This was the first time-based side channel attack I learned. Within Minix you initially could place a password right at a page boundary and try and login. If there was a page fault before the password was rejected, you knew you had the right character right before the page bound. Of course, the solution is very simple: check all the characters for correctness, simply setting a boolean to false each time you find an incorrect character. Probably even better is to pad the input to a maximum length (in a time independent way), use a hash and always test the all the bytes in the hash.
Adding delays is costly and unnecessary, outside the fact that you might still detect something since the average random delay is probably a constant. Don't forget that these attacks already rely strongly on statistics. One thing that you can easily do with an online system is to add a delay after a bad attempt. If you add enough delay, a statistical attack may take simply too long a time (make sure sure you don't aggravate your users until they get a heart attack). Obviously, on an online system, you cannot *just* set a maximum amount of retries without handing a DoS attack to attackers.
Preventing side channels attacks is hard, and don't get illusions that they can be easily discarded because they are impossible to implement. They can be implemented and with the current state of cryptography, they are the one of the weakest points in many security protocols and algorithms. Within the SHA-3 competition it is definitely one area that is getting attention.
Re:It's interesting where a lot of the time went
on
Recomputing the Sky
·
· Score: 1
That's the bare minimum if you are using 1 GB = 8,000,000,000 bits. Which is unlikely since they are probably using Explorer to do the file size calculations as well.
So basically, that would be approx. 1.91 hours or 1 hour 54 minutes as a bare minimum. Normally, however, you can safely divide by 10 to get the maximum speed in MB instead of bits at the ethernet level (I'm assuming similar efficiency for 1 Gbit/s as for 100 Mbit/s here).
So that would mean 802 GiB would take 2 hours and 23 minutes. So they've achieved about 7 minutes overhead. Sounds about right for a well performing network.
You're probably not living anywhere near a large city, are you? I mean, the night sky is probably there somewhere near those very faint dots I can see when there are no clouds.
Meaning that they have already got a library for this build in? Or is it something that you can only do because Silverlight has [please insert silverlight exclusive technology here]?
OK, now somebody calculate how many atoms are actually going to hit earth once it's here (if it gets here at all), or I won't be able to sleep tonight.
I would like to add that this kind of Hawking radiation is extremely slow process and that it has nothing to do with giant fireballs escaping from black holes as such. Or, very probably, anything else we can detect.
I must admit that I do miss something like apt-get on my Android.
I want at least some way to distinguish between apps and libraries. Currently it looks a bit too much like a one app one process model. I thought we were past that.
Something that I can use to keep my app store up to date. Currently I've got 56 apps waiting for an update. I can spend a whole day just updating apps because they have some more or less mundane bug.
That kind of resolution is only usable on a phone if you've got some way of handling it. Everything that is directly using the pixels will require a microscope. Leave it to Apple to actually pull such a thing off.
Here is to hoping that we scale to such pixel densities that having a few dead dots actually doesn't matter.
True, but I could not even easily count the number of (GSM) phones they currently have in their product line. That does not make it easier to market anything.
Many of these teenagers have grown up by now. I've seen correct answers on complex questions regarding cryptography that I've even have trouble understanding, let alone answer. And you can rely on the mods to do a relatively good job of refining the answers (even though many good answers posted too late get lost, and even though once the complexity goes up, the quality of modding goes down).
Look at the post by hguorbray for instance. Now that seems to me like a well thought out answer. Way better than going into a bookstore and pick up DB books at random.
I (wildly) wonder how much of that is really needed. My first computer had MSX-BASIC and a programmers manual. It took quite some figuring out how even to start a game. It took even more guts on trying to make or hack a game. It made one heck of a learning experience. Then again, I was pretty much set on understanding computers, not so much as doing anything useful with it.
PS. And Dijkstra is wrong, you can start off by learning BASIC and become a good programmer:) Then again, MSX-BASIC probably was one of the least murky versions of BASIC that ever existed.
SHA-3 is currently just a competition, not a specific hash algorithm. So even if you wanted to (but you shouldn't) you *cannot* use SHA-3. You can use Skein or one of the other candidates if you don't care about security though.
I know you are trying to be funny, but it's actually 2^64 - most hash functions are "limited" to 2^64 or 2^128 (due to the fact that the length is factored in).
From the almighty Wikipedia: "The remaining bits are filled up with a 64-bit integer representing the length of the original message, in bits."
Basically most of it was salt water marshes and lakes that we drained. Fortunately we are not living anywhere near a geological active region, nor do we have a rainy season or trouble with hurricanes. A lot of the world is not as lucky. We've spend oodles of money and time into building dikes and such. We are a highly organized, rich country. You cannot just take our solution and implement it anywhere else.
You won't even believe what we have to do to be safe from newer threats that come from the changes in climate. Basically we have to make all the dikes a lot higher. The chances of floods from rivers is much higher and the sea dikes were not build with higher water levels either.
BTW, fun fact, Schiphol was a lake, so when you land, don't forget that the runway already is 3m below sea level - and the train station is much lower than that:)
Many of these new languages have very strong features, it's just not always the features that corporate environments want. If you want a well structured, understandable and *maintainable* language, Java is still a long way ahead on all those new languages. Even worse, most of all those new languages are worse.
I'm also aching for a new language. A language that is even better supported by IDE's (refactoring, background compiling, static code checking and such). A language that has a better module system than Java. A language that takes all these things learned by Java and other OO languages and removes the awkwardness. I'm just not sure that functional languages provide these things.
There are many languages that are easier to write than Java. There are few that are more easily read and maintained. Guess what a smart enterprise is waiting for?
Well, congratulations of doing so well, but not everybody can be a high payed consultant, and if everyone was writing two books we'd be overrun by books and would have to hold book burning sessions. Be glad you've got a good set of brains and a good upbringing, but stop gloating.
He must be one of the guys that thought that building an entirely new computer language without exceptions (Google Go, for a name that doesn't Google) was a good idea too.
Oh, how I love code that is written like this:
boolean ok = true; if (!someMethod()) {
ok = false; } if (ok && !someOtherMethod() {
ok = false; }
return ok;
Now you've got rid of all the exceptions. Oh, but the method calls are hidden within if statements, and although you have a single return at the end, the *triggering* of the return value is in the if block. You've already used up the return value too, and people can easily make the mistake of not checking it. Google Go solved this by being able to have multiple return values, but that just simplifies the argument handling a bit.
Of course in many cases Exceptions are NOT the way to go. I've created a nice lib that uses result listeners instead of exceptions on most places. Then the user of the lib (the business logic more or less) can make a decision on what to do with a result. That does not do away with RuntimeExceptions or the exception that the user can throw to stop after a bad result.
Hah, no need for exceptions at all? He must live in another world entirely than the one I'm living in. It *must* have been an exaggeration.
I expect these kind of screens to be available in a couple of years. Lets hope they finally *will* compete on resolution rather than size. Currently I'm going to settle for the HP ZR24w IPS screen. It's not perfect but it's the only 1200 line IPS screen that is reasonably priced.
Link to working prototype demo - long video with lots of info: - b&w & color options - video - dynamic refresh rate (power consumtion) - high transmissive (up to 45 per cent more than LCD) - transmissive, transflective and reflective options - can be build using adapted LCD manufacturing equipment - competitive in price with LCD technology (well, that's subjective, isn't it)
Slashdot Mirror
This was the first time-based side channel attack I learned. Within Minix you initially could place a password right at a page boundary and try and login. If there was a page fault before the password was rejected, you knew you had the right character right before the page bound. Of course, the solution is very simple: check all the characters for correctness, simply setting a boolean to false each time you find an incorrect character. Probably even better is to pad the input to a maximum length (in a time independent way), use a hash and always test the all the bytes in the hash.
Adding delays is costly and unnecessary, outside the fact that you might still detect something since the average random delay is probably a constant. Don't forget that these attacks already rely strongly on statistics. One thing that you can easily do with an online system is to add a delay after a bad attempt. If you add enough delay, a statistical attack may take simply too long a time (make sure sure you don't aggravate your users until they get a heart attack). Obviously, on an online system, you cannot *just* set a maximum amount of retries without handing a DoS attack to attackers.
Preventing side channels attacks is hard, and don't get illusions that they can be easily discarded because they are impossible to implement. They can be implemented and with the current state of cryptography, they are the one of the weakest points in many security protocols and algorithms. Within the SHA-3 competition it is definitely one area that is getting attention.
That's the bare minimum if you are using 1 GB = 8,000,000,000 bits. Which is unlikely since they are probably using Explorer to do the file size calculations as well.
So basically, that would be approx. 1.91 hours or 1 hour 54 minutes as a bare minimum. Normally, however, you can safely divide by 10 to get the maximum speed in MB instead of bits at the ethernet level (I'm assuming similar efficiency for 1 Gbit/s as for 100 Mbit/s here).
So that would mean 802 GiB would take 2 hours and 23 minutes. So they've achieved about 7 minutes overhead. Sounds about right for a well performing network.
You're probably not living anywhere near a large city, are you? I mean, the night sky is probably there somewhere near those very faint dots I can see when there are no clouds.
Meaning that they have already got a library for this build in? Or is it something that you can only do because Silverlight has [please insert silverlight exclusive technology here]?
OK, now somebody calculate how many atoms are actually going to hit earth once it's here (if it gets here at all), or I won't be able to sleep tonight.
Great insight! I'm off proving that galaxies can actually travel back in time...
I would like to add that this kind of Hawking radiation is extremely slow process and that it has nothing to do with giant fireballs escaping from black holes as such. Or, very probably, anything else we can detect.
I must admit that I do miss something like apt-get on my Android.
I want at least some way to distinguish between apps and libraries. Currently it looks a bit too much like a one app one process model. I thought we were past that.
Something that I can use to keep my app store up to date. Currently I've got 56 apps waiting for an update. I can spend a whole day just updating apps because they have some more or less mundane bug.
That kind of resolution is only usable on a phone if you've got some way of handling it. Everything that is directly using the pixels will require a microscope. Leave it to Apple to actually pull such a thing off.
Here is to hoping that we scale to such pixel densities that having a few dead dots actually doesn't matter.
True, but I could not even easily count the number of (GSM) phones they currently have in their product line. That does not make it easier to market anything.
- make design choices *and write them down*
- yea gods, why the hell didn't he index?
Many of these teenagers have grown up by now. I've seen correct answers on complex questions regarding cryptography that I've even have trouble understanding, let alone answer. And you can rely on the mods to do a relatively good job of refining the answers (even though many good answers posted too late get lost, and even though once the complexity goes up, the quality of modding goes down).
Look at the post by hguorbray for instance. Now that seems to me like a well thought out answer. Way better than going into a bookstore and pick up DB books at random.
I (wildly) wonder how much of that is really needed. My first computer had MSX-BASIC and a programmers manual. It took quite some figuring out how even to start a game. It took even more guts on trying to make or hack a game. It made one heck of a learning experience. Then again, I was pretty much set on understanding computers, not so much as doing anything useful with it.
PS. And Dijkstra is wrong, you can start off by learning BASIC and become a good programmer :) Then again, MSX-BASIC probably was one of the least murky versions of BASIC that ever existed.
There are infinite other ones, it's just that we cannot find them (in time with current techniques).
SHA-3 is currently just a competition, not a specific hash algorithm. So even if you wanted to (but you shouldn't) you *cannot* use SHA-3. You can use Skein or one of the other candidates if you don't care about security though.
I know you are trying to be funny, but it's actually 2^64 - most hash functions are "limited" to 2^64 or 2^128 (due to the fact that the length is factored in).
From the almighty Wikipedia: "The remaining bits are filled up with a 64-bit integer representing the length of the original message, in bits."
Basically most of it was salt water marshes and lakes that we drained. Fortunately we are not living anywhere near a geological active region, nor do we have a rainy season or trouble with hurricanes. A lot of the world is not as lucky. We've spend oodles of money and time into building dikes and such. We are a highly organized, rich country. You cannot just take our solution and implement it anywhere else.
You won't even believe what we have to do to be safe from newer threats that come from the changes in climate. Basically we have to make all the dikes a lot higher. The chances of floods from rivers is much higher and the sea dikes were not build with higher water levels either.
BTW, fun fact, Schiphol was a lake, so when you land, don't forget that the runway already is 3m below sea level - and the train station is much lower than that :)
Many of these new languages have very strong features, it's just not always the features that corporate environments want. If you want a well structured, understandable and *maintainable* language, Java is still a long way ahead on all those new languages. Even worse, most of all those new languages are worse.
I'm also aching for a new language. A language that is even better supported by IDE's (refactoring, background compiling, static code checking and such). A language that has a better module system than Java. A language that takes all these things learned by Java and other OO languages and removes the awkwardness. I'm just not sure that functional languages provide these things.
There are many languages that are easier to write than Java. There are few that are more easily read and maintained. Guess what a smart enterprise is waiting for?
Well, congratulations of doing so well, but not everybody can be a high payed consultant, and if everyone was writing two books we'd be overrun by books and would have to hold book burning sessions. Be glad you've got a good set of brains and a good upbringing, but stop gloating.
A high efficiency airo...sorry about that, it's over 30 degrees here and I'm not that heat resistant.
"P4-2.4GHz or faster, 2GB RAM...pretty much all a normal business user needs."
Except for a highly airco...
He must be one of the guys that thought that building an entirely new computer language without exceptions (Google Go, for a name that doesn't Google) was a good idea too.
Oh, how I love code that is written like this:
boolean ok = true;
if (!someMethod()) {
ok = false;
}
if (ok && !someOtherMethod() {
ok = false;
}
return ok;
Now you've got rid of all the exceptions. Oh, but the method calls are hidden within if statements, and although you have a single return at the end, the *triggering* of the return value is in the if block. You've already used up the return value too, and people can easily make the mistake of not checking it. Google Go solved this by being able to have multiple return values, but that just simplifies the argument handling a bit.
Of course in many cases Exceptions are NOT the way to go. I've created a nice lib that uses result listeners instead of exceptions on most places. Then the user of the lib (the business logic more or less) can make a decision on what to do with a result. That does not do away with RuntimeExceptions or the exception that the user can throw to stop after a bad result.
Hah, no need for exceptions at all? He must live in another world entirely than the one I'm living in. It *must* have been an exaggeration.
I expect these kind of screens to be available in a couple of years. Lets hope they finally *will* compete on resolution rather than size. Currently I'm going to settle for the HP ZR24w IPS screen. It's not perfect but it's the only 1200 line IPS screen that is reasonably priced.
This screen (in different versions) should be available in a year or so (2nd half 2011):
http://www.youtube.com/watch?v=D6tzaIgZKs0
Link to working prototype demo - long video with lots of info:
- b&w & color options
- video
- dynamic refresh rate (power consumtion)
- high transmissive (up to 45 per cent more than LCD)
- transmissive, transflective and reflective options
- can be build using adapted LCD manufacturing equipment
- competitive in price with LCD technology (well, that's subjective, isn't it)
I wonder how they would compare.
As the original was a merge of different songs, maybe the result will start and make sense :)