Full Version: RAW Hacking
Aaron
QUOTE (kzt @ Jul 12 2008, 02:38 AM) *
You may be attempting to snidely claim that quantum computing will sidestep the heat dissipation issue [...]

Nope.

QUOTE
It's all well and good to continually shout "wrong", but it's pretty pointless when you can't actually be bothered to produce any evidence other than your clear belief that you are omniscient.

Oh, please.

My position is now and always has been that I don't believe your assertion; I believe I've offered plenty of evidence to that end and I dare anybody to disprove it. I'd be happy to be convinced otherwise, but the evidence offered thus far seems to support the debate more than the conclusion (the recently-linked paper, for example, has a number of fallacies itself, and uses a lot of correlation and hedging; I'd offer a real critique, but I don't really have the time or interest). I'd much rather see evidence that conclusively supports your point, not what has been posted.
Cthulhudreams
QUOTE (Aaron @ Jul 6 2008, 02:19 PM) *
See, this is why I've given up trying to offer stuff to DS.

kzt, if you're clever enough to think of that attack (which, obviously, you are), you're also clever enough to come up with a solution to it. It's not as much of a vulnerability as your post suggests.


The problem is the system has to be vulnerable otherwise the identity system wouldn't be vulnerable. Both are built by the same people and important infrastructure components.



Aaron
QUOTE (Cthulhudreams @ Jul 12 2008, 09:04 AM) *
The problem is the system has to be vulnerable otherwise the identity system wouldn't be vulnerable. Both are built by the same people and important infrastructure components.

You should be able to come up with a counterpoint to that on your own, too.
Carny
QUOTE (Aaron @ Jul 13 2008, 02:53 AM) *
You should be able to come up with a counterpoint to that on your own, too.


I'm somewhat reminded of the old arguments back in the day over gods and such in DnD.

Something like this:

"Hey, what's Odin's AC?"

"Why does it matter?"

"Well, I want to kill him."

"Why?"

"Ummm, because then I'd be really tough and everybody would know it."

"You can't kill him."

"Why not? I have x, y, z, ad infinitum magic items, maxed out stats, and all sorts of neat spells and stuff."

"Yeah, but he's a god, so you can't kill him. If you could kill him, he wouldn't be a god, and pretty much the whole campaign world wouldn't work."

"So what? This sucks! So unrealistic!"

"Yeah, tell me all about realistic, Gandalf/Conan/Elric boy."
Cthulhudreams
QUOTE (Aaron @ Jul 12 2008, 09:53 PM) *
You should be able to come up with a counterpoint to that on your own, too.


I thought about it a bit. The first logical point was that SINs are held individually. But SIN issuers are of sufficient scale - most of them are bigger than current major issuers of currency - to support the same redundancy model. In most cases the issuers of currency (corp scrip) are the SAME as the issuers of identity (megacorps).

Also, like cash, identity has the same trust requirements, so there is sufficient impetus to 'conform' to expectations - otherwise your identities will be held in the same regard as someone with a Sealand passport - you'll require additional special screening and the issuance of some sort of visa affirming your identity.

I just cannot see the driver that applies to currency and doesn't apply to identity. Given the prevalence of e-commerce, I actually think they are pretty much the same because if I can effectively fake your identity I can steal your money.

In summation, given the

A) Identical nature of the issuing authorities

B) Identical requirements for trust between issuing authorities

I see that the level of security would be identical.

Possible exceptions

A) The crash. But that would have also destroyed the financial system if they were hosted identically, which doesn't seem to have happened.

B) Inserting people at the point of registration, but again money is 'inserted' into the financial system all the time (issuance of debt) so that doesn't hang together either.

DireRadiant
All I know is money shouldn't work in theory, but I still can buy my lunch every day with it.
Aaron
DireRadiant, that's probably the best answer, overall.

But for the intellectual exercise, Cthulhudreams, you've got the start of a pretty good analysis going. What happens if you factor in some of the situational states, such as who issues each, who uses each, and how many entities have a vested interest in tracking each kind of data chunk?
Cthulhudreams
Money works perfectly well in the modern world because we have absolute trust in the issuing authorities (Australian Federal Reserve) and when we don't it doesn't (Zimbabwe)

The entire system of money today is based on the system of trust.

@Aaron

Well, both are issued by the same people (corps and governments), both are used by the same people (everyone, because etailing is a cornerstone of SR), and the same authorities have the same vested interests (ie Ares only cares about ares scrip and ares' ID -- but it has to be confident in the integrity of everyone else's currencies and identities otherwise it is impossible to conduct a transaction with them, which they need to have because they are by definition focused on conducting successful transactions).

With the assurance of integrity by other issuing authorities - for both currency and identification - the entire system breaks down.

The two are very strongly interlinked, but are we positing that one is radically vulnerable to a week's work by some guy, and the other one isn't?
BishopMcQ
I think you may be making a false assumption. Money and Identity are different systems, issued by different groups. Yes generically, the government issues me money and a passport, but they are separate branches of the government with separate operating parameters.

Every dollar bill has a unique identifier, based on serial number, date of printing etc. This same way, currency systems track each nuyen by a unique identifier--it may be possible to falsify funds on a system that is outside of the network, but once it connects to the verification system your fake money gives up the ghost. This is possible today with manual credit card transactions during terminal failures, or when banking firms have database corruption issues. With the distributed network, each of the systems that has a vested interest in a specific nuyen block will be queried and a consensus reached as to whether it's a trusted source.

On the other hand, Social security numbers aren't unique. They are re-used posthumously and the systems which track those changes are not always updated. Likewise, identity systems link numbers to other numbers--this is part of why identity theft works. If I'm born outside of the system, it's possible for me to steal someone else's number and use it as my own. Eventually based on transaction usage, it can become possible to identify pluralistic usage of an SSN, but there aren't as many counter-checks against that. Often, it's a simple query--John Doe says his SIN is 8675309. System responds that 8675309 is a valid SIN and because there is no need to probe deeper, the system doesn't.

In cases where a deeper probe is necessary, that's where fake SINs out themselves because the information on file does not match the presented information. This can even happen in the cases of legitimate access of a SIN, when the SIN has been compromised and is used criminally.

Joe Runner intercepts John Doe's information and sets up a fake ID. Joe Runner does a series of "legal" purchases on that SIN. Later gear that Joe Runner purchased on that SIN is found by LoneStar during a criminal investigation. They find that it was purchased by John Doe, they go to his residence and find that his SIN data has been stolen. The system destroys that SIN data and starts a fresh SIN for John Doe. Joe Runner's fake SIN has outlived its usefulness and must now be replaced.

If Joe Runner, using John Doe's SIN information before it was compromised, also managed to get John Doe's bank routing number and biometric data, it may be possible to screw much more deeply with John Doe's life. This way he could access John Doe's bank accounts, move funds around, etc. Credit pattern analyzation may notice a distinct change in John Doe's spending patterns and flag his account (thank you Horizon) or if done subtly, no one may notice until John Doe goes to pay for his lunch and finds that his account balance is off.

At least that's my two cents on the matter.
kzt
QUOTE (Ryu @ Jul 12 2008, 02:51 AM) *
Not exactly new, but it shows why Landauer entropy is no issue: Bennett: Logical reversibility of computation

It's an interesting approach. I've seen some articles discussing doing reversible block cypher systems to avoid some side channel attacks based on power consumption. However encryption is computationally a lot easier than breaking encryption.

The italicized limitation in "The existence of logically reversible automata suggests that physical computers might be made thermodynamically reversible, and hence capable of dissipating an arbitrarily small amount of energy per step if operated sufficiently slowly" suggests some minor issues if you are intending to perform an exercise that requires 1.7 * 10^38 operations on average and plan on success before the sun becomes a red giant. And that's 128 bits, it's perfectly possible to do a 1024 bit or longer crypto system.

And storage of 1.7*10^38 copies of the message with the current key try sounds like it might occupy a lot of storage too.
Cthulhudreams
QUOTE (BishopMcQ @ Jul 13 2008, 11:56 PM) *
I think you may be making a false assumption. Money and Identity are different systems, issued by different groups. Yes generically, the government issues me money and a passport, but they are separate branches of the government with separate operating parameters.


Two points

A) I'm not saying materially they are the same system. For starters, the transactional processing rate on the monetary system has to be higher. I am saying that the same principles apply to both.

B) This has clearly changed with the eventuating of the megacorp - they are definitionally one organization. If you want to get finicky about business divisions, I'll counter with the point that currency and identity are shared services and will be managed directly by head office.

QUOTE
On the other hand, Social security numbers aren't unique.


Well, the SSN system in the US is stupid. In SR4 computers remember my SSN. My SSN can be significantly more complex as a result. I would have to be some sort of moron to come up with a scheme that reuses numbers under any circumstances. It would be like reusing numbers when I'm printing nuyen.

I certainly wouldn't do it in either system.

Edit: Also, you say that the systems aren't always updated. I'm clearly saying that the idea is to reuse the technology & principles that underpin the currency tracking system for the identity system and one of the posits of Aaron's position is that the database will also be consistent. So updates will happen.

Edit2: Also, why doesn't the system probe deeper? Are you saying that it's never going to check if my nuyen are legit if I just restrict myself to 4 yen purchases?
Zaranthan
QUOTE
Edit2: Also, why doesn't the system probe deeper? Are you saying that it's never going to check if my nuyen are legit if I just restrict myself to 4 yen purchases?

Well, yeah. If it costs you 2 nuyen to do a Valid/Invalid SIN check, and 20 nuyen to actually verify the name and face (which requires a few more database queries), you're only going to use those in-depth services when the purchase will still offer a profit. It's a bit silly to assume that the megas offer free background checks, so it's fair to assume that retail businesses will only pay for those services when they stand to be implicated in identity fraud (by helping the runner steal John Doe's money).
Ryu
QUOTE (kzt @ Jul 14 2008, 07:31 AM) *
It's an interesting approach. I've seen some articles discussing doing reversible block cypher systems to avoid some side channel attacks based on power consumption. However encryption is computationally a lot easier than breaking encryption.

The italicized limitation in "The existence of logically reversible automata suggests that physical computers might be made thermodynamically reversible, and hence capable of dissipating an arbitrarily small amount of energy per step if operated sufficiently slowly" suggests some minor issues if you are intending to perform an exercise that requires 1.7 * 10^38 operations on average and plan on success before the sun becomes a red giant. And that's 128 bits, it's perfectly possible to do a 1024 bit or longer crypto system.

And storage of 1.7*10^38 copies of the message with the current key try sounds like it might occupy a lot of storage too.


This might be better than the previous one: here

Quote concerning your point, pg. 503:

"The second objection, that even logically reversible data-processing operations cannot be accomplished in a thermodynamically reversible fashion, I believe has largely been overcome by explicit models, proposed by myself and others, of physical mechanisms, which obey the accepted conventions of thermodynamic or mechanical thought experiments, and which accomplish reversible computation at zero cost (so-called ballistic computers, such as the Fredkin-Toffoli hard sphere model; Fredkin & Toffoli, 1982), or at a per-step cost tending to zero in the limit of slow operation (so-called Brownian computers, discussed at length in my review article; Bennett, 1982). These questions were revisited and vigorously debated in an exchange in Physics Reviews & Letters (Porod, Grondin, Ferry, & Porod, 1984). Of course, in practice, almost all data processing is done on macroscopic apparatus, dissipating macroscopic amounts of energy far in excess of what would be required by Landauer’s principle. Nevertheless, some stages of biomolecular information processing, such as transcription of DNA to RNA, appear to be accomplished by chemical reactions that are reversible not only in principle but in practice."
noonesshowmonkey
I am coming into this late, and for that I apologize. My responses here will be disorganized as I will be addressing multiple points on this very interesting piece of thread drift.

First off, I will qualify my statements that I am not degreed in mathematics, computer science, information technology or information management. I will not be linking people to interesting articles on the nature of flipping bits, thermodynamics etc. Know ye now that I am an 'uneducated' (amusing bit of irony there, ain't it?) party in this.

On the topic of the nature of cryptology, data security and the ability of anyone to find out anything. While the history of the world is one of oblivion, that the world we live in has long since been producing more data than can be processed, viewed, recorded or otherwise manipulated for as long as the world has turned, information has had this nasty trait of being 'known'. Epistemologically speaking, knowledge of any kind 'wants' to be known and has an interesting and observable habit of becoming known. At the same time, once information reaches a certain sublime magnitude it has an equally amazing quality of becoming unknowable for all intents and purposes. Take the two metaphors of a deadly family secret - these come out into public view almost inevitably (though a rare few are carried to the grave, but mostly by accident). The second is the construction of a cultural and technological monolith - the Windows operating system, the space shuttle, a 3rd generation nuclear powerplant. In these instances information has accumulated in a physical and verifiable form that far exceeds the ability of any party observing or participating to parse, learn, handle, interact with or otherwise know the subject in its entirety. Individual engineers and men of great genius may know a great deal about many of the parts involved but ultimately they will not have the slightest clue how the whole thing works together besides the most vague and knowledge-effacing/repudiating generalities.

What this means for data security is immense. First off, any cryptographic method that intends to be transmitted in a meaningful fashion to other users and eventually decoded suffers from the immediate flaw of being decodable and thus knowable in some fashion - ie is obtainable by a 3rd (interested) party. Secondly, only by achieving a magnitude so enormous that it becomes unmanageable by the individual, thus becoming the suzerain responsibility of a larger body (wherein individuals fail to comprehend the whole and thus the whole is not comprehended at all), does information achieve a measure of oblivion so sought after by 'security'.

When applying this to the concept of money or identification (which I will address in a moment), I would suggest that there is a strong trend towards a misleading kind of transparency that is often more opaque than one might wish. By this I mean that in a modern society where there is a vast amount of information easily available at any given moment achieving a minimum level of knowledge on a topic is ridiculously easy (again with the irony. I really should stop.) while gaining meaningful and significant knowledge on that same topic runs into an exponential growth in difficulty, often with rapidly diminishing returns. As the seeker taps out each information source that will naturally lead to another a profound shift away from truth begins to occur. One individual source's knowledge is for all intents and purposes finite but as the number of sources increase so does disagreement, shift in focus and origin and ultimately in content.

In terms of money or information, in this case identity - in the modern world, including the 6th world, the two are nearly identical. Money is information in a modern society. I mean this on several levels. First and most crudely, money is no longer backed by gold or some other physical object whose agreed upon value props up a currency. Long, long ago this changed. Instead our currency, in abstract, is linked more heavily to securities of a more ephemeral form - companies in particular, large banking and loan institutions etc. All of these eventually lead to some form of embodiment - a house, the property of the company etc. but what matters is that the value of these goods fluctuates in a far more liquid way than the value of gold ever did. The value of these properties fluctuates based on their utility rather than intrinsic value. This is extremely important to understand when dealing with information - value is proportionate to its utility. Information that is extremely useful but known only to one person is in fact almost entirely useless (though it may have huge potential value - much like an excellent company that is undervalued until it gains public respect). That value has as its core vehicle the utility of a given thing has immense implications on the ways of financial institutions and the interplay between information and currency. Hell, just consider the 'identity' of a given person in 2008 America, much less in 2070s fictional Seattle... 98% of the datapoints tied to our social security number are financial records having to do with my credit card, my checking account, my insurance, my taxes etc...

Data, value and identity are intrinsically related in such a fashion that arguing that they function differently matters only in terms of their embodiment, not necessarily in their core behaviors. Identity is not 'issued' - the folder or filter or container or whatever is 'issued'. The actual identity is populated by the user. Analogies to stock are close at hand here.

In practical terms the unifying of these two concepts produces a hide in plain sight stratagem and reality. As one user noted, can you be tracked if you spend only 4 nuyen over and over? God yes. Would it be easy? Depends. 4 nuyen is but a small dot in a sea of small dots. 1500 of these dots in close proximity stops being data points and becomes a point of analysis. Data naturally creates convergence, creates patterns, prepares conclusions to be discovered and ultimately leads to more data (which can ultimately obscure the initial intentions, meaning and goals of the first contact!).

The system will always check transactions relative to the magnitude of information being transacted (since information = value). 4 nuyen will pass under the radar because to verify it will place the analyzer smack dab in the middle of a sea of datapoints and white noise. 40,000 nuyen, however, reduces the field considerably. That 40,000 nuyen can be one transaction or 10,000 four nuyen transactions. If the correlation can be made a primary event occurs which then leads to other events. This is why a decentralized data system is so unbelievably robust. It at once protects information and at the same time makes vulnerable certain kinds of information by way of query. To make any significant impact on the value of anything you either have to make changes on a nearly infinite scale OR make changes on such a finite scale that the discovery by reasoning parties is nigh on inevitable.

That seems enough for this post. Let the sharks feed.
kzt
QUOTE (noonesshowmonkey @ Jul 14 2008, 12:43 PM) *
What this means for data security is immense. First off, any cryptographic method that intends to be transmitted in a meaningful fashion to other users and eventually decoded suffers from the immediate flaw of being decodable and thus knowable in some fashion - ie is obtainable by a 3rd (interested) party.

There are hundreds of thousands of people who have access to SIPRNET. Thousands of these have access to KH-11 images, hence everyone should be able to get them. As proof of your premise, please send me a KH-11 image obtained in the last 3 months of Iranian or NK nuclear weapon sites. I'm sure you'll have no trouble obtaining one.
Aaron
QUOTE (kzt @ Jul 14 2008, 04:21 PM) *
There are hundreds of thousands of people who have access to SIPRNET. Thousands of these have access to KH-11 images, hence everyone should be able to get them. As proof of your premise, please send me a KH-11 image obtained in the last 3 months of Iranian or NK nuclear weapon sites. I'm sure you'll have no trouble obtaining one.

I think it's fair for the person you quoted to wait on your request for you to offer an argument that isn't fallacious first. I was going to point out a specific one, but I stopped when I realized I was trying to choose between three.

I know this is off-topic, and I might get thumped by a mod for it, but the amount of intellectual dishonesty in this otherwise relatively technical topic is almost embarrassing. I think an appeal to reason is worth a warning. Yes, I know it's Dumpshock, and yes, I know DS has a reputation for being full of idiots, but I'd like to believe that Shadowrun players are a cut above those typically found in the discussion of other role-playing games. Futile though it may be, I will shake my tiny fist and hope it can get better.
Cthulhudreams
QUOTE (Zaranthan @ Jul 14 2008, 09:22 AM) *
Well, yeah. If it costs you 2 nuyen to do a Valid/Invalid SIN check, and 20 nuyen to actually verify the name and face (which requires a few more database queries), you're only going to use those in-depth services when the purchase will still offer a profit. It's a bit silly to assume that the megas offer free background checks, so it's fair to assume that retail businesses will only pay for those services when they stand to be implicated in identity fraud (by helping the runner steal John Doe's money).


This undermines the currency system though. If you don't check (ever) on small transactions, I can undermine the entire system by buying crap from vending machines and apple itunes. Each individual actor has no incentive to ever check, so no-one will ever check collectively.

Also, incidentally, it's not like a free background check. It's more like me showing you my passport and you checking that the face matches the photo. However in this case what you probably do is collect my biometrics and check them against the database.

It's actually difficult to posit a world in which encryption doesn't work and that does though because how do I stop the middle man just stealing all my details? Normally I'd use cryptographic hashes, but they don't work.

QUOTE
Data, value and identity are intrinsically related in such a fashion that arguing that they function differently matters only in terms of their embodiment, not necessarily in their core behaviors. Identity is not 'issued' - the folder or filter or container or whatever is 'issued'. The actual identity is populated by the user. Analogies to stock are close at hand here.

In practical terms the unifying of these two concepts produces a hide in plain sight stratagem and reality. As one user noted, can you be tracked if you spend only 4 nuyen over and over? God yes. Would it be easy? Depends. 4 nuyen is but a small dot in a sea of small dots. 1500 of these dots in close proximity stops being data points and becomes a point of analysis. Data naturally creates convergence, creates patterns, prepares conclusions to be discovered and ultimately leads to more data (which can ultimately obscure the initial intentions, meaning and goals of the first contact!).


Well, to me it's obvious that you'll be tracked if you spend 4 nuyen a go. It's only a problem with the previous poster's suggestion when there is a unit cost for checking. Because to conduct your analysis you need to segregate funds and conduct multiple checks - if you aggregate, all you'll find out is that people are defrauding you.

So I'm saying that your ID and cash would be checked every time, and when you can forge one, you can forge the other, but if you cannot forge both, you're screwed.

Also, identification is definitely issued, it is a very separate concept from an 'identity'. Identification is something you present to assert your identity - You have a passport and driver's license and maybe a building pass and they all have issuing authorities - who people trust to certify that you are person XYZ.

Without that trust (say, sealand) that identification is worthless, even if it has substance.
kzt
QUOTE (Aaron @ Jul 14 2008, 05:27 PM) *
I think it's fair for the person you quoted to wait on your request for you to offer an argument that isn't fallacious first. I was going to point out a specific one, but I stopped when I realized I was trying to choose between three.

I know this is off-topic, and I might get thumped by a mod for it, but the amount of intellectual dishonesty in this otherwise relatively technical topic is almost embarrassing. I think an appeal to reason is worth a warning. Yes, I know it's Dumpshock, and yes, I know DS has a reputation for being full of idiots, but I'd like to believe that Shadowrun players are a cut above those typically found in the discussion of other role-playing games. Futile though it may be, I will shake my tiny fist and hope it can get better.

If someone makes an unreasonable and intellectually dishonest claim I don't feel obliged to make a reasonable test for them to show it's accurate. I know they can't.

The guy who likes to pretend to never use fallacious arguments should recognize one when he sees one. The argument he uses, partially included below, is a combination of (at least): Appeal to probability, Begging the question, and False dilemma. Hence I'm unimpressed with the intellectual dishonesty shown in this thread too.

QUOTE
First off, any cryptographic method that intends to be transmitted in a meaningful fashion to other users and eventually decoded suffers from the immediate flaw of being decodable and thus knowable in some fashion - ie is obtainable by a 3rd (interested) party.
Aaron
I'm putting this here because it's tangentially relevant to the discussion. Plus some injustice has been shown toward someone else, and while that's something I know I should let slide, I find that I lack the restraint. If you (kzt) find fault with anything in this post, I invite you (kzt ... well, okay, or anybody else, I suppose) to PM me so we can come to some conclusion about rhetoric and logical argument without spamming the boards with irrelevant material.

QUOTE (kzt @ Jul 14 2008, 07:57 PM) *
If someone makes an unreasonable and intellectually dishonest claim I don't feel obliged to make a reasonable test for them to show it's accurate. I know they can't.

That would be a base assertion fallacy you're using, there. The argument you're defending with this fallacy is itself fallacious in at least that it relies on negative proof.

QUOTE
The guy who likes to pretend to never use fallacious arguments should recognize one when he sees one. The argument he uses, partially included below, is a combination of (at least): Appeal to probability, Begging the question, and False dilemma. Hence I'm unimpressed with the intellectual dishonesty shown in this thread too.

I love irony. The arguments quoted above demonstrate an ad hominem attack and quoting out of context, and those are fallacies I can prove off the top of my head on the first reading.

Of course, the proof is up to the reader, since as is the case with the main offender, I have offered no proof of my claims of fallacy. I have other, more productive things I should be writing, so I will have to simply offer this as an opinion, and let us here let it lie. Or else.
WearzManySkins
QUOTE (Aaron @ Jul 14 2008, 08:23 PM) *
let us here let it lie. Or else.

And now we step in to the Cranial Rectal Inversion Mode?

"Get Some, Pogue"

WMS
noonesshowmonkey
As I pointed out in the beginning of the post I was doing so from the delightfully simple point of view of complete ignorance of the technical side of this topic. Forgive me for viewing several users lost in the technical weeds and opening my mouth without linking to at least several journals. If it is academically dishonest to produce an opinion or summary on a topic while first advising that the entire thing is a fabrication I am not entirely sure what it is that you are upset about, kzt, but that is nothing new.

In the case of information theory, as far as I know it, there is a certain quality of probability fallacy built into it. To presume that you can create information that can be transmitted without being decoded removes the condition of information from what you have just sent - it is now just datapoints without any rhyme, reason or correlation to anything. Without having the tenor of information - a pattern, for example - there is naught but vehicle - the data points. As far as I have known any cryptology is breakable given the time, inclination and resources. If it is not breakable now, it will become breakable as resources develop. Information, like technology, is a process of accumulation. Should the encrypted information remain completely unknowable it is just that - unknowable and thereby useless with perhaps potential value. Crypto is but a facet of the process I am speaking of in that you may encrypt something utterly while other, cursory bits of information on the subject will crop up elsewhere, will be leaked by human sources, will find a way of being known through all manner of sources.

Lastly, if I cared to bludgeon people with the 'logical fallacy' stick with any sort of regularity I would soon tire and be unable to raise my arm. I leave that to rhetoricians and lawyers. You can call me an idiot, a pedant and naive all you want.
Cthulhudreams
QUOTE
As far as I have known any cryptology is breakable given the time, inclination and resources.


This is not the case. Nothing we know about can defeat a properly managed 1 time pad. (Unless you define 'resources' to include a 'copy of the key' but that's really a bit shallow.)

People don't use OTPs all the time because it's a difficult and annoying process.

Aaron
QUOTE (Cthulhudreams @ Jul 14 2008, 08:51 PM) *
This is not the case. Nothing we know about can defeat a properly managed 1 time pad. (Unless you define 'resources' to include a 'copy of the key' but that's really a bit shallow.)

People don't use OTPs all the time because it's a difficult and annoying process.

OTPs are vulnerable, but only by user error. If a key is used more than once, messages that are encrypted with that key become vulnerable. With perfect protocol security, though, yeah, it's pretty damn secure.
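
Added example, not part of any post in this thread: a small Python sketch of the two points made in the posts above, a pad that is "properly managed" (each key byte handed out once, never wrapped around) and what an eavesdropper holds when the same key is used for two messages. The class name, function names and sample messages are constructed for illustration.

```python
import secrets

class OneTimePad:
    """Hands out each key byte exactly once (hypothetical helper)."""
    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0              # everything before this offset is spent

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def take(self, n: int) -> bytes:
        # Refuse instead of wrapping around: wrapping around is key reuse.
        if n > self.remaining():
            raise ValueError("pad exhausted; refusing to reuse key material")
        key = self._pad[self._offset:self._offset + n]
        self._offset += n
        return key

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(pad: OneTimePad, plaintext: bytes) -> bytes:
    return xor(plaintext, pad.take(len(plaintext)))

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts. If both used the same key, the key cancels
    and this equals plaintext1 XOR plaintext2, with no key needed."""
    n = min(len(c1), len(c2))
    return xor(c1[:n], c2[:n])

# Constructed sample messages of equal length.
M1 = b"MEET AT DOCK 12 AT DAWN"
M2 = b"PAYMENT IS 5000 NUYEN.."

def demo():
    # Correct handling: fresh key bytes for every message.
    pad = OneTimePad(secrets.token_bytes(len(M1) + len(M2)))
    good1, good2 = encrypt(pad, M1), encrypt(pad, M2)
    # User error: one key encrypts both messages.
    key = secrets.token_bytes(len(M1))
    bad1, bad2 = xor(M1, key), xor(M2, key)
    target = xor(M1, M2)
    return (pad.remaining(),
            reuse_leak(bad1, bad2) == target,    # reused key: relation exposed
            reuse_leak(good1, good2) == target)  # fresh keys: still random noise

if __name__ == "__main__":
    print(demo())
```

With the reused key, anyone who later learns or guesses one message can recover the other by XORing it into the leaked value; with fresh key bytes the XOR of the ciphertexts is indistinguishable from random.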
noonesshowmonkey
QUOTE
Also, identification is definitely issued, it is a very separate concept from an 'identity'. Identification is something you present to assert your identity - You have a passport and driver's license and maybe a building pass and they all have issuing authorities - who people trust to certify that you are person XYZ.

Without that trust (say, sealand) that identification is worthless, even if it has substance.


Agreement is definitely part and parcel to the process of identification or currency exchange, though I am not entirely sure that I agree with you that the two are extremely separate. The identification gains its worth from an issuer who is able to back up the identification with parity. If the issuer is unable to regularly produce reliable agreements on information then the value of their information plummets. The strength of American ID against that of a 3rd world country with little to no information tracking and storage system is that the identity of the US citizen is a search filter that yields massive amounts of potentially correlated data. The trust inherent in either currency exchange or identification relies on the issuer or backer to be able to reliably produce correlated data. Just saying that you are trustworthy and that you are who you say you are does not go a long ways towards proof and does not a passport make. The reason that a, for example, British passport is a powerful form of identification relies on the British information processing method. The passport is linked to tons of supporting information which the passport itself can make possible a check of. The 'identification' here is just a little booklet that says "these are the various claims being made on behalf of this party, they can be checked against these verifiable systems to indeed be true (or in the case of Sealand, are unable to be checked in a meaningful fashion). They are who they say they are because their information checks out."

As far as societal interaction goes, we are but lumps of data on this or that which is queried. I am me, but me is only my DoB, my SSN, my bank accounts with their huge histories of usage on this or that, my subscriptions to various services, my educational records etc. when it comes to a system checking my veracity. A person is viewed as data points and the identification is suggesting that these data points be organized in this recognizable fashion to have this meaning attached to that person.

The issuer, however is, as you say, extremely important. Though I think that the issuer's importance is directly related to the way that the issuer gathers and handles information. I would consider this trend to be similar to that of currency no longer being backed by gold.
noonesshowmonkey
QUOTE (Aaron @ Jul 14 2008, 09:59 PM) *
OTPs are vulnerable, but only by user error. If a key is used more than once, messages that are encrypted with that key become vulnerable. With perfect protocol security, though, yeah, it's pretty damn secure.


QUOTE
People don't use OTPs all the time because it's a difficult and annoying process.


That is entirely my point. Methods may exist but they have many weaknesses that facilitate the transfer of information in spite of themselves. I am coming from the point of view that an OTP may be unbreakable but consider what happens when you lose the other half of the pad to decode that information? Does the presence and availability of the means to decode the information then present its own vulnerabilities? While this is not necessarily directly related to the practice of crypto as such, it is relevant to the ways in which information is processed and handled.
kigmatzomat
QUOTE (Zaranthan @ Jul 14 2008, 09:22 AM)
Well, yeah. If it costs you 2 nuyen to do a Valid/Invalid SIN check, and 20 nuyen to actually verify the name and face (which requires a few more database queries), you're only going to use those in-depth services when the purchase will still offer a profit. It's a bit silly to assume that the megas offer free background checks, so it's fair to assume that retail businesses will only pay for those services when they stand to be implicated in identity fraud (by helping the runner steal John Doe's money).


QUOTE (Cthulhudreams @ Jul 14 2008, 07:42 PM) *
This undermines the currency system though. If you don't check (ever) on small transactions, I can undermine the entire system by buying crap from vending machines and apple itunes. Each individual actor has no incentive to ever check, so no-one will ever check collectively.


No more so than identity theft or credit fraud already does. As it stands, credit agencies don't verify transactions under a certain threshold, that's why you can buy fast food without a signature. The fast food places consider the expense of tracking signed receipts greater than the expense of eating disputed charges.

Why would that change in the future? There's no real difference in business operations between credit fraud and shoplifting. If an item is lost or a charge disputed, the cost gets eaten by the store. If the cost of loss is acceptable relative to the expense of improved security, the company continues operating as-is. Only a swing in the balance sheet or some external force (like Visa threatening to retract card rights at a store) will justify implementing better security.

Market forces would almost guarantee that some vendors of low margin items in low-crime areas would operate using low-cost/high-risk transactions to either undercut the competition or increase margins.

The only time it becomes an issue is if it afflicts a significant percentage of an economy's GDP.
kzt
QUOTE (kigmatzomat @ Jul 14 2008, 07:55 PM) *
No more so than identity theft or credit fraud already does. As it stands, credit agencies don't verify transactions under a certain threshold, that's why you can buy fast food without a signature. The fast food places consider the expense of tracking signed receipts greater than the expense of eating disputed charges.

But they do track them. They just don't require Id for them. The transactions go into their main data base and get run through the anomaly detection routines like all other transactions. If you want to see for yourself, go to a gas station with 6 friends and their cars and use your visa card to pay for all of their gas, one right after another. You won't sign anything, but it's pretty unlikely that you'll get gas in all 7 cars, as you'll hit one of the anti-theft tripwires used by the credit card companies.
kigmatzomat
That's because if a single charge is disputed, the store takes a hit for not verifying the identity by checking the buyer's ID and signature. But if a card is stolen it becomes a liability to the credit card company as they often promise credit protection to their users. In this case the risk/damage to the bank is very high while the expense of tracking is relatively low given they already have the massive servers in place.

So if a flurry of un-verified requests come through that are atypical, the card gets flagged, the card holder contacted and/or the card is temporarily frozen.

But if you visit six different gas stations over the course of a couple hours with that stolen card to buy $30 worth of stuff, nothing happens at all because that isn't really atypical behavior for someone out driving around so it won't twig a security alert.

Going back to the original example, hitting a couple of vending machines isn't necessarily enough to cause an alert. It would be even less so if you spoof multiple people.

As long as there is profit after the losses and the cost of improved security is greater than the value of those losses, there will be plenty of unverified transactions in the world.
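
Added example, not part of any post in this thread: a minimal sliding-window velocity rule of the kind the last few posts describe, run over constructed transactions. The window length, the per-window limit, the card labels and the merchants are all assumptions chosen for illustration, not any card network's real settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumed look-back window
MAX_IN_WINDOW = 4                # assumed limit on unverified charges per window

def flag_bursts(transactions):
    """Return (card, timestamp, merchant) for every charge that pushes a
    card over MAX_IN_WINDOW charges inside WINDOW."""
    recent = defaultdict(deque)          # card -> timestamps still in window
    alerts = []
    for card, ts, merchant, amount in sorted(transactions, key=lambda t: t[1]):
        q = recent[card]
        while q and ts - q[0] > WINDOW:  # drop charges that aged out
            q.popleft()
        q.append(ts)
        if len(q) > MAX_IN_WINDOW:
            alerts.append((card, ts, merchant))
    return alerts

def sample_transactions():
    """Constructed data: card A pays for seven fill-ups back to back at one
    station; card B makes six purchases spread across about two hours."""
    start = datetime(2008, 7, 14, 18, 0)
    burst = [("A", start + timedelta(minutes=2 * i), "station-1", 40.0)
             for i in range(7)]
    spread = [("B", start + timedelta(minutes=20 * i), f"station-{i + 1}", 5.0)
              for i in range(6)]
    return burst + spread

if __name__ == "__main__":
    for card, ts, merchant in flag_bursts(sample_transactions()):
        print(f"ALERT card={card} time={ts:%H:%M} merchant={merchant}")
```

Card A trips the rule on its fifth, sixth and seventh charge; card B never does, which is the coverage gap a rate rule alone leaves and why it is usually paired with other signals.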
Dumpshock Forums © 2001-2012