Gorgeous! Nice one Simon.
One of the world's most prominent planned uses of distributed ledger technology has been pushed back by a year. That application is a replacement for the Australian Stock Exchange's (ASX) core application, the Clearing House Electronic Subregister System (CHESS). The bourse was the first such operation in the world to commit …
Yes it does.
Do you know the location of the various US fleets ? China and Russia may know of one or two, but they don't know all the them. Those they do not know are secure.
Do you know the location of CIA safehouses in the world ? Neither does anyone else. They are secure, until the CIA thinks they're not and decommission them to create one somewhere else.
Security through obscurity works very well, just not on the Internet. At least, not if the target is interesting enough. I totally agree with the idea that the Itanium is not interesting for hackers.
That, plus the fact that the Stock Exchange is the most watched, audited and controlled place in the world - due to the overpowering flow of money - means that any hacking attempt will likely be flagged, traced and blocked faster than you can blink. On top of that, police authorities will treat it as a red alert priority one, putting every relevant asset on the case.
No, neither Russia nor China would be daft enough to mount an attack against any Stock Exchange, and no mere lone blackhat would dare try. So the fact that they're running Itanium is actually a very secondary concern.
The problem with all of the above is that you only THINK it is obscure, and thus "secure" ... until the miscreant shows his hand and blasts your safe-house into oblivion. All the power is in the hands of the attacker, not the defender.
This hacker has a couple dozen various model Itanium processors at his beck and call ... Feel lucky that I'm a white-hat, and not obscure at all :-)
In addition to the excellent rebuttal made above, observe that security through security does work AS AN ADDED LAYER in the context of other mitigations.
"I finally figured out their nonstandard encryption algorithm, but it requires just as much compute time to break as AES-256. Two weeks of my life wasted!"
So now, not only is your data secure, but it wasted two weeks of some poor cracker's life ;)
Yes, obscurity can be a part of security, but it should be a rather minuscule part.
I see your two weeks, and raise you a $5 wrench ... Or a simple telephone call (or "accidental"
meeting at a coffee shop or lunch counter) with an over-eager flunky.
+1 for proper use of Cracker, as opposed to the 'orribly misused and overloaded "hacker".
The main problem with security by obscurity is Kerckhoff's Principle: The information you're trying to keep hidden is in effect part of the secret key, and it's a part that 1) has lower information entropy than key material should have, and 2) can't be managed easily, because it's not pure key material. So it's inefficient security at best. Its contribution to security and resistance to attack can't be easily or accurately measured, and there's no recovery from compromise.
In any case, it's not so much the hardware platform as the OS that matters. The only currently maintained OS for Itanium I'm aware of offhand is HP-UX; I don't know if Linux or FreeBSD are still supported (and OpenVMS?). Because HP-UX is obscure relative to the market leaders there's less total reward for exploiting it, and it has an overall smaller attack surface; the same would be true of other non-Linux alternatives.
But I wouldn't even bother mentioning that, if I were in charge of security for these systems. It might reduce exposure to broad attacks - the typical portscanning script-kiddie stuff - but it won't help with targeted ones.
I agree. This sort of application needs to have scalability built-in from the start. To discover that "the application needs to be re-scoped to work at larger scale." so far down the line is just incompetent.
I think they have been too focussed on the "blockchain" technology and lost sight of the real world use of the application.
I am curious what OS the Itaniums (Itania?) are running. My only encounter with the chip was a 6U server from Bull, running Suse Linux, IIRC, but didn't (doesn't) HP have OpenVMS running on it? So in addition to having Itanium chops, the ideal candidate would have VMS experience.
(Not applying for the job. The only reason I was messing with that box was to test some rather bespoke hardware against it for one customer)
ASX Equity Trades JUL 2020: 32,481,895
NYSE Tape A Daily U.S Equity Matched Volumes 28 OCT 2020: 1,094.7 (millions)
Thus the NYSE has about (1094 X (say 20 trading days) = 21,880 / 32.5 = 670 times the volume of trades of the ASX.
The ASX is less than insignificant
US government sponsored research is casting new light on the security of blockchain technology, including the assertion that a subset of a distributed ledger's participants can gain control over the entire system.
The finding is part of a study [PDF] conducted by IT security researchers at Trail of Bits and commissioned by the Defense Advanced Research Projects Agency that points to several ways in which the immutability of blockchain – the distributed ledger on which Bitcoin and other cryptocurrencies rely – can be called into question.
Investigators at a blockchain analysis outfit have linked the theft of $100 million in crypto assets last week to the notorious North Korean-based cybercrime group Lazarus. The company said it had tracked the movement of some of the stolen cryptocurrency to a so-called mixer used to launder such ill-gotten funds.
Blockchain startup Harmony announced June 23 that its Horizon Bridge – a cross-chain bridge service used to transfer assets between Harmony's blockchain and other blockchains – had been attacked and crypto assets like Ethereum, Wrapped Bitcoin, Binance Coin, and Tether stolen.
According to blockchain analytics company Elliptic, the attacker immediately turned to Uniswap, a decentralized exchange, to convert most of the assets into 85,837 Ethereum, which researchers said is a common method used by hackers to avoid the stolen assets from being seized.
Executives at China's Blockchain-based Service Network (BSN) – a state-backed initiative aimed at driving the commercial adoption of blockchain technology – labelled cryptocurrency "the biggest Ponzi scheme in human history" in state-sponsored media on Sunday.
"The author of this article believes that virtual currency is becoming the largest Ponzi scheme in human history, and in order to maintain this scam, the currency circle has tried to put on various cloaks for it," wrote Shan Zhiguang and He Yifan in the People's Daily.
He Yifan is the CEO of startup Red Date Technology – a founding member and architect behind BSN – where he serves as executive director. Co-author Zhiguang Shan is chair of the BSN Development Alliance.
Comment Microsoft co-founder Bill Gates has declared that "expensive digital images of monkeys are going to improve the world immensely."
He was joking, obviously, though considering Gates's supposed connection to microchips in vaccines, one can never be too careful. What he's talking about are non-fungible tokens (NFTs), which came up at a TechCrunch event in Berkeley, California, on Tuesday. Specifically the Bored Ape Yacht Club variety.
You know those kids' books where the picture is divided into three (head, body, legs) so you can turn different sets of pages to get a different image? That's what the Bored Ape Yacht Club is for those willingly parted from large amounts of money for the right to stand next to a picture of a cartoon chimp.
China’s Supreme People’s Court has issued an opinion calling for massive adoption of blockchain across China’s judiciary, financial sector, and government, and for the technology to underpin intellectual property in the nation.
Published last week, the opinion* reveals that the Court has already recorded 2.2 billion items on a judicial blockchain. The Court now suggests 32 more initiatives, most of which concern using blockchain to enhance efficiency of, and trust in, the nation’s judiciary.
But the recommendations also go far wider, calling for the creation of “an interoperation collaborative mechanism with blockchain platforms”. That effort will allow “market regulation, property registration … and enable inquiry about and verification of information related to the ownership registration and status of transactions, such as basic business profile, variation of corporate equities, correlation between businesses, ownership of immovables and movables, financial leasing, precious metal trading, to facilitate the identification of ownership and transactions of property rights, so as to intensify the development of the classified and categorized supervision system based on data and credit, and to further improve the national business environment.”
A flaw detected in the browser version of the Ever Surf cryptocurrency wallet could have given hackers who exploited it full control over a targeted user's wallet, say threat hunters at Check Point Research.
The security vulnerability made it possible for threat actors to decrypt the private keys and seed phrases found in the browser's local storage, opening the door to cracking the victim's wallet and accessing the cryptocurrency stored there, the researchers wrote in a blog post Monday.
"As the browser's local storage is unprotected, the data stored there must be securely encrypted," they wrote. "Despite the fact that Surf uses reliable cryptographic libraries for the key derivation and the encryption, the sensitive data in the web version of Surf doesn't appear to have adequate protection."
HPE has lifted the lid on two new AI products, one aimed at enterprises wanting to build and train machine learning (ML) models at scale, and a second that introduces a decentralized ML system to enable distributed or edge deployments to share updates to their models.
Now rebadged as the HPE Machine Learning Development Environment, this is integrated with HPE compute infrastructure to deliver a system that HPE claims can speed up the typical time-to-value from building and training machine models from weeks or months to days.
Miscreants exploited a now-fixed design flaw in the Rarible NFT marketplace to steal a non-fungible token from Taiwanese singer and actor Jay Chou and sell it for about $500,000.
That's according to folks at Check Point, who on Thursday said the vulnerability could have been abused by crooks to gain full control of victims' marketplace accounts and the funds in them. Earlier this month, Chou said his NFT was stolen in what looked like a phishing attack.
When researchers Roman Zaikin, Dikla Barda and Oded Vanunu investigated the security shortcoming they found that fraudsters could lure users to click on a link to malicious NFT, enabling them to take control of their marks' Rarible accounts using a standard called EIP-721.
The Australian Securities Exchange (ASX) is attempting to replace its core trading systems with a blockchain-powered alternative – an effort often touted as one of the world's most significant blockchain implementations. Unfortunately, the project has struck trouble, again.
The application in question is called "CHESS" – the Clearing House Electronic Subregister System. ASX trading data suggests it handles 39.7 million trades in an average month. The Register understands the platform was built in COBOL and runs on servers running the discontinued Itanium processors cooked up by HPE and Intel in the 1990s – a combination that saw the ASX announce a blockchain-based rebuild in 2017, with a planned go-live in 2021. That was subsequently revised to April 2022, then April 2023.
The ASX liked the idea of a blockchain-powered bourse because it would mean market participants could store their own copy of the distributed ledger that recorded the state of the market. Orders placed on participants' own systems would be mirrored across the network of participants, with all entries immutably recorded – just the way traders and regulators like it.
Analyst firm Forrester Research has had a look at Web3 – the buzzword describing blockchain-powered decentralized metaverse-y stuff – and decided there's not a lot to like.
The firm this week issued a pair of documents assessing Web3.
The first, titled "Web3 And Web 3.0 Are Synonymous Today – But This Wasn't Always True", points out that the term "Web 3.0" was first used in the mid-2000s, when it was used interchangeably with Sir Tim Berners-Lee's vision of a "semantic web". The term re-emerged in 2014 when Ethereum cofounder Gavin Wood suggested the Ethereum blockchain become the foundation for a decentralized web.
Biting the hand that feeds IT © 1998–2022