Bitcoin

Researchers Find Problems With Rules of Bitcoin 301

holy_calamity (872269) writes "Using game theory to analyze the rules of cryptocurrency Bitcoin suggests some changes are needed to make the currency sustainable in the long term, reports MIT Technology Review. Studies from Princeton and Cornell found that current rules governing the mining of bitcoins leave room for cheats or encourage behavior that could destabilize the currency. Such changes could be difficult to implement, given the fact that Bitcoin — by design — lacks any central authority." The main problem discovered is that transaction fees do not provide enough incentive to continue operating as a "miner" after there are no more bitcoins left to be mined.
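To make the incentive problem concrete, here is an added example (not code from the article or from the Princeton/Cornell papers) that models Bitcoin's block-subsidy schedule and shows how the share of a miner's reward that comes from fees changes as the subsidy halves toward zero. The schedule constants are Bitcoin's actual consensus rules (50 BTC initial subsidy, halving every 210,000 blocks, subsidy forced to zero after 64 halvings); the fee amounts passed to `fee_share` are constructed sample values, and the function names are this example's own.

```python
"""Added example: Bitcoin block-subsidy schedule and the fee share of miner revenue.
Constants follow Bitcoin's consensus rules; fee inputs are constructed samples."""

COIN = 100_000_000              # satoshis in one bitcoin
INITIAL_SUBSIDY = 50 * COIN     # subsidy of the genesis era, in satoshis
HALVING_INTERVAL = 210_000      # blocks between halvings


def block_subsidy(height: int) -> int:
    """Newly minted satoshis paid to the miner of the block at `height`."""
    halvings = height // HALVING_INTERVAL
    # Bitcoin Core returns 0 here explicitly, because a right shift by 64 or
    # more bits is undefined behaviour in C; the shift is what halves the subsidy.
    if halvings >= 64:
        return 0
    return INITIAL_SUBSIDY >> halvings


def last_subsidy_height() -> int:
    """First block height at which the subsidy is exactly zero (the 33rd halving)."""
    height = 0
    while block_subsidy(height) > 0:
        height += HALVING_INTERVAL
    return height


def total_supply() -> int:
    """Every satoshi the schedule will ever mint (slightly under 21 million BTC,
    because integer shifts discard fractional satoshis at each halving)."""
    total = 0
    height = 0
    while (subsidy := block_subsidy(height)) > 0:
        total += subsidy * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


def fee_share(height: int, fees_sat: int) -> float:
    """Fraction of the miner's reward for one block that comes from fees
    rather than from the subsidy. Returns 1.0 once the subsidy is gone."""
    subsidy = block_subsidy(height)
    reward = subsidy + fees_sat
    return fees_sat / reward if reward else 0.0


if __name__ == "__main__":
    # Constructed sample: a block collecting 0.1 BTC in fees, at several heights.
    sample_fees = COIN // 10
    for h in (0, 210_000, 840_000, 6_720_000, last_subsidy_height()):
        print(f"height {h:>9}: subsidy {block_subsidy(h) / COIN:>10.8f} BTC, "
              f"fee share {fee_share(h, sample_fees):.4f}")
    print(f"subsidy ends at height {last_subsidy_height()}, "
          f"total supply {total_supply() / COIN:.8f} BTC")
```

The model shows the point the story makes: with a fixed fee level, the fee share of a block reward climbs from a fraction of a percent in the first era to 100% once the subsidy reaches zero at height 6,930,000, so the security budget that pays for mining has to come entirely from fees by then.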

Comment Re:The chain of trust is broken. (Score 1) 110

How do you trust these proxies not to be run by state intelligence organizations?

1. The attackers can't be omnipresent at all times

2. Doing a MITM against all randomly-located HTTPS links is probably impossible to do without being discovered.

3. Some orgs like Torproject have an .onion address. Then you don't have to worry about MITM as long as your original copy of Tor was OK. If you're worried about Tor or other program being tampered with, try using one or more Linux Live CDs: Boot, update then install Tor or other secure proxy, then download keys and certs... leverage the built-in keys of the Linux distros.

Really, for anyone planning this type of attack, consistency is a HUGE problem and you only have to be slightly crafty to be reasonably sure about the keys you're getting. The only other thing to increase your certainty is to get key fingerprints from these people in person.

Comment Re:The chain of trust is broken. (Score 1) 110

It ought to start by making certs and keys first-class GUI objects, starting with file browsers. Seriously, people should not see a blank square when they are copying or otherwise manipulating a key.

Further, there should be write-once devices that allow us to add keys and other identity info without worrying an attack will subvert that data.

Comment Re:The whole security world is in a very bad shape (Score 1) 162

I should also point out that, from a manager or user perspective, a Qubes system is just a re-mix of Citrix client products. Even if the user runs in only one domain, an exploit against PCs is far less likely to break out of the VM, making cleanup a quicker and much more certain task.

It also has ways to protect you from physical attacks on boot partitions and BIOS, so travellers with laptops are less vulnerable.

Comment Re:The whole security world is in a very bad shape (Score 1) 162

Well, much of it already exists as Qubes OS, and it runs most Linux and Windows apps just fine.

You can get CoreBoot BIOS for several systems, and they're just getting started. And given that Canonical has the best HCL (with the most compatible systems) and hardware partnership profile in the business (apart from MS), I think Shuttleworth's proposal is credible... Good luck to him!

Comment Re:Its due to the courts' zeal for punishment (Score 1) 246

And well...

Quite frankly, due to the prosecutor not understanding what he had been doing, it's just about punishing for joking around. It should be illegal to prosecute something you can't understand. "I don't know what he did but he sure looks guilty, right!? You must convict!"

Circa 1997 this happened to me, sort of. Ran a traceroute on the wrong night to see where my emails were routed through (our school mandated the use of an internal email system where the server wasn't internal and there was no encryption on the email clients; the email client was mandated to be a certain Windows email reader). Now of course I had my machine full of warez (games and early music warez), winnukes, jolt of the day etc. (and had winnuked some people, so not totally innocent really of everything).

But what shocked me was the police interrogation, because they tried to make me sign something I had not said, because they did not understand that the claims made by the "victim" (city) were impossible to have happened from my actions (claiming shit like me crashing a hospital internal network, hopping a supposed airgap and other stuff that I did not do; they just had some internal meltdown of the Windows servers routing the traffic on the same day). The way the interrogation went was "you know what you did, tell us" and 16-year-old me going "what the fuck dudes?".

Originally they wanted me to confess to something technically impossible and it took them nearly 2 years to figure out that they did not know what to charge me with (and for the prosecutor to deem the investigation incompetently done and drop it, and it cost the state quite a lot for nothing...). I mean, the

Posting anon but it's not too hard to figure out who this is for those who know.

Anyway, it doesn't matter which western country you live in: always check what the coppers want you to sign and ask the fuckers to rewrite it to match what you actually said. After that ordeal I was convinced 20-30% of "solved" crimes are just pinned on some druggies in withdrawal who don't read what they sign.

Thanks for the advice.

Comment Re:Hubris (Score 1) 162

Read more of their site (and Joanna's blog). DMA is isolated with an IOMMU; you must have an Intel i5 or better with the VT-d feature and a chipset + BIOS that supports it. AMD also has some processors with IOMMU capability under their own trade name.

PCIe devices are assigned to VMs as needed (you can even configure it in the GUI).

x86 virtualization is not about security,

Uh, x86 virt "wasn't" about security. Intel has already responded to bugs reported by the ITL team and others, so it's changing for the better. Stick with Ivy Bridge or later.

The addition of the IOMMU feature alone is evidence the focus has shifted toward VM security.

As for legacy, it turns out that those PS/2 interfaces that have hung around in a lot of laptops (built-in keyboards) and towers are what keeps the USB miasma from negating the security architecture.

Comment Re:The whole security world is in a very bad shape (Score 1) 162

The whole mess has a lynchpin (perhaps the only one?)....

Modern computers are vast amalgamations of logic (of varying quality), and we can see only the iceberg tip of the iceberg tip of that content at any given time. Even the experts are left constantly guessing about the doings of all the invisible things inside.

And no, I have no idea how to improve that situation. No matter what you change, you're not going to get any better results.

Start by creating a desktop OS with a hypervisor ingrained into it (all the risky stuff, even graphics and IP stacks, is isolated) to reduce the attack surface to a very small area. Then, hopefully, more and more eyeballs and minds will concentrate their attention on the really crucial parts instead of getting PTSD over the whole expanding theatre of apps and services.

Next, turn attention to system firmware (CoreBoot BIOS, and Shuttleworth's initiative to replace ACPI). We're almost halfway there now...

Finally, open hardware: CPUs, GPUs and such (we may see mobile devices benefit from this first).

TL;DR: Make the whole logic stack inspectable and open, and tightly link the security context provided by those components to the privileged part of the GUI.

Comment Re:Skills Levels of Hacking Community (Score 1) 162

The explosion of "brogrammers" et al. is a reflection of increasing amounts of code and complexity. Maybe this site closure is just a symptom of that trend going too far... the surface area to be protected, audited and patched has just become too large and the security culture is caving under that weight.

I think I've mentioned Qubes to you before... I can stuff all sorts of apps and functionality into it without impacting my attack surface and overall risk much. I just have to think about the 'who' and 'what' of the app and the task before I assign it to a domain; a little reflection buys me great peace of mind (instead of making me more worried, the way other architectures do).

This is based on a particular kind of Security By Isolation. The upshot is that the area of security focus for the community is reduced to the bare essentials, and that could have a positive effect in terms of available skills with more eyeballs looking at a given piece of sensitive code.
