There is a lot of completely legal software distribution over BitTorrent these days. This guy wants to go back to the stone-age. He probably is deeply afraid of the freedoms network-neutrality gives to people and companies.
Well, the western world is in decline. Desperately keeping old business-models alive and blocking new ones is a traditional sign of that.
Indeed. The "somebody else is at fault" people are a plague. They never learn anything from experience, because it is always somebody else that is responsible. Of course, that is usually not true, and hence they stay incompetent.
Their vision of Rust is nothing but a "coding safe space" where the compiler will make even the dumbest fuckup write secure code. Of course, that is not how it actually works.
Indeed. Buffer overflows in security-critical code are mostly a sign of developer incompetence and they are getting far harder to exploit than other flaws like XSS.
Actually this "problem" is easily rectified in C by understanding of the "volatile" keyword. Apparently that is beyond the complexity the people that have this issue can manage.
The incompetent among the coders (the majority, unfortunately) is always on the lookout for the next, greatest language or tool that will remove their incompetence. It never pans out. This collective stupidity has been going on for a few decades and it is always nonsense.
Complete and utter bullshit. Language has little to no influence on code security. You can be insecure on many different levels and incompetent coders universally manage to make it insecure.
Incidentally, the claim the Rust is safe-by-design is a shameless lie. It is not. It just makes some specific security issues more difficult (but not impossible) to implement. It does not do anything at all for most security problems.
Indeed. Developer incompetence is 90% of the problem. Languages, coding styles, etc. do not really matter. Incompetent coders demonstrate time and again that they can make it insecure, no matter what.
And there are even more soccer-mom types who don't feel comfortable unless everyone is surveilled, because if you don't have anything to hide, why worry, right?
Well, ask them to put cameras and microphones into their bathrooms and bedrooms and at least some seem to wise up.
the problem here is you'd need a huge grassroots-type movement to get AMD or Intel to back-down on this. But sadly the truth is that the vast absolute majority of people:
Do not care Don't understand enough about the hardware to have a valid opinion
OR worst of all actively support this kind of capability to you know; keep their kids safe from terrorists and/or the child-predators that some app has clearly shown to be infesting their neighborhood.
We live in a society that has completely run out of real threats, and so we've started to hyperfocus on statistically anomalies (partially thanks to a sensationalist media and 24 hour news cycle) to invent new ones.
Call it the Nancy Grace syndrome.
We will see. There is a real possibility using these CPUs may become illegal in some sectors of finance and medicine in the EU. Also, think about how much critical infrastructure is possibly affected. That would create a bit of pressure, I Imagine.
While I agree on the hyperfocus on statistical anomalies, I do really not think this is one. I agree that "ordinary citizens" are clueless as always. Just look like about every fascist and totalitarian government was cheered in by these "ordinary people". I do expect this will have a lot of people very, very concerned for years to come in a professional capacity, and some of those people will be the ones that decide about really large hardware purchases.
It is not "the same" vulnerabilities. It is "similar" ones. Nobody yet has found a way to dump the AMD PSP code. Also, AMD made at least sure that code has to be signed to get in there.
Wile that is still not a good situation, it is a bit different from the "full compromise" Intel currently has.
Indeed. Or Amazon has them as well. I have two in VMs that checked out as genuine without trouble. (I will not put the Win10 spyware into anything by a VM at this time....)
I mean, a devel-environment that expires after two months? If you do things right, you are just in the middle of the first serious experiments when that happens.
Of course. Why would it not be? Unless people that do this kind of crap are locked away for life when discovered, this is not going to stop. There are far too many authoritarian assholes in governments around the world that do not feel comfortable until they can spy on everybody.
Form most practical purposes "EVERYTHING" with an Intel CPU is a good approximation. AMD and alternate CPU architectures are not yet affected, may take a few years until the same attack is performed there and published.
And now it demonstrated how it works in the face of a competent attacker: Full, catastrophic, immediate failure. It outperforms any other security in this regard as well, only that it does worse than any other for of security.
You are mistaken. This is an attacker that can locally execute code. It is not one with physical access. And a local code execution can sometimes be upgraded to a fully remote code execution, especially as the ME can snoop at least on chipset-integrated network cards.
There is a lot of completely legal software distribution over BitTorrent these days. This guy wants to go back to the stone-age. He probably is deeply afraid of the freedoms network-neutrality gives to people and companies.
Well, the western world is in decline. Desperately keeping old business-models alive and blocking new ones is a traditional sign of that.
Indeed. The "somebody else is at fault" people are a plague. They never learn anything from experience, because it is always somebody else that is responsible. Of course, that is usually not true, and hence they stay incompetent.
Their vision of Rust is nothing but a "coding safe space" where the compiler will make even the dumbest fuckup write secure code. Of course, that is not how it actually works.
Indeed. Buffer overflows in security-critical code are mostly a sign of developer incompetence and they are getting far harder to exploit than other flaws like XSS.
Actually this "problem" is easily rectified in C by understanding of the "volatile" keyword. Apparently that is beyond the complexity the people that have this issue can manage.
The incompetent among the coders (the majority, unfortunately) is always on the lookout for the next, greatest language or tool that will remove their incompetence. It never pans out. This collective stupidity has been going on for a few decades and it is always nonsense.
With the Rust people you can never tell. They seem to be trolling themselves constantly about the miracles that their "one true language" can do.
Complete and utter bullshit. Language has little to no influence on code security. You can be insecure on many different levels and incompetent coders universally manage to make it insecure.
Incidentally, the claim the Rust is safe-by-design is a shameless lie. It is not. It just makes some specific security issues more difficult (but not impossible) to implement. It does not do anything at all for most security problems.
Indeed. Developer incompetence is 90% of the problem. Languages, coding styles, etc. do not really matter. Incompetent coders demonstrate time and again that they can make it insecure, no matter what.
There are still people that believe programming languages actually matter for security? It is time for the dumb idea to die.
And there are even more soccer-mom types who don't feel comfortable unless everyone is surveilled, because if you don't have anything to hide, why worry, right?
Well, ask them to put cameras and microphones into their bathrooms and bedrooms and at least some seem to wise up.
the problem here is you'd need a huge grassroots-type movement to get AMD or Intel to back-down on this. But sadly the truth is that the vast absolute majority of people:
Do not care
Don't understand enough about the hardware to have a valid opinion
OR worst of all actively support this kind of capability to you know; keep their kids safe from terrorists and/or the child-predators that some app has clearly shown to be infesting their neighborhood.
We live in a society that has completely run out of real threats, and so we've started to hyperfocus on statistically anomalies (partially thanks to a sensationalist media and 24 hour news cycle) to invent new ones.
Call it the Nancy Grace syndrome.
We will see. There is a real possibility using these CPUs may become illegal in some sectors of finance and medicine in the EU. Also, think about how much critical infrastructure is possibly affected. That would create a bit of pressure, I Imagine.
While I agree on the hyperfocus on statistical anomalies, I do really not think this is one. I agree that "ordinary citizens" are clueless as always. Just look like about every fascist and totalitarian government was cheered in by these "ordinary people". I do expect this will have a lot of people very, very concerned for years to come in a professional capacity, and some of those people will be the ones that decide about really large hardware purchases.
It is not "the same" vulnerabilities. It is "similar" ones. Nobody yet has found a way to dump the AMD PSP code. Also, AMD made at least sure that code has to be signed to get in there.
Wile that is still not a good situation, it is a bit different from the "full compromise" Intel currently has.
That is really interesting. Another failed MS API?
Hahahah, nice. "Free as in Herpes" is something I have to remember.
There are actual genuine ones. Like they are in a DB on MS side and they do not collide with other installations.
Indeed. Or Amazon has them as well. I have two in VMs that checked out as genuine without trouble. (I will not put the Win10 spyware into anything by a VM at this time....)
I mean, a devel-environment that expires after two months? If you do things right, you are just in the middle of the first serious experiments when that happens.
Funny. And in actual reality he does not beyond a very basic level of mechanical engineering. He is doing zero science.
The morale is to never start a ridiculous cult, as there will always be people stupid enough to take it seriously and make it a reality.
Of course. Why would it not be? Unless people that do this kind of crap are locked away for life when discovered, this is not going to stop. There are far too many authoritarian assholes in governments around the world that do not feel comfortable until they can spy on everybody.
Form most practical purposes "EVERYTHING" with an Intel CPU is a good approximation. AMD and alternate CPU architectures are not yet affected, may take a few years until the same attack is performed there and published.
And now it demonstrated how it works in the face of a competent attacker: Full, catastrophic, immediate failure. It outperforms any other security in this regard as well, only that it does worse than any other for of security.
Credentials, crypto-keys, etc. are explicitly _not_ "security by obscurity". You just demonstrated extreme incompetence.
Look up "Kerckhoffs's principle" some time to at least get a minimal clue.
You are mistaken. This is an attacker that can locally execute code. It is not one with physical access. And a local code execution can sometimes be upgraded to a fully remote code execution, especially as the ME can snoop at least on chipset-integrated network cards.
In addition, AV cannot detect an infection...
There was no one that did "blab" here. Instead the "fucking idiots" are all with Intel and likely the NSA.
You seem to forget that this potentially compromises a massive amount of enterprise computing.