Spectre / Meltdown

Use of the cache is only one exfiltration option (albeit a popular one); there?s a cache-free Spectre variant that uses variation in the execution time of AVX2 instructions.

I think that?s an optimistic assessment.

The Foreshadow researchers extracted high-value key material from SGX architectural enclaves - a real security breach and not an artificial proof of concept.

Found, sure, but that?s absence of evidence. It?d be rather surprising if the major threat actors hadn?t added these tools to their repertoire, and you wouldn?t necessarily expect to find out about successful exploitation in the short term.

--
https://www.greenend.org.uk/rjk/

On sight, wrt to the executable email attachments it wasn't long before it happened that I was telling people that nobody would be stupid enough to do it.

It's a stupid design because it cannot be safe.

--
Steve O'Hara-Smith                          |   Directable Mirror Arrays 
C:\>WIN                                     | A better way to focus the sun 
The computer obeys and wins.                |    licences available see 
You lose and Bill collects.                 |    http://www.sohara.org/

"Deloptes" wrote

| > You really thought that back then? It's what allowed | > them to beat Netscape. For years it was a brilliant | > design. It still is. It's just not safe. I write a lot of | > HTAs, using script and COM for the functionality and | > IE for the GUI. | | They just made IE part of the OS and this was the reason for the trails. |

That was certainly a big part of it. "Cutting off Netscape's air supply." But IE was also far more functional. Webmasters wanted to write to it, because it was essentially allowing for compiled window elements and DLL access in a webpage. And those could easily be custom made. Also, MS made their browser custom designed for corporate IT people. It could be secretly controlled behind the backs of users. So corporations wanted it in-house. IE is still around because businesses still use HTAs in-house.

I don't think Bill Gates gets enough credit. He was greedy. He was arrogant. Microsoft tends to invent ways to vacuum wallets without thinking through whether they'll sell. But most of what they do is ahead of its time. They came out with ActiveX decades before highly interactive webpages. They came out with Passport long before "Log in with Apple". They came out with Hailstorm long before anyone was doing web services. They created .Net in 2001, specially designed for web services. They invented the SPOT watch years before the iPhone, with the idea that everyone would be like Dick Tracy, calling their dentist and checking sports scores.

It was all years ahead of its time. But it all failed, partly for that reason and partly because those products were

90% money grab and 10% product. Gates was not as devious, nor as design-oriented, as Jobs. And there was the stroke of evil genius that kicked it all off: Active Desktop. Turn Windows into a webpage and show ads. That was at least 10 years ahead of its time. There were just a few minor glitches: People had 56k connections and no one wanted Disney ads on their computer. But Gates foresaw the sleazy consumer service Web long before it existed. Greed is genius.

"Ahem A Rivet's Shot" wrote

| > It's what allowed | > them to beat Netscape. For years it was a brilliant | > design. It still is. It's just not safe. | | It's a stupid design because it cannot be safe.

Yes. They eventually had to accept that. And they eventually had to swallow their pride and move toward web standards. But what's happening now is also not safe. Javascript is being used in the MBs per page. Now there's quasi-compiled javascript. Everyone wants razzmatazz webpages with a lot of functionality. Every visitor wants to buy stuff, post photos, and generally enjoy web services. Neither side cares about security. None of it is safe. Anyone who shops or banks online, who allows script, hasn't learned from ActiveX. Anyone using social media hasn't learned the lessons on privacy. If you try to tell them they just flippantly respond, "Hey, that's Master Card's problem. My credit card is covered. I don't pay." They don't want to know that they're using a broken system. That would be too much hassle.

Anyone using Google properties, Apple properties, or running their social life on Facebook or Instagram hasn't learned the lesson of AOL. It's all far less safe now than it ever was. Partly because of the extreme functionality with executable code, and partly because the ubiquity has made the system an attractive target for professional hackers.

Twenty years ago there was no ransomware and no theft of credit card numbers. There were teenagers running botnets for fun or renting them to spammers, and spying on people having sex through their webcams.

The security was lower, but the risks were also far lower. Similarly with email. It was perfectly safe for quite awhile before people started getting the idea to start sending attack files named something.doc.exe. What do we have now? The majority of people are on gmail, where Google claims the right to rifle through their email and makes it very difficult not to give them a phone number. Allegedly for security. It's AOL meets totalitarianism. Is that better? You're less likely to receive a rigged DOC file, but that's cold comfort in exchange for the hassle and humiliation of not even owning your own correspondence. And it's becoming increasingly difficult to use email via POP3, IMAP, SMTP. Most people are going to a webpage, where script allows spyware companies like Constant Contact to track the details of every time the email is read and report it back to the sender. They can even make self-destructing email. Because you don't own or control your own correspondence.

More to the point, Email became unsafe when preview windows were added and stupid people didn't disable them.

Preview is dangerous because it tries to display all photos and execute all executable attachments and, if its enabled, you can't chose what it tries the display.

The only safe MUAs are those that allow preview to be turned off *and* can be configured to only show plaintext by default.

Similarly, its well worth having a plaintext web browser, such as Lynx, installed. Not for everyday use, but looking at any website you think may be dodgy before you point you all-singing, all-dancing graphical web browser at it.

--
Martin    | martin at 
Gregorie  | gregorie dot org

I learnt programming on machine with a multi-user, interactive OS in

1970 - A CTL Modular One. Security certainly was paid attention to. The machine had segmented RAM, you only had access to memory the OS allocated you, and only the OS, in supervisor mode, could set the relevant Memory registers etc. Security here meant that one user's program could not interfer, or be interfered, with another user's programs.

I think we had to wait till the 386 before we got similar hardware security features in a CPU chip - I don't think the 286 had enough. It was the arrival of the 386 chip in desktops machines that inspired Torvalds to look at starting Linux.

Unspotted mistake - for 1978 read 1968 - that was when I joined ICL and learned PLAN assembler.

I had actually done a 2 week programming at university in 1967 because my MSc thesis involved using a Mossbauer spectrometer, which output data on paper tape. Its was fed to an Elliott 503 for analysing and plotting on a printer. The Elliott was in interesting beast - huge because built entirely with discrete transistors [before integrated circuits had been invented] with 8KB 39 bit words on ferrite core memory and another 16Kb of 39 bit ferrite core that was used as a fast disk, both for storing programs and as scratch space for programs that handled more data than would fit in main storage.

The Elliott 503 was programmed almost entirely in Algol 60, so that was the first programming language I learned - and, with hindsite, a rather good first language, especially as Elliott Algol used the reserved words 'read' and 'write' for i/o rather then the more common trick of calling library procedures.

--
Martin    | martin at 
Gregorie  | gregorie dot org

On Sat, 29 Aug 2020 17:00:13 -0400, "Mayayana" declaimed the following:

There is also a story of day-traders relying upon moving from exchange to exchange around the world -- when a flare or similar shuts down the transference of bids and financial information. And the day-traders are all calling doom because their money isn't moving and they are afraid somewhere, someone is making money because they couldn't bid. I think the story resolution (which likely didn't help the doom-sayers) was that ALL the markets would roll-back to a point just prior to the flare effects, and start from that state.

--
	Wulfraed                 Dennis Lee Bieber         AF6VN 
	wlfraed@ix.netcom.com    http://wlfraed.microdiversity.freeddns.org/

I'm always amazed at how eagerly people rush to embrace things that are so obviously Bad Things if you give it the slightest bit of thought. (But then, I'm still amazed at who is the President of the United States.)

FSVO "stupid". It made them buckets of money. And by today's standards, that qualifies as brilliant.

--
/~\  Charlie Gibbs                  |  Microsoft is a dictatorship. 
\ /        |  Apple is a cult. 
 X   I'm really at ac.dekanfrus     |  Linux is anarchy. 
/ \  if you read it the right way.  |  Pick your poison.

"Dennis Lee Bieber" wrote

| There is also a story of day-traders relying upon moving from exchange | to exchange around the world -- when a flare or similar shuts down the | transference of bids and financial information. And the day-traders are all | calling doom because their money isn't moving and they are afraid | somewhere, someone is making money because they couldn't bid. I think the | story resolution (which likely didn't help the doom-sayers) was that ALL | the markets would roll-back to a point just prior to the flare effects, and | start from that state. |

Interesting. I wonder how they stored the backup they used to find those records. Hopefully not in the cloud. :) I guess that demonstrates how hard it is for us to even imagine what it would mean now to have nothing left but paper documents, with no transportation but horses and no communication but the Pony Express. After all, if all the circuit boards are fried then we can no longer run any modern machinery. There'd be no infrastructure. Most of us would probably starve, as we looked at our petunias in window boxes and wondered whether they're edible. Getting our investments back would be the least of it.

But if you look at rural life, many of those people could make it. They're more connected to neighbors and more dependent on things like picking wild greens and shooting deer. They often have wood stoves.

In the suburbs and cities it would be dark. Just stopping the trucks into NYC would turn it into a prison of millions of starving maniacs. It's an amazingly delicate balance to house so many people in one place. Imagine adding to that no phones, no cars, no power, probably no water. They had a tiny, tiny taste with the hurricane a few years back, where yuppies had to hike across town, so they could charge their phones, so they could get a weather report and find out what was going on. But that only lasted for a day or so. They were never in serious danger. Maybe their quinoa casserole for the neighborhood cocktail party spoiled. That was probably about the extent of it.

Yep it's what happens when everyone else is forced to play catchup with someone taking insane risks.

--
Steve O'Hara-Smith                          |   Directable Mirror Arrays 
C:\>WIN                                     | A better way to focus the sun 
The computer obeys and wins.                |    licences available see 
You lose and Bill collects.                 |    http://www.sohara.org/

"Ahem A Rivet's Shot" wrote

| > | It's a stupid design because it cannot be safe. | > | > Yes. They eventually had to accept that. And they | > eventually had to swallow their pride and move toward | > web standards. But what's happening now is also not | > safe. Javascript is being used in the MBs per page. | | Yep it's what happens when everyone else is forced to play catchup | with someone taking insane risks.

You think MS is to blame? Javascript was being phased out, with close to 10% of people disabling it, a few years sgo. The same with iframes. What changed it had nothing to do with Microsoft. It was targetted ads and the spying that goes with them.

You obviously never looked at the alternative...

--
If I had all the money I've spent on drink... 
...I'd spend it on drink. 

Sir Henry (at Rawlinson's End)

It is to be understood that the moment an initiative for freedom or genuine popular expression occurs, within a decade it will be bought, controlled infiltrated and destroyed by big business and the profit motive, and political activists.

Allowing the people to have free access to global communication was intolerable. How would the lies of cultural propaganda and product marketing be believed if everybody talked to each other and decided that their product was, in fact, shit?

--
?There are two ways to be fooled. One is to believe what isn?t true; the  
other is to refuse to believe what is true.? 

?Soren Kierkegaard

That was *long* after ActiveX made having JavaScript affect the machine instead of just the sandbox a thing.

--
Steve O'Hara-Smith                          |   Directable Mirror Arrays 
C:\>WIN                                     | A better way to focus the sun 
The computer obeys and wins.                |    licences available see 
You lose and Bill collects.                 |    http://www.sohara.org/

"Ahem A Rivet's Shot" wrote

| > You think MS is to blame? Javascript was being phased | > out, with close to 10% of people disabling it, a few years | > sgo. The same with iframes. What changed it had nothing | > to do with Microsoft. It was targetted ads and the spying | > that goes with them. | | That was *long* after ActiveX made having JavaScript affect the | machine instead of just the sandbox a thing. |

Yes, it was long after. ActiveX had been seen to be an untenable approach online going forward. Java was being phased out. People were even starting to see the problem of Flash. People were seeing that executable code in a webpage wasn't safe.

What's going on now is mostly new developments. Ad companies want to spy. Webmasters want money from ads. Apple, Google, Microsoft, Facebook, Amazon would all like to force everyone to stay in their walled shopping mall. To that end we had Silverlight aand Adobe AIR. This stuff has been amplifying, not reducing.

All browsers are supporting the ability for script to download updates to the page. Cross site scripting. Increasing functionality to support ads and push and location awareness. Virtually all attacks online require javascript enabled. Often the exploits require filesharing, remote desktop, or other similar, insecure network functionality. You can't just blame all that on MS. Google and Mozilla are both racing to expand the power of script and speed up the interpreting.

Now we also have WebAssembly. MS? No. Everyone's behind it. Mozilla's hot on the bandwagon. Software in a webpage. Exactly the brainstorm of ActiveX. Both online companies and their website visitors want this stuff. No one wants to deal with security. Some people put their head in the sand by pretending Linux or Mac are safe. Some people just figure their credit card company will take the fall. It hasn't been Microsoft's fault for about 20 years. If you get attacked online it will almost certainly be because you enabled script and/or enabled remote access functions so you could call your thermostat to tell it you're on your way home.

"The Natural Philosopher" wrote

| It is to be understood that the moment an initiative for freedom or | genuine popular expression occurs, within a decade it will be bought, | controlled infiltrated and destroyed by big business and the profit | motive, and political activists. | | Allowing the people to have free access to global communication was | intolerable. How would the lies of cultural propaganda and product | marketing be believed if everybody talked to each other and decided that | their product was, in fact, shit? |

There's always someone to cash in. But there are also millions of ostriches who just want to buy cheap stuff and would prefer that Google know what they're looking for. The travesty of the Web as spyware shopping mall was creatable due to demand.

I was going to pull you up on that as Cobol was well established by 78, but figured from the rest of the post that wasn't right.

In any case I was born in 1968, and started programming on the BBC Micro in the early 80s, so luckily I avoided Cobol then and ever since.

---druck

I don't think it was. When I was MD marketing no marketing director was ever able to actually determine how much of their massive budget actually produced sales. Instead they simply treated it as a religion. One had to have faith in it actually working.

--
Socialism is the philosophy of failure, the creed of ignorance and the  
gospel of envy. 

Its inherent virtue is the equal sharing of misery. 

Winston Churchill