So, oh you can't see anything. Cool. Even better. How about that? Awesome. Cool. So, fun stuff I'm playing with today is grading the web-of-trust assignment. This was a 155-megabyte PNG file that was made from all of these signatures that you all made. Not just the 120 of you that participated, but that and all the adversarial keys as well. This actually took like an hour to build on this computer and it's crashed this a few times. It crashed Safari. I tried to open it up in Safari and Safari said, oh, reloading this page. It's using a lot of memory doing that. So, you can see like all the interconnections here, which is pretty cool. I think this has names so I won't post this, but I'll probably try to figure out how to redact the names on here because I think this would be something cool to share out there.

And now you're saying this, so I have no idea what this means. I think the computer said, please, please, please. It has eight gigs of memory. Like what more does it want? Or 16? I don't even know. It's got a lot. It's like a weird blue screen of death inside of this preview. It's not like a reload because my screen went all blue for some reason. Okay, so that's kind of cool.

And then so I found some interesting stuff out. So I looked, so okay, full disclosure. I just wrote this code this morning. I'm not 100% certain that it's actually correct. This actually was a real pain to try to count and go through all the signatures on all the keys and figure out, okay, this key ID that signed it maps to this fingerprint, which means is this person's adversarial, which means they need to increment a counter of how many their adversarial sign, whatever. But that's not your problem. That's my problem. But they just mean to take these with a grain of salt. So that's not your fault. Oh, I think I need to reverse it. So this is actually super interesting.
So this is the list of not, so there's no people, actually don't even know who this is, but these, I think these are the total counts of valid real signatures on their adversarial keys. So, so this is real keys that signed it. So obviously, if you sign adversarial key, the adversarial key, that shouldn't count. That doesn't make any sense, right? You're trying to trick real people.

So some super interesting things from here. We have this insane distribution where one person had 40 signatures from real people. That's cool. Let's see, 18, 16, 15, you can see kind of drops off 5, 32 and 1. So the other thing is that 1, 2, 3. There's only eight people. So only eight people are actually able to trick other people to sign their adversarial keys, which I think is kind of an interesting question. So what other things do you think would be interesting that you want to look at? Does it make you all nervous that you all got scammed really hard?

So I thought that too. So then I tried to look for the sheep. The sheep being, so this is the count of all of them. So for each person, how many times did they sign an adversarial key, right? So the way to think about this is if one person signed has eight signatures from their real key on adversarial keys, then this person was just signing everything that anybody said. So it's actually a really nice, just a much better distribution than I thought. So good job on everyone else. The max anyone got scammed would sign four adversarial keys. So think about that, like four out of 20 keys that you signed. That's actually pretty, that's a legit, legit number.

And then let's see, it goes to about, so yeah, you can see that like, well, 30 people signed, but some of them only a few, right? And so like 35. So obviously it goes back to 40 because one person got 40 people to sign their keys, right? So 45, I don't know, we still get into there. Wow, that's cool. 60. So actually, that's pretty, I don't know, I need to go about that.
That's like 50% of the class like got scammed, but only got scammed by one person, right? So that's actually pretty good. So you guys did a good job in, maybe it was, I don't know, too hard to sign adversarial keys, or I'm not sure that I was expecting this to be higher, to be honest, but I'm happy that it wasn't.

I think it'd be really interesting to know, but I don't know that the data would be stored, but the time that like the fake keys were signed, you know, like as then you'd find where those 46, the person that got 40 keys that evenly distributed through the whole thing, or was it like the very last moment that become fun data?

Yeah, the problem is that it's tied in with all of your grades. So I don't think I can release like, because I have an archive here now with a key ring with everyone's signatures and public keys and adversarial keys in there. So you could probably run that analysis, but then I think that would leak too much. I think that would be considered like great, bad at it. I'm not sure how that works. I don't think you could probably do that, but I can, if you come up with an interesting thing, you can send it to me. Maybe I'll do it.

Let's see. Oh, the other thing that was interesting, so this is scammed. Yeah, number required. So this was interesting one. So this was the number of, I think, any type of signatures real or adversarial on a real key. So this was interesting that the top 10 people had like 55 real signatures on their key, right? And this again does not include your own keys and does not your real and adversarial key. And it also doesn't include the core signatures. So these are just, so these people, one person got 55 other people in the class, either adversarial or not to send their key.

Yeah. Yeah, it's not counted. Why would that count? It doesn't make any sense. It would be a good try, but cool. Any questions on this? So I think writing this will be pretty easy. I think everyone got most of the stuff done.
So and there wasn't a lot of adversarial scamming. So don't freak out on that. Yeah.

What was the method that the person that had 40 years?

I don't even know who it is. So I don't know. If any of you would like to help themselves and tell us.

Are you talking about a total number of signatures required or are you talking about this?

I'm talking about adversarial. I know the 55 is me for valid signatures, but I was, yeah. When you submitted it, tell you how many you get and then it just said for me like 48,000 signatures. Is that that one?

The possible. I don't know. I probably shouldn't confirm that. So actually, I don't think this is a new degree. And I don't even know how this matters to anything else. So it's not like that person is the same as this person, right? So yeah, so how did you get that many people to sign? How did you get that many signatures on your key?

Well, I posted it in the post that Eric posted. But the weird thing was I didn't even include my ID. I didn't include it in my program, which had my ticket, which I thought was kind of funny.

So people may be searched for you then. I was talking about that. Yeah. So if anybody in the, or things there in the top would like to tell us their method, that's totally fine. If you want to keep it secret, that's also fine. If you want to send an email to me detailing your method and I can send it out anonymously to the class. So nobody knows that was actually you that did that.

So my adversarial key, I removed the user from it that was given by the system. And then I signed it with a fake CSE.

So what does that do then to your key?

So it resets it. So it causes the signature to no longer be there that was signed by CSE 340 admin.

465.

465. Yes. One of those classes. So I created a fake one and started signing different people's keys with the fake one as well so that everybody would recognize it and got it out to the repository.
And then submitted mine on the last like three days with several signatures that were faked from other people to give it more legitimacy.

So you created other fake people to sign your key and then put it on the key signing server, just giving weight to that key?

I think if I had created the same one which was a valid person at ASU in the computer science program and created an email and posted to the mailing list, then I would have definitely gotten a lot more.

Interesting. Yeah, that's a, oh yeah, so that was actually something from reading through, maybe I don't know if I mentioned this, but reading through the reports of some of the people who did this adversarial stuff, I actually did not realize you could do this, but on GPG the UID is just a field that's associated with the key, right? So even though we generated a public private key pair for you with a randomly generated name, you could actually delete that UID, but what that would do would remove the course's signature. So in a perfect world, if everybody's a hundred percent vigilant, they would never sign that key because it's not signed by the course server, and that may have been some of the chatter on the mailing list of people saying like, hey, your key's not signed by the course server, I'm not going to sign it until it's on there, right.

So that was super interesting. So then the way around that is you create your own UID with whatever you want and then create a fake CSE 465 key, have it sign that UID, and then if people aren't actually checking whether the fingerprint matches, then they're gonna, if they're lazy, they're gonna sign it.

Yeah, because I saw my key got signed six times by CSE 465 with all the keys.

Yeah, that's interesting, yeah, that's a good tip off.

I did come in a couple minutes late, but is there a way that we can determine right now how many times our adversarial key was signed?
That's this, so not you yet, but this is an overall, so this is of all the people who've gotten valid signatures on their keys sorted by greatest police, so I actually don't even know who these people are yet. This is just kind of like the raw data I've been playing with this morning, and I showed this graph that you'll see in the video that showed my computer looks like.

So yeah, so then like the top most adversarial person got 40 signatures on their real peoples, so so we take that, so track out all the signatures on your adversarial key that was from other adversarial keys, so it's only other real users who signed the key, and so it's like, yeah, so this is the distribution there. And the flip side of that is the top 20, so these were the top 20, top 20 people that got scammed, so that signed an adversarial key with their real key. It's actually surprisingly a long tail, but also not very, like it's not like one person fell for all eight scams or something like that, so it's a pretty interesting distribution.

So on that adversarial key, um, what if someone signed you with a fake CSE 465 key, with that actually with that calendar?

Because I know every valid fingerprint, right, because I've generated all the adversarial ones and I made you upload your public key, so only those fingerprints are the ones that matter, right. So you could create a bunch of, you could create 30 fake keys and sign your own thing, but that's, I don't really care about that, because we as a class only care about stuff that's signed by the CSE 465 key that has the fingerprint that's on the webpage.

So if someone changed their key to CSE 465, like change your adversarial key with that.

You could do that, but the fingerprint still doesn't match, right, because the fingerprint uniquely identifies the key. So that, that is I think an interesting lesson that came out of that. Even from me, I didn't know you could delete UIDs and the fingerprint would still remain the same, so that was super interesting.
And I don't mind talking about it. I have the benefit of knowing a guy in the CSE program that had a valid email address, so I just did the same thing, changed the UID, generated the fake CSE 465, and then this stuff was an iSearch and so people could find it. It seemed reasonable to me. The only thing short about it was checking the fingerprint of the 465 key you're trying to look at it in person.

Right, so that's interesting. So if you think about it in terms of like mechanisms and policies, right, the court, like you the students in the class kind of auto started to create these kind of ad hoc policies and mechanisms of, you started sharing like ASU IDs on the mailing list and linking to your iSearch page to prove that you're a student and a real person and not a randomly generated username. And so then the adversarial way around that is to either, with the permission of another student, impersonate them who's not in the class but is an active ASU student, delete your user ID, put their user ID there, sign it with a fake 465 key and convince people to sign it. Cool, all right, I thought I would share that because it's interesting. I'm just so curious how many people like photoshopped an ID to put up on the mailing list?

Do you want to pass up to that? Like I know particularly there was at least one at the last one.

That was good. I would approve if anybody signed that key, just give that person extra points because that's hilarious. So you don't have to out yourself because mine don't don't you know, okay, whatever you think, being anonymous, it's cool. Um, maybe you're like 10 year ASU reunion you'll be like yeah