Your honest opinion...

robokoder
Forum Newbie
Posts: 13
Joined: Wed Jan 04, 2006 9:23 am
Location: London, UK

Post by robokoder »

I've spent the past week or so perfecting a 'string transformation project'- e.n.c.o.d.e

Basically, I'm opening it to the public for around 24 hours (user and pass 'tester') and I'd really like to know what you think.

It's at http://encode.fusionnx.com

Let me know what you think by replying, PMing or emailing robokoder@gmail.com

Thanks!
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Well, a definition of what transformation is being applied would be helpful. The site simply says it "transforms" an input. Is it a two-way, one-way, encryption, encipher, encoding, ...

What does it do, and why would it be interesting to me?
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

It *sometimes* screws up on question marks, reports them as 'qf' in reverse-transformation. I can't test it further because someone ( :x ) put time limits on this script.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

So it takes a string and transforms it into a different string .. and it puts so much strain on the server you need to restrict its use? WTF? If that restriction isn't some silly gimmick then you must have written this thing really, really badly.
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

I noticed that if you transform upper case letters, they come lower case.

It was probably intended that way but some users may require their string to have upper case letters.
robokoder
Forum Newbie
Posts: 13
Joined: Wed Jan 04, 2006 9:23 am
Location: London, UK

Post by robokoder »

It's not perfect, but I reckon it serves most of its purposes.

Just to deal with the point about time restriction- if you knew my host (supanames), you'd understand my need to be careful. They stopped my ENTIRE site when too many people used a php script, and the transformation process has quite a lot of steps, and is easily about as complex as the other script. Much as I like this project, I can't let it interfere with other operations I run.

When I first devised it, it only used lower-case letters. When I decided to add support for upper-case letters, it was simply impossible to change the entire fundamental base of the script. That's why it makes them lower-case. About punctuation- again that's a new addition, and my idea was to replace all punctuation with a code beginning in 'qf' (replacing them in the final stage of the detransformation). I am aware that question marks can screw up and I am trying to fix that problem

Granted, there's not a whole load of need, but I made it for three reasons:

1. For friends, most of whom would look at me blankly if I talked in any way as to how to encrypt/decrypt stuff with different php functions (or any other systems for that matter- Basically none of them know what php even is). This site allows them to disguise email messages, for example, from our network's automatic content filtering. It's about privacy.

2. My thinking is, if nobody knows the algorithm, how can they crack it?! Once I've finished working on allowing people to encrypt with specific keys, I'm pretty sure that the transformed string will be pretty secure, even from brute-forcing. (Due to the fact that queries are restricted to one per 2 mins)

3. The heck of it. It's pretty satisfying to have made a function yourself that takes a regular string (with punctuation and spaces) and returns it as complete nonsense. Then when the detransformer returns the original string from the nonsense, that brought a smile to my face lol!

Incidentally, the reason it's not labelled as an encryption project is due to possible legal issues
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

btw, brute forcers can use proxies to avoid the 2 minute wait.
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

What does it do? :P
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

robokoder wrote:Just to deal with the point about time restriction- if you knew my host (supanames), you'd understand my need to be careful. They stopped my ENTIRE site when too many people used a php script, and the transformation process has quite a lot of steps, and is easily about as complex as the other script. Much as I like this project, I can't let it interfere with other operations I run.
There are plenty of algorithms that can be run in a single step that are sufficiently secure for most purposes. Further, if your host has that behavior, I'd change hosts. Running a script shouldn't have that much impact, and if it does, then you coded it poorly, or you shouldn't make it available to the world.
robokoder wrote:1. For friends, most of whom would look at me blankly if I talked in any way as to how to encrypt/decrypt stuff with different php functions (or any other systems for that matter- Basically none of them know what php even is). This site allows them to disguise email messages, for example, from our network's automatic content filtering. It's about privacy.
That privacy requires trust - they have to trust that your site doesn't log input to it.

Or as the cryptography faq says: "If the vendor won't tell you exactly and clearly
what's going on inside, you can be sure that they're hiding something, and
that the only one to suffer as a result will be you, the customer"
robokoder wrote:2. My thinking is, if nobody knows the algorithm, how can they crack it?! Once I've finished working on allowing people to encrypt with specific keys, I'm pretty sure that the transformed string will be pretty secure, even from brute-forcing. (Due to the fact that queries are restricted to one per 2 mins)
Again, from the crypto faq:
CryptoFaq wrote:Avoid software which uses secret algorithms. This is not considered a safe
means of protecting data. If the vendor isn't confident that its encryption
method can withstand scrutiny, then you should be wary of trusting it.

A common excuse for not disclosing an algorithm is that ``hackers might try
to crack the program's security.'' While this may be a valid concern, it
should be noted that such ``hackers'' can reverse-engineer the program to
see how it works anyway. This is not a problem if the algorithm is strong
and the program is implemented properly.
robokoder wrote:Incidentally, the reason it's not labelled as an encryption project is due to possible legal issues
Such as?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

If I wanted to do my friends such a favor I'd redirect them to something as http://www.pgpi.org/.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

robokoder wrote:It's not perfect, but I reckon it serves most of its purposes.

Just to deal with the point about time restriction- if you knew my host (supanames), you'd understand my need to be careful. They stopped my ENTIRE site when too many people used a php script, and the transformation process has quite a lot of steps, and is easily about as complex as the other script. Much as I like this project, I can't let it interfere with other operations I run.

When I first devised it, it only used lower-case letters. When I decided to add support for upper-case letters, it was simply impossible to change the entire fundamental base of the script. That's why it makes them lower-case. About punctuation- again that's a new addition, and my idea was to replace all punctuation with a code beginning in 'qf' (replacing them in the final stage of the detransformation). I am aware that question marks can screw up and I am trying to fix that problem

Granted, there's not a whole load of need, but I made it for three reasons:

1. For friends, most of whom would look at me blankly if I talked in any way as to how to encrypt/decrypt stuff with different php functions (or any other systems for that matter- Basically none of them know what php even is). This site allows them to disguise email messages, for example, from our network's automatic content filtering. It's about privacy.

2. My thinking is, if nobody knows the algorithm, how can they crack it?! Once I've finished working on allowing people to encrypt with specific keys, I'm pretty sure that the transformed string will be pretty secure, even from brute-forcing. (Due to the fact that queries are restricted to one per 2 mins)

3. The heck of it. It's pretty satisfying to have made a function yourself that takes a regular string (with punctuation and spaces) and returns it as complete nonsense. Then when the detransformer returns the original string from the nonsense, that brought a smile to my face lol!

Incidentally, the reason it's not labelled as an encryption project is due to possible legal issues
Security through obscurity.... :P

Unfortunately...cryptanalysts are usually amazing problem solvers and excellent at recognizing patterns...

Therefore it doesn't matter if your algorithm is unknown...by feeding your engine known strings and having returned encoded strings and vice versa is likely enough for a professional to figure out your algorithm and find loopholes...etc...

Other than for pure introduction into the world of cryptography, I doubt your algorithm is viable for anything more than shoots and giggles :)

Cheers :)
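
The point above about feeding the engine known strings, as an added example that is not part of the thread: `secret_transform` is a constructed stand-in (the site's real algorithm is not on this page), and the analysis only ever calls it as a black box. It assumes a keyless transform whose output symbol depends only on the input symbol and its position; all names are hypothetical.

```python
import string

ALPHABET = string.ascii_lowercase + " "

def secret_transform(text):
    """Constructed stand-in for an unpublished, keyless transform (not the
    site's algorithm): lower-case, then substitute each character through a
    fixed table whose offset depends on its position."""
    table = "qwertyuiopasdfghjklzxcvbnm_"  # fixed "secret" permutation
    return "".join(
        table[(ALPHABET.index(ch) + 3 * i) % len(ALPHABET)]
        for i, ch in enumerate(text.lower())
    )

class Oracle:
    """Wraps the transform the way a public encode form exposes it and
    counts how many submissions were made."""
    def __init__(self, fn):
        self.fn = fn
        self.queries = 0

    def __call__(self, text):
        self.queries += 1
        return self.fn(text)

def recover_tables(oracle, length):
    """Submit each symbol repeated `length` times; for every position,
    record which input symbol produced which output symbol."""
    inverse = [{} for _ in range(length)]
    for sym in ALPHABET:
        for pos, out in enumerate(oracle(sym * length)):
            inverse[pos][out] = sym
    return inverse

def decode(inverse, ciphertext):
    """Invert a captured output using only the recovered tables."""
    return "".join(inverse[pos][ch] for pos, ch in enumerate(ciphertext))

def demo():
    captured = secret_transform("Meet me at noon")  # constructed message
    oracle = Oracle(secret_transform)
    inverse = recover_tables(oracle, len(captured))
    return decode(inverse, captured), oracle.queries

if __name__ == "__main__":
    print(demo())
```

The message comes back (lower-cased, as the transform discards case) after one submission per alphabet symbol, so a per-query delay stretches the work without changing the outcome. With no key involved, the recovered tables apply to every other message the same transform produces.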
robokoder
Forum Newbie
Posts: 13
Joined: Wed Jan 04, 2006 9:23 am
Location: London, UK

Post by robokoder »

mickd wrote:btw, brute forcers can use proxies to avoid the 2 minute wait.
I've implemented protections against web proxies- tell me if you find one that works, 'cos you should get an error.
Roja wrote:robokoder wrote:
Incidentally, the reason it's not labelled as an encryption project is due to possible legal issues

Such as?
Something to do with suggesting that it is a safe way of disguising data- this is not an encryption standard
Roja wrote:robokoder wrote:
Just to deal with the point about time restriction- if you knew my host (supanames), you'd understand my need to be careful. They stopped my ENTIRE site when too many people used a php script, and the transformation process has quite a lot of steps, and is easily about as complex as the other script. Much as I like this project, I can't let it interfere with other operations I run.

There are plenty of algorithms that can be run in a single step that are sufficiently secure for most purposes. Further, if your host has that behavior, I'd change hosts. Running a script shouldn't have that much impact, and if it does, then you coded it poorly, or you shouldn't make it available to the world.
I am stuck with them until September
Roja wrote:robokoder wrote:
1. For friends, most of whom would look at me blankly if I talked in any way as to how to encrypt/decrypt stuff with different php functions (or any other systems for that matter- Basically none of them know what php even is). This site allows them to disguise email messages, for example, from our network's automatic content filtering. It's about privacy.

That privacy requires trust - they have to trust that your site doesn't log input to it.

Or as the cryptography faq says: "If the vendor won't tell you exactly and clearly
what's going on inside, you can be sure that they're hiding something, and
that the only one to suffer as a result will be you, the customer"
Sommat to do with them being my friends- trust is kinda implied.

Also, remember that I've yet to build in support for keys, so releasing the algorithm would be kinda pointless, seeing as it's the only thing that keeps the messages private

Finally, I'd like to challenge anybody and everybody to try and crack my algorithm, short of hacking into the site and stealing it. I strongly doubt anyone will manage!
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

robokoder wrote:Finally, I'd like to challenge anybody and everybody to try and crack my algorithm, short of hacking into the site and stealing it. I strongly doubt anyone will manage!
You asked for honest opinions, and you got them.

A "Secret" algorithm isn't trustable, isn't secure, and doesn't secure anything, except your ability to access the data of the people submitting it.

Your challenge doesn't stand up - if you want a secure algorithm, release it for public scrutiny. Crypto algorithms don't get challenged behind a time-locked, ip-locked, limited site. They get challenged by having math PhDs pore over the delicate interactions of the bits to ensure that you didn't make any errors, anywhere in your implementation.

Congratulations on making a site that does what you want. However, it falls far short of what people would want to use it for.