--- Log opened Sat Oct 26 00:00:45 2013
03:40 < warren> gmaxwell: I'm writing specifications for a next generation forum for theymos. I figure it would need some kind of cryptographic timestamp with versioning of posts to serve as prior art in defeating patents?
03:40 < warren> think of crazy ideas you think forum TNG should have
03:41 < gmaxwell> warren: talk to nanotube and midnightmagic, they're likely to have more thoughts than I do.
03:41 < warren> nanotube: midnightmagic ^
03:41 < gmaxwell> I do think whatever it does it should enable cryptographic timestamping of posts, with some kind of efficient extraction so you can pull out a single timestamped post and have people verify it.
03:41 < gmaxwell> but that's not all that hard.
03:42 < warren> do you want the ability to permanently delete previous versions of posts?
03:42 < warren> that's a hard part
03:42 < warren> gmaxwell: that might be a good use to bring chronobit into the mainstream
03:46 < gmaxwell> It's fine if the server deletes them .. you should just be able to click a button on a post and get a timestamped and forum-signed copy of your post (once one is available for it) which can always be verified, even if the post is deleted.
03:46 < gmaxwell> also means that if someone else saves your post before you delete it, they can prove to other people that it was previously there.
03:46 < gmaxwell> which I think is desirable.
03:46 < warren> yeah
03:46 < warren> very
03:47 < warren> accountability
03:48 < gmaxwell> well, I think allowing editing and stuff is fine, and I'm okay with old versions being thoroughly deleted... if you manage an edit before no one else sees it.. no harm no foul.
03:49 < warren> for most things yes
03:50 < warren> but if you're talking about priority dates
03:50 < gmaxwell> I think it might be interesting if the non-public forums were encrypted, with the keys stored encrypted with the accounts that have access to them, likewise for PMs.
Basically the goal there would be to reduce the incentive to compromise the server in order to obtain the little non-public data it has.
03:50 < warren> if someone edited a post to add a tiny correction, they lost proof of the earlier date
03:50 < gmaxwell> warren: nah, they just save the earlier proof.
03:50 < warren> gmaxwell: not everyone anticipates that their earlier proof will be important years laer
03:50 < warren> later
03:51 < gmaxwell> could be optional to delete old versions of messages. Dunno. Or maybe make them only accessible to the user who used them.
03:51 < warren> gmaxwell: interesting, client-side encryption of PMs? You back up your own key. if you lose it, you lost only your PMs.
03:51 < gmaxwell> Access to old versions of messages could make some moderation problems worse.
03:52 < gmaxwell> warren: you make your PM key encrypted with your login password, so it gets backed up on the site... but a hacker who compromises your site now has to bruteforce your login password to get your PMs.
03:52 < warren> could that increase the legal hazard to the forum? forum has no ability to police using it as a medium for illicit activity
03:53 < gmaxwell> It has no legal responsibility to in the US, see S230. (in fact, forum spying on PMs is probably unlawful in the US) Besides, it could if it's made aware of it.
03:53 < gmaxwell> Though on that subject, retaining old versions accessible to all users has a moderation problem.
03:53 < gmaxwell> E.g. I fill a post with childporn links, then edit them out and replace it with puppy pictures.
03:54 < gmaxwell> Then I quietly tell all the other childporny people where to go find the hidden posts.
03:54 < gmaxwell> so if you do provide access to old versions it should probably be exclusively to the user or user + global admins.
03:55 < Luke-Jr> gmaxwell: meh, no different than a wiki
03:55 < gmaxwell> Luke-Jr: wiki provides good interfaces to view changes and find things in old versions.
03:55 < gmaxwell> (I describe that behavior because people were doing stuff like that in enwp at one point)
03:56 < gmaxwell> In any case, encrypted PMs wouldn't be there to have military grade security or anything, it's just a casual thing that reduces brittleness to hacking. I'd suggest that the forum not even tell users that their PMs are encrypted. If users want good security they should be doing GPG inside their PMs.
03:57 < gmaxwell> Another thing that should be supported: two-factor login via bitcoin signmessage. Hopefully devices like trezor will support that in a later firmware. So then you could use your hardware wallet to auth you to the forum.. no more account hacks ever.
03:57 < warren> huh
03:58 < warren> sign message?
03:58 < Luke-Jr> gmaxwell: unless you sign every action, you can still get account hacks
03:58 < Luke-Jr> warren: …
03:58 < gmaxwell> Luke-Jr: hm? site is SSL.
03:58 < Luke-Jr> you maintain an altcoin and you don't know signmessage?
03:58 < Luke-Jr> gmaxwell: if the server is itself compromised..
03:58 < warren> Luke-Jr: oh, I missed that he said signmessage
03:59 < warren> Luke-Jr: that's impossible! =)
03:59 < gmaxwell> Luke-Jr: yea, sorry. I wasn't meaning also no server hacks, I just meant not from user password stupidity.
04:00 < warren> the way I have his server set up right now it would be difficult for even remote php eval() to write anything to disk
04:00 < warren> forum TNG I'm going to suggest get rid of php entirely, either rails or node
04:00 < Luke-Jr> ew
04:00 < Luke-Jr> I'd do php before rails at least
04:00 < warren> ewwww, php
04:00 < gmaxwell> warren: a kind of dumb but easy feature: support some message parsing so that if you post a gpg signed message, the server will verify the signature, and if it can it strips out the gpg noise and puts in a Signed message icon. clicking it gets you the plaintext of the message so you can verify it yourself if you want.
04:00 < warren> php needs to die
04:01 < warren> gmaxwell: ooh, that sounds great.
04:01 < warren> gmaxwell: and board markup can be within that, parsed within the signed message box, but raw text for manual verification
04:02 < gmaxwell> this way people using their own gpg signatures on messages aren't a nuisance adding kilobytes of base64 data to everyone's screens.
04:02 < gmaxwell> yea, exactly.
04:02 < gmaxwell> so it doesn't break markup either.
04:03 < gmaxwell> warren: rails? Not go? :P
04:03 < warren> gmaxwell: whatever can be rapidly developed and is reasonably securable
04:04 < gmaxwell> most of the dynamic languages have been security disasters of various degrees. :(
04:04 < gmaxwell> rapidly developed and is reasonably securable ... = Java.
04:04 * gmaxwell ducks
04:04 < warren> haha
04:06 < warren> SMF has the ability to grab avatars from arbitrary URLs
04:06 < warren> I'm not sure how someone thought that was a good idea.
04:06 < warren> there is no reason a forum should be able to make outgoing connections
04:06 < warren> also ... bitcointalk's outgoing e-mail is spam binned or blocked at many ISPs
04:07 < warren> because spam is sent in PMs
04:07 < warren> forum TNG needs egress spam filtering with moderation
04:10 < gmaxwell> warren: it should use tor for that. :P
04:10 < gmaxwell> oh a feature I want: block @#$@#@ third party images in posts.
04:11 < gmaxwell> It's crappy that anyone on the forum can get the IPs of anyone who reads their threads by inlining an image!
04:11 < warren> yeah
04:11 < gmaxwell> I bet it even works in PMs too, but I haven't tried it.
04:11 < warren> I'm curious why that's allowed at all.
04:11 < gmaxwell> it will be awesome beyond belief if there is another browser PNG remote code bug...
04:11 < gmaxwell> (there have been ones in the past)
04:11 < warren> gmaxwell: ooh... let people upload images ... but that's a premium feature
04:12 < warren> no privacy problem that way
04:12 < gmaxwell> sounds fine to me.
also would reduce fucking stupid meme images, which I think is ducky but others may not agree.
04:12 < warren> they can use stupid meme images, if they pay
04:12 < warren> pay to pollute
04:13 < gmaxwell> yea.
04:13 < gmaxwell> I wish there were a way to distinguish normal signatures from advertising ones. I wish I could block only the advertising signatures (though I guess they're a good way to identify idiots)
04:13 < warren> people will bitch about losing the feature, but easy to explain with "privacy"
04:14 < warren> gmaxwell: ooh, Ignore button only for signatures
04:14 < gmaxwell> it has that already, in fact.
04:14 < gmaxwell> oh but it's not per user.
04:14 < warren> huh
04:14 < warren> oh
04:14 < gmaxwell> ah, also, might be interesting if you could subscribe to other users' ignore feeds.
04:15 < warren> hahahaha
04:15 < warren> that would be awesome
04:15 < gmaxwell> Or be able to do things like ignore this if 2 out of {warren, theymos, gavin} have ignored.
04:16 < warren> don't want the logic to become too slow
04:16 < gmaxwell> (in theory you could replace a lot of banning with a default ignore subscription, though if mods were ignore subscribed, I'd want separate personal and moderator ignore lists.. as I ignore people pretty freely)
04:16 < warren> gmaxwell: would folks like a slashdot-like meta-moderation system?
04:16 < warren> good posts bubble up
04:16 < gmaxwell> I think slashdot has been a uniform disaster and I wouldn't use any forum that worked that way.
04:17 < warren> reddit is a disaster too?
04:17 < gmaxwell> I think my net karma in /r/Bitcoin is negative.
04:18 < gmaxwell> Because I've posted things like expressing concern about people centralizing on popular web wallets or saying that I didn't think the promotion of illegal activity was good for bitcoin.
04:18 < gmaxwell> And I got groupthink downvote bombed.
04:19 < gmaxwell> (my reddit karma overall is very high, it's not like I do poorly in reddit in general...
but it punishes strong voices who aren't in with the flow)
04:21 < gmaxwell> Now, ... a per subforum mode that lets you do a reddit style thing might be interesting.
04:21 < gmaxwell> E.g. press subforum would probably be neat with reddit ranking instead of most recent post bumps.
04:57 < midnightmagic> post bumps make me angry
04:57 < midnightmagic> aaaaangry
04:58 < midnightmagic> no.. wait, that's steven harper that makes me angry.. aaaaangry
06:19 < warren> gmaxwell: mind if we act as guinea pig for gmaxwell:external_ip?
06:26 < warren> gmaxwell: I'm going to make a bitcoin-0.8.5 branch with the large pile of stuff I backported/tested in litecoin-0.8.x too.
06:34 < petertodd> gmaxwell: make the forum have an underlying usenet-like architecture, so those interested can mirror whole copies. Prevent DoS w/ trusted signature schemes of the "master server" and/or proof-of-sacrifice stuff
06:35 < warren> petertodd: with client-side encrypted warez ...
06:36 < petertodd> warren: heh, yup
06:36 < petertodd> warren: obviously moderators can handle that...
06:37 < warren> petertodd: can they? they have no idea what is stored there...
06:38 < petertodd> warren: right, and having no idea is grounds for them banning the message. (or not allowing it in the first place)
06:39 < warren> censorship!
06:39 < petertodd> allowership!
06:40 < petertodd> no seriously, I'm thinking you have what if fundamentally a flood-fill, but use signatures to filter
06:40 < petertodd> *what is
06:40 < petertodd> and really, usenet is probably 95% of what we need...
06:42 < petertodd> heck, looks like there's some existing web-based usenet readers
06:43 < warren> ship it with monster truck sized training wheels
06:44 < petertodd> Exactly! it's totally ok if there's still "bitcointalk.org", and if what it's usually doing is generating a PGP key on your behalf that it signs your posts with.
06:44 < petertodd> Also, you can still have ads: add them to messages the same way that bitcoin-development does in a separate mime bit. (you can have two sigs even...)
06:45 < petertodd> or just leave the ads on the http version - the usenet version doesn't have to
06:46 < petertodd> (kinda sad that my first thought with an awesome fully decentralized forum is how can we stick ads on it...)
07:26 < warren> gmaxwell: https://github.com/wtogami/bitcoin/commits/0.8.5-externalip backported your patch to 0.8.5. It seems to run ... no idea if it is working.
07:27 < warren> petertodd: any idea how to test if this is working?
07:27 < petertodd> warren: logs? tcpdump?
07:28 < warren> maybe a logprint when it transmits an advertisement?
07:29 < MoALTz> petertodd: figure out how to reward website operators for offering a service without using ads? not sure if there's a good way to do this though
07:29 < petertodd> yup
07:30 < petertodd> MoALTz: nah, real easy: we want to pay mods because they do useful moderation work, and we want to pay server operators because servers cost money
07:30 < petertodd> MoALTz: the latter is easy with http web stuff, just use ads! with nntp, charge for the service. For moderators, attach the ads to the messages they moderate if you want, or take money out of the other two categories.
07:35 < petertodd> crazy scheme: so moderators/forum operators are good for DoS attack control. Make people pay for that service by using a forgeable digital signature, specifically one where between two parties, the receiver knows the sig is valid, but it's constructed in such a way that the receiver themselves can fake the signature. Thus when people stop paying for their feed, stop signing the data. Works best with a broadcast encryption scheme, though I don't know enough about the details of how to actually do that.
17:27 < warren> https://github.com/litecoin-project/litecoin/pull/81 we're going to guinea pig the externalip thing
17:27 < warren> anything else you want tested on ?
18:31 < adam3us> gmaxwell: less OT here it seems to me a Pedersen commitment can be used as a chameleon hash also have to check, maybe it's well known - not sure
18:32 < gmaxwell> I was trying to come up with a way to use ECDSA as one (on the basis that people already have ECDSA code), but failed... I could only get one that worked for two messages and only if you knew them in advance.
18:33 < adam3us> yeah schnorr is just more flexible ... dsa is a bad algorithm
18:33 < adam3us> gmaxwell: Pedersen commitments are like two discrete logs and generalize to many discrete logs called representation problem
18:38 < gmaxwell> adam3us: interesting, yea, I didn't think any of the other chameleon hashes failed to leak the private key. That was indeed also the claim of that paper.
18:44 < adam3us> gmaxwell: maybe it's wrong... i find it hard to imagine i just invented two new chameleon hashes given how easy it was
18:45 < gmaxwell> it wouldn't surprise me, it's not the most in-demand cryptographic construct, and it's highly related to ZKPs, which you've been thinking about lately.
18:45 < adam3us> gmaxwell: check thread, but a=kG+mQ is hash, modified hash is a=k'G+m'Q which recipient can calc as he knows dG=Q, and k'=k+md-m'd
18:46 < adam3us> gmaxwell: u know there is a lot of interesting and practically useful stuff below what the academics call MPU minimum publishable unit
18:48 < adam3us> gmaxwell: it's an interesting q if you can force that to be a valid ECDSA sig, would be like an existential forgery (sender) vs a real sig (recipient) but i am not sure if an existential forgery can communicate anything other than a random number in place of a msg
19:31 < adam3us> gmaxwell: yeah i don't see how to make that work with ecdsa either..
oh maybe you can do this
19:33 < adam3us> gmaxwell: R=kG, r=R.x, s=k^-1(H(m)+rd) dsa sig = r,s (normal so far) a verify relation is sR =? H(m)*G+rQ
19:35 < adam3us> gmaxwell: so work backwards, choose r random, compute R=[r,f(r)], then H(m)*G, calc T = H(m)*G+r*Q
19:35 < adam3us> gmaxwell: ok now choose random s compute sR = T (ie s^-1*T = R)
19:36 < adam3us> gmaxwell: so far the R value is random and wrong and doesn't match r
19:38 < adam3us> gmaxwell: so set r'=R.x, and find a new Q' =cQ that matches ie its true that sR=H(m)*G+rQ' = sR=H(m)*G+r*c*Q
19:40 < adam3us> gmaxwell: for that to work rc = r', so c=r'*r^-1 mod n; now you have a standard DSA sig but on a multiple of the recipient's public key, the factor c is secret as the random factor in the chameleon hash
19:45 < adam3us> gmaxwell: forgery by the recipient would be again sR=?H(m)G+rcQ to find a different c' that matches a different H(m') ie to find sR=?H(m')G+rc'Q but as the recipient knows d from dG=Q he can write that sR=?[H(m')+rc'd]G vs [H(m)+rcd] so H(m')+rc'd=H(m)+rcd, so c'=(H(m)-H(m')+rcd)/rd
19:45 < adam3us> gmaxwell: seems to work (though I am tired so i may have screwed something)... did you have an app in mind?
19:46 < adam3us> gmaxwell: maybe more direct bitcoin integratability because it already understands and serializes ECDSA sigs?
19:46 < gmaxwell> adam3us: yea my thought there is that people already have ECDSA code, so a chameleon hash based on one would be easy to integrate.
19:47 < adam3us> gmaxwell: makes sense and kind of convenient it provisionally seems to work
20:05 < Luke-Jr> http://siliconsaint.blogspot.se/2012/07/temperature-inversion-in-deep-sub.html
--- Log closed Sun Oct 27 00:00:48 2013