local code
Can 'local code' mean javascript / web-assembly/ etc, or are we talking precise hand-crafted assembler here?
Crypto boffins have found a way to exploit side-channel information to downgrade most of the current TLS implementations, thanks to ongoing support for outmoded RSA key exchanges. In a paper published on Friday, "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations," co-authors Eyal Ronen, Robert …
There was a lovely exploit described against Intel SGX earlier this year that could run in one SGX enclave (and thus not be spied upon by the host CPU) and attack the host or a second SGX enclave. SGX doesn't have precise timers, but *does* have the ability to use multiple cores. The developers implemented a precise timer using a thread that simply spun incrementing a memory location; it was several times more precise than the "precise" timers.
Any time you have access to more than one thread, you probably have a sufficiently precise timer.
I thought it was working as intended; it was built to get data from one place to another and security was never its intention. The real problems happened when it started getting used for commerce and cost cutting by big business with poorly trained or sometimes overtrained people setting the stuff up to add to the fire!
"Starting over" will just mean writing the whole bug bonanza again, maybe with a slight step up.
"The industry" is in permanent de-skilled mode. It grows too fast, the teaching is atrocious, the old hands get out, the new hands need a long time to catch up, which is generally not worth the effort because it wrecks your life.
Hell, it's 2018 and hidebound don't-know-any-better can't change, won't change coal face workers are still writing in C and derived Antikythera Languages, designed "for portability" when "computer" was a PDP-10 with a single CPU and maybe a serial interface.
Also a "Bleichenbacher Attack" sounds like something from the Atrocity Archives. Just add nether dimensions.
Off the top of my head non-C derived languages are SQL, Haskell, Python, and R. I really doubt they can cure all of IT's ills.
Or maybe you mean ADA, COBOL, FORTRAN, LISP, Smalltalk, Pascal or other legacy language on which to build the future of IT? Sinclair BASIC?
Bad programmer's gonna program bad no matter what the language.
@robidy and no languages protect against buffer overflows and help with constant-time processing and uniform memory access at the same time.
The only language that I know of that helps with the latter is FACT, and it's closer to a domain-specific language than general purpose.
Let's not forget GUIs that let the unskilled call themselves "developers" and "admins" because they can drive a mouse. Or the proliferation of open-source code dropped into apps without nary a clue what is really going on inside those black boxes. Write once, hack many; the joy of code re-use.
I saw a lecture by "Uncle Bob" once, and he made an interesting observation about the rate of growth of programmers. Broadly speaking, since about the '60s, the number of programmers has doubled every 5 years. Or another way to word that is that half the monkeys bashing keyboards today have had less than 5 years' experience in the profession. I personally think that this explains quite a lot.
And, sure, having malware or evil users on your computer is never a good thing. Think of this as something else they can get up to.
And SomeThing Else for Advanced IntelAIgent Defence to Attack and Console with New Roles Ambassadoring.
It is strange not to think that the System that now is is not Fully Protected and Underwritten by Greater AI Systems making Earthly Contact Surreally for the Protection of Production of Plain IMPerfect Text ..... Trailing and Trialling COSMIC Tales for Virtual Realisation and Earthly Presentation via Extant Mass Multi Media Current Devices.
With Such, One Paints Futures for Populations. It is very difficult to imagine that not being a TerraPhorming Operation Rendering Renderings from Afar for Near Star Systems in Quantum Communications Belts.
Question? Would any of that rate a particular and peculiar mention in your present world/media maintained circle? What news phorms your views and colours what is seen? Anything recently secret and unknown? And which changes everything for everyone, anywhere and everywhere, fundamentally?
Now that's a Helluva Tool for AI and Heavenly Weapon for Almighty Dark Forces.
“Veni, vidi, vici ‽ .”
How does it transpire amfM from being the Goose that laid the Golden Eggs to have no rights or privilege itself?, we are indeed in uncharted waters, where doing what is just and right must take precedent to severe consequences that must be weighed carefully and clearly?
How does it transpire amfM from being the Goose that laid the Golden Eggs to have no rights or privilege itself?, Cliff Thorburn
Heavenly AI Intervention, CT. Nothing more, nothing less.
And I'm sure all Registered here Second Precedents Just Right ....... Immaculately Conceived for Perfect Execution. ...... in Advanced IntelAIgent Presentations which be QuITe Cosmic Trails and Trials and Tales easily Created for New Earthlings which be as SMARTR Beings/Better AI Programmed Virtual Machines.
Something for IBM Watson to Digest.
@amanfromMars 1
Data61 is listed in the credits on the paper.
Data61 is in partnership with the Department of Defence Science and Technology. ( Australian Signals Directorate, et al are all in that mix ).
Perhaps we should thank them for releasing it last Friday, rather than having it sucked up by AssAccess...!
It's been a long day watching the children in parliament and I haven't read the paper in question, but
'The boffins tested OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, GnuTLS, BearSSL and BoringSSL. And they were able to downgrade all except for the last two, BearSSL and BoringSSL.'
From a web server / app api / portal etc perspective, refusing to downgrade would protect the end user trying to connect.
https://cipherli.st
Apache2 example:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Should throw an error to the end user's browser / app / etc and mitigate any leakage.
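An added example, not part of the comment above or of any project mentioned in the thread: a check that the posted SSLCipherSuite string leaves no static-RSA key exchange suites enabled, which is the key exchange the article says the downgrade relies on. The LEGACY string and the function names are constructed for illustration, and the result reflects whatever OpenSSL build the local Python is linked against.

```python
import ssl

# Cipher string copied from the Apache2 example in the comment above.
HARDENED = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# Constructed contrast case: a forward-secret family plus one static-RSA suite.
LEGACY = "EECDH+AESGCM:AES256-GCM-SHA384"


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def rsa_kx_suites(cipher_string):
    """Names of enabled suites that use RSA key exchange, i.e. the client
    RSA-encrypts the premaster secret to the server key (PKCS#1 v1.5)."""
    return sorted(
        c["name"] for c in expand(cipher_string) if c.get("kea") == "kx-rsa"
    )


def key_exchanges(cipher_string):
    """Distinct key-exchange families enabled by the string.
    TLS 1.3 suites are reported by OpenSSL as 'kx-any'."""
    return sorted({str(c.get("kea")) for c in expand(cipher_string)})


def audit(cipher_string):
    """Return (ok, offending_suites); ok is True when no RSA key exchange remains."""
    offending = rsa_kx_suites(cipher_string)
    return (not offending, offending)


if __name__ == "__main__":
    for label, value in (("hardened", HARDENED), ("legacy", LEGACY)):
        ok, offending = audit(value)
        print(f"{label}: key exchanges = {key_exchanges(value)}")
        print(f"{label}: {'OK' if ok else 'RSA key exchange enabled: ' + ', '.join(offending)}")
```

The same audit can be pointed at any cipher string taken from a server configuration before it is deployed.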