Posted on 12/25/2017 8:36:44 PM PST by bitt
Two ways. Someone hacks your PC and obtains your private key and masquerades as you. I haven't heard of that happening mainly because the private key is encrypted and only decrypted by the application using it (e.g. the email client) upon your approval (you get a dialog asking for use of the private key.
Second possibility is ID theft via a certificate request. Instead of you creating a private key in your browser and sending the cert request to be signed, someone else generates a private and cert request pretending to be you. The way we get around it at work is that the new cert request corresponding to the new private key is signed with the prior private key which only you have access to. There's an initial problem of vouching for a new employee, but there are out-of-band ways to verify identity.
The registration problem is quite common across all ID systems. For example, how to you verify who someone is when they sign up as a voter (never mind looking for duplicates, checking for citizenship, etc). It's very easy to check IDs when someone votes and then look them up on the voter list. It's very hard to make an accurate list.
They have it all, Palmer.
Exactly. Not exactly money laundering, but a semi-sneaky way to bribe McCabe and his cohorts to sabotage Trump and assist PIAPS. They are disgusting PsOS.
“What if they had private e-mail that they used for the ugly stuff?”
Why wouldn’t they have private emails? We’ve heard of so many others who did. Wasn’t it Loretta Lynch who had one using an alias? I figure they all did.
As far as logging in, it doesn't matter if they require a domain login or not (I decided not to use domain login since I didn't need it). That's because the stores with the private keys are protected with a user's master key that the domain admins cannot access.
On government networks that I am familiar with, they use almost all Windows and domain logins with double encryption of the master key. Here's a doc explaining the implications: https://eca.orc.com/wp-content/uploads/ECA_Docs/IE_Instructions/Password_Tips.pdf Read "Seventh".
Good explanation. I may start a separate thread to discuss these matters more fully because there is now an ongoing heist of historic proportions by white-collar crooks connected to Wall St. trading of certain securities.
They use individual investor’s electronic signatures and identities to form bonds of our collateral, all done without the knowledge of the affected investor, taking profits, earnings. proceeds, insurances, credits, and tax credits, most going to offshore tax shelters leaving the unwitting victims exposed to debt and taxes. But they defer taxes for as long as they are accumulating, then stick it to the targeted victims in a timed process to keep the process from generating headlines and causing a general pattern of theft from being uncovered.
Uninformed consent and unjust enrichment lie at the base of this heist now into the trillions.
You’ve never heard of this. It is to say an enormous scandal that is quite complex.
But there is remedy, which is digital in nature. Everything is going digital, as you well know, but the digital evolution has brought a virtual world of ‘our digital identities’ operating in a virtual world we don’t see.
There are now millions of people invested all over the place and they don’t even know it. Their 401ks are compromised.
The remedy has to do with PKI Public/Private Keys in a government regulatory setting. In the context of this great crime, the victims are suddenly stuck with enormous debt that they had no knowledge existed. Public Keys are used for transferring the debt to the unknowing victims. With Private Keys, the credit side, which is enormous, lays hidden. But there are pathways to reveal that side and lay claim to it.
When we are debtors, our government is against us. When we are creditors, the government, for example, Treasury and IRS, are our best friends. They will work with us, right alongside us.
You will hear more about this in 2018. The news of it will dominate unless there is a war that supplants it. But this scandal. in and of itself, may cause a war. When you hear rumblings of 401ks at risk, you will know it’s coming.
The remedy will be in people managing both their Public and Private Digital Keys. They will need education and help. Your knowledge of digital keys will increase your value even if you’re not experienced in the context of what I’m writing about here. Once you see it, you will get it.
Our digitally evolving world is bringing huge risks never seen before. You and others like you are in the hot seats of what will be unfolding as most of the public is clueless. This scandal that I’ve only alluded to, is so enormous that it leaves all other scandals as secondary, but it lays hidden and incomprehensible for now. It is complex which creates a barrier to its dissemination. The criminals behind it are having a field day with their perfect crime. They have become so rich and so emboldened that they have contracted attorney firms globally to do their bidding. My group has a plan to take these law firms down by taking back the virtual base they control causing claims so large on their malpractice insurance, that they will be uninsurable and thus unable to practice. They will also be stuck with a tax bill so large they will never be able to get out from under it.
The criminals at the top of this ring are like a group of Al Capone’s on steroids. They are digitally savvy or have underlings that are. That’s all I’ll say for now.
The public key is also used to verify that you signed something with your private key. That's a completely separate function. The act of signing with a private key is an acknowledgement that you "manage" that key. There's where the ID theft scenarios may come into play. Someone else may pretend to be you and manage a bogus private key with a corresponding bogus public key. Or someone else may steal your private key and use it to sign transactions to their benefit verified by your good public key.
One way to think about the signing/verification case is to consider cryptocurrency (CC). There is no encryption and decryption with CC, only signing and verification. You use your "managed" private key to sign a transaction. The transaction includes your public key so that the CC miners can verify that your private key was used to sign it. If you don't manage your private key properly, then someone else can use it to sign a transaction to their benefit.
PKI is almost certainly the "remedy" to ID theft problems, but it has languished for over 20 years due mostly to complexity. The biggest problem is registration as I just discussed above and the complexity that comes with certification signing and revocation. X.509 is a terrible mess and has been for over 20 years.
But now we have CC and blockchain and the X.509 signing and revocation can be replaced by immutable transactions on the blockchain. That is the one thing that makes blockchain valuable, nothing more and nothing less.
> “ Or someone else may steal your private key and use it to sign transactions to their benefit verified by your good public key.”
Yes, that’s what is happening on a very large scale without victims knowing anything about it.
> “If you don’t manage your private key properly, then someone else can use it to sign a transaction to their benefit.”
Exactly, most people today are clueless. They haven’t any idea what a digital key is, public or private. Even if they start to wake up to the existence of such digital objects and processes, they have no clue as to how to manage it. Hence, society is about to get schooled on a whole new thing, a paradigm shift is in the works.
The people that are behind the current crime are killers. Have to be very careful to lay low when moving against them. Similar to the Al Capone crime syndicate from a century ago, they control judges, some law enforcement, investment bankers, hedge funds, and offshore banks.
The scheme works digitally. A simplified description is that of signing up an investor to a hypothecation agreement using electronic signatures, electronic records, using the identity and signature to create a digital Power of Attorney that bars the investor from seeing the private side (firewall) and using the investor’s private digital keys hundreds of times over in different investment vehicles. In a sense, a person, their corporate person becomes a fractionalized digital entity that is abused.
Traceability is not through contract or agreement assignments and transfers. The handoffs are abusively executed via the USPTO via copyright and trademark assignments. That way others in the scheme gain rights to the systems using the identities of pooled investors. It’s identity theft done inside the esoteric world of investment bond issuance processes. One thing they do is to sell the investors into Treasury strips hundreds of times over creating a huge Ponzi scheme. By using strips, no payment stream of interest is due, only the face value at maturity.
All of this scheme is supported by the illicit use of digital private keys. Investors including 401k account holders are going to have to learn to reclaim the PKI private digital keys that were stolen from them, then repudiate all others holding those private keys and to remove all POAs to see what has been done in their names. Finally, they will need to collapse the tax shelters containing the assets in their names that they previously had no knowledge of. They do this by following certain IRS procedures. The IRS will then work with them (because they are now a secured creditor) to recover taxes that were not paid because of tax evasion.
If a 401k account holder uses an investment fund by proxy (as many do), the investment advisor may not be in on the crime but the information flow can at some point in the chain get in the digital world of those that work this scheme.
You should really learn about end-to-end encryption. There is no private key (or symmetric key) "management". That is an 90's concept that was pushed by the statist government and corporations, but it failed miserably when PGP and similar tools came out. Private keys are stored encrypted on people's computers only.
The only possible way you can be correct is if administrators get a network backup and then crack a user's master key that is used to encrypt the private keys. You mentioned it and I considered it, but dismissed it, mainly because I decline to use the company backup (encouraged, but not required at my company). Now that you have dropped that idea and gone back to "key management" which you clearly don't understand, I know my private key is safe from your FUD. My email cannot be decrypted by anyone other than my recipients and myself.
It's been around for decades: https://en.wikipedia.org/wiki/S/MIME and I have not only used it for two decades, but I have worked on related software. It encrypts end-to-end, can only be decrypted with private keys of the recipients or sender. My email cannot be read by anyone else in the middle or in storage on the company server.
I've established power of attorney with a small bank in another state and that required faxed signatures, phone calls, more faxed identity documents, etc. Very difficult for me to fake an identity and do that. But that's a small local bank who actually cares about their customers. I can see how what I did might be possible on an industrial scale with giant banks that don't give a crap. But I don't know how the rest of what you are describing works.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.