Month: November 2010

Secure multi-party computations in Python?

Posted on Updated on

I am not into cryptography, but I recently heard through Professor Lars Kai Hansen of secure multi-party computations, where multiple persons compute on numbers they do not directly reveal to each other, – only in encrypted form.

It turns out that Aarhus has done some research in that area and even released a Python package called VIFF (Virtual Ideal Functionality Framework).

The December 14th, 2009 1.0 release can be downloaded from their homepage. They provide a standard Python setup file:

python setup.py install --home=~/python/

The installation complained as it required the gmpy package which is in standard Ubuntu:

sudo aptitude install python-gmpy

With the package is example files in the ‘apps’ directory. They require the generation of configuration files where you specify hosts and ports for the ‘persons’ that need to communicate for secure computation. To keep it simple I stayed on localhost:

./generate-config-files.py localhost:5000 localhost:5001 localhost:5002

In three different terminals you can then type (with the working directory being viff-1.0/apps):

./sum.py player-1.ini 42

./sum.py player-2.ini 3

./sum.py player-3.ini 5

This example program will sum 42, 3 and 5. Each of the running Python programs then report the result:

Sum: {50}

The three values are private to each person (here each terminal) and the result is public. If you go in the middle of the Python program and write print str(x) thinking that you can reveal one of the private values (42, 3 or 5) you only get something like:

Share at 0x9751b4c current result: {805}

Close to pure magic.

Speed benchmarking SQLite from Python

Posted on Updated on

Sqlite

On the SQLite homepage is a database speed comparison. There SQLite compares somewhat favorably to PostgreSQL and MySQL if you do not consider non-transactional inserts.

I have not yet gotten around to test PostgreSQL and MySQL, but I managed to get my first short SQLite benchmark written with testing from Python. As indicated on the SQLite speed comparison non-transactional inserts are expensive, and that is what I also find.

https://gist.github.com/701922

Performance enhancement through TMS and TDCS

Posted on Updated on

Today I heard in the Danish Radio (“Danmarks Radio”) that British researcher had improved mathematical performance on subjects by sending electricity through the head. It is presently even on the front webpage of the “P3” channel with the headline “Is it ok to dope the brain?”.

Poor Thomas Z. Ramsøy, that I know, was dragged early out of bed by the radio to comment on the story. He is neuropsychologist, but I don’t think the story is in his line of research.

I got the impression that the research was performed with transcranial magnetic stimulation (TMS), – a technique where you apply a strong magnetic field just outside the head. Performance enhancement through TMS has been carried out before. A few years ago neuroscientist Daniela Balslev and her cos put TMS (or rather repetitive TMS – rTMS – if you are in the know) at the somatosensory hand area in the brain. You know the area “located at 3 cm posterior to the motor hotspot”. With that she was able to enhance the performance in the so-called mirror tracing task. This is a task where you trace lines on a piece of paper or computer screen, but through a mirror (actual or computer programmed). If you turn the computer mouse 180 degrees around you will see how difficult that task is.

Danish Radio doesn’t link to the original article they talked about as far as I can see. They should learn something from British Radio BBC in that aspect. But luckily Google News manages to find a reference. New Scientist writes Electrical brain stimulation improves math skills and references research by Roi Cohen Kadosh. He has done a TMS experiment, – but the mathematical performance fell. Actually the new research is reported to be performance enhancement with so-called transcranial direct current stimulation (TDCS), – a technique where you apply a small current through the brain.

The original article is called Modulating Neuronal Activity Produces Specific and Long-Lasting Changes in Numerical Competence. Danish science museum Experimentarium had an article a few days ago linking to that article.

2010-11-29: Minor correction

The revenge of NemID: Try again later

Posted on Updated on

Itst

So a few days ago I wrote (again) about the Danish nation-wide authentication system NemID and the problems associated with it. Perhaps in a bit too sarcastic tone.

I have just enabled the NemID for my Internet banking account. I find it a bit more convenient than the login system I used before. However, just after I had enabled it I wanted to login again and see if it worked again, — and it didn’t! I received the following error:

Der er opstået en teknisk fejl. Prøv igen senere. (Fejlkode: 999)

(Translation: A technical error has occured. Try again later. (Error code: 999)

999 is not one of those numbers I am familiar with… So I emailed the hotline of the bank, which returned an answer the next day suggesting I should try another operating system…

In the meantime media reported that is was yet another error of the NemID system. Other media reported later that it was an error in one of the two redundant servers. Oh that one.

So if the company behind NemID cannot keep the system running does that give an indication of their ability to handle the security of the system? Should we be worried that all our money on our banking account suddenly disappear due to cracking of the NemID system?

According to Palle H. Sørensen from the IT & Communication Agency we shouldn’t be worried: There is independent and critical revision of the system. This is taken care of through so-called OCES certificat policies. So what is this OCES? I google a bit. The first significant information I could find was from DanID, that is the company behind NemID. eeeh? Ok, so a bit later I found information at the agency.

If you go to the agency main web site you will find that it is presently experiencing technical problems (see screenshot). (Apparently the web server runs the Debian Lenny system. I had my problems with that too.) The error message suggest one should try again later. Now I get this try-again-later-deja-vu feeling.

So is there a pattern behind all these NemID problems? When I tweeted about the 999-problem Ole Palnatoke suggested I turned the screen around… ;-) Palle H. Sørensen’s newspaper article about OCES was printed next to an advertisement where the three last digits in a printed phone number was 656. They are getting close…

DifficultID: Continuing troubles for NemID

Posted on

Introduced a few months ago our Danish national authentication system the Nets DanID’s “NemID” (easy ID) continues to bring new stories. Sometime in October it reached one million users. That’s around a fifth of the Danish population.

The crucial system continues to be discussed quite a lot, and nerds welcome each new crash and trouble with joyful schadenfreude.

Since I first wrote of NemID there as been new crashes, security issues and domain name/trademark issues:

Assemble A/S based in Hellerup Denmark applies 24 january 2010 for registration of a trademark: nemID. In the remarks it says “NemID has been used as address and identification of citizens (unique identifiers) in the system NemPost since 2006” (page 3). The company also owns the domain nemid.dk.
DanID uses nemid.nu for their NemID.

Searching on Internet Archive I find no results returned for either www.nemid.dk nor www.nemid.nu

Whois reports a registration on 28 May 2007 for nemid.dk. Assemble A/S is recorded as the owner. My whois on nemid.nu is not clear but replies “Record created on 2008-Nov-12”.

Nets DanID has also registered NemID (nemID) as a trademark. They have done that before Assemble and protested against Assemble’s trademark registration of nemID. So what will happen with ‘NemID’. It seems that Assemble has used it somewhat before Nets DanID, so there might be some priority.

The .nu domain is handled by the Niue island nation. It would seem strange that a site that is endosed so much by the government of Denmark chooses to rely on a foreign country on the other side of the planet. Libyan ly-domains have run into problems and the vb.ly domain has been closed as Libya didn’t like the pornography linked from this URL-shortener service Dorte Toft says. Could Niue close Danish nation-wide authentication?

The company Nets DanID has run into further problems with the domain nets.dk. They want it! Sten Axelsen who writes his first name backwards in the domain owns it. Poor Sten has had a great deal of stress since the lawyers of Nets DanID have attacked him. PBSNets, a fake Twitter account, has written funny tweets about the case.

Letters with first time access code and letters with the ‘papkort’ with the one-time pad are not suppose to be send on the same day. Two times DanID has not done that and had to block the account for several thousand people.

In October a 15 year old boy received NemID even though he had not requested one, and he dit not have an internet banking account (which would have meant that he got NemID automatically). Neither the Bank nor DanID seem to know why the boy had received NemID. It turned out the Internet banking solution provider for the Bank, Skandinavisk Datacenter, had send the information to DanID.

You can download a iPhone application that can store images encrypted on the iPhone. The developer Daniel Bahl has called the application GemID and the reason why he developed it was that he was “unbelievably tired” of the NemID papkort. This is of course unsafe, and DanID says it is really a no-no. Bahl says that he has plenty colleagues and friends that store an image of the papkort unencrypted on their mobil. That it is so easy to copy the card is a weakness of NemID.

European Union pilot project Secure idenTity acrOss boRders linKed (STORK) attempts to see if digital signatures can be used across European nations.
NemID is not part of that.

And now for a couple of crashes and other troubles:

  1. An afternoon in late September users could not login due to a server error.
  2. 21. October 2010 NemID had a several hours long breakdown. DanID did not want to reveal the details of why it happen. It is unfortunately that such systems of national importance can be “hidden” in private companies where the scrutiny of democratic institutions cannot get to them.
  3. On 28. October 2010 a Java error caused Danish banking tied to NemID to get into troubles.
  4. In the last weekend of October there were besides the Java problem, a login problem as well as a two-hour breakdown

Poor NemID… And now Charlotte, Minister of Science, is also angry, — well at least not satisfied.