←back to thread

Intel x86 considered harmful – survey of attacks against x86 over last 10 years

(blog.invisiblethings.org)
276 points chei0aiV | 4 comments | 27 Oct 15 14:51 UTC | HN request time: 0.638s | source
Show context
kragen ◴[27 Oct 15 15:35 UTC] No.10458647[source]
Probably worth pointing out that the author is the project lead of Qubes, one of the very few promising projects in the vast wasteland of computer security.
replies(2): >>10459513 #>>10459645 #
kachnuv_ocasek ◴[27 Oct 15 17:32 UTC] No.10459645[source]
Very few? Seriously?
replies(4): >>10459760 #>>10459957 #>>10460536 #>>10461036 #
1. kragen ◴[27 Oct 15 18:09 UTC] No.10459957[source]
Seriously. The vast majority of computer security effort is wasted on things like the advisory-and-patch cycle, pen testing, and virus scanning, which can never, by their very nature, provide computer security. That's not to say you don't have to do them — it's just that they're not productive.
replies(2): >>10460620 #>>10488411 #
2. kachnuv_ocasek ◴[27 Oct 15 19:50 UTC] No.10460620[source]
Oh, I understand now and I agree wholeheartedly.

There's been some exciting progress in the formal verification department in recent years, though.

replies(1): >>10460717 #
3. kragen ◴[27 Oct 15 20:06 UTC] No.10460717[source]
I agree!
4. kabdib ◴[01 Nov 15 21:32 UTC] No.10488411[source]
The game console guys have their act together. Well, Microsoft, anyway. And Apple is doing a great job on the mobile OS side of things. There's also some very interesting hypervisor work coming out of the Windows 10 group.

So "most" is probably okay. with a couple noticeable exceptions:

Android needs to get its shit together. Not letting any old manufacturer write device drivers with jaw-droppingly bad security holes would be a start. I last looked at vendor-provided drivers in 2010 or so and I very much doubt they have improved.

(A while ago I wanted to store a secret on an Android device. And I couldn't do it. Ten year old platform and no effective secure storage; did the ghost of J Edgar Hoover visit Google and threaten them?)

Network equipment manufacturers: Why even bother with a home router when some code monkey stuck a hard-coded password into the firmware? I'd love to be able to inspect the code on the device I'm trusting to keep my network safe. Interesting that DDWRT is under political attack, isn't it?