Domain: hermann-uwe.de
Stories and comments across the archive that link to hermann-uwe.de.
Comments · 12
-
Re:Live by the sword, die by the sword.
Firewire also allows direct memory access I believe. Yes USB has security flaws, but that is a bug no a design flaw, of allowing DMA access.
-
Re:NXP is a huge secure element provider.
I didn't see any of that in the Wired story. It essentially stated: "plug it in, it infects your PC, Antivirus software is useless, and future USB devices plugged into your system can be infected". When Bruce wrote about it along with quite a few others, the evidence seems to point to a rather bad security flaw.
Well, as USB itself does not provide DMA (again, this is requested and handled at the driver level), a USB device can do absolutely nothing until the system recognizes it and starts talking to it (e.g. via a driver). You clearly didn't follow what you've read, or you'd understand that the nature of this vulnerability is that many devices don't have firmware programming disabled and can be reprogrammed to behave as other devices (in fact, you do seem to understand this, as you said "The problem lies in that USB trusts the device to be what it says it is, even if that is more than one thing", which is correct; it's equally correct that a USB device can be more than one thing, e.g. an audio device and a video device, so that's not a flaw, the flaw is in the devices being reprogrammable in the first place). Which, of course, means the devices have to be identified by the system and a driver has to exist for whatever they identify as.
Further proof that it is a device issue here, and evidence that USB devices must be "accepted" by the host before they can to anything at all, here. Not that this should be necessary, given a basic understanding of what you're talking about and a bit of logic.
Meanwhile, devices utilizing any of the DMA-enabled buses*[1] can just power up and happily start reading and writing your RAM, with the system being unable to stop them. If a cheap Firewire device was shipped with its firmware still writable, well, just imagine the possibilities. In fact, it's been done and the sky hasn't fallen yet, so I think we're okay.The short answer to this one is I only usually have 1 set of devices that are relatively permanent for those other buses. It's not a thumbdrive that gets passed around.
That's you; Firewire is still fairly widely used in media production, and the devices using it include cameras, control boards, and DAT decks, which do get passed around. And without USB, where do you think you'd plug that thumb drive?
Drop 2 sets of file transfers through the disks on that one hub, and see what happens.
Okay, so you're doing two copy operations and are surprised when seek times slow them by more than 50%? You don't copy files on spinning disks much, do you? I do it all the time, albeit with SSDs, and have not once seen the slowdown you are talking about, so either you're full of shit, your equipment is full of shit, or you don't really know where the slowdown is coming from, but none of that is the fault of USB.
I have about 10 disks hooked up and was copying files between 3 sets (3 full speed copy operations, including 2 SSDs) with each disk capable of +100MB/s on large file sequential read/write speeds.
Which is it, 10 or 2? One, two, or three transfers? All this goalpost moging makes me think you're just full of shit.
You state that your drives can handle 100MB/s; USB3 is 5gbps (that's 640MBps), while SATA is 1.5, 3., or 6gbps (187.5, 375, or 750MB/s) depending on whether you've got SATA I, II, or III ports. On a high-end mobo like you claim to own, it's probably SATA-III, so 6gbps. That includes a fair bit of overhead, so the best you can e -
Re:Wow, Slashdotters have gotten stupid
Sure, it means you really could get rid of all the other ports completely and use a breakout cable if necessary (only in the interim as other types of ports might just go away), making devices much smaller and simpler.
Perhaps, if you like the idea of having 8 different boxes on your desk and a rats nest of cables. Does that sound smaller and simpler?
All a geek should need to know is "externalize PCIe".
Exactly, there's nothing new to be excited about here. It's just the same old shit on an external port.
All the speed of an internal bus (and more) without having to physically put the card into the machine, and even being able to do it at a distance.
Which would make physical security of your system somewhat more difficult to ensure. Server cages are going to need a finer mesh to ensure that no one can stick a cable into a machine they don't own.
But apparently it's bad to have newer, better things, when we could just stick with the older, crappier. Right?
I like better, but newer doesn't necessarily mean better. The higher speed of Thunderbolt is nice, but it comes with too many drawbacks. I'll be disabling Thunderbolt on my devices just like I disable Firewire today.
-
Re:Uh oh
It's nice of you to give them the benefit of the doubt despite the fact that the Firewire DMA exploits work fine in OS X. At least up to (including) 10.5, maybe they fixed it in 10.6 or 10.7.
-
Nano's Crypto Smokes
It's interesting they didn't run any real crypto tests that actually, you know, *used* the Nano properly. The Nano comes with the Padlock engine built in, for hardware crypto. With Padlock-aware software running crypto, the Nano "spanks" Core 2 Quads with lots of welly and gives even Intel's i7 a run for its money.
-
Firewire
Cold boot attacks on laptops are interesting and all, but me, I'd just use the firewire port
It is applicable on a smaller number of laptops, but you also have write access and the machine continues running (less suspicious). Somewhere (perhaps in my link, can't remember) I saw a nifty python script that patches winlogon to allow unlock by entering an incorrect password. If you're an exceptionally slick bastard, you might squeeze a keylogger/downloader/etc into some dark corner of RAM and hijack some unlucky thread. On Windows machines, who knows, maybe we'll see a convenient hardware dongle to assrape the DRM path while it's looking the other way...
Don't even have to move the laptop somewhere secluded to rip it apart. Just plug in your 'music player.'
-
Re:Java never really mattered, Taco? Ouch
We all know that Perl is far superior from Java (or at least they guys who use it think so
;)
Programming Languages Hierarchy
J/K -
Re:Public Performance...
Or pick an artist who uses a better license. Jonathan Coulton is my favorite example, he releases his songs under the 'creative commons' license ("Podsafe Christmas Song" is a good example). http://www.hermann-uwe.de/blog/10-100-creative-commons-christmas-songs has a list of more.
-
Re:How can you defeat the dreaded BSOD?
If this really is combat, how can the Blue Screen of Death be defeated?
You flip its power switch for massive damage!
What has Linux got that's anywhere near as dangerous? :-)
Uhm, Richard Stallman singing? -
Re:AJAX is a silly acronym
See this diagram, and in particular the arrow from "people who refuse to use the word AJAX to "AJAX programmers"
-
Re:Because it's a pain on LinuxSeems a lot easier on Debian: http://www.hermann-uwe.de/blog/towards-a-moderate
l y-paranoid-debian-laptop-setup--part-1-base-system - Insert the installer CD and boot in expert-mode (don't hit ENTER when you boot, but rather type "expert").
- Partitioning:
- Select manual partitioning. Remove all partitions (if any). Create a 100 MB
/boot (ext3) as primary partition, and make the rest of the hard drive one huge partition which has "Use as:" set to "physical volume for encryption". - The standard options for cipher, key size, IV mode etc. should be fine (AES, 256 bit, CBC-ESSIV-SHA256, dm-crypt).
- After the erasing is done (this is important!), use the whole encrypted space as "physical volume for LVM". Then select "Configure the Logical Volume Manager". Create one big volume group and a bunch of logical volumes for the various partitions we'll use (lv-root, lv-usr, lv-var, lv-tmp, lv-swap, lv-home).
- It is extremely important that your swap space is encrypted (in this case it is, as all partitions except for
/boot reside on a dm-crypt device)! Never set up unencrypted swap!
- Select manual partitioning. Remove all partitions (if any). Create a 100 MB
- Insert the installer CD and boot in expert-mode (don't hit ENTER when you boot, but rather type "expert").
-
My GPL'ed samples...
Hi, I put a few samples I have created a few years ago on my homepage, maybe you can use some of them... All of them are GPL'ed of course... Uwe.