lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 29 Mar 2012 17:57:56 +0900 (JST)
From: 夜神 岩男 <supergiantpotato@...oo.co.jp>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: PcwRunAs Password Obfuscation Design Flaw

--- On Thu, 2012/3/29, Christian Sciberras <uuf6429@...il.com> wrote:

> 
> So, it seems it dawned on everyone that current computer models are fundamentally flawed.
> The "protection" we're trying to add is, at this point, one huge hack attempt to get things right.
> Do I have a specific solution? No. But I do think rethinking the wheel might be worthwhile.
> This would include forgetting POSIX for a minute and think what could be improved without relying on religious zeal.
> Yes, I know it's hard, but it's for the betterment of humanity! I hope...

There are other architectures that provide very different situations, some of them significantly more secure than the shared data/instruction memory concept in widespread use today. But they aren't cheap.

cheap + secure = really hard

Well, perhaps provably impossible at some level which is what you're getting at, I think.

People favor cheap over secure. They prefer what they think they know to what they know they don't. They prefer breathtakingly mediocre to boringly deep tech.

This is manifest in the current market and I don't think it'll change any time soon. To the bulk of paying customers computers are still full of magic and dragons, and probably always will be. To stakeholders big enough to actually shape markets the interest is in selling what people can understand, not in actually advancing technology -- because this sort of advanced technology does not sell well. 

Consider that the bulk of the IT market is still focused on literally licensing arrangements of bit-spaces that the users already own and calling it a product -- and to convince users that they are "getting something" we have to go as far as actually putting arrangements on media in physical boxes on real store shelves with pricetags and things. This is ridiculous if you consider it for a moment, but the average customer just can't wrap their head around what information is in the first place, and they require this mnemonic crutch of a marketplace to understand how to give money to us developers and why they should do that.

Motorola, IBM, and a slew of companies now totally out of business discovered the truth about trying to sell the public high tech instead of cheap tech, and the related necessity of the marketplace farce above though repeated (usually disastrous) experience. In short, it is difficult to generate market buzz around a product that nobody understands, and architecture is definitely one of those things.

Now if you can dream up a use case which itself embodies the "next killer app" and which actually requires an architecture of strict data/instruction/signal and memory/register/bus segregation, and this killer architecture for this killer must-have app isn't actually a mainframe, and you can generate sales to a general enough segment of the global public that education systems, social dialogue and the DIY hardware and book markets begin to focus on your new[1] idea, then you might have a shot at changing the status quo. This is all assuming you can amass sales large enough to effect a seriously beneficial economy of production scale to cut the price of these hardware architectures down at least a thousand times compared to what they cost today (doable, but only if the market cooperated, hence the whole thing hinging on necessity and buzz).

Them's the breaks, my friend. Unfortunately it is going to be some time before a radical paradigm shift demands a change as significant as a real re-working of the hardware architecture. Even a departure from just x86 is hard enough to follow through on, despite vastly superior alternatives because nobody wants to change that bad.

The next chance for something that really will be useful that will really require a reworking of architecture is probably whenever quantum computing becomes a public thing -- but there is a whole world of crazy that goes along with that, because its sort of like nuclear weaponry, in that everyone wants to have and use it but not let anyone else.

Anyway, don't stress over it. The market is screwed up and its going to remain so for some time yet, fretting about it won't help.

-IY

[1. Not in fact new, of course, but rather a rehash of existing architecture ideas not well known outside of high-performance and experimental computing. But this will be new to the public and even the vast majority of IT professionals, and therefore magic that is new enough to be marketably mysterious.]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ