ABX Comparator, with digital signature in the log

Feb 22 2011, 09:27, Post #1
Group: Members Posts: 375 Joined: 4-October 08 From: Ukraine Member No.: 59301

Hello, and sorry for my bad English.
Recently I uploaded my ABX logs to one of the forums. But people still don't trust me because the log is a simple text file with no signature and could be rewritten manually. And I guess, is there any ABX Comparator (that works on Windows) which can sign the ABX results log and then verify it?
This post has been edited by Steve Forte Rio: Feb 22 2011, 09:28

Feb 22 2011, 09:29, Post #2
Group: Members Posts: 945 Joined: 6-September 04 Member No.: 16817

It's probably not worth it as the sort of people that aren't believing you will say you forged any signatures anyways. Some people just don't want to believe

Feb 22 2011, 10:02, Post #3
Group: Admin Posts: 3226 Joined: 30-September 01 Member No.: 84

Even if you can write signatures confirming the results claimed in the log, you can still cheat by repeating the whole test until you get the results you want.
--------------------
This job would be great if it wasn't for the users.

Feb 22 2011, 10:22, Post #4
Group: Members Posts: 375 Joined: 4-October 08 From: Ukraine Member No.: 59301

> It's probably not worth it as the sort of people that aren't believing you will say you forged any signatures anyways. Some people just don't want to believe

So then we can say that logs aren't needed either. If people trust you. The rules of this forum say that an ABX log is necessary. But what sense does it have, when it can be forged in a couple of seconds? Other options of fraud are much less likely. We must understand that when a dispute arises between people, we need as much hard evidence as possible, and plain text is not the best way out here.
This post has been edited by Steve Forte Rio: Feb 22 2011, 10:47

Feb 22 2011, 11:49, Post #5
Group: Members Posts: 1049 Joined: 16-February 08 From: NL Member No.: 51347

An ABX log provides a starting point for the reproducibility of the results. It's a call to action that says "Hey guys, I measured this. You give it a try as well and see what you find."
Also, don't post an ABX log without providing samples of the audio you used (if necessary), the properties of those samples, and if relevant, the conditions under which you conducted the experiment. If you don't, it's indeed exactly as pointless as just claiming you hear a difference. And yes, you can forge the audio samples as well and lie about your experiment, but it's a lot more work, and the more reputable, experienced members of this forum are more likely to see through the deception.

Feb 22 2011, 12:21, Post #6
Group: Members Posts: 101 Joined: 12-June 08 Member No.: 54275

Feb 22 2011, 18:41, Post #7
Winamp Developer Group: Developer Posts: 662 Joined: 17-July 05 From: Ashburn, VA Member No.: 23375

> > It's probably not worth it as the sort of people that aren't believing you will say you forged any signatures anyways. Some people just don't want to believe
>
> How can you forge PGP signatures?

Because the private key will have to be embedded into the application and therefore is extractable.

Feb 22 2011, 19:19, Post #8
Group: Members Posts: 3080 Joined: 1-September 05 From: SE Pennsylvania Member No.: 24233

A major purpose of posting ABX logs is that so many newcomers don't understand their results, so it gives us an opportunity to enlighten them.

Feb 22 2011, 20:11, Post #9
Group: Members Posts: 375 Joined: 4-October 08 From: Ukraine Member No.: 59301

But what about the case when I need to prove that I really hear the difference?
Note that not all people can guess to use such options of fraud like connecting an oscilloscope to the soundcard's output, forging PGP signatures, and other tricks. But anyone can rewrite a txt file. So if we introduce the ability to add a signature, we'll achieve a significant reduction in the probability of log forging. It is not too difficult, but effective. I think we should do it.

Feb 22 2011, 23:39, Post #10
Group: Members Posts: 101 Joined: 12-June 08 Member No.: 54275

> > > It's probably not worth it as the sort of people that aren't believing you will say you forged any signatures anyways. Some people just don't want to believe
> >
> > How can you forge PGP signatures?
>
> Because the private key will have to be embedded into the application and therefore is extractable.

The test can be client-server (i.e., via web), store private key on server.

Feb 22 2011, 23:53, Post #11
Group: Members Posts: 698 Joined: 6-March 10 Member No.: 78779

Feb 22 2011, 23:57, Post #12
Group: Members Posts: 698 Joined: 6-March 10 Member No.: 78779

Feb 23 2011, 00:49, Post #13
Group: Members Posts: 101 Joined: 12-June 08 Member No.: 54275

> > The test can be client-server (i.e., via web), store private key on server.
>
> Great, now the key is on the server, which will happily sign anything that looks like an ABX result.

Client sends your answers to the server, Server processes the answers and generates gped result. Nothing wrong.
This post has been edited by PaJaRo: Feb 23 2011, 00:51

Feb 23 2011, 01:16, Post #14
Group: Members Posts: 698 Joined: 6-March 10 Member No.: 78779

How does the server know that what it signs is valid? A modified client can send fake results and it will happily sign them.
This post has been edited by googlebot: Feb 23 2011, 01:17

Feb 23 2011, 01:22, Post #15
Group: Members Posts: 101 Joined: 12-June 08 Member No.: 54275

{
Server sends audio to client and asks: is it A or is it B?;
Client: sends answer to server: it's A.
Server: check if it's correct.
} repeat until n
Server generates report.
Server signs report.
Server sends signed report.
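
The exchange sketched in the post above, as an added example that is not part of the thread or any poster's code: the server keeps the identity of X and the signing key to itself and signs only the report it built from its own state. The `AbxServer` class and its method names are hypothetical, and HMAC-SHA256 from the Python standard library stands in for the PGP signature, so verification here also happens on the server.

```python
import hashlib, hmac, json, secrets

class AbxServer:
    """Server side of the loop: only the server knows X and holds the key."""

    def __init__(self, trials, key=None):
        self._key = key or secrets.token_bytes(32)  # stays on the server
        self._trials = trials
        self._truth = []    # hidden identity of X, one entry per trial
        self._answers = []  # what the client replied

    def next_trial(self):
        """Pick X at random; a real server would now stream X's audio."""
        if len(self._truth) != len(self._answers) or len(self._truth) >= self._trials:
            raise RuntimeError("no trial available")
        self._truth.append(secrets.choice("AB"))
        return len(self._truth)  # the client learns only the trial number

    def answer(self, guess):
        """Record the client's reply for the currently open trial."""
        if guess not in ("A", "B") or len(self._answers) >= len(self._truth):
            raise ValueError("unexpected answer")
        self._answers.append(guess)

    def signed_report(self):
        """Build the report from server-side state only, then sign it."""
        if len(self._answers) != self._trials:
            raise RuntimeError("test not finished")
        correct = sum(t == a for t, a in zip(self._truth, self._answers))
        report = json.dumps({"trials": self._trials, "correct": correct,
                             "x": "".join(self._truth),
                             "answers": "".join(self._answers)}, sort_keys=True)
        return report, self._tag(report)

    def _tag(self, report):
        # HMAC-SHA256 stands in for the PGP signature (assumption of this example)
        return hmac.new(self._key, report.encode(), hashlib.sha256).hexdigest()

    def verify(self, report, tag):
        """True only if the report is byte-for-byte what the server signed."""
        return hmac.compare_digest(self._tag(report), tag)

if __name__ == "__main__":
    server = AbxServer(trials=8)
    for _ in range(8):
        server.next_trial()
        server.answer("A")  # constructed client that always answers A
    report, tag = server.signed_report()
    edited = report.replace('"trials": 8', '"trials": 16')
    print(report, server.verify(report, tag), server.verify(edited, tag))
```

A valid tag shows that the report was not edited after the server produced it; it says nothing about how the client arrived at its answers, which is the objection raised in the posts that follow.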

Feb 23 2011, 01:32, Post #16
Group: Members Posts: 698 Joined: 6-March 10 Member No.: 78779

{
Server sends audio to client and asks: is it A or is it B?;
FakeClient: detect if audio is identical to last received audio (trivial), display result, send answer to server.
Server: check if it's correct.
} repeat until n
Server generates report.
Server signs report.
Server sends signed report.
This post has been edited by googlebot: Feb 23 2011, 01:41

Feb 23 2011, 01:45, Post #17
Group: Members Posts: 101 Joined: 12-June 08 Member No.: 54275

Here, you are not talking about signing robustness or possible use in this case. My reply was about that.
Now you are talking about another issue. Even if you use your fake client, you still don't know if it is A or B. Last but not least, as the OP stated, it's trivial to edit a text file (thing which prevents pgp), but it's not that trivial to develop a fake client.

Feb 23 2011, 02:00, Post #18
Group: Members Posts: 698 Joined: 6-March 10 Member No.: 78779

Your proposed client/server solution does not add any security over an embedded key. The whole extra effort to have a server running 24/7 is pointless.
In my experience, faking a simple protocol would even be easier than extracting a key, when it is implemented with some thought.

Feb 23 2011, 02:28, Post #19
Group: Members Posts: 101 Joined: 12-June 08 Member No.: 54275

- The server doesn't need to be 24/7, it doesn't even need to be web. Client can run on the OP's computer and server on the other guy's computer.

> Your proposed client/server solution does not add any security over an embedded key.

I've never stated that my solution adds security over an embedded key. I only said that a PGP signature (if the private key is secure, i.e. in a secure server) is not possible to forge. You were the one saying it was not true and showing you don't understand how private/public key encryption or client/server apps work

Feb 23 2011, 09:58, Post #20
Group: Members Posts: 698 Joined: 6-March 10 Member No.: 78779

> - The server doesn't need to be 24/7, it doesn't even need to be web. Client can run on the OP's computer and server on the other guy's computer.

It doesn't matter where or how long it runs if there is no benefit.

> I've never stated that my solution adds security over an embedded key.

So it was senseless to mention it?

> I only said that a PGP signature (if the private key is secure, i.e. in a secure server) is not possible to forge.

The challenge in cryptography isn't getting it right in theory, where sufficiently long private keys are expected (not proven) to be unrecoverable from public keys or signatures, but actual implementation. Over 99.9% of all breaches happen because of flaws wrt the latter. The solution that you have proposed to prevent forgery by key extraction does in practice allow forged signatures, and even quite easily.

> You were the one saying it was not true and showing you don't understand how private/public key encryption or client/server apps work

Please, read the thread again, and if you then still have an intense feeling of having been right the whole time - much louder than a few little snippets of reason that may (hopefully) have passed your mind briefly - please let me know, so that I don't waste my time on you again.
This post has been edited by googlebot: Feb 23 2011, 10:08

Feb 23 2011, 13:07, Post #21
Group: Members Posts: 234 Joined: 12-June 09 Member No.: 70617

With all due respect to the OP, this proposal is not only unnecessary, it's also possibly counterproductive.
Whatever someone claims to have 'proven' with his 'evidence' ought to be less significant than you having the ability to repeat the test and decide for yourself. That's how scientific progress is made. In any field of inquiry. What's important is that the claimant provides the samples and methodology used so that the claim can be independently verified.