Wow!
Look also at the quantities of 'new' boards said to be available.
I wonder if there's a (better) model -3 or some other reason for dumping this quantity.
Interestingly, no bids on eBay yet.
Houston, we have a problem.... ...estimator is there, Java applet runs, but the site that it refers to is (apparently) not reachable.
Look at the exploit details - 3DES may not help you that much!
Having looked at the details of the exploit, I cannot see any grounds for complaint about its release or about the level of detail. There's enough to stimulate action but not to actually increase the risk.
IBM knew for a while and apparently assumed its customers would provide adequate additional physical security to prevent a crooked bank official using the clearly defined flaw. Wrong assumption, IMHO. The Altera FPGA chip and evaluation board, and the methodology are advanced stuff but not rocket science. There must be at least one disaffected or crooked official in a position to do an exploit.
As has also been pointed out, closing the loophole is not a big deal in coding terms. I guess IBM was more concerned about the cost of software re-certification (new code for crypto boxes happens infrequently and involves a LOT of testing) and the cost of loading it piecemeal into all the affected machines.
Sloppy thinking, bad decision, worrying result.