by comboy 3085 days ago
Computer security has been ridiculous for quite some time. Your only chance is tons of layers and early detection that something's not OK. I'm really happy that everything that's happening is happening. Sad that things like Cloudbleed got so little attention outside HN-like circles.

I'm happy because it's gonna have to change. Whole stack revisited. Eventually. These things speed it up. In the long run, the thing that holds most value, in my opinion, is information. Not physical things, not energy, information. Bitcoin is a big step in that direction but I don't just mean cryptocurrencies. If you can't keep your information secret the value is destroyed.

I see two paths. One, we do a huge refactoring of how we do computations. Super clear assumptions and provably building simple layers on top of that. I'd like that. The other one is that we keep this whole messy legacy. And security will become based on more and more layers and heuristics. Which would eventually become AIs competition. Brr.

Just some random ponderings, I'm not a security expert.

3 comments

Maybe with the new, secure stuff, have it implement a padded cell where it can run the old stuff. What's inside the padded cell might become a security disaster, but at least it's kept inside the cell.

We've done more or less that several times in computing: At first the code just ran on the computer and had full access to everything. Soon we got memory protection, privileged instructions, and operating systems. Then we got rings of security, virtual memory, virtual machines, etc.

We can do it again.

> I'm happy because it's gonna have to change. Whole stack revisited. Eventually.

I used to believe this kind of thing, but now I think you greatly underestimate human indifference and interest in effort conservation (uncharitably called "laziness").

Look at Intel's response to Spectre/Meltdown. Are they going back and redesigning their microarchitecture with new hardware-enforced safety rings [that actually enforce, lol] and new ways to block timing attacks without sacrificing performance? Seriously doubt it. From LKML it sounds like they're just going to hardware-accelerate IBRS/IBPB to make it faster to shut down branch prediction in risky situations and leave the rest of the shebang as-is.

Even when the forecasted apocalyptic events occur, it's amazing how little anyone cares, or how little gets recognized. Surely there are people who've speculated (ha!) attacks like Spectre/Meltdown, given the knife's edge nature of hardware virtualization on x86, and advised against multi-tenancy. Surely there are people who have paid attention over the last ten years to the dozens of sandbox escape attacks that already exist without exploiting the microarchitecture! Are they getting their due? Is anyone asking why people didn't consider these possibilities or listen to the people who warned them? Nope, because they just don't want to hear that. It's all "Oh gee how could Intel have done this to us?!" when "How could you have acted like this was safe" is an at least equally valid question.

TPMs, again, are another example of exactly the same thing. Major exploits in them are 100% routine by now. Does anyone care? Google is quietly working to remove them from their own machines but it doesn't seem like anyone is going to get any real headway outside of that. Do freedom advocates like RMS get their due? Nope, they just get told "Bugger off with your 'I told you so'."

Have you ever spent months or years warning your bosses about something, only to have that thing happen, and watch them hand-wave it away and get extremely irritable after you mention that they had fair warning? Most semi-aware engineers probably have, because this happens constantly.

Admitting, realizing, and honestly correcting our mistakes is just not a thing that people do, unless they feel substantial direct and personal pain that the brain decides greatly exceeds the forecasted effort expenditure to correct the issue. Such negative force cannot be applied over an industry at large unless there is a very specific and coordinated demand from the handful of people at the tippy-top, as in the case of Spectre/Meltdown, since in the age of cloud computing, those exploits fundamentally jeopardize the profitability of every major tech company.

> Does anyone care?

Let me answer that for you. In the period of the last 10 years, the world has all but switched to mobile devices. Mobile devices that make Windows look like a secure operating system. In theory vendors promise 2 years of "safe" operation, and I am unaware of a single case where they actually shipped phones without major security vulnerabilities (and known, to at least some of their development team).

Internationally, iPhones do not matter. They're like 10% of the market, so I'm focusing on Android phones here. And it's not like iPhones don't have exploits for them, it just means a few more years, something more like 4 years, until they're exploitable.

It is regularly reported that 40% of all Android phones are vulnerable to individual vulnerabilities. At least half of all active Android phones do not receive security updates, even in the case of serious vulnerabilities (and that patched "half" technically is described as anyone who ever got at least a single security update). How many of the total amount of Android phones are trivially hackable if you run an app on them? I'm going to say at least 75%, and at least including all phones more than 2 years since they were released.

So no. Nobody cares. We all know how bad the Wintel situation is, and Android is worse.

We need a global security disaster to happen so totally that regulators intervene and hold these vendors accountable.

If we want to understand why users do what they do, perhaps we should ask the UX people. Alan Cooper in his book "The Inmates are Running the Asylum" says that one of the differences between programmers and ordinary people is that programmers worry a lot about what-if scenarios while ordinary people just hope for the best and then handle surprises as they arise.

If we are to change the behavior of consumers, we have to work with their natural motivation. I think the most realistic plan is to subsidize core infrastructure with enough high-quality open-source software and hardware to drive commercial interest out of all security-sensitive components.

It's like when Wikipedia is subsidized by its editors to provide the common good of education. Open source can be similarly subsidized by developers to provide the common good of security.

> TPMs ... Google is quietly working to remove them from their own machines

Are you referring to Chromebooks or Google's cloud server hardware? Are the TPMs being replaced with a proprietary hardware enclave?

It looks like they built their own chips for their servers:

https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-...

Notable quote:

"Google designed Titan's hardware logic in-house to reduce the chances of hardware backdoors. The Titan ecosystem ensures that production infrastructure boots securely using authorized and verifiable code."

This is what we need. Authorized and verifiable code, none of this opaque binary blob BS.

Google's code/hardware logic is an opaque binary blob to you. What difference does it make whether the binary blob is a Google chip or a TPM?

Sorry, what I meant to say was that we need those types of verifiable and transparent chips in our own computers rather than ME and PSP.

Does Azure's composable FPGA design offer potential for assemblage of a higher level of abstraction? My poor analogy is WebAssembly reduced to instructions/primitives, but you control the gate logic that's run, and isn't that logic then totally isolated from any other design side effects?

If you by some circumstances had a terrific clean and tidy system in a functional language, wouldn't that offer a higher level of possible "primitive" operations?