Guessing game
Posted: Wed Jun 25, 2008 10:12 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
How am I feeling at this exact moment?
Answer in MD5 checksum: ef97b40b2245d3690c745cd6e8c663db
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIYvf/YKLKXJTvB1MRAjNWAJ4sp4lduajrcdZMtfwdnG06KEJzPwCcDRNZ
VeyPsqqeth8jGZzAld6O5Q4=
=QM+7
-----END PGP SIGNATURE-----
Observations:<ul><li>I’ve given the MD5 checksum of my answer, meaning I’ve set the answer in stone without actually giving you the answer. (If someone I didn’t like guessed the right answer, I couldn’t just change the answer.)</li><li>I can’t change the checksum either, because the “This post has been edited by Chris Vogel” thing would show.</li><li>Administrators could edit my checksum without anyone knowing, but that would invalidate my OpenPGP signature.</li></ul>
Flaws:<ul><li>I could give the administrators a different signed message and bribe them to secretly replace it. Alternatively, I could hack into an administrator account. (Administrators can optionally edit messages without the little “edited by” message.)</li><li>The administrators could get their hands on my private key and crack the passphrase, letting them sign a new checksum with my key.</li><li>The administrators could sign their own message and replace it with mine, fooling anyone who validates the signature (or just assumes it’s valid) without actually checking to see who owns the key.</li><li>The administrators could change the key information I have listed in the post signature to match theirs. They could also hack into my Web site and change the key information there, as well as my phone number, address, etc. This would fool people who actually did try to make sure the OpenPGP key belonged to me.</li><li>Obvious words, e.g., the English words for different moods, are probably in an MD5 hash database.</li></ul>
I’d like to turn this into a discussion of security instead of my mood, hence this topic’s location. If one wants to play such a guessing game over the Internet, what’s the best way to carry it out?
Archived topic from Anythingforums, old topic ID:3601, old post ID:66231
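Added example, not part of the original post: the last flaw (a guessable answer under a bare MD5) shown next to a commit-and-reveal scheme that mixes a random nonce into a SHA-256 digest, which is one common answer to the closing question. The word list, the sample answer and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample word list; a real guesser would use a far larger one.
MOOD_WORDS = ["happy", "sad", "tired", "bored", "anxious", "curious"]
NONCE_LEN = 32  # fixed length, so nonce || answer has one unambiguous split


def bare_md5(answer: str) -> str:
    """The scheme from the post: publish MD5(answer) with nothing mixed in."""
    return hashlib.md5(answer.encode("utf-8")).hexdigest()


def guess_from_wordlist(digest: str, words: List[str]) -> Optional[str]:
    """Return the word whose bare MD5 equals digest, or None if no word matches."""
    for word in words:
        if hmac.compare_digest(bare_md5(word), digest):
            return word
    return None


def commit(answer: str) -> Tuple[str, bytes]:
    """Return (commitment, nonce): publish the commitment now, keep the nonce private."""
    nonce = secrets.token_bytes(NONCE_LEN)
    digest = hashlib.sha256(nonce + answer.encode("utf-8")).hexdigest()
    return digest, nonce


def verify_reveal(commitment: str, nonce: bytes, answer: str) -> bool:
    """Check a revealed (nonce, answer) pair against the published commitment."""
    if len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + answer.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, commitment)


if __name__ == "__main__":
    secret_answer = "tired"  # constructed sample, not the answer from the post
    print("bare MD5 guessed as:", guess_from_wordlist(bare_md5(secret_answer), MOOD_WORDS))
    commitment, nonce = commit(secret_answer)
    print("nonce commitment guessed as:", guess_from_wordlist(commitment, MOOD_WORDS))
    print("reveal verifies:", verify_reveal(commitment, nonce, secret_answer))
    print("changed answer verifies:", verify_reveal(commitment, nonce, "happy"))
```

In this arrangement the signed message would carry the commitment instead of the bare MD5, and the nonce and answer are posted together when the game ends.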