Take down the Web site. Eliminate all official downloads.
First, people shouldn't be encouraged to use unmaintained software.
Second, if somebody really depends on it, they're put on notice that they now have to step up and support it.
Predisclosure is very risky. You don't really know which members of your "predisclosure list" have good control over who finds out and which don't. And even with perfect control, if you're going to patch something the size of Amazon at all, you're going to have to tell a lot of people. Are you sure you want every individual who happens to have a certain job at Amazon to have the chance to exploit other people's systems?
You're not really trusting organizations. You're trusting collections of individuals. And with that many individuals, you are going to have some bad actors. But you'd have a problem even if you could think of organizations as units with perfect policy enforcement. Suppose the NSA comes to you and says they're running a big Xen cluster (they probably are somewhere). And it's critical to national and maybe global security (it could very possibly be). Do they get on the list? How are you going to feel when they use that preannouncement to break into somebody else's system?
Furthermore, people inferred that there was probably a Xen vulnerability from Amazon's downtime, before the official announcement. So how, exactly, was that better than having the Xen project actually announce that fact, with or without details or a patch?
Also, it's not so easy to really know what's a "critical deployment". The fact is that, whether you're Xen or you're bash, you don't really know who's using your stuff. You don't really know what's critical. And you definitely don't know who's trustworthy.
And all of THAT assumes that you even control the disclosure at all. If you find a problem in your software, that problem is "new to you". That does not mean that a bunch of other people don't already know about it. Especially the sort of people who make a business of exploiting these things. So you don't even know for sure who you're depriving of the knowledge.
There's always an exception. Maybe Xen is that exception. But the idea that predisclosure should be the normal approach for software in general, whether open source or otherwise, is a very dangerous one.
Thank you for the correction on how much you get to know about the insides.
FPGAs aren't in any sense "open source hardware". Their physical embodiment is opaque and unmodfiable, although you do get at least some vague idea how they're organized. They're just devices that run a rather unusual form of software. That may or may not be a problem, but it's still true.
Being concerned about back doors isn't the only reason you'd want something to be open source... maybe you'd just like to be able to adapt and improve it. Or maybe not; hardware is a pretty unforgiving environment, and it's not obvious that that many people want to mess with it. Regardless of whether open source hardware is needed, it really doesn't exist in any significant way.
"Significant" matters there, by the way.I said "basically NO open source hardware", and "basically" was in there for a reason. I can also have truly open source CPUs custom fabbed, but it's not something anybody does or will probably ever do.
The vast bulk of the functionality comes from an Intel processor about whose internals they will tell you approximately NOTHING, let alone let you modify it. Most of the rest comes from other equally closed chips.
How is that open source?
There's basically NO open source hardware out there. And if there were nobody would be in a position to do much with it, because it would take a fab to make any change.
Have standards dropped so far that we're forgetting that?
That's the theory - how is it working out in practice?
It hasn't been enough of a problem in practice for anybody to bother to write the code to shrink the storage.
You do realize that Bitcoin is an actual deployed system that carries a huge transaction volume, right? That's the practice.
In a phone, the GSM modem has its own CPU (and its own memory).
Most phones are based on SoCs (Systems on a Chip); everything's interconnected on the same silicon. Usually the GSM modem processor has access to the memory and I/O busses of the main processor (but not the other way around), can reset the main processor, and often boots before the main processor and must explicitly turn on the main processor before it runs. I believe that in some designs the modem processor actually sets up the boot loader for the main processor as well. The modem processor can definitely rewrite the flash where the main processor's operating system is stored.
The result of this is that the modem has total control of the phone. It can do anything it wants to any data on the phone, including the internals of the main OS, and there's basically nothing the main processor can do about it other than maybe be too obscure and complicated to manipulate easily.
The firmware in the modem is invariably closed source and secret. The modem will only boot firmware that's crypto-signed by the manufacturer, and anyway the hardware is totally undocumented.
The modems have "over the air" command sets that let the carrier manipulate the phone remotely without going through the main OS. Those command sets can be very rich... and can include the ability to reflash the main OS, or even to peek and poke its memory while it's running.
So on most (all?) phones, it basically doesn't matter what your OS is. The carrier (possibly together with the SoC manufacturer) can do whatever it wants if it's willing to figure out the complexity of doing so. And of course governments lean on carriers and SoC manufacturers to get access to that capability, and commercial "partners" also have influence.
So call them a "cheater", "liar", whatever? And before you do even that, you should probably think about whether doing so is going to do anybody any good or just add to the world's unhappiness.
Even if you feel the person needs to be called out, "slut" is a bad choice of name for the case you describe, because it fundamentally means "person who has more sex than I think they should", or maybe "person who has sex with more people than I think they should", not "person who breaks promises".
I see where you're going with the "choice" thing, but I still agree with the GP. The bottom line with name calling is that you're trying to make somebody feel miserable for something that's none of your business. Whether they chose it or not is secondary.
I assume you can list all the undefined behaviors in the C standard off the top of your head, yes? And you've never actually written a line of code with an error in it, right?
I've spent a lot of time cleaning up after security bugs written by people with that attitude. None of them could make mistakes either. Maybe you guys should form a club, so the rest of us can identify the special beings walking among us.
You mean other than the part where the guy directly says that it's flying autonomously with nothing but a compass direction?
Maybe it needs a radio because they sometimes fly it remotely?
Yes, yes it is.
In security, you're trying to change the behavior of corporate drones, idiots, and people who are invested in the status quo. People use these papers as ammunition for that.
The drones will call your attack "theoretical" and "impractical" unless you spell out exactly how to do it, step by step. If they hadn't detailed exactly how to do it, the attitude would basically have been that nobody could possibly figure out the impossible complexity of weakening a REAL RNG. I mean, look at the self tests! Nobody could get around that! In fact, even people who weren't complete idiots might have guessed, at first glance, that the self tests would be hard to defeat, or that you couldn't do this hack without screwing up the chip.
Even with a detailed paper, they will probably be ignored until somebody actually does it in the field. If you wrote a one-pager that said "Warning! Somebody could alter the behavior of gates by tweaking the dopants", they would 1000 percent ignore it.
As for the verbose background information, it's standard in the field (although they went a bit heavy on it). It has zero cost, and readers in the field who don't need it simply skip it. So I don't know why you're getting so upset about it.
Please don't trash people's work in fields you don't even slightly understand.
I've been following this stuff since the 1990s, thanks. Let's just say that I have strong enough credentials on Tor and related systems that detailing them would out me.
If you want to see exactly how irrelevant encryption is to deanonymization by a global adversary, start around the year 2001 or 2002 in this bibliography:
http://freehaven.net/anonbib/#2001
Once again, layering TLS over Tor will not do a damned thing to protect you from widespread traffic analysis. It protect the content of your communication, but it will do no more than bare Tor to protect the fact of the communication itself. Even the content protection is very limited; the attacker can make a lot of very firm inferences, especially if she can learn the content of the same Web site you're hitting.
And, as far as we can tell, yes, there are approximately global adversaries out there.
This is dangerously wrong. I am going to correct it for the archives, in case somebody acts on it.
It doesn't matter what the content is, only that something was communicated. Crypto isn't magic.
The point of anonymity systems is to avoid being an interesting enough target that you get other kinds of attention. Tor fails in that if the enemy has a wide enough view of the network and some kind of interest in detecting some particular activity.
If you routinely connect to Jim-Bob's Bait and Terror shop, you are going to become a person of interest. And if you also connect to Aunt Sue's Needlepoint and Terror Shop, and Chef Ernesto's Cooking and Terror shop, what's the common element? Once you're a person of enough interest, they will find a way to find out whatever they want about you, up to and including physically breaking into your house, assuming they can't hack your computer. So your goal is to prevent them from getting that much specific interest in you.
For that matter, if during your many connections your traffic pattern looks like you downloaded a file exactly the size of "Bombing with Night Crawlers", they may in fact know exactly what you did. Especially when that night crawler bomb goes off in your town.
And you don't need ALL the traffic, by the way. You just need enough that the signal starts to rise out of the noise.
the police make up some alternative explanation of how they got the evidence
So, they did two things: in phase one, they identified the guy running Freedom Hosting. In phase two, they identified the people connecting to it.
We don't really know how they did phase one. Speculation is that they hacked in over the Tor channel, using a software exploit against the Web server. If you have a giant database of exploits and a nice framework for using them, that's not really much harder than traffic analysis, even if you do have the data to do traffic analysis too. And, if you're going to do the hack ANYWAY to cover up your ability to do traffic analysis, you might as well just start with the hack.
Also, if it was the NSA who did it, maybe they did it that way so they wouldn't have to explain traffic analysis to certain investigators in the FBI. Or maybe they just did the hack because it was easier. None of those means the NSA couldn't have done it with traffic analysis if the hack hadn't been available.
Or maybe they really did identify Freedom Hosting using traffic analysis, and then use a hack as a cover story.
Or maybe the NSA wasn't in on this one and the FBI just did its own hacking.
For phase two, if you want to get ALL the users, quickly, the hack is really probably better than the traffic analysis. But again they could be using it as a cover story, or they could have done it for the same sorts of reasons they might have done it in phase one.
Also, the hack was somewhat sophisticated. If not the NSA then who?
Anybody with enough money to hire a sophisticated hacker? We're talking about basic exploitation, not Stuxnet.
In phase one, if Freedom Hosting was taken using, say, an SQL injection vulnerability in some Web forum software or something, that's not very hard. You don't have to be the NSA to do that. Freelancers do that.
And didn't they start phase two after they'd physically grabbed the Freedom Hosting servers? That means their phase one exploit didn't even have to give total control; it just had to be enough to give them an IP address for Freedom Hosting so they could go grab it by force.
Once you have control of Freedom Hosting, then it's not very hard to plant a browser exploit on it to collect the users for phase two. As I recall, it wasn't even some kind of uber-magical zero-day multi-browser exploit; I seem to remember it being relatively mundane.
I'm pretty sure I could personally have done all the necessary hacking, for both phases, and I'm not an exploitation specialist. Surely the FBI can hire one or two people that good.
... or because they don't think those targets have enough value to make it worth bringing what they can do with traffic analysis out in open court. They give some things to LE. That doesn't mean they give LE everything they have.
But it's true that Tor is the best available for a lot of applications. And I do personally doubt that the NSA can reliably deanonymize Tor for low volumes of non-repeating traffic. I wouldn't bet on it, though. And I wouldn't bet on it lasting if it's true today.
One way to make your old car run better is to look up the price of a new model.
