some ideas from Corona Virus "Stay at Home" order

Fairlight fairlite at fairlite.com
Mon Mar 23 15:40:49 PDT 2020 

And in the 'totally missing the point' territory...

No, theoretically, in an ideal system, the CA's cert can't be forged.

Irrelevant.

Comodo certifiies a -lot of SSL certificates, and the chain of trust goes
straight up to their root certificate.  So -what-?  Anyone can get their
stuff covered under a certificate.  And by 'stuff', I mean it could be
anything, including pirated software, ITAR-restricted code, treasonous
document leaks...name it.

Case in point, Wikileaks' site defaults to encrypted, which means someone
along the chain of trust is theoretically on the hook for it, even though
they had no hand in the payload, and can't vouch for the legitimacy of the
documents.  The payload being 'hardened' doesn't -at all- legitimise the
contents.

Certifying something after-the-fact is patently useless.  This is why
they invented notaries public.  Even -that- is only as good as their
word, and actually means squat, if you can find an unscrupulous one.

The only way this gets solved is a methodology which creates a
temperproof record of the information at the time of creation of the
actual payload.

You would literally need to have something like...Samsung's camera app
creating a digitally signed block within the metadata, which also
contains the checksum of the entire image/metadata set.  It would have
to be signed with -their- private key.  Oh, but wait...that requires the
private key to be stored on your phone.  Well that's a -problem-.  I can
think of a few solutions which would let it work via an API at creation,
but they're all subject to being cracked, because you're introducing
fault points at every necessary interaction between systems.

The only way I see this working affordably -and- securely is if the system
relies upon something like an iLok or eLicenser type dongle, and the dongle
becomes literally part of the processing chain, and the software literally
cannot operate without code that is only available via that dongle.  I'm
talking algorithmic executable code, not just a key or something.  Same way
Cubase is locked down since version 5, I believe.

It's nothing your ordinary consumer is going to be willing to put up
with.  You should hear the moaning in Cubase circles about the
eLicenser dongles.  :b~~~

m->


On Mon, Mar 23, 2020 at 02:50:51PM -0700, Bob Rasmussen thus spoke:
> The premise of a certificate from a certificate authority is that it can not
> be forged.
> 
> On Mon, 23 Mar 2020, Fairlight via Filepro-list wrote:
> 
> > I don't see how that hardens it.  If you forge someone's signature, then
> > lock the document you just signed their name to in a safe, it doesn't
> > make the document any more valid.
> > 
> > Until/unless they implement something like blockchain for photos, it's
> > going to be an issue of trustworthiness.
> > 
> > m->
> > 
> > 
> > On Mon, Mar 23, 2020 at 01:43:42PM -0700, Bob Rasmussen via Filepro-list thus spoke:
> > > Insurance photos is something I have thought about. Maybe for damage to a
> > > car.  Maybe before and after photos. Meaning you might need to verify
> > > geolocation and also date/time the photo was taken. Maybe even the direction
> > > the camera was pointing.
> > > 
> > > To "harden" the proof, you could embed the JPG photo (containing the GEOTAG,
> > > etc.) inside a PDF, which can then be certified (tied to a certificated
> > > individidual, tied to a validated date/time clock, encrypted, and password
> > > protected. When a certificate is applied to a PDF, that process hashes the
> > > entire PDF, so that contents within can not be changed. I think this could
> > > prove when and where the the picture was taken. I'm not sure what the
> > > mechanism could be for validating the date/time clock.
> > > 
> > > On Mon, 23 Mar 2020, Bruce Easton via Filepro-list wrote:
> > > 
> > > > One might be extracting that info from photos for insurance purposes
> > > > (i.e, homeowner's).  I think underwriters want to store the geotagging
> > > > info and not just store info like "more than five miles from the
> > > > ocean".  (Of course, I would think that info would be more readily
> > > > available from something other than a photo.)
> > > > 
> > > > On 3/23/20 1:41 PM, Bob Rasmussen via Filepro-list wrote:
> > > > > On the topic of GPS coordinates: what use case can you think of for
> > > > > this? I've been aware of geotagging (an dother EXIF data) in photos
> > > > > and videos for years, and have written code to extract that data
> > > > > from the files, but have not come up with many use cases. Ideas?
> > > > > 
> > > > > On Mon, 23 Mar 2020, Richard D. Williams via Filepro-list wrote:
> > > > > 
> > > > > > Sometimes I think of some neat things I've done over the years
> > > > > > and just feel like sharing.
> > > > > > 
> > > > > > Here are a few: (linux OS)
> > > > > > 
> > > > > > Merge PDFs into a single new PDF:
> > > > > > /usr/bin/gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite
> > > > > > -sOutputFile=file_new.pdf file1.pdf file2.pdf
> > > > > > 
> > > > > > Extract Pages from a PDF:
> > > > > > i.e. page 1-4
> > > > > > /usr/bin/gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -dFirstPage=1
> > > > > > -dLastPage=4 -sOutputFile=file_new.pdf file1.pdf
> > > > > > 
> > > > > > Extract Pages from page # to end:
> > > > > > /usr/bin/gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -dFirstPage=2
> > > > > > -sOutputFile=file_new.pdf file1.pdf
> > > > > > 
> > > > > > Get the numbers of pages in a PDF:
> > > > > > /usr/bin/pdfinfo file1.pdf | grep "Pages:" | sed s/"Pages:"//g |
> > > > > > sed s/" "//g
> > > > > > i.e.
> > > > > > 8
> > > > > > 
> > > > > > Get the Lat/Long from a JPG image:
> > > > > > exiftool -n -gpslatitude -gpslongitude file2.JPG
> > > > > > i.e.
> > > > > > GPS Latitude                    : 31.4998652777778
> > > > > > GPS Longitude                   : -100.448014444444
> > > > > > 
> > > > > > I hope someone finds this useful.
> > > > > > 
> > > > > > Be safe out there,
> > > > > > 
> > > > > > Richard D. Williams
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > --
> > > > > > This email has been checked for viruses by AVG.
> > > > > > https://www.avg.com
> > > > > > -------------- next part --------------
> > > > > > An HTML attachment was scrubbed...
> > > > > > URL: <http://mailman.celestial.com/pipermail/filepro-list/attachments/20200323/3ebd008c/attachment.html>
> > > > > > _______________________________________________
> > > > > > Filepro-list mailing list
> > > > > > Filepro-list at lists.celestial.com
> > > > > > Subscribe/Unsubscribe/Subscription Changes
> > > > > > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > > > > > 
> > > > > 
> > > > > Regards,
> > > > > ....Bob Rasmussen,   President,   Rasmussen Software, Inc.
> > > > > 
> > > > > personal e-mail: ras at anzio.com
> > > > >  company e-mail: rsi at anzio.com
> > > > >           voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
> > > > >             fax: (US) 503-624-0760
> > > > >             web: http://www.anzio.com
> > > > >  street address: Rasmussen Software, Inc.
> > > > >                  10240 SW Nimbus, Suite L9
> > > > >                  Portland, OR  97223  USA
> > > > > _______________________________________________
> > > > > Filepro-list mailing list
> > > > > Filepro-list at lists.celestial.com
> > > > > Subscribe/Unsubscribe/Subscription Changes
> > > > > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > > > 
> > > > 
> > > > _______________________________________________
> > > > Filepro-list mailing list
> > > > Filepro-list at lists.celestial.com
> > > > Subscribe/Unsubscribe/Subscription Changes
> > > > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > > > 
> > > 
> > > Regards,
> > > ....Bob Rasmussen,   President,   Rasmussen Software, Inc.
> > > 
> > > personal e-mail: ras at anzio.com
> > >  company e-mail: rsi at anzio.com
> > >           voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
> > >             fax: (US) 503-624-0760
> > >             web: http://www.anzio.com
> > >  street address: Rasmussen Software, Inc.
> > >                  10240 SW Nimbus, Suite L9
> > >                  Portland, OR  97223  USA
> > > _______________________________________________
> > > Filepro-list mailing list
> > > Filepro-list at lists.celestial.com
> > > Subscribe/Unsubscribe/Subscription Changes
> > > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > > 
> > 
> > -- 
> > Audio panton, cogito singularis.
> > _______________________________________________
> > Filepro-list mailing list
> > Filepro-list at lists.celestial.com
> > Subscribe/Unsubscribe/Subscription Changes
> > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > 
> 
> Regards,
> ....Bob Rasmussen,   President,   Rasmussen Software, Inc.
> 
> personal e-mail: ras at anzio.com
>  company e-mail: rsi at anzio.com
>           voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
>             fax: (US) 503-624-0760
>             web: http://www.anzio.com
>  street address: Rasmussen Software, Inc.
>                  10240 SW Nimbus, Suite L9
>                  Portland, OR  97223  USA


-- 
Audio panton, cogito singularis.

More information about the Filepro-list mailing list