IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New I'll see your WPA flaw...
... and raise a TPM bug :-)

http://www.theregister.co.uk/2017/10/16/roca_crypto_vuln_infineon_chips/
RSA keys produced by smartcards, security tokens, laptops, and other devices using cryptography chips made by Infineon Technologies are weak and crackable


Time to go back to pen & paper all round...

PS. A patched wpa_supplicant has been released for desktop Linux.
New Interesting.
I wonder how many of these "flaws" were intentional, to make things easier for the three-letter guys. The number might be zero, but one has to wonder.

Cheers,
Scott.
New Good point!
Where in hell is that code review open source promises? Other than by those 3 letter guys and North Koreans who keep mum.
Alex

"There is a cult of ignorance in the United States, and there has always been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that "my ignorance is just as good as your knowledge."

-- Isaac Asimov
New That's not the promise
The promise is that all bugs are shallow. That doesn't say anything about noticing bugs, including security flaws.
--

Drew
New I don't even think that's true any more.
Half the problem is of course that we make software all wrong.

CAR ANALOGY ALERT

If we made cars the way we made software, we would make cars one at a time by hand, and the the first thing an engineer would do is throw out the current set of tools and make his own.

Then he'd borrow some doors off another car, throw away most of them but keep the frame and then try to bolt on door cards and window fixtures from a third car. It'd kinda work but there'd be a recall later on to sort out the fact that they let the rain/heat/snow in.

He'd reinvent the ICE from scratch, being careful to avoid learning from any mistakes. This ICE would be made from components that mostly match the stuff you can buy in a motor factor, but the screw threads go the other way half the time, just cuz.

Lather rinse and repeat throughout the car.

Testing would consist of getting a US learner driver to do their test in it - drive forward a bit, turn a bit, go backwards a bit, play the radio, make sure all the lights work, ensure paint is shiny. Any more than that would be excessive and, most importantly, very boring.

END CAR ANALOGY

The crazy thing is that we have most programmers doing what most programmers shouldn't - actually writing code. Computers should be writing code (and if programmers are writing code, they should be the kinds of weird lunatic geniuses who write compilers and design microprocessors and who you wouldn't want to be stuck with at a party). Programmers should be solving problems and working out how to test their shit properly and then telling a computer to write the damn code.
New But where's the fun in that?
--

Drew
New Most computer generated code I've seen is pretty awful.
In the best cases it is because the computer must handle so many different conditions the code it writes must be pretty generalized.

For a worst case, check out the html code written by Microsoft Word. It'd probably take about 40 lines to write "Hello World".
New Yabbut ...
As long as something can read it and generate the right output, why should I care if it's readable?
--

Drew
New Performance, maybe?
New Better hardware is cheaper than a good developer
--

Drew
New A major reason why computer generated code is so bad.
Cheap programmers wrote the code they run to generate code.
New I can see both sides.
We have just-in-time compilers, garbage collectors, profilers, and all the rest. And AI and Expert Systems are getting better all the time. It's not unreasonable to expect that actual writing of code by machine is going to continue to get better.

But, on the other hand, just today I downloaded the drivers and utilities for a Windows-connected Dymo label writer.

165 MB installer.

It's ridiculous. :-/ (Of course, that was human written code that was dragging around some giant Windows C++ Runtime package, also too.)

I'm also reminded of my time working for a small banking software company, just after grad school. I was working on a hypertext "help" system for their banking software. It crawled on a 286 (as you might imagine), and when I told the group in a meeting about it on guy said, "Great! That means we can sell them more powerful computers with it too!!" :-/

drook is right that the modern way is to throw more hardware at the problem, until the next paradigm-breaker comes around to make people start down a different path ("What do you mean that it's faster to do the computations on my $400 graphics card than on my $1200 CPU??"). It's wasteful to not care about code efficiency and instead always think that progress depends on eliminating people with expertise, and makes it much, much easier for bugs (and back doors) to creep in. But until there are actual penalties for bad and inefficient code, it's hard to imagine things changing.

Of course, my copy of "Spontaneous Assembly" never got much of a workout from me, so... ;-)

Cheers,
Scott.
New I think you have the prices of the GPU and CPU switched around ;-)
New 165MB seems a lot, but let's think about it:
There's a Windows C++ runtime in there.

There's the installation software itself.

There's probably localised documentation in multiple languages - if that includes any multimedia at all (e.g. instructional video or images) it'll soon balloon.

The driver and application software - also localised as above.

Not to mention that everything comes with a copy of Google Chrome these days :)
New In this case, it doesn't really apply
The WPA bug is in the standard (the separate blunder in wpa_supplicant notwithstanding) and TPM is about as closed as you can get.

The TLA's probably got some mileage out of the WPA bug, but it is far from the fire and forget flaws in Windows that were exposed after someone let an attack server unattended. I'm willing to let the 802.11 group skate on this one, although they should probably look up the meaning of the term "nonce" before continuing... :-/
     Bug in WPA2 - (Another Scott) - (15)
         I'll see your WPA flaw... - (scoenye) - (14)
             Interesting. - (Another Scott) - (13)
                 Good point! - (a6l6e6x) - (12)
                     That's not the promise - (drook) - (10)
                         I don't even think that's true any more. - (pwhysall) - (9)
                             But where's the fun in that? -NT - (drook)
                             Most computer generated code I've seen is pretty awful. - (Andrew Grygus) - (7)
                                 Yabbut ... - (drook) - (6)
                                     Performance, maybe? -NT - (Andrew Grygus) - (5)
                                         Better hardware is cheaper than a good developer -NT - (drook) - (4)
                                             A major reason why computer generated code is so bad. - (Andrew Grygus) - (3)
                                                 I can see both sides. - (Another Scott) - (2)
                                                     I think you have the prices of the GPU and CPU switched around ;-) -NT - (scoenye)
                                                     165MB seems a lot, but let's think about it: - (pwhysall)
                     In this case, it doesn't really apply - (scoenye)

Resistance is useless. You will assimilate us.
73 ms