NB: Note that this long and tedious post deals with IBM's Trusted technology only; I'm afraid I know very little about Microsoft's Palladium, which by all accounts was even worse:)
Just as a nitpick, this is not IBM's technology, but that of TCPA/TCG. IBM is one of the first to include this technology in their systems and thus probably wants to make sure that the actual capabilities are well-known.
BTW at some point, Palladium (aka NGSCB), was proposed to include a secure path to the monitor and keyboard (and possibly other io devices). This feature could be actually very useful in preventing local snooping.
It sounds to me like the author of the article is talking about two completely different issues. The first is code decompilation and static obfuscation. The second is about runtime obfuscation.
In theory, if you don't run the binary you have, you don't need to worry about it modifying itself. The same techniques that work on obfuscated byte code now should work on the binary. Now if you were trying to reverse engineer a program by running it and tracing it, that's where PSCP seems like it would help.
This introduces several additional points of failure in every connection. For example, suppose you had a 5 port knock before connecting to your final real port. If any one of these fails to reach the end point, you're denied service. Thus, if I have the ability to stop some of your packets from coming through, I only have to stop one packet per connection attempt -- a new low bandwidth DoS.
Even if there's nobody malicious in between you and the server, you need to make sure that 5 packets get through in sequence. That's not terribly easy.
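To make the failure mode above concrete, here is a toy model of a knock daemon (added example, not code from the comment or from any real knockd). It tracks each source's progress through a fixed sequence of closed ports and opens the real port only when the whole sequence arrives in order within a timeout. The port numbers, the timeout, the client address and the "attacker" that drops one packet are all constructed for the example.

```python
"""Toy port-knock sequence tracker (added example, not real knockd code).

A client must hit KNOCK_SEQUENCE in order, each knock within KNOCK_TIMEOUT of
the previous one, before the server grants access. Any out-of-order or missing
knock resets progress, so dropping a single packet per attempt denies service.
"""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000, 10000, 11000)  # assumed 5-port knock
KNOCK_TIMEOUT = 5.0  # assumed max seconds between consecutive knocks


@dataclass
class KnockServer:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = KNOCK_TIMEOUT
    progress: dict = field(default_factory=dict)  # src -> (next index, last seen)
    opened: set = field(default_factory=set)      # sources granted access

    def observe(self, src, port, now):
        """Feed one observed SYN (source, destination port, timestamp).

        Returns True once the source has completed the whole sequence.
        """
        idx, last = self.progress.get(src, (0, now))
        if idx > 0 and now - last > self.timeout:
            idx = 0  # too slow between knocks: start over
        if port == self.sequence[idx]:
            idx += 1
        else:
            # Any out-of-sequence hit resets; a hit on the first port restarts.
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened.add(src)
            idx = 0
        self.progress[src] = (idx, now)
        return src in self.opened


def attempt(server, src, knocks, dropped=frozenset(), start=0.0, gap=0.1):
    """Replay one client's knock attempt against `server`.

    `dropped` is the set of 0-based positions that never reach the server
    (lost on the wire, or filtered by an on-path attacker). Returns True if
    the client ends up with access.
    """
    t = start
    for i, port in enumerate(knocks):
        t += gap
        if i in dropped:
            continue
        server.observe(src, port, t)
    return src in server.opened


def demo():
    """Returns (clean attempt, one knock dropped, two knocks reordered)."""
    client = "10.0.0.5"  # constructed client address
    ok = attempt(KnockServer(), client, KNOCK_SEQUENCE)
    # The attacker drops exactly one of the five knocks; the other four
    # (and everything else) pass untouched, yet the client is denied.
    denied = attempt(KnockServer(), client, KNOCK_SEQUENCE, dropped={2})
    # Without any attacker, the knocks still have to arrive in order; a path
    # that reorders two packets is enough to fail the attempt.
    reordered = list(KNOCK_SEQUENCE)
    reordered[1], reordered[2] = reordered[2], reordered[1]
    out_of_order = attempt(KnockServer(), client, reordered)
    return ok, denied, out_of_order
```

The same state machine also shows the timing constraint: a client whose knocks are spaced wider than the timeout is reset after every knock and never gets in, which is why a lossy or high-latency path makes "5 packets in sequence" hard even with nobody malicious in the middle.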
Does Subversion really handle the repeated merge problem now? I have heard that Arch does do this and I don't really know about bitkeeper. I'd say that this is my personal biggest beef with CVS (aside from its ridiculously inefficient storage scheme).
Last time I checked, repeated merge was a post-1.0 issue, but for me, it's the only reason not to move to Subversion.
Re:Similar techniques are in use already · on Javascrypt · Score: 2, Interesting
That's cool to know, but I don't think that this is true:
And in the event that someone compromises a secure server, your password wouldn't be available to the attacker, only the hash.
If you look at the code on the site, they have a 'challenge' value that is appended to the hash of the password, so to calculate the challenge response you need both the 'challenge value' (a.k.a. a nonce) and your password. The server needs the same thing. I think that this same technique is used in APOP.
The only way that they wouldn't need some shared secret is if you used some sort of asymmetric signing protocol, but then key distribution is a problem...
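The construction the comment describes, written out as an added example (this is not the Javascrypt site's code, and the hash function, encodings and credentials are assumptions): the server sends a random challenge, the client answers with hash(hash(password) || challenge), and the server checks it against the same stored hash. The example also shows the caveat that matters if the server is compromised: the stored hash is enough to answer any challenge, so for this protocol it is a password-equivalent, even though the cleartext password never leaves the client.

```python
"""Hash-based challenge-response login (added example, not Javascrypt's code).

Assumptions: SHA-256 as the hash, UTF-8 password encoding, a 16-byte random
challenge, and constructed credentials for the demo.
"""
import hashlib
import hmac
import os


def password_hash(password):
    """What the server stores at enrolment and what the client derives locally."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def response(stored_hash, challenge):
    """Response = H(H(password) || challenge). Note the input is the hash,
    not the password: anyone holding the hash can compute this."""
    return hashlib.sha256(stored_hash + challenge).digest()


class Server:
    def __init__(self, users):
        # Only H(password) is kept; cleartext passwords are never stored.
        self._db = {u: password_hash(p) for u, p in users.items()}
        self._pending = {}

    def challenge(self, user):
        c = os.urandom(16)          # fresh nonce per login attempt
        self._pending[user] = c
        return c

    def verify(self, user, resp):
        c = self._pending.pop(user, None)   # single use: consumed on first check
        if c is None or user not in self._db:
            return False
        expected = response(self._db[user], c)
        return hmac.compare_digest(expected, resp)

    def dump_hash(self, user):
        """Stands in for an attacker who has read the server's database."""
        return self._db[user]


def client_login(server, user, password):
    c = server.challenge(user)
    return server.verify(user, response(password_hash(password), c))


def pass_the_hash(server, user, leaked_hash):
    """Attacker with the server's stored hash: no password needed at all."""
    c = server.challenge(user)
    return server.verify(user, response(leaked_hash, c))


def demo():
    """Returns (correct password, wrong password, replayed response, leaked hash)."""
    pw = "correct horse battery staple"        # constructed credentials
    srv = Server({"alice": pw})
    good = client_login(srv, "alice", pw)
    bad = client_login(srv, "alice", "wrong password")
    # A sniffed response is useless against the next login: the nonce changes.
    c1 = srv.challenge("alice")
    r1 = response(password_hash(pw), c1)
    srv.verify("alice", r1)                     # legitimate login, consumes c1
    srv.challenge("alice")                      # a new challenge is issued
    replay = srv.verify("alice", r1)            # old response no longer matches
    # Server compromise: the stored hash answers any challenge without the password.
    pth = pass_the_hash(srv, "alice", srv.dump_hash("alice"))
    return good, bad, replay, pth
```

So the scheme does stop replay of a captured response and keeps the cleartext off the wire, but it does not protect the user if the server's hash store leaks. APOP (RFC 1939) is in the same family and is worse on that axis: its response is MD5 of the server's timestamp banner concatenated with the shared secret, so the server has to hold the secret itself in cleartext.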
There are some nice ideas and good thinking here, but does anyone have a link to more interesting performance numbers? I'm curious how well this would work on a workload that was both intense and non-sequential.
I don't have a GameCube, but I was really tempted to get one when I saw the Viewtiful Joe teasers. Maybe that'll help sales. Or better yet for me, maybe Capcom will release the game on Playstation2...
The headline of this story is misleading. Some people disagree philosophically with Palladium's goals, not its technical merits. It just happens that these people are famous cryptographers. At the moment, the technical details seem sparse, so we'll just have to wait until they are released (if ever) to see if the goals that are mentioned are actually met.
IANAL, but could someone sue the company for false advertising? If they say their product is safe and secure, but you feel it isn't and you are a user, then shouldn't you be able to bring a case against them? At that point, you have to present evidence for your claim and (assuming the court records aren't sealed) the exploit becomes public record.
Re:Hmm, not terribly impressed... · on New DOOM III Shots · Score: 3, Insightful
Nope, you're not alone. I can't understand why so many people go nuts over screenshots like these. As long as I see lines and corners where I should see curves, I won't be impressed.
I'm not saying the games aren't fun, but for me, the graphics don't seem to be any monumental improvement, even over a few years ago.
Do you feel pressure from the US and other countries to approve software patents? I know many corporations will withhold business from countries that don't have "support" for this sort of thing, so is there a big national-level economic incentive in software patents?
I use Linux (and various kinds of Unix) for the interface. I detest the mouse. Clicking all over the place is much too slow for my tastes. Clicking alternated with typing is even worse.
Tab completion is one of my favorite interface inventions ever.
Manssiere!
Seems like the biggest problem with the camera is that it is basically a digital signing oracle for whoever holds it.
I downloaded source the other day and it claims to be version 1.7a. Does anyone know how this relates to this release?
The government hires ex-criminals to fight crime with great success -- just look at She-Spies! ;-)
Why can't the heat be used to recharge the battery and give it a longer run time? Seems like this just throws away energy...
I'm not terribly sure I'd trust an application given to me on a business card by someone I don't know, much less something that boots.
Reminds me of "Bart vs. Australia"...
"Yahoo Serious Festival"
Lisa: I know those words, but that sign makes no sense.
Is it just me, or does the character look like half of all the manga/anime characters?
How would you know that it was really Senator Jacka$$? They don't even have to put their name on the message now.
OTOH, it probably is Senator Jacka$$. It's always Senator Jacka$$. Blast him and his SMS spam!
1. Run a broadband connection to the South Pole.
2. ????
3. Profit!
My Dinner with Andre! It really deserves the big screen for all the action. Like when the waiter comes with the wine!
And when the apocalypse comes, this will become even more practical!
There are so many questions being asked here about details... The company website has much more information than this article. Go to the source.