* Posts by misterinformed

17 posts • joined 13 Jul 2015

Here we go again... UK Prime Minister urges nerds to come up with magic crypto backdoors

misterinformed

National key storage

How about this for a compromise: when two endpoints A & B negotiate a shared encryption key, make them use 3-way negotiation, between A, B and K where K is a national key storage facility which stores keys for a limited time and releases keys to security services following a suitable legal process.

By "3-way negotiation" I'm presuming it's possible to securely generate a key known by 3 parties but not by eavesdroppers.

I'm not advocating a facility to record the data (encrypted or unencrypted), just to record decryption keys (for a limited time) for cases when the security services already have wiretapped data for which decryption is likely to be in the national interest.

This is a compromise to privacy, and safeguards would need to be in place such as publishing the number of key requests, but it's better than forcing all encryption to have back doors, which any attacker could use.

Trebles all round! Intel celebrates record sales of insecure processors

misterinformed

Intel, quoted in the article: "... including as a result of side-channel exploits such as 'Spectre' and 'Meltdown,' ..."

By referring to security vulnerabilities as "exploits", Intel is not being entirely honest here.

Intel, Microsoft confess: Meltdown, Spectre may slow your servers

misterinformed

"... am I the only one who has a little sympathy with Intel et al?"

Possibly. Intel didn't invite sympathy when they blatantly lied in their press release to avoid taking responsibility for Meltdown.

They would be happy for people think their chips fall in some grey area between "perfect" and "flawed" but the documentation is very clear - they must prevent memory access via certain kinds of reference in certain conditions - and there is no grey area to hide in.

If you don't put the responsibility for Meltdown at Intel's door, you are expecting blameless organisations to take losses that they shouldn't have to, and setting a bad precedent for responsibility evasion that could lead to less reliable and less secure systems in the future.

If Intel started acting with integrity over this then I would probably start to feel sympathy for them.

misterinformed

Intel's responsibility

Meltdown is a CPU flaw and Intel should be paying for replacements or compensation for any server whose throughput can't be restored to pre-patch levels.

I know it's naive to expect Intel to do this willingly, but that just makes it more important for us to spread the message.

It shouldn't just be private compensation deals for their biggest customers.

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

misterinformed

Re: You don't know all the possible ways...

"The issue here is that if you take a traditional view of processor "correctness", there is no real bug here: the software runs as it should and returns the right results."

I disagree with this, at least as far as Meltdown is concerned. The CPU is supposed to enforce a sandbox and there is a hole in it big enough to read privileged data. This is a bug, not a side-effect of correct operation.

Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

misterinformed

Re: Hmm, If I was working at a secret agency

"... they did not design based on the assumption of bad actors abusing this."

I agree. For illustration, have a look at this Intel manual page from 1986, explaining why CPU-enforced sandboxing was introduced: the focus was entirely on detecting, and confining the damage of, "bugs". I think this is understandable because malware wasn't such an issue back then, but it has been obvious for a long time now that Protected Mode is a critical security defence, not just a stability feature, and there is no excuse for holes in its sandboxes in recent CPUs.

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

misterinformed

Re: PR gone wild

> Intel's press release is a masterpiece.

I think the word for it is "brazen".

misterinformed

Re: Y2K For Real This Time!

"- Websites / services becoming slow or going offline"

Good point about going offline. A server currently running under high CPU load could have its throughput reduced below the required workload and then there will be backlogs or service unavailability. This could be a headache for admins who will have to decide whether servers can tolerate the performance hit before installing the patch.

misterinformed

Re: I finally switch from AMD to Intel, and this is what happens.

> They are not slowing the processor, the OS is, so no comeback on Intel

I don't think that argument will work for Intel. Their chips are not working to specification: the user-mode/kernel-mode separation is supposed to be policed by the CPU, and it's leaky. There is no chance of them hiding this fact.

They could try to spread the blame by claiming that some of the slowdown is due to badly coded workarounds by Microsoft etc but they can't escape the blame for workarounds being needed.

Google's phone woes: The Pixel and the damage done

misterinformed
Unhappy

Re: Bring back Nexus!

My Nexus 5X stopped working yesterday after 14 months. Before that I had an LG G3 that stopped working after 18 months. It doesn't surprise me that the LG-built Pixel 2 XL also has build quality issues.

US-CERT's top tip: Hack your crap Netgear router before miscreants arrive

misterinformed

Some of the firmware updates (inculding R6400, R7000 and R8000) are now out of beta. The web interface of my R6400 showed a notification about the update. After installing, testing with the 'killall' URL led to a login prompt and, even after I authenticated, it still didn't execute the killall so the fix looks good.

misterinformed

Re: Authentication failed

The command you ran was intended to disable the web interface, so the "page not found" error is to be expected. When Netgear release the fixed firmware, you will have to switch your router off and on again to get the web interface running so you can install it.

Built-in LG smartphone app created data hack risk

misterinformed

Re: Grrr - so far I've been really happy with my G3

"The widget, sure, but I can't disable the app in Application Settings like you can some other "built-in" apps."

Oh I see, sorry.

"Samsung's fault because of their horrendous record of not releasing code for their Exynos chipsets. The G3 with its Qualcomm-based chipset should be much better."

OK. That's encouraging. Maybe when LG stop pushing updates I'll brave CM again.

I've just received the update to Smart Notice.

misterinformed

Re: Grrr - so far I've been really happy with my G3

On my stock unlocked G3 (software version V21a-EUR-XX), I can add and remove Smart Notice just like any other widget. Are you referring to the full-page Smart Bulletin instead? You can remove that from Settings->Display->HomeScreen.

But, like you, I can't see the Smart Notice update in the "Update Center". It's not helping that there is no "Check Now"/"Refresh" button in the App Updates panel, so all I can do is set it to check daily and wait.

My experience with Cyanogenmod (on Galaxy S2) is that it's great for scratching a nerdy itch and getting the latest Android fixes and features (continuing long after the OEM has stopped providing them) but bad for stability. Things may have changed since I tried it but, judging by a quick look at the G3 CM forums, they haven't changed much.

Android 5 lock-screens can be bypassed by typing in a reeeeally long password. In 2015

misterinformed
Pint

Re: And nobody considered...

It took a lot more than 32 characters - in the video, copy & paste are used to repeatedly double the password length. It starts with 10 characters, then gets doubled 10 times in the dialler, (an eleventh attempt is abandoned - it isn't copied), which makes 10240 characters. Then this is pasted four times into the password entry field, so the total is 40960 characters. I expect someone even more pedantic than me will correct me if I've miscounted.

Obviously it's stupid to allow entry of so many characters, so I'll join you on the Guinness.

Pan Am Games: Link to our website without permission and we'll sue

misterinformed
FAIL

"Deep linking" bans

Verizon Wireless say you can't link to any part of their web site except the home page: http://goo.gl/WFjYKK (see the paragraph under the heading "Requirements for linking to www.verizonwireless.com")

The same instructions appear on lots of other sites - example Google search: http://goo.gl/hDKBle

Biting the hand that feeds IT © 1998–2019