"Blockheads"
Gorgeous! Nice one Simon.
One of the world's most prominent planned uses of distributed ledger technology has been pushed back by a year. That application is a replacement for the Australian Stock Exchange's (ASX) core application, the Clearing House Electronic Subregister System (CHESS). The bourse was the first such operation in the world to commit …
Yes it does.
Do you know the location of the various US fleets? China and Russia may know of one or two, but they don't know all of them. Those they do not know are secure.
Do you know the location of CIA safehouses in the world? Neither does anyone else. They are secure, until the CIA thinks they're not and decommissions them to create one somewhere else.
Security through obscurity works very well, just not on the Internet. At least, not if the target is interesting enough. I totally agree with the idea that the Itanium is not interesting for hackers.
That, plus the fact that the Stock Exchange is the most watched, audited and controlled place in the world - due to the overpowering flow of money - means that any hacking attempt will likely be flagged, traced and blocked faster than you can blink. On top of that, police authorities will treat it as a red alert priority one, putting every relevant asset on the case.
No, neither Russia nor China would be daft enough to mount an attack against any Stock Exchange, and no mere lone blackhat would dare try. So the fact that they're running Itanium is actually a very secondary concern.
The problem with all of the above is that you only THINK it is obscure, and thus "secure" ... until the miscreant shows his hand and blasts your safe-house into oblivion. All the power is in the hands of the attacker, not the defender.
This hacker has a couple dozen various model Itanium processors at his beck and call ... Feel lucky that I'm a white-hat, and not obscure at all :-)
In addition to the excellent rebuttal made above, observe that security through obscurity does work AS AN ADDED LAYER in the context of other mitigations.
"I finally figured out their nonstandard encryption algorithm, but it requires just as much compute time to break as AES-256. Two weeks of my life wasted!"
So now, not only is your data secure, but it wasted two weeks of some poor cracker's life ;)
Yes, obscurity can be a part of security, but it should be a rather minuscule part.
I see your two weeks, and raise you a $5 wrench ... Or a simple telephone call (or "accidental" meeting at a coffee shop or lunch counter) with an over-eager flunky.
+1 for proper use of Cracker, as opposed to the 'orribly misused and overloaded "hacker".
The main problem with security by obscurity is Kerckhoffs's Principle: The information you're trying to keep hidden is in effect part of the secret key, and it's a part that 1) has lower information entropy than key material should have, and 2) can't be managed easily, because it's not pure key material. So it's inefficient security at best. Its contribution to security and resistance to attack can't be easily or accurately measured, and there's no recovery from compromise.
In any case, it's not so much the hardware platform as the OS that matters. The only currently maintained OS for Itanium I'm aware of offhand is HP-UX; I don't know if Linux or FreeBSD are still supported (and OpenVMS?). Because HP-UX is obscure relative to the market leaders there's less total reward for exploiting it, and it has an overall smaller attack surface; the same would be true of other non-Linux alternatives.
But I wouldn't even bother mentioning that, if I were in charge of security for these systems. It might reduce exposure to broad attacks - the typical portscanning script-kiddie stuff - but it won't help with targeted ones.
I agree. This sort of application needs to have scalability built-in from the start. To discover that "the application needs to be re-scoped to work at larger scale." so far down the line is just incompetent.
I think they have been too focussed on the "blockchain" technology and lost sight of the real world use of the application.
I am curious what OS the Itaniums (Itania?) are running. My only encounter with the chip was a 6U server from Bull, running Suse Linux, IIRC, but didn't (doesn't) HP have OpenVMS running on it? So in addition to having Itanium chops, the ideal candidate would have VMS experience.
(Not applying for the job. The only reason I was messing with that box was to test some rather bespoke hardware against it for one customer)
ASX equity trades, JUL 2020: 32,481,895
NYSE Tape A daily U.S. equity matched volume, 28 OCT 2020: 1,094.7 million
Thus the NYSE has about (1,094 × say 20 trading days = 21,880 million; 21,880 / 32.5 = 670) times the trade volume of the ASX.
The ASX is less than insignificant
Stock market transactions here in Australia can run into the millions of dollars per transaction, especially if it's the large financial institutions doing the trading. Tracking all of those trades behind the existing computer transactions would be hordes of accounting folk familiar with the double-entry book-keeping method invented by Luca Bartolomeo de Pacioli in the 15th century, so chasing down any irregularities in transactions or payments is relatively straightforward: until you sort the matter out, the books won't balance.
With blockchain, which the majority of the population don't really understand, including myself, say one leg of a large $50 million trade disappears into the ether, or is perhaps fraudulently diverted with a corrupt blockchain (assuming of course such a thing is possible). Then who is going to be able to track down the errant transaction and fix it, and, given blockchain is supposed to be immutable and irrevocable, how would you even reverse anything?
I can readily understand that pretty much all of the ASX brokers and users weren't all that keen on this idea and I am also left wondering where exactly the reputed hundreds of millions of dollars in annual savings in using blockchain was supposedly going to come from.
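The two reconciliation models the comment above contrasts, shown side by side as an added example (this is not code from the article, the ASX, or the CHESS replacement, and the trades are constructed sample data): a double-entry ledger whose trial balance fails the moment one leg of a trade goes missing, and a toy append-only hash chain where a record cannot be edited in place without breaking every later hash, so the only "reversal" is a compensating record appended on top. The account names, transaction ids and the chain format are assumptions made for the illustration.

```python
"""Reconciling trades two ways: double-entry trial balance vs. append-only hash chain.
Added example with constructed sample data; not ASX/CHESS code."""
import hashlib
import json
from collections import defaultdict

# ---------- double-entry books: every transaction's legs must net to zero ----------

def trial_balance(entries):
    """Entries are (txn_id, account, debit, credit). Returns (balanced?, per-account totals)."""
    totals = defaultdict(lambda: [0, 0])
    for _, account, debit, credit in entries:
        totals[account][0] += debit
        totals[account][1] += credit
    total_debit = sum(d for d, _ in totals.values())
    total_credit = sum(c for _, c in totals.values())
    return total_debit == total_credit, {k: tuple(v) for k, v in totals.items()}

def unbalanced_transactions(entries):
    """Ids of transactions whose own legs do not net to zero, i.e. a leg went missing."""
    net = defaultdict(int)
    for txn_id, _, debit, credit in entries:
        net[txn_id] += debit - credit
    return sorted(t for t, v in net.items() if v != 0)

# Constructed sample: T1 settles cleanly; T2 has lost its seller-side leg.
SAMPLE_ENTRIES = [
    ("T1", "buyer:cash", 0, 50_000_000),
    ("T1", "seller:cash", 50_000_000, 0),
    ("T2", "buyer:cash", 0, 50_000_000),   # the seller's leg "disappears into the ether"
]

# ---------- append-only hash chain: records are immutable, corrections are appended ----------

GENESIS = "0" * 64

def _hash_block(prev_hash, record):
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Chain each record to its predecessor's hash."""
    chain = []
    prev = GENESIS
    for rec in records:
        h = _hash_block(prev, rec)
        chain.append({"prev": prev, "record": rec, "hash": h})
        prev = h
    return chain

def append_block(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": _hash_block(prev, record)})
    return chain

def verify_chain(chain):
    """True only if every block's hash covers its record and links to the previous block."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or _hash_block(prev, block["record"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True

def compensating_record(record):
    """Undo a transfer without editing history: send the same amount back."""
    return {"txn": record["txn"] + "-REV", "from": record["to"], "to": record["from"],
            "amount": record["amount"]}

def chain_positions(chain):
    """Net cash position per account implied by the chain's transfer records."""
    pos = defaultdict(int)
    for block in chain:
        r = block["record"]
        pos[r["from"]] -= r["amount"]
        pos[r["to"]] += r["amount"]
    return dict(pos)

if __name__ == "__main__":
    balanced, _ = trial_balance(SAMPLE_ENTRIES)
    print("books balance:", balanced, "broken txns:", unbalanced_transactions(SAMPLE_ENTRIES))
    # Constructed: a $50m transfer diverted to the wrong account.
    chain = build_chain([{"txn": "T2", "from": "buyer:cash", "to": "wrong:cash", "amount": 50_000_000}])
    # Editing the record in place breaks verification...
    tampered = [dict(b, record=dict(b["record"], to="seller:cash")) for b in chain]
    print("edited in place verifies:", verify_chain(tampered))
    # ...so the fix is an appended compensating record, and the chain still verifies.
    append_block(chain, compensating_record(chain[0]["record"]))
    print("after compensation verifies:", verify_chain(chain), chain_positions(chain))
```

The trial balance catches the missing leg because the unbalanced transaction id falls out of `unbalanced_transactions` directly, which is the "books won't balance" property. On the chain, the same diversion is found not by a balance check but by reading positions, and the remedy leaves the bad record in history forever with an offsetting one after it; anyone auditing later sees both.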