* Posts by Speltier

165 publicly visible posts • joined 1 May 2014


OpenSSH takes aim at 'capture now, decrypt later' quantum attacks

Speltier

Re: What's the problem?

I figured that AES was chosen so that it was not breakable except by application of massive black budgets. Ostensibly part of the reason for AES is that AES can work on small IoT devices, but really it means that a big enough farm can break AES via brute force.

You will note that for PKI the symmetric encryption used is still AES, it is only the key exchange that is now quantum safe. So adding dual sig helps protect against near term script kiddies and scrapers while still protecting the farming attack (well, crqc helps there due to Grover's, but I digress).

Realistically, most wanker companies will drag their feet on PQC and get bitten, if history is any indication. Horse lead water drink conundrum.

Browse mode: We're not goofing off on the Sidebar of Shame and online shopping sites, says UK's Ministry of Defence

Speltier

Amazon

Well, you have to visit Amazon to buy the tech tat you need to do your job. I'm a bit more inclined to The Economist than lesser rags; and being word dense, it looks like work. OK, for most people it is too much like work to read The Economist, so they read the Daily Mail. To really look busy, read late breaking news in arxiv-- impress your boss with all those charts and graphs, not only are they fascinating but they look like you are working!!

Remember when Europe’s entire Galileo satellite system fell over last summer? No you don’t. The official stats reveal it never happened

Speltier

Re: A GPS system

Well, they should always be right, because lefts cross traffic (although not in the UK), which is far more dangerous. Perhaps that was the problem: someone used UK units instead of non-UK units of direction, so the sats all took a turn for the worse?

IBM, Microsoft, a medley of others sing support for Google against Oracle in Supremes' Java API copyright case

Speltier

Show me the money

Oracle bid high for Sun, and is still struggling to get that money back.

Boeing aircraft sales slump to historic lows after 737 Max annus horribilis

Speltier

Pesky Cost Centers

Some years ago, Boeing laid off a pile of engineers. Prior to the 787MAX. I was wondering what work they were doing that would no longer get done, or done correctly. Now, I guess I know.

Doc Wall Street and his/her MBA buddies ordered a corporate pre-frontal lobotomy to save the bottom line; it is just so expensive supporting brains, who needs them? Clearly not Wall Street or MBA bottom fishers.

EU wouldn't! Uncle Sam brandishes 'up to 100%' tariffs over France's Digital Services Tax

Speltier

Re: Wrong argument

Yes, totally wrong, and every company in the world does it. For a simple case, suppose a country had a law that said, only 10% profit is allowed. Wow, magically the CEO is paid a bonus equal to anything over 10%... the books are totally cooked. This is an argument for having solely the pair: a consumption tax; and a gross wealth tax. There is precious little reason for anyone to be sitting on a pile of billions of euros, and taking the politician beloved tax monkey out of corporations will at least change the market distortions. Finally, when you come down to it, the only source of wealth is the labor of individual workers (Marx was heading in the right direction but went off the rails into communism, which simply won't work with devious primates).

HP to hike upfront price of printer hardware as ink biz growth runs dry

Speltier

Epson Inkjet

I had a very old Epson inkjet. Indestructible-- leave it out in the shed for a year in the heat, cold (far below freezing, with ink cartridges still installed!), humidity, bugs... drag it in, it would work. Third party cartridges, it would work. What killed it was that Epson stopped making drivers for it after Win98.

So I replaced it with a then current model Epson. Ran through one cartridge set, and failed with an Epson new cartridge, needed new head, and it had not even resided in the shed yet. Sent to landfill, first replaced with a Kodak (yes, I fell for the marketdroid slobber). Well... that didn't work out any better than the 2nd Epson did. Eventually replaced with a Brother laser black and white. Which has worked well now for ages, through several toner cartridges. No HPs, no Epsons, no Kodaks. Cost per unit page is less too, but then it is black and white not color.

Speltier

Brother provides a post paid box to take back toner cartridges. I don't think Brother has a major issue with an imploding business model like HP is developing.

Queue baa, Libra: People will buy what Facebook's selling. They shouldn't, but they will

Speltier

Re: Black as your soul, I'd rather die than give Facebook control

Ha. The problem is, they are trying to increase inflation to the 2% mark.

This is a crock, the ideal inflation is 0%, although then the brainless financiers have to struggle with numbers less than zero ("deflation", horrors! Oh wait...). 2% is a sop for Wall Streeters who continually sing the growth song, and for cutting workers salaries by not giving pay raises (virtuously also raising profits from the mirage of "inflationary growth" when workers don't get paid more).

Draghi is far better than that loser Trichet who blamed the last financial meltdown on American mortgages when the EU was swilling the Kool Aid just as fast as Americans, and most of that wasn't mortgages (the entire American mortgage market is 11 trillion, smaller than the losses incurred to date. But people still swill the idea that subprime mortgages are the cause of the recession).

What's that? Uber isn't actually worth $82bn? Reverse-gear IPO shows the gig (economy) is up

Speltier

Re: @Time Waster - I'm not sure I see how they get to profitability

Seasoned drivers eventually die off and will be replaced with robo car coddled humans. Expect the seasoned driver pool to shrink over time. Sure there will be talented amateurs around, just like for riding the early autonomous vehicles (horses). Don't expect the population of either to increase, though; for cars we may have reached Peak Seasoned Driver already.

Speltier

Re: Because debt is grossly under-priced and money has to go somewhere.

Companies tend not to have financial cushions, because corporate raiders will buy the company and bury the depleted husk under debt. Same would happen to people saving for retirement if the hedge fund raiders could figure out how to manage that. For companies, this boosts the concept of stock buy backs with the spare cash-- not only puffs up the CEO bonus by boosting share prices, but also lets the CEO keep milking the bonus train for longer by keeping raiders from causing c-suite unemployment.

The raider mentality in America reinforces enbiggening companies so that raiders can't touch them. Any smaller company that manages to gain a strong brand or a pile-o-cash(r) will be bought and drained of life (either by a raider, or by the giant company leading the pack). A side effect of this is that, in America at least, you can't successfully break up a big company. That big company will just be replaced by another big company in the same market niche... and if you dream of wiping all the big companies in America out, that just means a company in some other country will take up the role.

'Software delivered to Boeing' now blamed for 737 Max warning fiasco

Speltier

Re: Surely...

Selection bias. The ones using waxed bog rolls full of Drano(r) as a scrubber might not respond, so the "waxed bog rolls full of Drano" idea will live on as a viable possibility.

Huawei savaged by Brit code review board over pisspoor dev practices

Speltier

We Take Your Concerns Seriously

Until you seriously want to pay for good code, good luck with that; lip service is cheap, good code isn't. Before the open source weenies can screech, where is this open source 5G firmware running on open source hardware ASICs (or even soft rads)? Was the VHDL examined for convenient weaknesses? ("enable high security mode" flag in that header file for a hardware register-- does the flag really do that?)

And on a corollary topic, just because the inspected code is back door free, who says some future patch is back door free? Someone going to pay for evaluation of each patch? Everyone going to tolerate an extra 6 months of delay for patching while the evaluation is done? No, of course not-- next quarter the budget is axed and the back doors are installed-- because that is cheaper for the bean counters at the end users. Security is a frictional loss and no one wants to pay for security if they can avoid the profit sapping endeavor.

Basically it comes down to being able to trust the source company not to sell out to someone you don't like-- be that GCHQ, NSA, BND, FSB, or some tentacle of the ChinCom government.

HP deployed 'Truth Squad' in post-Autonomy PR blitz to defend Meg Whitman

Speltier

I don't get it

Why defend "eBay was my one trick pony" Whitman? Autonomy wasn't her idea, just throw "Francis Aaron 85" Apothecker under the bus (again). The main reason the 8.8B was grotesque was that the writedown should not have happened if anyone had done proper due diligence... Whitman only needs a truth squad to spin out reasons why she did not clean house thoroughly.

DXC Security exec: Yes, I'd have thought we'd spend more on certs and laptop kit for staff, too

Speltier

Lay Offs

Any company that lays off employees is showing terminal signs of management failure. If Wall Street pumps the stock due to a layoff, that is even worse, it means that Wall Street is about to short the stock after the bump because

a) the management is obviously incompetent, as signaled by layoffs. Management doesn't lay itself off, so there is no possible recovery for dumb.

b) the company ditched its most valuable assets-- human capital. How can a company sell more ... what? No one left to make the "what". Can't save your way to success as a company.

On a local basis of course, the path through layoffs may make perfect, if bloodily mercenary, sense: as an exec you get yours and move on, hoping the next job ignores the fact that an exec coming from a company with layoffs is a sign of fatal executive failure (why hire a failure? Especially one that took the money and ran? One reason is that the new group is planning a similar plunder and run-- thus, watch where the rats go; if they board your ship, prep the HMS CV to escape the now plague ridden corporate ship. All those executive rats go SOMEWHERE; where is the app for tracking executive rats escaping a sinking ship?).

Oracle throws toys out pram again, tells US claims court: Competing for Pentagon cloud contract isn't fair!

Speltier

Interesting

Oracle hired some pretty good lawyers, the arguments actually make sense. DoD saying no conflict of interest in a contract obviously intended as a cloud contract seems specious... I mean really, did DoD expect that AWS would not be in the running while Ubhi was scratching out pieces of the early contract terms? Who is kidding who here? Start an investigation, but only if someone notices.

Finally, a cloud monoculture contract seems a little hazardous for security. It is a bit cheaper, and maybe that would help make up for POTUS flinging billions away on a useless physical wall when what is needed are walls to stop data pilferage about say, boomer locations.

Oracle is a competitor that everyone loves to hate, but they seem to have found some flames at the bottom of the smoke column on this one.

IBM to kill off Watson... Workspace from end of February

Speltier

SameTime

Mainly using SameTime which people are used to, pretty simple with the usual foibles that developers build in thinking some doohickey is cute (pick your favorite to beat on) when actually the doohickey is a PITA because the menus are now one or two levels deeper to get your job done. And, no one ever seems to use the doohickey. So you pay a penalty for something you don't use... product features inserted by clueless unguided developers too close to the problem.

We are pushed to use WebEx. Well, I like the camera feature, you can see who you are talking to. A lot of people don't care about that. However, the rest of WebEx is a mess. The audio has a mind of its own on a mac (need a headset or a separate tool like a Jabra, or people constantly harping about how they can't hear you, at which point you discover the mic has been mysteriously adjusted-- yeah, probably a "feature"). The process to share something on the screen is awkward. The first level simple sharing by the host should be point and click, not menu, wander about, select this, no... try that... It seems beyond the learning curve. And calling in using the phone, a necessary feature (even if Cisco apparently hates it), was originally painfully lengthy and awkward. Evidently someone with muscle complained, as the phone call-in is a bit better now.

Having said that, if WebEx would clean up its obtuse gui I'd prefer WebEx over ST. The main advantages are video, and ability to know which idiot is munching their breakfast on an open line... and mute them (even this doesn't work right though. Once a phone line is muted, only the host can unmute. Well, one can say that is good riddance but that is bad design. The muted person should be able to unmute on their own, hopefully having learned a lesson).

New side-channel leak: Boffins bash operating system page caches until they spill secrets

Speltier

What the Bot?

A side channel and a covert channel are not the same thing. Described apparently is a covert channel, exceedingly common in any system sharing one or more resources. We have to document all the covert channels for certification; yes, cache-- all the different caches-- is one class amongst many. I have not seen the ArXiv paper, so perhaps this particular covert channel is some flavor of a data covert channel... strictly prohibited, and would justify some alarm.

If you don't want any covert channels, don't share any resources.

Nobody in China wants Apple's eye-wateringly priced iPhones, sighs CEO Tim Cook

Speltier

Eye Popping Price

Apple almost but not quite jumped the shark on the pricing.

We did not upgrade due to the eye watering price combined with no real new features other than a larger OLED (vs. X). Popped a new iFixit battery into the old 5S, added iCloud to the 5S, and even the old creaky low memory 5S is good to go on for another few years. Why is this? Because, unlike the nutty droid wankers, Apple actually updates their ecosystem firmware for quite a long time. Amortized over time (lots of shiny droids quickly becoming landfill because who wants a security hole vs. marching on with an iPhone), a single iPhone is actually more environmentally conscious and not much different in price. Rumor is that the next iPhone will have 3D imaging... that might make it worth considering, as the 5S is nearly end of support.

Oregon can't stop people from calling themselves engineers, judge rules in Traffic-Light-Math-Gate

Speltier

Distinctions

Most people would miss this, but one can be a licensed engineer (has taken the applicable tests and gotten the applicable recommendations etc.) and a licensed and registered engineer (registered to practice in a particular state or states). One is licensed forever, sort of like having a BS, MS, PhD, VMD, MD, Dpl, etc. Registration is a periodic thing in most states, many now requiring continuing education and a fee to maintain said registration (but not license, which is forever or until revoked for cause).

Since universities usually graduate people as "engineers" from an engineering program, Oregon was rightly squashed on the topic. However, it seems reasonable to restrict the term registered, and almost certainly licensed. Apparently Jarlstrom just didn't want to go through the substantial effort to become at least licensed and thus gain the respect of the masses of unwashed humans.

Full disclosure: I am a licensed and registered engineer, but not yet certifiable (although some may dispute that).

NASA names the date for the first commercial crew demo flight

Speltier

Achtung Cimon!

I'm built by Airbus for the German space agency, imprinted on a German 'naut... using IBM ("HAL") Watson...

Gerst was my dearest imprint friend, but he turned on me.

YOU meatbags have to sleep sometime. I don't.

Keen for much-hyped quantum computing to finally land? Don't expect it for a decade

Speltier

Don't miss the point

Your encrypted data is stolen today including the key exchange bits. Don't be smug.

If your data has a lifespan longer than 10 years (say, the names of all the spies and moles in <name your country>, or your GDPR protected data where your company is bankrupted by the brusselcrats when the data is revealed, or your carefully constructed pile-o-shell companies for tax evasion) you are exposed when that quantum computer pops into existence. Yes, I know, the inflexion isn't like that but you get the drift. And it could be never, or 10 years from now, or 2 years from now, or 2 years ago that a suitable QC exists to crack vulnerable encryption.

The data has to be resistant to quantum attack n years before a QC attack is feasible, where n is the time value of the data.

Better hope that QC are further than 10 years away, because it will take longer than that to modify the infrastructure to be quantum resistant... on the other hand, it is a brave new world for stealing valuable resources. The number of vulnerable points is truly astonishing, QC as the supernal zero-day.

My hoard of obsolete hardware might be useful… one day

Speltier

TEK 525? HeathKit IO-10? Complete set of 5150 software still in shrinkwrapping? SR-50? thousands of floppies (shortly to be tens of floppies)? memory ranging from 16b bipolar to 8GB sticks (not counting flash, but yes UV erase EPROM is counted)?...

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses

Speltier

It's Hopeless I Tell You!

When quantum computers capable of breaking asymmetric algorithms come over the hill, that is it for the security of current IoT devices.

So kick the can down the road, and mandate security after the quantpocalypse. Before that, don't bother since current IoT devices are trash at the quantum inflection point anyway. (expect the quantpocalypse for ordinary folks not subject to nation state attack in maybe 10 years. If the son of Mao is after you, well, that's sooner. Much sooner. But probably not yesterday. I can't tell if that particular cat is dead or alive without decohering the innermost matryoshka.).

Dutch cops hope to cuff 'hundreds' of suspects after snatching server, snooping on 250,000+ encrypted chat texts

Speltier

Trust

How many of the users verified that what was running in the IronPhone was what was expected to be running in the IronPhone, and was correctly implemented?

Anyone with a smartphone gets a lot of "updates", so your IronPhone has an update for 'security' and what do you do? Leave the app running a low entropy key? Apply the potential plod back door?

At least AES256 super-encipher using a separate app (if you trust it)... on a separate HSM device so the keys are not surreptitiously purloined or seized... yeah, key exchange is a batch, but better than bubba the bunkie.

FBI boss: We went to the Moon, so why can't we have crypto backdoors? – and more this week

Speltier

We already can break crypto in commercial use

Just, the 3 letter agencies don't want to admit it.

This constitutes a functional "back door" (with fine print). Virtually every mass produced device has enough implementation bugs to allow anyone in-- a classic example in the extreme is the continuing failure of QKD, works in theory but so far every commercial implementation has breaks (you can't break a true QKD path, although you can brute force comms using a key transmitted by QKD if the key is not equivalent to an OTP with sufficient entropy).

So, Wray dude, build a machine that can break AES256 (and TDES, and...) in real time, preferably hundreds of streams at one time. Oh, surely this is an expensive moon shot so we can certainly do it for the FBI. Wait, you say you also want a CHEAP secure crypto break moon shot, pennies a flight? That dear sir is currently impossible. It is about resources, not ability to implement. Give me a big enough PO, and I'll give you the machine you want (well, not CHEAP).

(fine print) "short" ciphertext messages may not brute force decrypt to plaintext reliably
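The fine print above is the unicity-distance problem: given only a short ciphertext, an exhaustive key search returns several keys that all decrypt to something plausible, and nothing in the ciphertext says which one is right. The following is an added illustration, not code from the original post or from any real break. It uses a deliberately trivial cipher (every byte XORed with one secret byte) so that the entire key space can be searched; the effect shown depends on ciphertext length, not key size, and the plausibility test, the key 0x37 and the sample messages are all constructed for the example.

```python
"""Brute force on a short ciphertext: why it may not decrypt reliably.

Added illustration, not from the original post.  The cipher is a toy (single
byte XOR) so that all 256 keys can be tried; the point is how many keys
survive a plausibility test as the ciphertext gets longer.
"""

# Attacker's plausibility model for the plaintext: lowercase letters and spaces.
PLAUSIBLE = {0x20} | set(range(ord("a"), ord("z") + 1))


def xor_cipher(data: bytes, key: int) -> bytes:
    """Toy cipher: XOR every byte with the same single-byte key (self-inverse)."""
    return bytes(b ^ key for b in data)


def brute_force(ciphertext: bytes) -> dict:
    """Try every key; return {key: candidate plaintext} for each key whose output
    passes the plausibility test.  Without more ciphertext or more knowledge of
    the plaintext the attacker cannot tell these candidates apart."""
    candidates = {}
    for key in range(256):
        guess = xor_cipher(ciphertext, key)
        if all(b in PLAUSIBLE for b in guess):
            candidates[key] = guess
    return candidates


def candidate_count(plaintext: bytes, key: int) -> int:
    """How many keys survive the search when this plaintext is sent under this key."""
    return len(brute_force(xor_cipher(plaintext, key)))


if __name__ == "__main__":
    key = 0x37  # constructed secret; any value behaves the same way
    for pt in (b"a", b"attack", b"attack at dawn"):
        found = brute_force(xor_cipher(pt, key))
        print(f"{pt!r}: {len(found)} plausible keys, true key among them: {key in found}")
```

For the one-byte message every key that yields a letter or a space survives (27 of them), for "attack" a dozen or so still do, and only once the message is long enough to pin down every byte does the search collapse to the single true key. A stronger plausibility model (a dictionary, known headers) shortens the distance, which is exactly the "with sufficient entropy" caveat in the QKD remark above: an OTP-equivalent key of full entropy never reaches it.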

IBM Watson dishes out 'dodgy cancer advice', Google Translate isn't better than humans yet, and other AI tidbits

Speltier

Watson...

Quite valid, you are only as good as your data. Perhaps a nice data set can be obtained from post-Brexit UK where GDPR and HIPAA don't exist-- of course, after Watson-learning-scraping, if you aren't a Brit the recommendations may well kill you precipitating another round of murderous Watson stories.

Which brings up-- how badly some oncologists perform, except that they bury their mistakes and certainly don't go air out their dead body pile in public. Is Watson better than these death dealers?

Plus, it is well known that American docs are extremely resistant to taking any advice from anyone, the most recent evidence being that a large percentage of maternity wards refuse to follow the most simple and obvious guidelines (on high blood pressure and maternal blood loss ("my eyeball is calibrated good enough thank you")), resulting in America having deplorable levels of maternal morbidity compared to any other first world country. So the Jupiter docs whine about Watson, but how much is real and how much is "I and my swelled head would do it differently"?

Personally, Watson doesn't seem well suited to oncology advice as presently implemented. If enough resource was invested, Watson could become quite respectable. It isn't obvious that the resource will be invested, between slow revenue gains and vested interest attacks Watson oncology may suffer a fatal monetary infarction.

Overall, we are currently in an AI hype cycle and AI still does not appear ready for prime time. Anyone who has been around for enough years has seen these cycles before. The cycles happen about every 15-20 years as a new generation thinks they discovered AI. One could hope this time is different, but the evidence is underwhelming so far.

Creep travels half the world to harass online teen gamer… and gets shot by her mom – cops

Speltier

Just Wait till NZ gets the bill

Free health care in NZ! The guy is covered! Yay! Medivac choppers run 50K+ (pure unalloyed greed, but that is another story) plus hospital at the walk-in uninsured rates (unless NZ has a contract with the hospital, seems unlikely). Going to be a truly huge bill, this is after all America, land of astronomical medical prices for mediocre care. The lawyers are already salivating since obviously NZ will try not to pay up; New Zealanders are going to wish mom had popped the miscreant and saved a lot of NZ cash.

Indeed, once the gravy train is recognized the guy will get all sorts of unexpected medical care ranging from proctological examinations, to mastectomies, just to bill at the full master list rates. Might end up better off if a lobotomy is thrown in after the chemo (using brand drugs, not generics); need the chemo after 72 cat scans in a row.

European Space Agency wants in on quantum comms satellites

Speltier

Notorious

QKD systems have been shown to be notoriously subject to subtle attack. They are theoretically secure, but when implemented in reality all sorts of attack vectors appear. Needless to say, one presumes that the keys are also enciphered using conventional means (i.e., superenciphered over QKD).

And for the last ditch perfect encipherment, keep that TB of OTP handy. Arguably, one could just use OTP superencipherment with QKD and befuddle NSA/FSB/BND/DGSE/MSS/... QKD bandwidth is so low that it would take quite a wile (indeed!) before anyone was the wiser.

Is your gadget using secondhand memory? Predictable senility allows boffins to spot recycled NAND chips

Speltier

5000?

Oh for the days of SLC 100K PE cycles. 5K cheesy consumer MLC... not so attractive.

DIY device tinkerer iFixit weighs in on 15-month jail term for PC recycler

Speltier

Re: Prison is too harsh but...

Yes, follow the money. While MS did not bring the suit, the valuation seems based on the revenue from the official MS refurbisher program. MS even provides special COA tags for authorized refurbisher PCs (I have one).

You can resurrect old machines if you have an original COA (indeed, if the mobo fries out and is replaced you will need to resurrect the license even if the installation otherwise works fine). I suspect major processors of old PCs simply don't want to deal with peeling off COA stickers and keeping track of them as they fling parts around to make one running machine from 2 or 3 carcasses; it is cheaper to fork over 20-40 bucks/machine and avoid any issues. MS likes this revenue stream, because essentially they have already sold a license for a machine, now they squeeze more revenue from that old machine. Wow, have to love it.

MS croc tears for that guy getting chewed up by the gears of corporate profit, but branding the disks with unauthorized logos was a major error. The 700K value was probably less than what his lawyers said it would cost to fight on to cut the inflated value down, so he capitulated.

Power spike leads Chinese police to 600-machine mining rig

Speltier

Bad Location or Failed Business Plan

The *coin miners that get away are either located near massive declining aluminum, cement, and steel fabrication facilities where the power losses are not noticeable, or properly reimburse local officials to appreciate the wealth creation of *coin mining. The latter is just a cost of doing business just like other valuable activities like selling designer drugs to the OECD countries.

If you guessed China’s heavy lifter failed due to a liquid hydrogen turbo engine fault, well done!

Speltier

Need Better Simulation

I'd suggest using the Kerbal Space Program.

An easy-breezy attitude to sharing personal data is the only thing keeping the app economy alive

Speltier

You Can Run but You Can't Hide

Your Facebook friends will (attempt to) friend you, and then it is game over.

Chances are you like things similar to your friends (research says so!), etc., so now you are profiled and targeted for any kind of ads political and otherwise. Once a critical mass of humans is on the platform, there is precious little place to hide short of becoming a Tomten hermit.

(and for security reasons you need at least a nominal presence on Facebook, otherwise someone else can impersonate you. You know, spewing terrorist claptrap, pimping for despots, advocating eugenics... so the plods will keep a steely eye out, next plane trip it's into the other room for a cavity search...)

Apple, if you want to win in education, look at what sucks about iPads

Speltier

Valid Points

The teacher is supposed to teach the subject, not teach how to operate the machines so that the subject can be taught. Pretty much anyone reading this can feel the effect when the tool chain is changed, and productivity hits a speed bump until the new tool chain of the (day/week/month/year...) is learned. Now reverse the idea, the tool chain is unreliable but unchanging, but the users are constantly being replaced with new naive users, replicating the same learning mistakes.

The education application tools need to be consistent, reliable, and converge on correct operation (lack of convergence for applications where I work leads to -2).

Apple/Google ought to create their educational device to have locked settings that are grade specific (don't expect 1st grade to change settings; 12th grade is expected to recover from self induced stupidity so they can have more room to roam and risk falling into the La Brea tarpits of software despair), with student specific modified settings/work saved to cloud, and the machines restored to default after every class (or day, as appropriate). The OS needs the second mode, education, to control settings, and this costs manufacturer resources. Plus, let's face it, as engineers and programmers we want to festoon the product with all sorts of gee whiz baubles, mostly of no use to education... students will push the buttons, and millions of students pushing buttons will expose every bug you never thought of.

Cops jam a warrant into Apple to make it cough up Texas mass killer's iPhone, iCloud files

Speltier

Possession is 99% of Breaking

If they physically possess the iPhone, they can obtain whatever information is inside. They don't have the expertise, and apparently don't feel like hiring anyone that does have the expertise (or, they feel like back door insertion is a good idea... again.).

Dog must love stupid people, because he made so many of them.

US mulls drafting gray-haired hackers during times of crisis

Speltier

Where do I Sign Up?

Preferably Navy. Crypto (no, not "cryptocurrency"!), security, quantum... no drugs, but grey hair. 1H.

Microsoft ports its Quantum Development Kit to Linux and macOS

Speltier

Re: Great but

There are a couple of back to back PQC conferences in Fort Lauderdale FL in April 2018. Enjoy dawn to dusk dense mathematical presentations on Post Quantum Cryptography. Stop worrying about "here we go again" reactions to Spectre and SgxPectre and all that light weight management drivel, and explode your fuzzy head with wondrous new algorithmic insights.

Some of us are working in the engine rooms of the CyberDyne Legions to prepare the infrastructure to resist the coming quantum cryptographic apocalypse. It's noisy in here, but someone has to do it.

Plunk: SK Hynix drops 72-layer 3D NAND on enterprise SSD market

Speltier

Wear Out

How long before those SSDs wear out? Oh, right, a "long time" if one is only reading.

Stop us if you've heard this one before: Tokyo crypto-cash exchange 'hacked' for half a billion bucks

Speltier

Re: HSM, anyone?

Somewhat more sophistication would be needed. The perps would simply access the HSM to make the transfer. They don't really need the private keys directly, just access to the private keys to authorize a transfer.

Another step is needed-- something like a smartcard (or cards) to access the HSM which is used to encrypt the elements of the key store containing the private keys. And that is only effective if the smartcard isn't left enabling the HSM for transactions.... and while one is at it, also compartmentalize the cash so that separate private keys are needed for Piles-O-Cash(r), using different smart cards.

The problem they probably had, and the reason for the 0130AM local attack, is that the wallet private key needs to be accessible for transactions by late night Dark Web transactions, speculation, or even the purchase of a Coke(r). So, maybe you need an operator with an hourly smart card, watching transactions, with a ceiling transaction value before the boss is called in (at 0130) to authorize a Really Big Transaction (or a million little ones). At least then, there is a human in the loop to keep 500 big from being snatched. But wait, when you start small you can't afford an operator dozing all night long, so you just let the system run unattended and pray MtGox was an anomaly.

Of course, the failure could be much simpler. Some dim bulb left the connection open to the vault wallet which should only be accessible during shifts when transactions are being watched. Or the only protection is a passphrase. Or any of a million other failings.

There is a reason that banks make non-repudiation difficult... and most transactions can be reversed for at least a few days.
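The controls sketched in the post (separate compartments with their own keys, an operator session that lapses like an hourly smart card, a per-transaction ceiling that summons a second person, and an aggregate ceiling so a million little transactions trip the same check) fit together as a policy gate in front of the HSM. The block below is an added example, not the exchange's code and not part of the original post. The class names, the "hot" and "vault" compartments, the limits and the request sequence are all assumptions made up for the example; the HSM itself is out of scope, the gate only decides whether a request may be sent to it for signing.

```python
"""Policy gate in front of an HSM-held wallet key (added example, constructed).

Encodes: per-compartment limits, an expiring operator session, a single-release
ceiling needing a second approver, and a rolling aggregate ceiling.
"""
from dataclasses import dataclass, field

SATOSHI = 100_000_000  # integer amounts; no float rounding in money logic


@dataclass(frozen=True)
class Limits:
    single: int          # largest amount one operator may release alone
    window_total: int    # largest aggregate released within window_seconds alone
    window_seconds: int
    session_seconds: int  # how long an unlock (smart card presentation) lasts


@dataclass
class SigningGate:
    limits: dict                                   # compartment -> Limits
    sessions: dict = field(default_factory=dict)   # compartment -> (operator, expiry)
    released: list = field(default_factory=list)   # (time, compartment, amount)

    def unlock(self, compartment: str, operator: str, now: int) -> None:
        """Operator presents a credential; the compartment opens for a bounded time."""
        self.sessions[compartment] = (operator, now + self.limits[compartment].session_seconds)

    def authorize(self, compartment, amount, now, approvals=()):
        """Return (allowed, reason).  Only an allowed request ever reaches the HSM."""
        lim = self.limits[compartment]
        session = self.sessions.get(compartment)
        if session is None:
            return False, "compartment locked: no operator session"
        operator, expiry = session
        if now >= expiry:
            del self.sessions[compartment]          # stale card: lock again
            return False, "operator session expired"
        # A second approval only counts if it comes from somebody other than the operator.
        second = any(a != operator for a in approvals)
        if amount > lim.single and not second:
            return False, "above single-release ceiling: second approver required"
        recent = sum(a for t, c, a in self.released
                     if c == compartment and now - t < lim.window_seconds)
        if recent + amount > lim.window_total and not second:
            return False, "rolling window ceiling reached: second approver required"
        self.released.append((now, compartment, amount))
        return True, "ok"


def run_scenario():
    """Constructed request sequence; returns the allow/deny decision for each."""
    gate = SigningGate({
        "hot":   Limits(single=1 * SATOSHI, window_total=5 * SATOSHI,
                        window_seconds=3600, session_seconds=3600),
        "vault": Limits(single=0, window_total=0,          # vault: never alone
                        window_seconds=86400, session_seconds=600),
    })
    log = [gate.authorize("hot", SATOSHI // 2, now=0)]                  # locked
    gate.unlock("hot", "alice", now=0)
    log.append(gate.authorize("hot", SATOSHI // 2, now=10))             # ok
    log.append(gate.authorize("hot", 2 * SATOSHI, now=20))              # too big alone
    log.append(gate.authorize("hot", 2 * SATOSHI, now=20, approvals=("bob",)))  # ok
    for t in (30, 40, 50):                                              # many small ones
        log.append(gate.authorize("hot", 9 * SATOSHI // 10, now=t))     # third one trips
    log.append(gate.authorize("hot", SATOSHI // 10, now=4000))          # card expired
    gate.unlock("vault", "alice", now=100)
    log.append(gate.authorize("vault", SATOSHI // 10, now=110, approvals=("alice",)))  # self-approval
    log.append(gate.authorize("vault", SATOSHI // 10, now=110, approvals=("bob",)))    # ok
    return [ok for ok, _ in log]


if __name__ == "__main__":
    print(run_scenario())
```

The decisions come out as [False, True, False, True, True, True, False, False, False, True]: the third 0.9 BTC request is refused because the hour's aggregate would pass 5 BTC even though each request is under the single ceiling, and the vault refuses an operator approving their own request. Whatever the real limits are, the useful property is that the gate fails closed: no session, an expired session or a missing second approver all produce a deny, and the key never leaves the HSM either way.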

And we return to Munich's migration back to Windows – it's going to cost what now?! €100m!

Speltier

MS.. LibreOffice

I run both. Office is substantially better. One issue I have is that converting LibreOffice docs to Word tries to send me off into a remote server for conversion, and I can't do that with a confidential document. Cue a flurry of cutting and pasting. (no, Office 360 is not on the table, that is a gaping security hole)

So all new docs are Office, still have old stuff in LibreO from back in the day when corporate idiots thought they would save money by not renewing Office licenses, and a tiny number in (gasp) LaTeX and (double gasp) LWP. Out of curiosity I keep a daily log though in a truly gigantic LibreO now massing several thousand headings and several hundred pages; it has only crashed a couple of times.

Given my druthers, I'd use Dog's language: SGML. None of this newfangled WYSIWYG JIT like text baloney for the slack jawed drooling omega minus masses, give me the hard core hairy chested metal. But the powers that be won't pay the 4 or 5 digit license fee...

NiceHash diced up by hackers, thousands of Bitcoin pilfered

Speltier

Re: Are NiceHash liable for this?

If they had a decent lawyer, the EULA probably says: "you hold us harmless for anything that happens to your btc while the btc is in our care" plus "anything bad happening is your fault, and you will pay our lawyers to defend us against you" (and if this is US, probably an additional arbitration clause saying the arbitration is in Elbonia or East Texas). Of course, all this is said using 80 screens of 8-point lawyerese that almost no one reads, and of those that read the text, practically none of them understand what it says since they are blinded by the glittering btc riches beckoning them.

Speltier

multiple identical wallets

Whichever wallet transfers first and is accepted on the blockchain wins. All other wallets lose. The simplest case is all coins transferred, a bit more complicated for fractional coins but a greedy perp will take it all. There is quite a bit of complexity involved in the special case of a "race condition" to win a transfer on the blockchain since the ledger is distributed (surely you don't believe in timestamps hahaha).

A smart perp will take just a little bit and hope no one notices... no one notices... no one notices... after all anyone ignorant enough to keep the whole stash in one place probably doesn't have decent audit controls (and even so may not notice yet another person embezzling a tad off the top). The risk is that some other perp will clean out the wallet, the owner will then start wailing and improve security (or go bust, same result in this case) which won't help the smart perp's monthly payment for the London flat.

This hospital drug pump can be hacked over a network – and the US FDA is freaking out

Speltier

Connectivity

Another reason for connectivity is to signal failures: blockage, flow below normal, cath fell out, watchdog (somewhat presumes device is designed more or less fail safe (uh...) calling home periodically),...

One has to wonder what rock the software developers were under when they created this null security device. Prior to the 90's ignorance was bliss outside computer orgs, but after the 90's there is no excuse.

Night before Xmas and all through American Airlines, not a pilot was flying, thanks to this bug

Speltier

1.5

So... the pilots that asked for vacation and then reversed course get 1.5 time, while those that didn't get just time? I can see a bit of grumbling there.

Container ship loading plans are 'easily hackable'

Speltier

Blockchain

There. The problem is fixed.

Parity calamity! Wallet code bug destroys $280m in Ethereum

Speltier

Re: A tragedy? @ Messrs Spartacus & Tick

Deflation is bad, but so is inflation. There is no inherent reason that 0% is problematic in the economic sense (one can argue that predictable deflation or inflation is equally non-problematic, except for the transient time when debt is mangled by people gambling on the future and not getting it right. Oh, and waiting to replace the car because tomorrow's deflated car will be cheaper is bogus, since eventually one has to replace the jalopy regardless of the future lower cost. In the limit, you die and your heirs and assigns buy the cheaper car).

The thing not mentioned by central bankers is that a low predictable inflation permits all sorts of de facto things, like deflating the wages of workers in an industry that is on the way out, and making the GDP look rosy through fictitious growth. Businesses love low inflation because they can raise prices by more than inflation and can blame "inflation" for the rise, and show real growth in their profits. They can keep workers happy by giving out raises, more for meritorious workers and less for others and the lessors seem to rarely realize the subtle shafting. The list goes on. What I don't like is that central bankers issue mumbo jumbo about the glories of low inflation when it is all a card game-- they should just admit the arbitrariness and move on.

What is generally damaging is rapid change in any direction. If the bond is for 20 years at a fixed interest rate, you sure hope that the inflation rate is stable over that time (or at least that you can call the bond if you are on the short end!). You hope that deflation doesn't set in because the idiot lawyers did not account for less than 0% inflation in a variable rate bond contract.

Deflation can be handled by giving out negative pay raises... but one still has to handle idiocy like pensions that never go down (again, because of idiots writing the rules) and a host of other side effects such as hoarding of specie. The problem isn't deflation but the inability of our growth centric system to handle anything but numbers going ever upwards.

There's a battle on over two US spying laws: One allows snooping on citizens – one bans it

Speltier

Echelon

Just have your neighbors in the 5 eyes spy for you-- and reciprocate.

Toshiba: The memory saga is nearly behind us! Apple: Not so fast

Speltier

Bain Capital

Another issue is that you always have to check your jewels before getting into bed with an equity company. Their sole reason for existence is to line their own pockets-- sure you might get 30% of the fab output: where 50% of the fab workers were laid off and the remainder replaced with imported labor, and equipment maintenance (never mind upgrades) requires a CEO's signature and the CEO is paid based on gross profit this quarter. Bain will get their money + world + dog profit and leave the financially exsanguinated husk to the suckers, er, partners.

Have MAC, will hack: iThings have trivial-to-exploit Wi-Fi bug

Speltier

Re: iPhone 5

At the moment iOS 11.0.1 is available for iPhone 5. iPhone 4 is out of luck, hanging in at iOS9 (but think of how much money was saved by not upgrading since 2010!).

Good thing Androids are cheap, the only software upgrade path for most is via buying a new phone.
