
forget the fbi
I want the nsa to dump their collected password database into HIBP...
The creator of the Have I Been Pwned (HIBP) website, which alerts you if it turns out your credentials have been swiped and leaked from an account database, has open sourced the project's internals. Troy Hunt set up HIBP in 2013, and the dot-com is now said to be getting a billion requests a month. Last year, the man Down …
All those web sites that use the Google CAPTCHA system to "protect" login pages, has anyone ever thoroughly reviewed the code to check that Google are not keystroke-sniffing what the user enters into the login fields, and then exfiltrating the data for other Eyes to use...?
It's nice to be warned but when your name, DOB, address, or something like NI or social security number is out there, what can you do at that point? It's not like you can easily change them.
There needs to be real consequences for the directors of companies involved in data leaks, it's the only way.
> real consequences for the directors of companies involved in data leaks
There are millions in lobbying dollars making sure this won't happen anytime soon.
Selling people's personal information is an emerging market which has everybody salivating, since it doesn't require any big investments, so everybody will try to make sure nothing stands in the way of making a quick buck selling whatever PI they happen to collect in their core business. Free enterprise man! It never has been that easy to "monetize" masses of people since slavery was made illegal!
> industry partners to work together to develop lasting solutions
Or just leave it as it is, covered by a software Band-aid, it's not like customers can go elsewhere...
Or am I wrong? Genuine question, have all those bugs been fixed in recent CPUs (and by "fixed" I mean in a better way than by simply deactivating the offending parts of the CPU and slow it down)?
(Yes I know this is about RAM, but I shove it in the same "hardware bugs" category as Spectre & Company.)
Pretty much. There have been a couple of iterations of hardware fixes now for Intel & AMD. If you want either software to not have to care about security compartmentalisation, or increased security without any performance impact at all, you're going to be waiting forever because those things aren't desirable/possible.
I don't see how RowHammer/etc will ever be 'fully' fixed because it's essentially probabilistic and the surest ways to mitigate it significantly increase latency, power consumption, or silicon area in ways fundamentally linked to the physical laws of the universe. It could perhaps become the purest example of a security/cost/performance trade-off. The other dimension potentially worth trading against is uptime, because if hardware detects it might have been successfully Hammered the last line of defence is to halt execution rather than cede control to the attacker. Hard decisions.
Not entirely. Standard ECC can fix one-bit flips & detect two. For the last two decades. Two-bit-fix ECC (& detect 3&4) would only be marginally more expensive, and would be strongly resistant to this class of attacks.
But I was a validator, not a designer, so I don't have specifics.
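The comment above describes what standard SECDED ECC does: correct a single flipped bit and detect (but not locate) two. As an added illustration, not code from the thread or from any memory-controller vendor, here is an extended Hamming code over one byte that behaves that way. The 13-bit layout (overall parity at index 0, Hamming check bits at positions 1, 2, 4 and 8) and the `encode`/`decode`/`flip` helpers are assumptions chosen for readability, not the word format of any real DRAM controller.

```python
# Added example, not code from the forum thread: a SECDED extended Hamming code
# over one byte. This is the "fix one bit flip, detect two" behaviour the comment
# attributes to standard ECC; the 13-bit layout (overall parity at index 0,
# Hamming check bits at positions 1, 2, 4, 8) is an assumption for illustration,
# not the layout of any particular DRAM controller.

DATA_BITS = 8
CODE_LEN = 12                               # positions 1..12: 8 data + 4 check bits
CHECK_POSITIONS = (1, 2, 4, 8)              # Hamming check bits sit at powers of two
DATA_POSITIONS = [p for p in range(1, CODE_LEN + 1) if p not in CHECK_POSITIONS]


def encode(byte: int) -> list[int]:
    """Return a 13-element bit list: index 0 is overall parity, 1..12 the Hamming word."""
    if not 0 <= byte < 256:
        raise ValueError("one byte only")
    word = [0] * (CODE_LEN + 1)
    for i, pos in enumerate(DATA_POSITIONS):
        word[pos] = (byte >> i) & 1          # data bits, LSB first
    for p in CHECK_POSITIONS:
        # check bit p covers every position whose binary index has bit p set
        covered = [word[i] for i in range(1, CODE_LEN + 1) if i & p and i != p]
        word[p] = sum(covered) & 1
    word[0] = sum(word[1:]) & 1              # overall parity: whole word becomes even
    return word


def decode(word):
    """Return (status, byte). status is 'ok', 'corrected' or 'uncorrectable'."""
    w = list(word)
    syndrome = 0
    for p in CHECK_POSITIONS:
        if sum(w[i] for i in range(1, CODE_LEN + 1) if i & p) & 1:
            syndrome |= p                    # for a single flip, syndrome == position
    overall_even = sum(w) % 2 == 0

    if syndrome == 0 and overall_even:
        status = "ok"
    elif syndrome == 0:
        w[0] ^= 1                            # only the overall parity bit flipped
        status = "corrected"
    elif not overall_even and syndrome <= CODE_LEN:
        w[syndrome] ^= 1                     # single data/check bit flip: repair in place
        status = "corrected"
    else:
        # syndrome set but overall parity still even: two flips. The code can see
        # the damage but cannot locate it; a memory controller would raise a
        # machine-check here rather than hand corrupted data to software.
        return "uncorrectable", None

    byte = 0
    for i, pos in enumerate(DATA_POSITIONS):
        byte |= w[pos] << i
    return status, byte


def flip(word, *positions):
    """Return a copy of word with the given bit positions inverted (a constructed fault)."""
    w = list(word)
    for pos in positions:
        w[pos] ^= 1
    return w


if __name__ == "__main__":
    clean = encode(0xA5)
    print(decode(clean))                     # ('ok', 165)
    print(decode(flip(clean, 6)))            # ('corrected', 165)
    print(decode(flip(clean, 6, 11)))        # ('uncorrected', None) is never returned; prints ('uncorrectable', None)
```

The `uncorrectable` branch is the point the later comment makes about uptime: once two bits have flipped the code knows the word is bad but cannot say which bits, so the only safe response is to stop (a machine-check exception) rather than pass the data on. A double-error-correcting code would need more check bits per word, which is the "marginally more expensive" trade the commenter refers to.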