Use of the cache is only one exfiltration option (albeit a popular one);
there's a cache-free Spectre variant that uses variation in the
execution time of AVX2 instructions.
I think that's an optimistic assessment.
The Foreshadow researchers extracted high-value key material from SGX
architectural enclaves - a real security breach and not an artificial
proof of concept.
Found, sure, but that's absence of evidence. It'd be rather surprising
if the major threat actors hadn't added these tools to their repertoire,
and you wouldn't necessarily expect to find out about successful
exploitation in the short term.
On sight, wrt the executable email attachments, it wasn't long
before it happened that I was telling people that nobody would be stupid
enough to do it.
It's a stupid design because it cannot be safe.
Steve O'Hara-Smith | Directable Mirror Arrays
C:\>WIN | A better way to focus the sun
| > You really thought that back then? It's what allowed
| > them to beat Netscape. For years it was a brilliant
| > design. It still is. It's just not safe. I write a lot of
| > HTAs, using script and COM for the functionality and
| > IE for the GUI.
| They just made IE part of the OS and this was the reason for the trials.
That was certainly a big part of it. "Cutting off Netscape's
air supply." But IE was also far more functional. Webmasters
wanted to write to it, because it was essentially allowing
for compiled window elements and DLL access in a webpage.
And those could easily be custom made. Also, MS made their
browser custom designed for corporate IT people. It could
be secretly controlled behind the backs of users. So corporations
wanted it in-house. IE is still around because businesses still
use HTAs in-house.
I don't think Bill Gates gets enough credit. He was greedy.
He was arrogant. Microsoft tends to invent ways to vacuum
wallets without thinking through whether they'll sell. But
most of what they do is ahead of its time. They came out
with ActiveX decades before highly interactive webpages.
They came out with Passport long before "Log in with Apple".
They came out with Hailstorm long before anyone was doing
web services. They created .Net in 2001, specially designed
for web services. They invented the SPOT watch years before
the iPhone, with the idea that everyone would be like Dick
Tracy, calling their dentist and checking sports scores.
It was all years ahead of its time. But it all failed, partly
for that reason and partly because those products were
90% money grab and 10% product. Gates was not as devious,
nor as design-oriented, as Jobs. And there was the stroke
of evil genius that kicked it all off: Active Desktop. Turn
Windows into a webpage and show ads. That was at least
10 years ahead of its time. There were just a few minor
glitches: People had 56k connections and no one wanted
Disney ads on their computer. But Gates foresaw the
sleazy consumer service Web long before it existed. Greed
"Ahem A Rivet's Shot" wrote
| > It's what allowed
| > them to beat Netscape. For years it was a brilliant
| > design. It still is. It's just not safe.
| It's a stupid design because it cannot be safe.
Yes. They eventually had to accept that. And they
eventually had to swallow their pride and move toward
web standards. But what's happening now is also not
razzmatazz webpages with a lot of functionality. Every
visitor wants to buy stuff, post photos, and generally
enjoy web services. Neither side cares about security.
None of it is safe. Anyone who shops or banks online,
who allows script, hasn't learned from ActiveX. Anyone
using social media hasn't learned the lessons on privacy.
If you try to tell them they just flippantly respond, "Hey,
that's Master Card's problem. My credit card is covered.
I don't pay." They don't want to know that they're using
a broken system. That would be too much hassle.
Anyone using Google properties, Apple properties, or
running their social life on Facebook or Instagram hasn't
learned the lesson of AOL. It's all far less safe now than it
ever was. Partly because of the extreme functionality
with executable code, and partly because the ubiquity
has made the system an attractive target for professional
Twenty years ago there was no ransomware and no
theft of credit card numbers. There were teenagers running
botnets for fun or renting them to spammers, and spying
on people having sex through their webcams.
The security was lower, but the risks were also far lower.
Similarly with email. It was perfectly safe for quite a while
before people started getting the idea to start sending
attack files named something.doc.exe. What do we have
now? The majority of people are on gmail, where Google
claims the right to rifle through their email and makes it
very difficult not to give them a phone number. Allegedly
for security. It's AOL meets totalitarianism. Is that better?
You're less likely to receive a rigged DOC file, but that's
cold comfort in exchange for the hassle and humiliation
of not even owning your own correspondence. And it's
becoming increasingly difficult to use email via POP3, IMAP,
SMTP. Most people are going to a webpage, where script
allows spyware companies like Constant Contact to track
the details of every time the email is read and report it back
to the sender. They can even make self-destructing email.
Because you don't own or control your own correspondence.
More to the point, email became unsafe when preview windows were added
and stupid people didn't disable them.
Preview is dangerous because it tries to display all photos and execute
all executable attachments and, if it's enabled, you can't choose what it
tries to display.
The only safe MUAs are those that allow preview to be turned off *and*
can be configured to only show plaintext by default.
Similarly, it's well worth having a plaintext web browser, such as Lynx,
installed. Not for everyday use, but for looking at any website you think may
be dodgy before you point your all-singing, all-dancing graphical web
browser at it.
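The post above is about what a preview pane does on your behalf: it fetches every remote image and runs whatever the HTML carries. The following is an added example, not code from the thread or from any of the posters, that shows the plaintext-by-default approach in practice: it parses an HTML message, records the remote images and inline scripts a preview pane would have loaded or run, flags the ones that look like per-recipient read beacons, and renders only the visible text. The sample message, the hostnames and the tracking token in it are constructed for the example; it assumes a single-part (non-multipart) message.

```python
"""Render an HTML e-mail as plain text without fetching remote content.

Added example (not from the original thread). A preview pane would load
every <img src="http..."> and run every <script>; this renderer records
them instead. The mail below is constructed for the example: the hosts
and the rcpt/msg token are invented.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a 1x1 remote "beacon" image carrying a
# per-recipient token, an inline (cid:) image, and an inline script.
SAMPLE_MAIL = """\
From: newsletter@example.org
To: alice@example.net
Subject: August offers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Alice, our <a href="https://www.example.org/offers">offers</a> are live.</p>
<img src="https://track.example.org/open?rcpt=alice&amp;msg=8f3a1" width="1" height="1">
<img src="cid:logo@example.org" alt="logo">
<script>document.location="https://track.example.org/js";</script>
<p>Regards,<br>The team</p>
</body></html>
"""


class PlainTextRenderer(HTMLParser):
    """Collect visible text; log remote images and scripts instead of loading them."""

    BLOCK_TAGS = {"p", "div", "br", "li", "tr", "h1", "h2", "h3"}

    def __init__(self) -> None:
        super().__init__()
        self.text_parts: list[str] = []
        self.remote_images: list[str] = []   # what a preview pane would fetch
        self.scripts = 0                     # inline script blocks seen, not run
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src", "")
            # cid: and data: images travel inside the message; http(s) ones phone home.
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)
        elif tag == "script":
            self.scripts += 1
            self._in_script = True
        elif tag in self.BLOCK_TAGS:
            self.text_parts.append("\n")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag in self.BLOCK_TAGS:
            self.text_parts.append("\n")

    def handle_data(self, data):
        if not self._in_script:          # script bodies never reach the output
            self.text_parts.append(data)

    def text(self) -> str:
        lines = [" ".join(l.split()) for l in "".join(self.text_parts).splitlines()]
        return "\n".join(l for l in lines if l)


def render_safely(raw_mail: str) -> dict:
    """Return the plain-text rendition plus what a preview pane would have done."""
    msg: Message = message_from_string(raw_mail)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    if msg.get_content_type() != "text/html":
        return {"text": body, "remote_images": [], "scripts": 0, "beacons": []}
    r = PlainTextRenderer()
    r.feed(body)
    # A read beacon is a remote image whose URL carries a query string: that is
    # how the sender ties one fetch to one recipient and one message.
    beacons = [u for u in r.remote_images if urlparse(u).query]
    return {"text": r.text(), "remote_images": r.remote_images,
            "scripts": r.scripts, "beacons": beacons}


if __name__ == "__main__":
    result = render_safely(SAMPLE_MAIL)
    print(result["text"])
    print("remote images not fetched:", result["remote_images"])
    print("likely read beacons:", result["beacons"])
    print("scripts not run:", result["scripts"])
```

The point of the query-string heuristic is that a beacon only works if the URL is unique per recipient or per message; a plain logo fetched from a shared URL still reveals the reader's IP address and client, which is why a plaintext-only default refuses all remote images rather than just the suspicious ones.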
I learnt programming on a machine with a multi-user, interactive OS in
1970 - a CTL Modular One. Security certainly was paid attention to. The
machine had segmented RAM, you only had access to memory the OS
allocated you, and only the OS, in supervisor mode, could set the
relevant memory registers etc. Security here meant that one user's
program could not interfere, or be interfered, with another user's
I think we had to wait till the 386 before we got similar hardware
security features in a CPU chip - I don't think the 286 had enough. It
was the arrival of the 386 chip in desktop machines that inspired
Torvalds to look at starting Linux.
Unspotted mistake - for 1978 read 1968 - that was when I joined ICL and
learned PLAN assembler.
I had actually done a 2 week programming course at university in 1967 because my
MSc thesis involved using a Mossbauer spectrometer, which output data on
paper tape. It was fed to an Elliott 503 for analysing and plotting on a
printer. The Elliott was an interesting beast - huge because built
entirely with discrete transistors [before integrated circuits had been
invented] with 8KB 39 bit words on ferrite core memory and another 16Kb
of 39 bit ferrite core that was used as a fast disk, both for storing
programs and as scratch space for programs that handled more data than
would fit in main storage.
The Elliott 503 was programmed almost entirely in Algol 60, so that was
the first programming language I learned - and, with hindsight, a rather
good first language, especially as Elliott Algol used the reserved words
'read' and 'write' for i/o rather than the more common trick of calling
On Sat, 29 Aug 2020 17:00:13 -0400, "Mayayana"
declaimed the following:
There is also a story of day-traders relying upon moving from exchange
to exchange around the world -- when a flare or similar shuts down the
transference of bids and financial information. And the day-traders are all
calling doom because their money isn't moving and they are afraid
somewhere, someone is making money because they couldn't bid. I think the
story resolution (which likely didn't help the doom-sayers) was that ALL
the markets would roll-back to a point just prior to the flare effects, and
start from that state.
Wulfraed Dennis Lee Bieber AF6VN
I'm always amazed at how eagerly people rush to embrace things that
are so obviously Bad Things if you give it the slightest bit of thought.
(But then, I'm still amazed at who is the President of the United States.)
FSVO "stupid". It made them buckets of money.
And by today's standards, that qualifies as brilliant.
/~\ Charlie Gibbs | Microsoft is a dictatorship.
\ / | Apple is a cult.
"Dennis Lee Bieber" wrote
| There is also a story of day-traders relying upon moving from exchange
| to exchange around the world -- when a flare or similar shuts down the
| transference of bids and financial information. And the day-traders are
| calling doom because their money isn't moving and they are afraid
| somewhere, someone is making money because they couldn't bid. I think the
| story resolution (which likely didn't help the doom-sayers) was that ALL
| the markets would roll-back to a point just prior to the flare effects,
| start from that state.
Interesting. I wonder how they stored the backup
they used to find those records. Hopefully not
in the cloud. :) I guess that demonstrates how hard
it is for us to even imagine what it would mean now
to have nothing left but paper documents, with no
transportation but horses and no communication
but the Pony Express. After all, if all the circuit boards
are fried then we can no longer run any modern
machinery. There'd be no infrastructure. Most of us
would probably starve, as we looked at our petunias
in window boxes and wondered whether they're edible.
Getting our investments back would be the least of it.
But if you look at rural life, many of those people
could make it. They're more connected to neighbors
and more dependent on things like picking wild greens
and shooting deer. They often have wood stoves.
In the suburbs and cities it would be dark. Just
stopping the trucks into NYC would turn it into a
prison of millions of starving maniacs. It's an amazingly
delicate balance to house so many people in one place.
Imagine adding to that no phones, no cars, no power,
probably no water.
They had a tiny, tiny taste with the hurricane a few
years back, where yuppies had to hike across town,
so they could charge their phones, so they could get
a weather report and find out what was going on. But
that only lasted for a day or so. They were never in
serious danger. Maybe their quinoa casserole for the
neighborhood cocktail party spoiled. That was probably
about the extent of it.
"Ahem A Rivet's Shot" wrote
| > | It's a stupid design because it cannot be safe.
| > Yes. They eventually had to accept that. And they
| > eventually had to swallow their pride and move toward
| > web standards. But what's happening now is also not
| Yep it's what happens when everyone else is forced to play catchup
| with someone taking insane risks.
out, with close to 10% of people disabling it, a few years
ago. The same with iframes. What changed it had nothing
to do with Microsoft. It was targeted ads and the spying
that goes with them.
It is to be understood that the moment an initiative for freedom or
genuine popular expression occurs, within a decade it will be bought,
controlled infiltrated and destroyed by big business and the profit
motive, and political activists.
Allowing the people to have free access to global communication was
intolerable. How would the lies of cultural propaganda and product
marketing be believed if everybody talked to each other and decided that
their product was, in fact, shit?
"There are two ways to be fooled. One is to believe what isn't true; the
other is to refuse to believe what is true."
"Ahem A Rivet's Shot" wrote
| > out, with close to 10% of people disabling it, a few years
| > sgo. The same with iframes. What changed it had nothing
| > to do with Microsoft. It was targetted ads and the spying
| > that goes with them.
| machine instead of just the sandbox a thing.
Yes, it was long after. ActiveX had been seen to be an
untenable approach online going forward. Java was being
phased out. People were even starting to see the problem
of Flash. People were seeing that executable code in
a webpage wasn't safe.
What's going on now is mostly
new developments. Ad companies want to spy. Webmasters
want money from ads. Apple, Google, Microsoft, Facebook,
Amazon would all like to force everyone to stay in their
walled shopping mall. To that end we had Silverlight and
Adobe AIR. This stuff has been amplifying, not reducing.
All browsers are supporting the ability
for script to download updates to the page. Cross site
scripting. Increasing functionality to support ads and
push and location awareness. Virtually all attacks
filesharing, remote desktop, or other similar, insecure
network functionality. You can't just blame all that on MS.
Google and Mozilla are both racing to expand the power
of script and speed up the interpreting.
Now we also have WebAssembly. MS? No. Everyone's
behind it. Mozilla's hot on the bandwagon. Software
in a webpage. Exactly the brainstorm of ActiveX. Both
online companies and their website visitors want this
stuff. No one wants to deal with security. Some people
put their head in the sand by pretending Linux or Mac
are safe. Some people just figure their credit card company
will take the fall. It hasn't been Microsoft's fault for
about 20 years. If you get attacked online it will almost
certainly be because you enabled script and/or
enabled remote access functions so you could call your
thermostat to tell it you're on your way home.
"The Natural Philosopher" wrote
| It is to be understood that the moment an initiative for freedom or
| genuine popular expression occurs, within a decade it will be bought,
| controlled infiltrated and destroyed by big business and the profit
| motive, and political activists.
| Allowing the people to have free access to global communication was
| intolerable. How would the lies of cultural propaganda and product
| marketing be believed if everybody talked to each other and decided that
| their product was, in fact, shit?
There's always someone to cash in. But there are also
millions of ostriches who just want to buy cheap stuff
and would prefer that Google know what they're looking
for. The travesty of the Web as spyware shopping mall
was creatable due to demand.
I was going to pull you up on that as Cobol was well established by 78,
but figured from the rest of the post that wasn't right.
In any case I was born in 1968, and started programming on the BBC Micro
in the early 80s, so luckily I avoided Cobol then and ever since.
I don't think it was. When I was MD marketing no marketing director was
ever able to actually determine how much of their massive budget
actually produced sales. Instead they simply treated it as a religion.
One had to have faith in it actually working.
Socialism is the philosophy of failure, the creed of ignorance and the
gospel of envy.