back to article One of the world's most prominent distributed ledger projects has been pushed back by a year

One of the world's most prominent planned uses of distributed ledger technology has been pushed back by a year. That application is a replacement for the Australian Stock Exchange's (ASX) core application, the Clearing House Electronic Subregister System (CHESS). The bourse was the first such operation in the world to commit …

  1. Mike 137 Silver badge

    "Blockheads"

    Gorgeous! Nice one Simon.

  2. jake Silver badge

    Security by obscurity?

    That trick never works ...

    1. Pascal Monett Silver badge

      Re: Security by obscurity?

      Yes it does.

      Do you know the location of the various US fleets ? China and Russia may know of one or two, but they don't know all the them. Those they do not know are secure.

      Do you know the location of CIA safehouses in the world ? Neither does anyone else. They are secure, until the CIA thinks they're not and decommission them to create one somewhere else.

      Security through obscurity works very well, just not on the Internet. At least, not if the target is interesting enough. I totally agree with the idea that the Itanium is not interesting for hackers.

      That, plus the fact that the Stock Exchange is the most watched, audited and controlled place in the world - due to the overpowering flow of money - means that any hacking attempt will likely be flagged, traced and blocked faster than you can blink. On top of that, police authorities will treat it as a red alert priority one, putting every relevant asset on the case.

      No, neither Russia nor China would be daft enough to mount an attack against any Stock Exchange, and no mere lone blackhat would dare try. So the fact that they're running Itanium is actually a very secondary concern.

      1. jake Silver badge

        Re: Security by obscurity?

        The problem with all of the above is that you only THINK it is obscure, and thus "secure" ... until the miscreant shows his hand and blasts your safe-house into oblivion. All the power is in the hands of the attacker, not the defender.

        This hacker has a couple dozen various model Itanium processors at his beck and call ... Feel lucky that I'm a white-hat, and not obscure at all :-)

    2. Doctor Syntax Silver badge

      Re: Security by obscurity?

      ... but refuses to die.

    3. nintendoeats Silver badge

      Re: Security by obscurity?

      In addition to the excellent rebuttal made above, observe that security through security does work AS AN ADDED LAYER in the context of other mitigations.

      "I finally figured out their nonstandard encryption algorithm, but it requires just as much compute time to break as AES-256. Two weeks of my life wasted!"

      So now, not only is your data secure, but it wasted two weeks of some poor cracker's life ;)

      1. jake Silver badge

        Re: Security by obscurity?

        Yes, obscurity can be a part of security, but it should be a rather minuscule part.

        I see your two weeks, and raise you a $5 wrench ... Or a simple telephone call (or "accidental"

        meeting at a coffee shop or lunch counter) with an over-eager flunky.

        +1 for proper use of Cracker, as opposed to the 'orribly misused and overloaded "hacker".

        1. nintendoeats Silver badge

          Re: Security by obscurity?

          Ah, but then at least you will know who to http://www.catb.org/jargon/html/F/flame.html

          ;)

    4. Michael Wojcik Silver badge

      Re: Security by obscurity?

      The main problem with security by obscurity is Kerckhoff's Principle: The information you're trying to keep hidden is in effect part of the secret key, and it's a part that 1) has lower information entropy than key material should have, and 2) can't be managed easily, because it's not pure key material. So it's inefficient security at best. Its contribution to security and resistance to attack can't be easily or accurately measured, and there's no recovery from compromise.

      In any case, it's not so much the hardware platform as the OS that matters. The only currently maintained OS for Itanium I'm aware of offhand is HP-UX; I don't know if Linux or FreeBSD are still supported (and OpenVMS?). Because HP-UX is obscure relative to the market leaders there's less total reward for exploiting it, and it has an overall smaller attack surface; the same would be true of other non-Linux alternatives.

      But I wouldn't even bother mentioning that, if I were in charge of security for these systems. It might reduce exposure to broad attacks - the typical portscanning script-kiddie stuff - but it won't help with targeted ones.

  3. yoganmahew

    Scalability not in the specification?

    "The pandemic also created market volatility that led to record levels of trading, which means the application needs to be re-scoped to work at larger scale."

    Er, what?

    1. steamnut

      Re: Scalability not in the specification?

      I agree. This sort of application needs to have scalability built-in from the start. To discover that "the application needs to be re-scoped to work at larger scale." so far down the line is just incompetent.

      I think they have been too focussed on the "blockchain" technology and lost sight of the real world use of the application.

    2. Pascal Monett Silver badge

      Re: Scalability not in the specification?

      Yeah, that caught me as well.

      A Stock Exchange already handles billions of transactions per day. How is it that they didn't have enough scalability in the specs already ?

      1. vtcodger Silver badge

        Re: Scalability not in the specification?

        Scalability? No problem. We'll just do a bit of DevOps an add some AI and put the whole thing in the cloud and use blockch ... ehrr ... uh ... scratch that last bit.

      2. fajensen

        Re: Scalability not in the specification?

        Because, that would exclude blockchain, and they wanted to have it!

        1. sgp

          Re: Scalability not in the specification?

          You know what works real well processing billions of transactions? Cobol on mainframes. Oh.

    3. fidodogbreath Silver badge

      Re: Scalability not in the specification?

      They could let GPU-equipped inernet randos mine stock certificates.

  4. fidodogbreath Silver badge

    The ASX has previously told your correspondent that it knows Itanium is an oddity, but that's not necessarily a bad thing seeing as criminal hackers are unlikely to waste much effort attacking the platform.

    Gauntlet thrown. Hackers, do you accept the challenge?

    1. Mike 16 Silver badge

      Obscurity and gauntlets

      I am curious what OS the Itaniums (Itania?) are running. My only encounter with the chip was a 6U server from Bull, running Suse Linux, IIRC, but didn't (doesn't) HP have OpenVMS running on it? So in addition to having Itanium chops, the ideal candidate would have VMS experience.

      (Not applying for the job. The only reason I was messing with that box was to test some rather bespoke hardware against it for one customer)

      1. jotheberlock

        Re: Obscurity and gauntlets

        They can also run HP-UX.

        1. jake Silver badge

          Re: Obscurity and gauntlets

          And they really aren't all that obscure.

  5. sbt
    Meh

    If you're running THE exchange, why ...

    ... do you need a distributed ledger? Not seeing the problem here. Seems like 'gee-whiz' factor at play.

  6. Anonymous Coward
    Facepalm

    Hit me with your vision stick

    This will not end well for ASX.

  7. julian.smith
    FAIL

    The Woop Woop Stock Exchange

    ASX Equity Trades JUL 2020: 32,481,895

    NYSE Tape A Daily U.S Equity Matched Volumes 28 OCT 2020: 1,094.7 (millions)

    Thus the NYSE has about (1094 X (say 20 trading days) = 21,880 / 32.5 = 670 times the volume of trades of the ASX.

    The ASX is less than insignificant

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022