 All right, folks, you survived the midterm, or at least some of you have, physically, but I don't know if it's not great yet, so we'll wait on deciding on that. Okay, so before we get started on the next part we're gonna talk about, which is network security, I wanted to get your rooms opinion what you thought about the public trust part of the third assignment. So it's the first time I've ever tried something like that of making adversarial components to this to try to get you to scan each other, so, and I think it definitely has pros and cons, so I'd like to hear your feedback on how it can be better depending on the future or what you thought about this. So if you don't want to share your opinion in front of the class, that's totally fine. If you want to send me an email, I'm really happy to get that feedback so I can kind of improve this or find this for next year or so, or next semester or whatever this is talking about. And one thing was when I got my adversarial key the name on it was like a woman's name, and then I heard some people that are like a woman they got a name and I thought it'd be like better maybe if we got like the same gender name so it wouldn't be so obvious because if I try to like give people to sign my adversarial key then see like it's like it'd be pretty obvious like Natalie Russell is like obviously not my name it's like the woman's name, so. I mean it feels, it just feels a little bit odd and fair maybe, I don't know. Just how interesting. That's like a 50-50 chance of which gender you got I think, at least name-less. Yeah. Hey, this is a comment. I also felt like it was sort of an unfair. I thought the common name you could probably have that made it a little unfair too, but. Yeah, I thought about throwing initial names in there to throw you guys off. I didn't mean that, but. 
I actually thought what would be kind of a cool idea in the future is, you said the adversarial part really had a gender-like role in terms of what we could do so I thought I'd just try and bring a valid key that you saw. The key part I guess is, at least from my perspective, the idea is I want to encourage people to be careful when signing keys, right? So the default action if you just sign anything that anybody gives you that's not really doing the assignment, right? And actually like understanding and verifying I definitely understand that. I feel like it would have been really different and you really would have had to pay attention. Instead of creating a whole different name with the same exact name but with an additional character. That way you actually had to check and see if I type this name into the student registry that name doesn't pop up and I can't trust it. Or if it's just close enough I feel like that was one of the hard things too. It's trying to identify someone against the registry and they may be in a completely different even majors. I don't know if they're in IT but they're taking this. So how do you verify that yes they're in the class unless you actually have the time to shake them down and get their ID. Yeah that's also another tricky thing. I mean some people aren't open in this class but in general, right, so the name like one of my PhD students, the ASU name is not their actual name. So their documents actually say a different name. It's very similar you could easily tell why but yeah and I don't know so I actually don't know where these ASU names come from. I just have the information that's given to me on the course the thing that tells me on my ASU that says you're all in this course. So yeah interesting. Yeah. We'll make it a little bit more difficult when we do not specify not to put your ASU ID. Do you have ASU email in there? Because ASU email you just go to the ASU email type in the email address. It gives you the ASU name.
And so that's an easy way to check to see if that person's legitimately who they are. And that's why I went over to the ASU email to look at it and put it in the email. I said oh this is the right name. Yeah the email would be tricky so maybe I could let you pick or something. Oh yeah I'll just say to specify you can't do ASU email. Ah, I see what you're saying. Another way to do it is that you have all the students' names for the route roster. So this keeps that person's email the same but just randomly selects another person as their class roster. I think that could cause problems. I don't know that I want you necessarily impersonating someone else in the class. Maybe the last semester's class roster. Maybe the last semester's class roster. Yeah I don't know. That's also a tricky one. Maybe. Any other thoughts? Yeah. My only thing was it just got kind of tedious. I think he's typing the same thing over and over again. Did you write a script for it? What's that? Did you write a script for it? No. So let's take a lesson in the future. Your science is writing a script for it. No no I understand. I mean that's actually part of the intention of the assignment is to understand that these things are tedious and easy to get wrong and really knowing what to actually do like GPG in my opinion is a pretty terrible interface so doing all this is difficult. So. Okay. I miscied on GPG. Like I tried someone else like when I pulled my key off the GPG the server we were using and I had like 17 keys to why I look at my key ring even after cleaning it up I had like 30 keys. 3 separate keys. I was kind of mystified by how that happened. You had more or less? She pulled it down and I had 17 keys on hers that were separate keys and I pulled I was looking at mine and I had like 30 and even I just pulled it off too and it was very odd to me. 
I mean that's probably because your key, your local copy will only grow over time right so if you ever somebody ever signed your key not on the key server right and they just emailed you a signature and you imported it. Another clear thing too is it would duplicate keys too. Like I would have like one person supposedly signed my key at this time and then again at this time. That's an implementation. I was kind of mystified. I'm assuming this hasn't been updated in a while. Interesting. I don't know how GPG deals with that. Any other general? So then I have a question for those that will say chose. Cause I've been through some of the reviews and some people for reasons I brought earlier didn't want to do the adversarial part because they don't want to cause their other fellow students to lose points. I definitely understand. On the flip side you could see it and maybe I should have pitched it as a as a peer grading scheme right because the idea is if nobody's acting as an adversary then you just sign whatever anybody sends you and it's not very interesting right. So you need some adversaries an alternative approach. Let me flip this to what if I signed like 10% of you as adversaries like randomly how many people they scam? Yeah I don't know that's another question. I don't know. It makes sense to have a portion say like I just randomly I even necessarily 10% of people randomly saying oh yeah you're playing as the adversary you're playing as the right person. Yeah the tricky part is then at least from my perspective there are people who want to do the adversarial part right and so if they don't get the opportunity or maybe you can opt in to do that I don't really know but I'm still struggling with that. I'm not sure how you would do the adversarial that way though without actually getting more work because you still have to have a regular key possibly. Because then at that point it's like how is your adversarial key not a regular key? 
Yeah, well, I could, if I really wanted, I could start this at the beginning of class and choose 10% of the class, tell them at the start of the class, we're going to be doing this assignment, you will be in charge of this adversarial identity, so, and give them the name and let them choose an email address or something, and then that way they could then build up from the course. I have a style to see from one assignment to a semester. Yeah, you should do it where if they get caught you can choose another random person, and then if someone survives the longest. Interesting. Okay, so that did bring up another comment, that's another suggestion that somebody had, because for people who were doing the adversarial component, if you identified that clearly somebody else's key was adversarial, you had no incentive to actually tell the rest of the course, because they actually made that tell on you, right? So one idea would be to restrict, like, create a pot of, let's say, some amount of extra credit, and then that fixed amount is distributed among all the people that do the adversarial component, so that way you actually have an incentive to stop other people and protect, like, as an adversary your goal is to get more people to trust you than other people, so I could. The weird thing about that is in this assignment, like, it's not that hard to definitely find out if a key is fake, and I appreciated that nobody liked boxed. I saw one instance where somebody said, I signed this key, don't sign it. That was like one obscure post in the mailing list, because in this case we didn't get points for saving other people, but if that happened it would eliminate the fun of the adversarial, because it wouldn't work, because if you actually understand how do you think you work you can find out in like 30 seconds. Maybe that would be a good way to fix the minus point. Maybe if you had a way to upload a list of keys that you were certain were adversarial, then you can maybe offset your points from accidentally signing other adversarial keys. That would be interesting. Kind of like that idea, but you don't have to say it publicly. I think that would be another, this would add another layer, right? And I guess I don't want to get into the thing of people fake saying that somebody's key is an adversarial key but it's a real person, or a person can't get into it. Not exactly, but like fake docs, they are a legitimately real person and can't get any way to sign their keys.
Are we going to get a visualization, like, can we do a database on how the graph of the whole game, so we can see what happened on the statistics? Yeah, I can do something like that. Yeah, I haven't looked at it yet but I will look at that. Yeah, interesting, because it does have a time stamp of when things are signed, right? So I'm sure the best visualization for that, it's going to be cool. Turn it over again. Anything else that I was closing? I had a really hard time with the graph, like at first I tried keeping track of it and then I got a bit, just got, just kept signing things. Yeah, that's another tricky part. Maybe I can have you upload those signatures too and get stored each of those, because that's the other part that's difficult to grade, because you may have signed 20 keys but all 20 of those people didn't import your signature, or didn't want to do the assignment, or let's say dropped the course or something, that signature didn't make its way to our servers. That would be not good. And so another option would be we could actually run a key server, so instead of having you guys use this other key server, the public one, we could actually run one and then we have all, we could just pull the data from there. But I like that you guys found the key servers independently and that it wasn't part of the assignment, because that makes it a lot easier to just email stuff back and forth.
I also noticed that once in a while, I know for a fact my friend signed my key and I kept pulling it down and it took like five or six hours to get that, so any of those last minute people that were trying to get signatures, it's entirely possible that they were never showing signs. Yeah, that's the problem with the key server, because I don't know exactly how it works, but I know there's essentially like basically a distributed network of these systems, so the key server you may be talking to may not be exactly the key server, there's different people run different key servers, and so the time it takes with data to propagate can be a while. Yeah, these are free servers that are running, right? So feel slightly doubted that we took over, but you can now use these keys and you have what needs to be considered.
Alright, again, any other thoughts that you want to share with me, please do so. Just on the second cipher, I wanted to make that like ridiculously difficult programming code. Oh, that'd be interesting. No, it'd be interesting. So basically the idea would be to do a different distribution, right? So as long as you're upfront about what it is that's encrypted, right, that could be, or you can encrypt the actual algorithm you think I could see your cipher or something like that. It's all about what you want to test. Like, I don't want to test that part, I don't want to test the actual breaking of the cipher, but I also wanted to be that you couldn't just take it and throw it into some online cipher, which I think was mostly done. That's why base64 coded it and used 256 and axler so it would be just traditional. I wonder how much code you would need in statistical. There's play if you did it in Python, the code was Python that was encrypted, it wouldn't be running as long open source Python out there. Interesting. I was thinking more of like x86 or ARM or something. There's got to be some kind of distribution of bytes based on the character, plus definitely like two bytes and three bytes frequencies. There's going to be a lot to have in Python, more spaces depending on your flavor, but that's okay. That's, yeah, that could be interesting. I think I'd also, if I did that, I wouldn't want to provide a repository of similar looking documents so that you could calculate a similar frequency. I think that would be cool to pitch that into something. It would work for the TA next time.