Domain: secure64.com
Stories and comments across the archive that link to secure64.com.
Comments · 9
-
Re:Flawed HW+ inefficient SW = disappointment
Itanium is also immune to speculative execution because with Itanium, the compiler does the speculating, not the processor.
See https://secure64.com/not-vulnerable-intel-itanium-secure64-sourcet/
-
Itanium beats x86
According to http://secure64.com/not-vulnerable-intel-itanium-secure64-sourcet,
The Itanium platform is naturally immune to both Spectre and Meltdown precisely because the complex, expensive methods used to speed up a 44-year old architecture are completely absent in Itanium.
Itanium execution is explicitly parallel. It is the job of the compiler or coder to lay out the instructions and tell the hardware what can be done in parallel. Linus once quipped that he’d like to see an out-of-order Itanium (probably something he regrets saying, now), showing himself clueless about what EPIC and Itanium were about.
Without out-of-order execution, there is no way for the Meltdown attack to work.
Likewise, there is no speculative execution in Itanium. Instead, the architecture provides powerful branch prediction and predication, a concept generalized from ARM (sadly, abandoned in AArch64) to avoid branching altogether.
-
Re:git blame
Oh no, he's smart: almost every high assurance security offering ever marketed has been ignored by consumers. They *don't give a fuck*. Being the demand side of the equation, they're the reason [1] the suppliers are producing insecure garbage all the time. It's what they buy. Steven Lipner, who managed VAX High Assurance VMM, wrote about the what it taught management here [2]. Summary: users wanted the features more than security and would decide against any product developing features too slow (read: all high security systems). Many users also wanted lower costs (security adds costs) and integration with whatever garbage went mainstream. Intel tried three times [3] to do their part with i432 being a marvel of engineering and Itanium being used in a highly secure, affordable OS [4]. Intel's security-oriented efforts tanked to the tune of billions lost as market favored backward compatibility and price/performance instead.
So, users and market don't give a fuck. Only a niche segment does. Unless subsidized by grants or government contracts, high assurance systems are typically not built at all. All the secure stuff being built is grant-funded academia, defense-funded commercial, and/or high priced, patented I.P. for niche use (eg smartcard, embedded). Those of us left doing custom solutions pre-Snowden had very little business with most doing it on the side of better paying work. Post-Snowden, there's more demand, the demand is once again making insecure tradeoffs, false security abounds, and talent to do high assurance is still mostly nonexistent after market killed it off post-OrangeBook. On top of the millions using ad-driven services and tech that sells them out. Truly don't give a fuck and it ain't changing.
[1] https://www.schneier.com/blog/...
[2] http://blogs.microsoft.com/cyb...
[3] https://www.schneier.com/blog/...
[4] http://www.secure64.com/secure...
Nick P, Security Engineer/Researcher (High assurance focus)
-
How Rover (the fix) Works
Rover uses the Reverse DNS tree to advertise records that say that some address block [e.g. 0.192.in-addr.arpa] belongs to some ASN [e.g. 65535]. And you can use DNSSEC to verify that the rDNS advertisement for the address block is valid. This lets your routers (or at least the router-server you've got sitting next to your routers) validate whether a BGP announcement they receive is plausible.
And BGP's not at all anarchistic - the ASN assignments and IP address block assignments are both owned by IANA or its delegates (ARIN, RIPE, etc.), which is why it's meaningful to discuss whether a route advertisement is legitimate. The problem this is trying to solve is that people have been announcing routes they don't legitimately own, whether it's the kind of fat-fingers classful addressing autosummarization mistake that takes your two Class C subnets and announces the Class A that contains them, or whether it's Pakistan's PTT advertising YouTube's address blocks to keep Pakistanis (and the rest of the world) from watching politically incorrect videos on YouTube. (The fat-finger version happens more often, which is why you'll see ISPs that own a
/8 advertising it as two /9s, so they can use longest-match to protect their space.) -
Solution is called Rover, Uses Reverse DNS
TFA wasn't very detailed either, but it mentions that the new protocol is called Rover. Project website is here. The short summary is that you can use Reverse DNS to advertise the BGP Autonomous System Number (ASN) that's authoritative for your block of address space, and use DNSSEC to protect the Reverse DNS tree. If somebody else starts advertising that they've got a route to your address block, routers (or route servers sitting next to the routers, because your standard router doesn't actually know how to do this) can verify whether that's correct.
-
Re:yeah
Lets add Sweeden to another nation that considers ddos attacks illegal.
Hackers Given A Message: DoS is a Crime
From June 1, 2007, Sweden bans all website attacks, like DoS attacks. Sweden calls it a crime to program computers to automatically click on the same page thousands of times. This comes in response to the attacks on the Swedish national police website and other government websites. Attackers can be found guilty and receive up to 2 years in prison. The new law declares both automatic and manual DoS attacks illegal. Prosecutors will have to show the court that the attack was of criminal intent and that it was intended to damage a computer system. Simply trying to launch an attack is also to be considered criminal act.
-
Re:I hope P.B. win this trial
Only if it's criminally illegal,
I'm not sure exactly what Google Sweden's policy is. I'd be surprised if it was the same as TPB's. Is there a list of mocking responses that Google has written in response to copyright infringement complaints?
That's why TPB don't make that argument.
I look forward to reading about TPB's legal defence. I expect it to have some interesting legal theory behind it. But all I want to address is the argument that if TPB is illegal then all search engines are illegal. This is clearly not the case.
Does it? Show us the Swedish law that says so.
Well, given that intent to commit a crime is generally considered an important point in a number of jurisdictions, it seems odd that you would be expecting me to demonstrate this is also the case in Sweden. But here's an example of some learned professionals treating this as an established fact in at least some aspect of Swedish law, and here's another article where intent is considered important. Perhaps this is different for criminal copyright infringement, but I think really it's up to you to demonstrate that copyright infringement is a strict liability crime in Sweden.
Why are you asking me for references to back up my lack of certainty? My position is that I don't know whether their behaviour is legal but that demonstrating search engines are legal is not sufficient. If we don't know whether intent matters then it seems disingenuous to assume that it does when forming an opinion. You'll end up with a guess. -
Re:I would say that this is a pretty serious issue
Serious only if you're using BIND and a non-SOA DNS server. See http://secure64.com/products.shtml for good reasons to ditch BIND if you have some spare $$.
Remember: no cache, no fooling around with cache for giggles.
-
Funny
I just read a whole write up in the Sunday paper this weekend about a local (Colorado) company that is writing some new and cool stuff specifically for the Itanium processor. Matter of fact they used to work for HP / Intel I believe and set off to start this company. So they seem to think it's still got tons of potential and will still be the next big thing.