Re: Almost ready
https://www.youtube.com/watch?v=uL2gxb-TcLM
Zoltan!
Bubblewrap jumpsuits!
78 publicly visible posts • joined 28 Mar 2013
The idea is to put your decryption code in the enclave and then send encrypted text and a description of the operation you want to perform to the enclave.
The unencrypted data never leaves the enclave, not even the hypervisor sees the unencrypted data.
E.g. to search encrypted data in sql server
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sqlallproducts-allversions
What I do not get is how you get the decryption keys into the enclave securely!
"The client driver sends the column encryption keys required for the operations to the secure enclave (over a secure channel)."
What secure channel which the hypervisor cannot see? Hmmm..
Sounds like "Always Encrypted with Enclaves" http://smooth1.co.uk/sqlbits2018/sqlbits2018roundup.html#2
1. Is this protected against https://www.theregister.co.uk/2018/03/28/intel_shrugs_off_new_sidechannel_attacks_on_branch_prediction_units_and_sgx/ with "utilization of an appropriate side channel attack-resistant crypto implementation inside the enclave"?
2. Has it been rebuilt with https://www.theregister.co.uk/2018/03/01/us_researchers_apply_spectrestyle_tricks_to_break_intels_sgx/ "Enclave code will need to be rebuilt and redeployed using the updated development kit to be protected from malicious sysadmins."?
3. As per my blog entry above "On first use the client driver and enclave negotiate a shared secret and then setup the secure tunnel" Surely to negotiate a shared secret there is a small initial window where you first have to trust the hypervisor?
Really?
https://docs.microsoft.com/en-us/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server
"In a production environment, we recommend that you use static IP addresses in conjunction the virtual IP address of a Failover Cluster Instance. We recommend against using DHCP in a production environment. In the event of down time, if the DHCP IP lease expires, extra time is required to re-register the new DHCP IP address associated with the DNS name. "
Just checking Wikipedia https://en.wikipedia.org/wiki/Software_Guard_Extensions#cite_note-14 we see that
a) There was a Prime+Probe attack which used "certain CPU instructions in lieu of a fine-grained timer to exploit cache DRAM side-channels" and a countermeasure was published
b) The LSDS group at Imperial College London showed a proof of concept that the Spectre speculative execution security vulnerability can be adapted to attack the secure enclave and the code is dated 2 months ago.
I wonder if the "compiler-based tool, DR.SGX" which was a countermeasure for Prime+Probe could be extended to handle Spectre?
6000 machines...so run 200 machines at a time for 30 times.
What is this obsession with 10, 100, 2000, rest and doing a massive population in 5 steps?
Even if 2110 machines worked fine how long would it take to fix the last 3900 machines if enough of them broke?
For failures it is not the number of times you have done it before but the size of the failure domain and how long it takes to fix.
It should be possible to roll out automatically in small batches and even have multiple upgrades rolling out at the same time on an automatic schedule, ripple across the farm!
If it is automated and scheduled who cares how many batches of upgrades are run?
You would catch errors with less impact that way as the failed batch size would be smaller and it would be minimal extra work if designed correctly.
This is the next stage in cloud service design - being able to have slower rolling upgrades with smaller batches!
1st prompt
This will shutdown 1040 servers, please type 1040 to continue.
2nd prompt
This will reduce capacity enough to cause a service failure for the following 8 services
A
...
G
Please type "8 SERVICE FAILURES" to continue.
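The two posts above argue that what bounds the damage of a farm-wide upgrade is the size of the failure domain, not how many times the procedure has been run, and sketch a confirmation prompt that spells out the capacity impact. The following is an added example (not code from the forum posts or from any product they mention) that puts both ideas into runnable Python: it compares a fixed 200-host batch schedule against the 10 / 100 / 2000 / rest pattern, halts a rollout on the first batch that breaks, and generates the two-stage confirmation text. The host farm, the services, their capacity floors and the pattern of upgrade failures are all constructed for the illustration.

```python
"""Batch rollout planner: bounds the failure domain of a farm-wide upgrade and
halts on the first bad batch. Added illustration; all data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    hosts: frozenset        # host ids that serve this service
    min_healthy: int        # capacity floor; fewer healthy hosts means an outage


def fixed_batches(hosts: Iterable[int], size: int) -> List[List[int]]:
    """Split hosts into equal batches of `size` (e.g. 6000 hosts / 200 = 30 batches)."""
    ordered = sorted(hosts)
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]


def staged_batches(hosts: Iterable[int], sizes: Sequence[int]) -> List[List[int]]:
    """Split hosts into batches of the given sizes; whatever is left over becomes
    the final batch (the 10 / 100 / 2000 / rest pattern)."""
    ordered = sorted(hosts)
    batches, pos = [], 0
    for n in sizes:
        batches.append(ordered[pos:pos + n])
        pos += n
    if pos < len(ordered):
        batches.append(ordered[pos:])
    return batches


def services_at_risk(services: Iterable[Service], down: Set[int]) -> List[str]:
    """Names of services whose healthy host count would drop below their floor
    if every host in `down` were taken out at the same time."""
    return sorted(s.name for s in services if len(s.hosts - down) < s.min_healthy)


def confirmation_text(batch: Sequence[int], services: Iterable[Service]) -> str:
    """The two-stage confirmation an operator sees before a batch is shut down."""
    lines = [f"This will shutdown {len(batch)} servers, please type {len(batch)} to continue."]
    risky = services_at_risk(services, set(batch))
    if risky:
        lines.append("This will reduce capacity enough to cause a service failure "
                     f"for the following {len(risky)} services")
        lines.extend(risky)
        lines.append(f'Please type "{len(risky)} SERVICE FAILURES" to continue.')
    return "\n".join(lines)


def run_rollout(batches: Sequence[Sequence[int]],
                upgrade: Callable[[int], bool],
                max_failed_per_batch: int = 0) -> Tuple[List[int], List[int], Optional[int]]:
    """Apply `upgrade(host) -> bool` batch by batch and stop as soon as a batch
    exceeds the failure tolerance, so the broken population never exceeds one batch.
    Returns (hosts upgraded, hosts that failed, index of the batch that aborted or None)."""
    upgraded: List[int] = []
    failed: List[int] = []
    for i, batch in enumerate(batches):
        bad = [h for h in batch if not upgrade(h)]
        failed.extend(bad)
        upgraded.extend(h for h in batch if h not in bad)
        if len(bad) > max_failed_per_batch:
            return upgraded, failed, i
    return upgraded, failed, None


# Constructed farm of 6000 hosts. The constructed failure pattern only bites late:
# hosts 2500 and above whose id is a multiple of 7 break, so the first 2110 hosts
# upgrade cleanly under either schedule.
HOSTS = range(6000)


def flaky_upgrade(host: int) -> bool:
    return not (host >= 2500 and host % 7 == 0)


# Constructed services with capacity floors, used for the confirmation prompt.
SERVICES = [
    Service("A", frozenset(range(0, 20)), min_healthy=15),
    Service("B", frozenset(range(1000, 1010)), min_healthy=5),
]

if __name__ == "__main__":
    for label, batches in (("fixed 200", fixed_batches(HOSTS, 200)),
                           ("10/100/2000/rest", staged_batches(HOSTS, [10, 100, 2000]))):
        up, bad, stopped = run_rollout(batches, flaky_upgrade)
        touched = len(batches[stopped]) if stopped is not None else 0
        print(f"{label}: {len(bad)} broken hosts, rollout halted in a batch of {touched}")
    print(confirmation_text(list(range(10)), SERVICES))
```

Run as-is, the fixed schedule halts at the first 200-host batch that contains a broken host, leaving 14 hosts to repair, while the staged schedule has already committed the last 3890 hosts when the same fault surfaces and leaves 500 to repair; that difference is the failure domain the post is talking about, and it does not depend on how many batches were run beforehand.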
(Transactions) or (integrity checks).
Integrity checks I expect are unique/primary/check/foreign key constraints. We used to disable them when doing data migrations until the end.
"You can't disable logging on mssql.".
Pity, you can on Informix!