobody knows quite where yet.



posted on Feb, 25 2013 @ 10:41 PM

Originally posted by kwakakev
As someone currently developing a website, the issues of protecting private information greatly concern me. Passwords can easily be protected through hashing, but as for the other user data like names and email addresses, this data does need to be searchable and accessible through the database. Sure I could encrypt the whole database as well, but if someone gains administrator or copy rights to the website, they also get access to all the source code which will make any further encryption ineffective and easily defeated.


you could use UCE just to manage "access" to the web page, it would depend on the "function" of the site


Since most of the content in the website will be accessible by the public, this information effectively becomes public domain. As a website administrator, I do have grave concerns with the integrity of the information if I am to provide a user controlled encryption for this site. What happens if the user's machine is damaged or they lose their password? Then all of their private content becomes corrupted and unusable. How popular would facebook, twitter or even ATS be if they had to permanently lock you out of your account because it is impossible to verify any personal information?


you would have to balance usability with security,
if ATS was the example, what would be worse, losing the ability to "log on" or
having all your user accounts hacked?


For sites like Mega, UCE is a great way to provide plausible deniability and establish reduced responsibility for the website administrator with the content that does pass through their site.


it also allows updates to be managed in one place without having to "update" each end user,
and means there is no central password store to be a target for hackers,


For other sites, UCE does create a multitude of problems for the website administrators in fulfilling user access requirements.


if users are accessing the same resources each time they visit,
then you can provide an extra level of security to access of resources.

it would depend on the usage of each web site, and if password resets were more important than the extra layer of security

xploder

edit on 25/2/13 by XPLodER because: (no reason given)



posted on Feb, 25 2013 @ 11:00 PM
reply to post by HattoriHanzou
 



One thing's for sure - we're all on a train that is headed down a set of tracks to somewhere, but nobody knows quite where yet.


this technology was designed with something big in mind,
a sub network layer encrypting half the internet
with all the features that the unencrypted net now provides.

but with privacy by design baked into ease of use.
and speeds that "blow you away"



xploder

edit on 25/2/13 by XPLodER because: (no reason given)



posted on Mar, 3 2013 @ 01:03 AM
correction,

i had stated that the https used for initial connection was only required for verification of server side certs,
this is incorrect and other functions beside server side cert verification take place.

the API does not need https for bulk file transfer, however it does use it for other reasons. (not going into details)

xploder



posted on Mar, 18 2013 @ 01:06 AM
 


off-topic post removed to prevent thread-drift


 




