[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: [Cryptography] Big ugly security problem in post-2008 Intel chipsets.



---------- Forwarded message ----------
From: iang <iang at iang.org>
Date: Wed, May 10, 2017 at 10:25 AM
Subject: Re: [Cryptography] Big ugly security problem in post-2008
Intel chipsets.
To: cryptography at metzdowd.com


On 07/05/2017 18:38, Peter Todd wrote:

> On Sat, May 06, 2017 at 11:28:38PM -0400, iang wrote:
>>
>> On 01/05/2017 22:40, Ray Dillinger wrote:
>> Unpopular opinions!  I think there was an element of truth in all that, but
>> two things changed - one was the evolution serious criminal gangs which
>> industrialised the process.  The second was the rise of cyberwar... although
>> the jury's out as to whether this was caused by e.g. Obama's OLYMPICGAMES or
>> as a natural evolution, a tit for tat.
>
> Cryptocurrencies have also forced cryptocurrency-related companies to adopt
> vastly improved security because theives can directly steal money.


Yes, this is why financial cryptography was always more fun.  It has
the tightest feedback loop - get it wrong and you get robbed.  This
tight feedback loop is mostly absent in other forms of cryptography
such as privacy, retail commerce (aka SSL & passwords), political /
natsec and military.  Which means, in financial cryptography as
opposed to the others, we learn the fastest, assuming we're capable of
that.

> Additionally theres a second, less-obivous effect of the above:
> non-cryptocurrency-related companies are getting hacked by theives trying to
> gain access to user data that in turn will let them hack other targets with
> cryptocurrency holdings. For example, phone companies are frequently getting
> social engineered to exploit their customers' 2FA setups, and in turn, exploit
> cryptocurrency accounts at stuff like exchanges.


Right.  We always knew that the phones were an inadequate 2FA simply
because they were relatively easy to attack.  And once the stakes were
high enough, they were attacked.

Now, for online banking, this was sorta maybe ok because the online
banks also had other security layers inside the banks, so using the
phone was their cheapest widespread option.  But this fell apart for
cryptocurrencies which typically did not have other layers of
protection (ok, they had verbal protections like multisig and and
and).

The interesting thing is that people wake up and blame the telco. But
it was never the telco's threat model to protect bitcoin or online
banking...

iang
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography