Can someone explain the point of SGX? I’m sure there is probably some cloudy explanation for it, but from where I’m sitting, the only people looking to run code in ways invisible to the rest of system are malware authors. Maybe DRM too, but as far as I’m concerned that pretty much falls under the definition of malware, as code that is serving no conceivable benefit to the user who is (normally unwittingly) running it.
16 posts • joined 18 Aug 2018
Intel: Let's talk about SGX, baby. Let's talk about 2U and me. Let's talk about all the good things, and the bad...
Ready for another fright? Spectre flaws in today's computer chips can be exploited to hide, run stealthy malware
Bad news for WannaCry slayer Marcus Hutchins: Judge rules being young, hungover, and in a strange land doesn't obviate evidence
What was he thinking
"I wrote code for a guy a while back who then incorporated it into a banking malware." - This could be true of just about anyone contributing to open-source libraries.
“I used to write malware“ - maybe not so smart...
Anyway, how long does it take to actually get to court in the US?! He was arrested 18 months ago for a crime he apparently carried out in 2014. Also, does this time forced to stay in the States (away from friends, family and job) against his will count against any potential sentence?
Much as I tend to agree that a memorable long password beats a non-memorable short one, I can’t help but worry that these aren’t really that much stronger. Yes, there are (apparently) upwards of 170,000 words in the (Oxford) English Dictionary, making this on paper appear to be 170,000 to the power 4 (a roughly 70 bit number) but the reality is that most educated native English speakers only know a fraction of this number. Assuming a 35,000 word vocabulary (a number I’ve seen mentioned as an upper bound on real vocabulary size), this quickly reduces to only 60 bits. Assuming all 4 words are fairly common, as with “correcthorsebatterystaple”, the vocabulary size required falls to less than 10,000, rendering this weaker than the random 8 character (53-bit) password, though obviously more memorable.
Another issue with the long password, and one I’ve fallen foul of many times, is whilst they are fine when typing on a real keyboard. Try entering one with your thumbs on a phone screen, or worse, using a PlayStation / Xbox controller and they start feeling less of a great idea. Even more so if there’s a risk of shoulder surfing (the extreme case is with the PlayStation / Xbox), where the random mess of letters and numbers is relatively quick to type and tricky for an onlooker to remember. A set of English words, they may struggle to forget even if innocently observed.
My personal favourite scheme (though I must confess, not one I always employ) is taking initials from a memorable sentence. Ie, the password “ihpcrbtmplm”, can be simply remembered by the phrase “i hate password complexity requirements because they make passwords less memorable”, which is roughly the same strength as each of the above mentioned schemes but obviously quicker to type than “correcthorsebatterystaple” and far easier to remember than “ff3sd21n” (which, being all numbers and lowercase, I can’t see being much better than 41 bits anyway).
This must be some kind of elaborate joke. How does the bear-chested one think anything is going to work following this move? Does Russia not use credit cards? Or international banking (they sell oil, how do they get paid for this)? In fact, are Kaspesky themselves not rather reliant on connectivity to their millions of international customers (updates / cloud AV)? Or is the real plan to simply cut the plebs off from the outside world?
Re: It will create a new market
Who gets to use it at weekends / Christmas / take on holidays etc? This might be OK for the work commute (though not if their shifts are consecutive) but I can’t really see this working in practice. Also, none of this cuts down on actual vehicle mileage (energy usage / lifetime of vehicle) so I don’t really see how sharing with others at work makes a great deal of sense. The real fix is to address the reason everyone has to work the same hours in the same places, where nobody can afford to live. I suspect this will be sorted long before self driving cars are allowed en mass on city streets.
Drawer full of buttons
My biggest gripe with these buttons has always been the sheer number of products which would “require” them. If you’re going to bother getting a button for, let’s say, washing powder, logically you should probably grab one for washing up liquid, bog roll, fabric softener, furniture polish, scouring pads, multi surface cleaner, kitchen towels, glass cleaner, dishwasher tablets, rinse aid... and that’s just the under sink cupboard. The question is, where are you supposed to store all these buttons? Maybe what we really need is an Amazon keyboard. Or, better yet, perhaps some kind of touch screen device we could carry around in our pockets...
As others have mentioned, at least they’re better than subscribe and save, where you seem to end up entering an agreement to make future purchases at a price that will be determined (by Amazon) at some later date. If the buttons are deemed illegal, where at least you can cancel / return the order if you seriously disagree with the price, how is this subscribe and save feature OK?
Amazon exec tells UK peers: No, we don't want to be dominant. Also, we don't fancy being taxed on revenues
If you accept payment by your employer as non-taxable loans, whilst I’m trying to remain open-minded, I’m struggling to summon much sympathy. I’d actually be very interested to know what happens in such an arrangement were the employer to become insolvent. I would imagine when the liquidators spotted those “loans”, the tax man would be the least of your worries!
Given the public key for this is shared via DNS, prior to the TLS connection, why not encrypt the whole handshake with it? Presumably this would help protect against downgrade attacks and the like as well? As it stands, this seems a lot of effort to encrypt just one of the many fields in a client hello. Especially when, in the vast majority of cases, that field is (and will continue to be) announced in a cleartext DNS request. Also, unless I am completely misreading that draft, there appears to be no suggestion of encrypting the server certificate, meaning that this will likely also be observable in the CN / SAN returned by the server, which would appear to make the whole venture rather pointless?
Re: Why do we need IPv6
That’s in addition to 240.0.0.0/4 (268 million addresses) “reserved for future use”, in addition to 126.96.36.199/4 (same again) multicast addresses. Given multicast is realistically only usable in highly limited environments (not across the public internet), does this really necessitate a 16th of the total IPv4 address space? As for future use, how is now not the “future”? That’s not even getting into why we need 16 million addresses for localhost (127.0.0.1 is merely the most commonly used from 127.0.0.0/8). I realise many OSes / network devices couldn’t cope with these addresses being publicly routable, but would assume it would be a relatively minor software / firmware upgrade to fix that?
I’m going to start pushing IPv5. The crucial difference being 64-bit addresses. These will obviously more or less halve the network overhead, are twice as easy to write / remember, halve memory requirements on network gear and, rather handily fit into current 64-bit CPU artitectures. The one downside being, only 2.5 billion IP address per person on the planet, so we’ll have to be frugal with our IOT devices!
Just for fun, might as well make it backward compatible with IPv4 (6 can go whistle).
Re: Single figure entry
Thumbs up for the idea of storing hashes of different combinations. Though there’s no way I credit many banks with coming up with (or caring about) doing so. Realistically if, like my bank, they only ask for 3 characters at a time, it wouldn’t take much to brute force those hashes anyway... My bank does ask for a secondary password (I think they call it a memorable word), which I guess (again, assuming a massive amount of faith in their security / engineering teams) they could be storing hashed with these different pre-chosen combinations...
Re: Problem-solution dichotomy
I’m with you on avoiding excessive and often unnecessary technology. Keyless entry being a case in point. How hard is it to press a button on a remote to lock / unlock your vehicle, a remote virtually all “keyless” systems still require. Such buttons have the rather handy features of knowing whether you’ve actually locked your car, and rather neatly preventing relay attacks from your hallway / coat pocket. However, going back to physical keys is a step too far even for me. Car thefts have decreased rather dramatically since the 90’s (last I looked, they were down over 80% in the UK) and I can’t help but suspect this may be related to swapping old-school key barrels (which are all too easily old-school hot-wired) for more electronically integrated remote systems. Whilst I’m sure there are some professional car thieves taking advantage of such holes in current technology, I’m pretty sure there are far more teenage oiks with a brick and a pair of pliers looking for some quick thrills.