Re: Canal+ crash

From Niklas Holsti <niklas.holsti@tidorum.invalid>
Newsgroups fr.comp.lang.ada, comp.lang.ada
Subject Re: Canal+ crash
Date 2024-07-21 14:31 +0300
Organization Tidorum Ltd
Message-ID <lg49sfFbc7aU1@mid.individual.net> (permalink)
References (3 earlier) <v7fuqu$3fihj$1@dont-email.me> <v7hmrc$3p5q7$8@dont-email.me> <v7icut$654$1@dont-email.me> <lg3th4F90ggU1@mid.individual.net> <v7ijr1$12fk$1@dont-email.me>

Cross-posted to 2 groups.


On 2024-07-21 12:19, Dmitry A. Kazakov wrote:
> On 2024-07-21 10:00, Niklas Holsti wrote:
>> On 2024-07-21 10:22, Dmitry A. Kazakov wrote:
>>> On 2024-07-21 03:04, Lawrence D'Oliveiro wrote:
>>>> On Sat, 20 Jul 2024 11:08:47 +0200, Dmitry A. Kazakov wrote:
>>>>
>>>>> On 2024-07-20 09:43, Lawrence D'Oliveiro wrote:
>>>>>
>>>>>> On Sat, 20 Jul 2024 09:23:11 +0200, Dmitry A. Kazakov wrote:
>>>>>>
>>>>>>> It is about the fundamental principle that security cannot be added on
>>>>>>> top of an insecure system.
>>>>>>
>>>>>> Actually, it can. Notice how the Internet itself is horribly insecure,
>>>>>> yet we are capable of running secure applications and protocols on top
>>>>>> of it.
>>>>>
>>>>> Why on earth do we need security updates?
>>>>
>>>> Because computer systems are complex, and new bugs keep being discovered
>>>> all the time.
>>>
>>> This does not make sense. You can create a very complex system out of 
>>> screwdrivers and still each screwdriver would require no update.
>>>
>>> Systems consist of computers and computers of software modules. There 
>>> is nothing inherently complex about making a module safe and bug 
>>> free. Security interactions are primitive and 100% functional. There 
>>> are no difficult issues with non-functional stuff like real-time 
>>> problems.
>>
>> Well, several recent attacks use variations in execution timing as a 
>> side-channel to exfiltrate secrets such as crypto keys. The crypto 
>> code can be functionally perfect and bug-free, but it may still be 
>> open to attack by such methods.
> 
> It is always a tradeoff between the value of the information and costs 
> of breaking the protection. I doubt that timing attacks are much more 
> feasible in that respect than brute force.


Security researchers and crypto implementers seem to take timing attacks 
quite seriously, putting a lot of effort into making the crucial crypto 
steps run in constant time.


>> But certainly, most attacks on SW have used functional bugs such as 
>> buffer overflows.
> 
> Exactly. Non-functional attacks are hypothetical at best. They rely on 
> internal knowledge which is another problem. 


As I understand it, the "internal knowledge" needed for timing attacks 
is mostly what is easily discoverable from the open source-code of the 
SW that is attacked.
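
Added example, not part of the original post or thread: two functionally identical tag comparisons in C, showing why "bug-free" code can still leak through timing and what the constant-time form discussed above looks like. The function names, the step counter (a deterministic stand-in for execution time) and the sample byte values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instrumentation only: byte comparisons done by the last call. */
static size_t steps;
size_t last_steps(void) { return steps; }

/* Functionally correct, but stops at the first mismatch: the work done
   reveals how many leading bytes of the candidate were right. */
int tag_equal_early_exit(const uint8_t *a, const uint8_t *b, size_t n)
{
    steps = 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Same answer, but every byte is examined and differences are OR-ed
   together: no branch or early exit depends on the data. */
int tag_equal_constant_time(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff = 0;  /* volatile discourages short-circuiting */
    steps = 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Constructed sample values, not from any real system. */
const uint8_t TAG[8]         = {0x3a,0x91,0x5c,0x07,0xe2,0x44,0xb8,0x6d};
const uint8_t WRONG_FIRST[8] = {0x00,0x91,0x5c,0x07,0xe2,0x44,0xb8,0x6d};
const uint8_t WRONG_LAST[8]  = {0x3a,0x91,0x5c,0x07,0xe2,0x44,0xb8,0x00};

int main(void)
{
    const uint8_t *cand[] = {WRONG_FIRST, WRONG_LAST, TAG};
    for (int i = 0; i < 3; i++) {
        int r1 = tag_equal_early_exit(TAG, cand[i], 8);
        size_t s1 = last_steps();
        int r2 = tag_equal_constant_time(TAG, cand[i], 8);
        printf("equal=%d/%d steps early=%zu constant=%zu\n", r1, r2, s1, last_steps());
    }
    return 0;
}
```

Both functions return the same results on every input; only the amount of work differs. In production code, a vetted library primitive such as OpenSSL's `CRYPTO_memcmp` is preferable to a hand-written loop, since compilers can reintroduce data-dependent behaviour.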
