We have seen this play out in IT during the 80s and 90s. AV and firewalls for cars are next. Then they will wise up and move cars to a dedicated network with mutual authentication. Until then, we have a 'lost decade' of blue-screen-of-death automobiles. Unfortunately, unlike mostly harmless IT crashes, when an auto crashes someone is going to get hurt.
I am not going to argue the "pointless box-ticking exercises" point, but without FIPS certification LibreSSL adoption will always be limited.
As an analogy, let's say you discovered a cure for cancer that can be made at home from $5 worth of household supplies. Until you get it FDA approved, people would still die from cancer.
While I suspect your post is intentionally humorous, driving a rolling wreck is a choice. It isn't difficult or expensive to DIY basic repairs and maintenance; as such I have zero sympathy for someone driving with malfunctioning brakes, a broken ignition lock, or most cases of drastic power loss.
Autos are not categorically different from computing hardware and software. Just like you add RAM and SSD, patch OS and applications on your PC... you are expected to change oil, coolant, spark plugs and maintain your brakes. Interfaces are different, and it is almost always dirty/greasy, but it doesn't take a rocket science degree to figure it out. Plus, there is almost always a YouTube video showing you how to do it.
So stop with excuses and fix your rolling wreck. Just like you'd fix your PC if it was infested with malware.
You are probably thinking about Dual_EC_DRBG; support for it has been removed by NIST since 2013.
Generally, FIPS certification would only include things you do, and mandate how to do them. For example, if you implement AES256-GCM, you will have to demonstrate that it is implemented according to the standard - NIST SP 800-38D, but you don't have to implement it.
The last time my 80s era roadster was patched was when it rolled off the production line. 30+ years on the long-term stable release! Beat that with your Tesla.
Why do we need to connect cars to the internet again?
It is about time we get a viable alternative to OpenSSL. Unfortunately, LibreSSL is not FIPS certified, and as such won't be used for government-facing projects. This means as a system integrator I have a choice - use OpenSSL (and private label certify it) and be able to sell my product to industry and government clients, or use LibreSSL and only be able to sell to industry clients.
To protect against cyber threats that would work. To protect against nuclear EMP (since we were talking Fallout)? Not so much. Even 70s and 80s cars use coils and ECUs, and that would get fried. What you need is a mechanically injected car with non-electronic control. Some of the early 70s Mercedes would almost work, since they used vacuum to control everything.
Thankfully, they won't sell thousands of licenses since government requires certification. No lab, no matter how much they are paid, would certify something like that.
It is very easy to build a system that the system's designer could not hack, or code a crypto library that the library's programmer could not break. Then if you could successfully keep the product away from other people you could have an unhackable system.
The average car on the road is 11 years old right now. Assuming it is possible to design a secure OS (see Programming Satan's Computer for many reasons why not), crypto of that vintage is susceptible to brute force. This is assuming over that period of time nobody dropped the ball and lost signing keys and such.
Thing is, what you are proposing is fundamentally feature bloat. It doesn't help you drive.
Seeing all these vulnerabilities pop up in all these cars, knowing how malware-ridden the typical user's GPC is, you are asking for more GPC in cars?!?! What is wrong with you?!
If your grandma's AOL-connected computer gets infected, it will at most become a nameless bot zombie and a minor nuisance. On the other hand, under a similar scenario your grandma's networked car, probably with her screaming in terror until the bitter end, could realistically become a remotely controlled weapon and seriously ruin everybody's day. Just consider that only a couple of big accidents can pretty much shut down an entire urban highway system; the bar for extreme mayhem in this case is much, much lower.
Very interesting to read your perspective. Do you think "normal people don't want to code" would stay unchanged? We are well past "computers are a fad" public opinion stage, you'd think that coding attitude would also shift? Especially for situations typically applicable for scripting languages.
Anecdotally, many people learned Lua when WoW came out.
I think it would be better if programming languages borrowed some of the logic nomenclature used in philosophy. That is, the problem of readability has been repeatedly solved in other fields. The only reason I could see this hasn't been done in coding is cultural. It has roots in RTFM culture so prevalent in the computer science world, where knowledge of obscure trivia is valued over logic and clarity.
Formal logic statements, math, statistics are all very precise without being unreadable by a third party who is familiar with the nomenclature. I might not understand the logic behind any given theorem, but I certainly have an ability to read it. This is not the case for programming languages. For example, C code for LFSR is absolutely not human readable, yet I can write a paragraph, pseudo-code, or diagram that precisely explains it.
I respectfully disagree. I hate programming because syntax in every language out there is about as obnoxious as it gets. The biggest issue is that programming languages are all written by coders, for coders. With no concept that the language doesn't have to be obscure or convoluted to be efficient. That is what compilers are for.
Just like there could be no functional /. comments (or any other natural language statement) that only the author could read, there should be no functional code that could not be easily read by others. Most people here worked with code written by others - no matter what, it is at best difficult to understand. That is a key symptom that the language itself is flawed.
We need Flash because it is easy to block. You can remove a huge chunk of Web obnoxiousness by simply disabling/uninstalling Flash while not breaking the rest of the website. With HTML5, this won't be as straightforward a process.
Are you saying that the only way to secure a car from theft is to network it? That is nonsense.
I want my Cat connected to the IoT. Somebody please hack it so it stops leaving hairballs everywhere.
I suspect this is the approach this startup took.
^^^ Mod this up please.
Yes, and this is exactly how you end up with a homer car.
In the IoT world, the Internet browses you!
Wikipedia tells me that interstitial is short for Interstitial cystitis or bladder pain syndrome.
That too would get me to abandon the website.
>>>We are attempting to determine if any laws have been violated at this point
What happens to first determining if there was any criminal intent or adverse consequences?
... and this is why you should never talk to police. They might just determine that you have been violating something while talking with you.
What about civilizations that intentionally broadcast a "we are here" beacon? We would be able to detect this.
Another point - plastic degrades with UV exposure. It becomes hard and brittle.