Slashdot Mirror

An anonymous reader quotes BleepingComputer: A new variation of the Spectre attack has been revealed this week by six scientists from the Ohio State University. Named SgxSpectre, researchers say this attack can extract information from Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a feature of modern Intel processors that allow an application to create so-called enclaves. This enclave is a hardware-isolated section of the CPU's processing memory where applications can run operations that deal with extremely sensitive details, such as encryption keys, passwords, user data, and more... Neither Meltdown and Spectre were able to extract data from SGX enclaves. This is where SgxSpectre comes in.

According to researchers, SgxSpectre works because of specific code patterns in software libraries that allow developers to implement SGX support into their apps. Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX. Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size. This allows for side-channel attacks that allow a threat actor to infer and slowly recover data from secure enclaves.

Intel's recent Spectre patches don't necessarily help, as an attacker can work around these fixes. Intel says an update for the Intel SGX SDK that adds SgxSpectre mitigations will be released on March 16. Apps that implement Google's Retpoline anti-Spectre coding techniques are safe, researchers say.

derGoldstein writes "Discovery posted an interesting story of how X-rays that are used by astronomers for determining the various chemical abundances inside stars could also potentially be used for more effective radiation therapy: 'Radiation treatment is a coarse instrument at best, since it destroys surrounding healthy cells as well as cancerous tumors. Much research is underway for targeted methods to reduce the collateral damage and attack just the cancer cells, including embedding nanoparticles inside tumors ... Nahar and Pradham envision a prototype device capable of generating x-rays (gzipped PDF) at the key frequencies to trigger a flood of low-energy electrons in platinum and gold, based on their computer simulations. Gold or platinum nanoparticles would amass naturally in cancerous tumors in the body, and could then be zapped with the focused x-ray beam.'"

wikinerd writes "Wikipedia is under criticism by its co-founder Larry Sanger who has left the project. He warns of a possible future fork due to Wikipedia's Anti-Elitism and he presents his view on Wikipedia's (lack of) reliability. New wikis on various subjects have already emerged, with some of them being complete forks of Wikipedia. Critical articles on Wikipedia are also being published by other sources."

wikinerd writes "Wikipedia is under criticism by its co-founder Larry Sanger who has left the project. He warns of a possible future fork due to Wikipedia's Anti-Elitism and he presents his view on Wikipedia's (lack of) reliability. New wikis on various subjects have already emerged, with some of them being complete forks of Wikipedia. Critical articles on Wikipedia are also being published by other sources."

museumpeace writes "Stuck for ideas about cheapest/fastest/most realistic rendering technology for that new video game you want to develop? Here is a great list of links and resources. The very latest is a tool mentioned on Technology Review which, if you feed it just a few dozen frames of a video of , for instance, Kurt Shilling pitching, can extrapolate a library of animated gestures or actions from just that sample. This new technique is already licensed to Electronic Arts. It was developed by Aaron Hertzman and Zoran Popovic and grew out of earlier work by Hertzman at NYU and a busy curriculum of computer graphics accomplishments by Popovic."

base_chakra writes "Two years since its initial release, the MusicXML music notation document type has finally reached v1.0. MusicXML is an (you guessed it) XML-based musical score format developed by Recordare LLC, and derived from the MuseData and Humdrum projects. Although MusicXML was quickly adopted by virtually every major music notation software products available, a standard non-binary format for rendering music notation on the web is something that's still sorely needed. Despite its unfortunate limitations, will MusicXML eventually become the de facto means of rendering music notation online, or will it fall into obscurity like so many document types?"

EngrBohn writes "NASA has named the Mars Spirit landing site the 'Columbia Memorial Station'. They've obviously been planning this, as there's even a plaque at the CMS."

penciling_in writes "John Patrick, former vice president of Internet technology at IBM, says 'ENUM is a really big deal'. Here is what he has to say on CircleID about this: 'Basically, ENUM is a protocol that will make it possible to converge the Public Switched Telephone Network (PSTN) and the Internet. In other words, a telephone number can get you to a Web service -- telephone number in, URL out. The idea can be extremely useful when you consider that most telephones are limited to twelve keys on a keypad. Every try to enter your alphanumeric login ID and password to a web site on a cell phone or Personal Digital Assistant? It is next to impossible! The biggest impact of ENUM will probably be for Voice Over IP (VoIP). In fact, it could be the tipping point.'"

srstoneb writes "Earlier this week the Disney dub of Miyazaki's "Porco Rosso" premiered at the Austin Film Festival. It will probably be the only theatrical showing of "Porco", sadly, but reviews of the dub have been quite favorable. Even more exciting, as reported at Nausicaa.net and elsewhere, is that the Hewitts -- who did the English scripts for "Spirited Away" and "Porco" -- said they're currently working on "Nausicaa"! The cast includes Patrick Stewart, as well as Uma Thurman and, tentatively, Natalie Portman. A post to the Nausicaa.net mailing list by fan Dan Vogler further states that Stewart's role is Lord Yupa. (Somebody already made the inevitable joke about Picard being stabbed by a Nausicaan, so don't bother.) Both movies are tentatively intended for DVD release in spring 2004." Porco Rosso is a great flick, check it out if you aren't to dead inside to enjoy a kids flick. Greatly looking forward to both DVDs.

bedessen writes "An article at NewsFactor summarizes the developments in new plastics that exhibit magnetic fields of fractal dimensions. Whereas a simple bar magnet produces magnetic fields that go from the north pole to the south pole, the fields of the new hybrid plastic sprout like branches of a cactus lined with secondary fields that resemble needles. As these fields become increasingly interlocked, they exhibit a unique kind of order. This intensely ordered structure might one day be key to storing information with a very high density. The researchers behind this are Arthur Epstein, director of the Center for Materials Research at Ohio State University, and Joel Miller, a professor of chemistry at the University of Utah. There's also this PDF overview of the subject, which is quite technical but still readable."

bedessen writes "An article at NewsFactor summarizes the developments in new plastics that exhibit magnetic fields of fractal dimensions. Whereas a simple bar magnet produces magnetic fields that go from the north pole to the south pole, the fields of the new hybrid plastic sprout like branches of a cactus lined with secondary fields that resemble needles. As these fields become increasingly interlocked, they exhibit a unique kind of order. This intensely ordered structure might one day be key to storing information with a very high density. The researchers behind this are Arthur Epstein, director of the Center for Materials Research at Ohio State University, and Joel Miller, a professor of chemistry at the University of Utah. There's also this PDF overview of the subject, which is quite technical but still readable."

David Gerard writes "As seen on Yale LawMeme: Microsoft is requiring colleges wanting cheap licenses to keep their license terms secret (e.g. Ohio State, University of Michigan) ... in direct contravention of state public records and Freedom of Information laws." Many FOI laws have loopholes permitting state agencies not to disclose information when it would harm business interests, so what the colleges and Microsoft are doing may not actually be illegal (or could be argued not to be, anyway), but it certainly is shady.

Landaras asks: "After spending two years at Ohio State studying Management Information Systems, I've decided to take a year off from school. However, after hearing about the University of Phoenix's online Bachelor's program, I thought I would consider completing my four-year Informations Systems undergraduate away from the 'brick and mortar' setting. Does anyone have any experience with completely on-line degree programs, and what are your thoughts of them?"

Jón Ragnarsson asks: "I'm loosing my mind over my bookmarks. I use 3 computers on a daily basis, and not even one of them is mobile. I have about 10 instances of browsers on them, each and every one with it's own bookmark system. I have countless times cursed when I'm at home but need some obscure bookmark on my computer at work, and just can't remember the url or phrases to find it in Google. So last night I went on a mission: I decided to think up a standard to store and retreive bookmarks. But first I deceided to search the Net just in case if somebody else had done the same thing. I typed 'bookmark protocol' in Google and behold, the fourth link mentioned the ACAP - Application Configuration Access Protocol, defined in rfc2244. So, why isn't it used?"

"It's much more than a simple bookmark storage, the RFC remarks:

The Application Configuration Access Protocol (ACAP) is designed to support remote storage and access of program option, configuration and preference information.

Probably the main reason this isn't being used is because you can't rely on every user having access to an ACAP server. Well, why not have both? Your browser could implement a mini-server until you find one that you can use. So should I suggest this to Mozilla/Microsoft/Opera? Or is there a simpler way. When Netscape was the king, I simply uploaded the bookmark file to my homepage area, it worked (more or less). And since I use browser 90% for content not on my computer I'm very likely to have net access when I'm using my browser. So could this be feasable, or am I daydreaming again?"

FarHat wrote to us about an article currently running on CNN regarding the long-term prospects of Microsoft and Linux. One of the launch points is the persistent rumors of Microsoft porting Office to Linux, as well as Neal Stephenson's In the Beginning was the Command Line. Fun read, overall.

Saber Taylor writes "Loki President, Scott Draeker, issued a statement saying that e-mail floods to game companies asking for Linux ports may be counterproductive. Reasonable, although I think it's worthwhile to let vendors know I bought their product because they support Linux."

Matthew Priestley has taken a break from slaving for the man to write us a piece where he takes on the convential wisdom that Security through Obscurity isn't secure at all, and tries to argue that sometimes it is. Click the link below to read it. Lots of interesting stuff and some good examples. Its worth a read. The following was written by Slashdot Reader Matthew Priestley Obscurity as Security Disclaimer: The author of this paper works for Microsoft, but his opinions may not be those of Microsoft. In fact, they aren't. The author hereby declares that nobody important is even aware of his existence and that the closest he has ever come to plotting with Bill Gates on the Master Plan was when they used adjacent urinals this one time. The author did not peek.

0 Introduction With the popularity of the open-source mindset, a general contempt has drizzled upon all forms of obscurity. The concept of security through obscurity (STO) in particu lar has been decimated. Security through obscurity, which relies on the ignorance of attackers rather than the strength of defenders, is dead in all but practic e. The victory of the opposing full disclosure approach is so complete that proposed ta ctics die at the mere hint they are a form of STO.

This paper suggests security through obscurity can and does work in certain strictly limited ways, and should not be eliminated unthinkingly from the admin's arsenal. It further implies that the boundaries between STO and 'real' security are blurry and deserve evaluation. However, this paper in no way proposes obscurity as a method for keeping secrets in the long term.

1 Full disclosure does not apply to instantiated data Instantiated data - the data used by specific instances of an algorithm - do not fall within the scope of full disclosure. Were this not so, then even the simplest password would violate the ban on security through obscurity. Passwords are secrets known only to their creators, and password entry is commonly obscured, as in the case of the 'shadow' login of UNIX. While the login protocol may be open, passwords themselves are a form of STO, with obscurity localized in the password string.

Instantiated data are exempt from full disclosure because the risk from their failure is limited. When a script cracks a password, the damage done to the secure system extends only as far as that password's scope. The cracker cannot use the compromised string to gain power directly in another system, even if that system runs the same password protocol. Nor can anything be inferred about the value of one password merely from the value of another with equal or lower permissions.

A similar example of instantiated data obscurity is the private key that forms the basis of asymmetric cryptography. So obscure is this information that it is rare for even the owner to be familiar with its precise value. But such obscurity is a necessary element of modern security schemes. Strong security does not eliminate obscurity - rather, it localizes obscurity to instantiated data. The phrase in cryptology, 'carry all security in the key' might be better phrased 'carry all obscurity in the key'.

2 Full disclosure does not apply to time-limited secrets Secrets that expire after a short lifetime can be protected by a wider array of techniques than long-standing secrets. The defense of information that will be irrelevant in a matter of hours or days may not warrant fully peer-reviewed security. Consider the famous Navajo code-talkers of World War II. Among the Americans coordinating the at tack against Japanese-held islands in the Pacific were a number of Navajo Indians, who spoke a slangy version of the complex Navajo tongue. Commands from HQ were issued through these code-talkers, who encrypted and decrypted with an alacrity that belittled the automated methods of the day. This is an excellent example of time-limited security through obscurity. Secret languages are excellent security in the short-term, but however cryptic Navajo may be, it is a code subject to human betrayal. Use of Navajo against the Japanese much beyond the 3-year window of the war would have been unwise. But because the secrets of American strategy in the Pacific were irrelevant after the conclusion of the fighting, the long-term weakness of obscure Navajo as a security measure was unimportant.

3 Obscurity serves as a tripwire Perhaps the classic example of wrongheaded STO is the administrator who modifies his web server to listen on a nonstandard port - thereby confusing attackers, as the theory goes. Considering the degree to which tasks such as port scanning can be automated, the naivete of this defense seems plain. The cracker might be forced to check all 64512 unreserved ports, but eventually the concealed web server will be found. This appears to be a weakness of STO, but if manipulated correctly, it is in fact a great strength. Imagine that our same admin had also invoked a tripwire script and set it to listen on one or more unused ports. When the tripwire is probed with a SYN packet from a cracker trying to locate the web server, instantly the system goes to full alert. The packet is logged and the admin's pager sounds like an alarm.

Such tripwire approaches work because they do not expect obscurity to keep information hidden. Rather, they obscure information as a ploy to force invaders into showing their hand. Because the obscured implementation differs on each system, crackers must resort to guess-check scanning before attacks can commence. But tripwires are deployed throughout the system, anticipating this very move. Running an automated kit suddenly becomes a risky proposition, and even talented crackers must gamble on, for example, whether 'root' is really the name of the primary account or merely a hotline to the authorities.

Lighthearted implementations of this approach are a staple in the popular "Indiana Jones" films. In one scene, Jones is confronted with a hallway of lettered tiles, all seemingly alike. To cross safely he must step only on those tiles with letters corresponding to the secret word 'Jehovah'. The penalty for a misstep is to crash through the floor and plummet into a gaping pit. Attackers not privy to the password would find an exhaustive search less than optimal in this case. When traps are mingled with genuine data, STO can be a powerful disincentive. Such measures do not make a given machine resistant to breach in the long term, any more than medieval moats could ultimately protect their castles. But like moats, tripwire obscurity provides a critical buffer against attackers, allowing defenders room to breathe.

4 Asymmetric cryptography exhibits traits of STO Despite the notion that asymmetric cryptography such as RSA is 'real' security, in some aspects these methods resemble STO. Indeed, this entire class of cryptography is founded on the hopeful guess that a certain mathematical problem is intractable. The back door into cryptographic methods that rely on multiplying primes is, quite simply, to develop a swift means of factoring those multiples. This NP-time problem must be solved before a private key can b e derived from its corresponding public key, and the notorious difficulty of NP problems leads some supporters to characterize asymmetric cryptography as 'prova bly secure'. This is far from the case - there is uncertainty among mathematicia ns as to whether this problem will even prove non-trivial once approached from t he right angle. Startling progress has been made in solving similar 'impossible' problems using innovative ploys - for example, DNA computers can now solve the Traveling Salesman problem in linear time. Given that asymmetric encryption is used widely in the world's e-commerce infrastructure, the repercussions when this piece of obscurity is cracked are disturbing to contemplate.

One telling argument against STO is that it promotes a false sense of security, leading admins into complacency. But the complexity of asymmetric cryptography, combined with reports of its infallibility, can produce much the same effect. Co nsider this social-engineering exploit of digital signing. Using a tool such as m akecert, the cracker generates a root certificate with the name 'Verisign Class 1 Primary CA' and uses it to sign an end-entity certificate with the subject 'CN=Rob Malda, E=malda@slashdot.org' (CT:Please don't. I'm used to posers pretending to be me in Quake, but not on email ;) The cracker then sends the email to an enemy, using a client that does not validate e-mail addresses and spoofing the return address friendly name. The inexpert recipient, thinking all is in order and knowing that digital signatures never lie, trusts the root certificate and hence forth carries on a conversation with a false CmdrTaco. Only scrutiny of the headers will reveal the mail is actually going to a different address. The widely made claim that public-key cryptography is 'real' security and completely unrelated to 'false' STO delivers a more powerful illusion of security than anything an XOR'd password file can provide.

Even brute-force cryptanalysis has parallels in STO. Suppose we wish to conceal the passwords for a number of Swedish bank accounts. We resolve to write them to a secret location on our hard drive, perhaps a few unused bytes in a file sector. Only we, who know the lucky offset, can read the data. This form of concealment is a typical case of secruity through obscurity. The integrity of our secret depends on the ignorance of the cracker, and a trial of all 2^n possible locatio ns compromises the system. But in what way is this fundamentally different from the 'genuine' security of n-bit encryption? To break this form of security, 2^n keys are generated and tried agains t the cipher text until the result is a plain body. Is the difference between this 'true' security and the 'false' STO merely than n is considerably larger in encryption than in the case of hard drives? But this implies that our real error lay, not in reliance upon obscurity, but in having a hard drive of insufficient size!

5 Conclusions Security in the absence of obscurity is not strictly possible, but good systems both localize and advertise their points of obscurity. When the admin is fully a ware of the obscurity in a system, tripwires and instantiated data can provide a useful complement to more rigorous security techniques. Obscurity cannot keep information safe or concealed for long, but it can make attacks risky and destroy the effectiveness of automatic kits. These benefits should not be dismissed as an article of faith.

skroz writes "At Linux world today, 3dfx announced plans to bring their direct rendering infrastructure to its Linux drivers. Their hope is to broaden high-end graphics support in Linux. Check out the story here. "

Chad Cunningham writes "C|Net has posted a story on NT5.0 vs. Red Hat Linux 5.1. Not a bad article, but again they missed some of the things that linux can do as well as NT. For example, they touted the ability to control management functions on NT from other NT machines as well as from a web browser (only IE4 of course) . They seemed to think it was better than being able to telnet into your machine and edit ANYTHING from ANY computer. Of course, I guess no one told them about linuxconf... "