ABX Comparator

Hello, and sorry for my bad English.

Recently I uploaded my ABX logs to one of the forums.
But people still don't trust me, because the log is a simple text file with no signature and could be rewritten manually.

And I wonder, is there any ABX Comparator (that works on Windows) which can sign the ABX results log and then verify it?

Reply #1
It's probably not worth it as the sort of people that aren't believing you will say you forged any signatures anyways. Some people just don't want to believe

Reply #2
Even if you can write signatures confirming the results claimed in the log, you can still cheat by repeating the whole test until you get the results you want.

Reply #3
It's probably not worth it as the sort of people that aren't believing you will say you forged any signatures anyways. Some people just don't want to believe


So then we can say that logs aren't needed too. If people trust you.
The rules of this forum say that an ABX log is necessary. But what sense does it make, when it can be forged in a couple of seconds?

Other options of fraud are much less likely.

We must understand that when a dispute arises between people, we need as much hard evidence as possible, and plain text is not the best way out here.

Reply #4
An ABX log provides a starting point for the reproducibility of the results. It's a call to action that says "Hey guys, I measured this. You give it a try as well and see what you find."

Also, don't post an ABX log without providing samples of the audio you used (if necessary), the properties of those samples, and if relevant, the conditions under which you conducted the experiment. If you don't, it's indeed exactly as pointless as just claiming you hear a difference.

And yes, you can forge the audio samples as well and lie about your experiment, but it's a lot more work, and the more reputable, experienced members of this forum are more likely to see through the deception.

Reply #5
It's probably not worth it as the sort of people that aren't believing you will say you forged any signatures anyways. Some people just don't want to believe

How can you forge PGP signatures?


Reply #7
A major purpose of posting ABX logs is that so many newcomers don't understand their results, so it gives us an opportunity to enlighten them.

Reply #8
But what about the case when I need to prove that I really hear the difference?

Note that not everyone would think of using such options of fraud as connecting an oscilloscope to the soundcard's output, forging PGP signatures, and other tricks. But anyone can rewrite a txt file.

So if we introduce the ability to add a signature, we'll achieve a significant reduction in the probability of log forging.

It is not too difficult, but effective. I think we should do it.

Reply #9
It's probably not worth it as the sort of people that aren't believing you will say you forged any signatures anyways. Some people just don't want to believe

How can you forge PGP signatures?


Because the private key will have to be embedded into the application and therefore is extractable.

The test can be client-server (i.e., via web), store private key on server.


Reply #11
The test can be client-server (i.e., via web), store private key on server.


Great, now the key is on the server, which will happily sign anything that looks like an ABX result.

Reply #12
The test can be client-server (i.e., via web), store private key on server.


Great, now the key is on the server, which will happily sign anything that looks like an ABX result.

Client sends your answers to the server, server processes the answers and generates a PGP'ed result. Nothing wrong.

Reply #13
How does the server know that what it signs is valid? A modified client can send fake results and it will happily sign them.

Reply #14
{
Server sends audio to client and asks: is it A or is it B?;
Client: sends answer to server:  it's A.
Server: check if it's correct.
} repeat until n
Server generates report.
Server signs report.
Server sends signed report.

Reply #15
{
Server sends audio to client and asks: is it A or is it B?;
FakeClient: detect if audio is identical to last received audio (trivial), display result, send answer to server.
Server: check if it's correct.
} repeat until n
Server generates report.
Server signs report.
Server sends signed report.
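
The exchange in Replies #14 and #15, as an added example that is not part of the original posts: the server scores and signs the session, an edited report fails verification, yet a client that only compares bytes still earns a valid signed perfect score. Assumptions: HMAC-SHA256 with a server-only key stands in for the PGP signature, the client receives A, B and X on every trial, and the byte strings are constructed stand-ins for audio.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC-SHA256 with a server-only key stands in for the PGP
# signature discussed in the thread (the standard library has no PGP).
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample data: two byte strings stand in for audio files A and B.
SAMPLE_A = b"RIFF-constructed-sample-A"
SAMPLE_B = b"RIFF-constructed-sample-B"


def sign(report: dict) -> str:
    """Sign a canonical JSON encoding of the report."""
    body = json.dumps(report, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def verify(report: dict, signature: str) -> bool:
    """True only if the report is byte-for-byte what the server signed."""
    return hmac.compare_digest(sign(report), signature)


def run_session(client, trials: int = 16):
    """Server side of Reply #14: pick X in secret, score each answer, sign."""
    correct = 0
    for _ in range(trials):
        truth = secrets.choice("AB")
        x = SAMPLE_A if truth == "A" else SAMPLE_B
        if client(SAMPLE_A, SAMPLE_B, x) == truth:
            correct += 1
    report = {"trials": trials, "correct": correct}
    return report, sign(report)


def guessing_client(a: bytes, b: bytes, x: bytes) -> str:
    """A listener who hears no difference and guesses."""
    return secrets.choice("AB")


def comparing_client(a: bytes, b: bytes, x: bytes) -> str:
    """Reply #15's client: never listens, only compares the received bytes."""
    return "A" if x == a else "B"
```

The signature binds the report to the server's key and detects later edits; it carries no information about how the answers were produced.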

Reply #16
Here, you are not talking about signing robustness or possible use in this case. My reply was about that.
Now you are talking about another issue. Even if you use your fake client, you still don't know if it is A or B.
Last but not least. As the OP stated, it's trivial to edit a text file (thing which prevents pgp), but it's not that trivial to develop a fake client.

Reply #17
Your proposed client/server solution does not add any security over an embedded key. The whole extra effort to have a server running 24/7 is pointless.

In my experience, faking a simple protocol would even be easier than extracting a key, when it is implemented with some thought.

Reply #18
-The server doesn't need to be 24/7, it doesn't even need to be web. Client can run on the OP's computer and server on the other guy's computer.
Your proposed client/server solution does not add any security over an embedded key.

I've never stated that my solution adds security over an embedded key.
I only said that a PGP signature (if the private key is secure, i.e. in a secure server) is not possible to forge. You were the one saying it was not true and showing you don't understand how private/public key encryption or client/server apps work.



Reply #19
-The server doesn't need to be 24/7, it doesn't even need to be web. Client can run on the OP's computer and server on the other guy's computer.


It doesn't matter where or how long it runs if there is no benefit.

I've never stated that my solution adds security over an embedded key.


So it was senseless to mention it?

I only said that a PGP signature (if the private key is secure, i.e. in a secure server) is not possible to forge.


The challenge in cryptography isn't getting it right in theory, where sufficiently long private keys are expected (not proven) to be unrecoverable from public keys or signatures, but actual implementation. Over 99.9% of all breaches happen because of flaws wrt the latter. The solution, that you have proposed to prevent forgery by key extraction, does in practice allow forged signatures, and even quite easily.

You were the one saying it was not true and showing you don't understand how private/public key encryption or client/server apps work


Please, read the thread again, and if you then still have an intense feeling of having been right the whole time - much louder than a few little snippets of reason that may (hopefully) have passed your mind briefly - please let me know, so that I don't waste my time on you again.

Reply #20
With all due respect to the OP, this proposal is not only unnecessary, it's also possibly counterproductive.

Whatever someone claims to have 'proven' with his 'evidence' ought to be less significant than you having the ability to repeat the test and decide for yourself. That's how scientific progress is made. In any field of inquiry.

What's important is that the claimant provides the samples and methodology used so that the claim can be independently verified.
