[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] PcwRunAs Password Obfuscation Design Flaw

--- On Thu, 2012/3/29, Christian Sciberras <uuf6429@xxxxxxxxx> wrote:

> 
> So, it seems it dawned on everyone that current computer models are 
> fundamentally flawed.
> The "protection" we're trying to add is, at this point, one huge hack attempt 
> to get things right.
> Do I have a specific solution? No. But I do think rethinking the wheel might 
> be worthwhile.
> This would include forgetting POSIX for a minute and think what could be 
> improved without relying on religious zeal.
> Yes, I know it's hard, but it's for the betterment of humanity! I hope...

There are other architectures that provide very different situations, some of 
them significantly more secure than the shared data/instruction memory concept 
in widespread use today. But they aren't cheap.

cheap + secure = really hard

Well, perhaps provably impossible at some level which is what you're getting 
at, I think.

People favor cheap over secure. They prefer what they think they know to what 
they know they don't. They prefer breathtakingly mediocre to boringly deep tech.

This is manifest in the current market and I don't think it'll change any time 
soon. To the bulk of paying customers computers are still full of magic and 
dragons, and probably always will be. To stakeholders big enough to actually 
shape markets the interest is in selling what people can understand, not in 
actually advancing technology -- because this sort of advanced technology does 
not sell well. 

Consider that the bulk of the IT market is still focused on literally licensing 
arrangements of bit-spaces that the users already own and calling it a product 
-- and to convince users that they are "getting something" we have to go as far 
as actually putting arrangements on media in physical boxes on real store 
shelves with pricetags and things. This is ridiculous if you consider it for a 
moment, but the average customer just can't wrap their head around what 
information is in the first place, and they require this mnemonic crutch of a 
marketplace to understand how to give money to us developers and why they 
should do that.

Motorola, IBM, and a slew of companies now totally out of business discovered 
the truth about trying to sell the public high tech instead of cheap tech, and 
the related necessity of the marketplace farce above though repeated (usually 
disastrous) experience. In short, it is difficult to generate market buzz 
around a product that nobody understands, and architecture is definitely one of 
those things.

Now if you can dream up a use case which itself embodies the "next killer app" 
and which actually requires an architecture of strict data/instruction/signal 
and memory/register/bus segregation, and this killer architecture for this 
killer must-have app isn't actually a mainframe, and you can generate sales to 
a general enough segment of the global public that education systems, social 
dialogue and the DIY hardware and book markets begin to focus on your new[1] 
idea, then you might have a shot at changing the status quo. This is all 
assuming you can amass sales large enough to effect a seriously beneficial 
economy of production scale to cut the price of these hardware architectures 
down at least a thousand times compared to what they cost today (doable, but 
only if the market cooperated, hence the whole thing hinging on necessity and 
buzz).

Them's the breaks, my friend. Unfortunately it is going to be some time before 
a radical paradigm shift demands a change as significant as a real re-working 
of the hardware architecture. Even a departure from just x86 is hard enough to 
follow through on, despite vastly superior alternatives because nobody wants to 
change that bad.

The next chance for something that really will be useful that will really 
require a reworking of architecture is probably whenever quantum computing 
becomes a public thing -- but there is a whole world of crazy that goes along 
with that, because its sort of like nuclear weaponry, in that everyone wants to 
have and use it but not let anyone else.

Anyway, don't stress over it. The market is screwed up and its going to remain 
so for some time yet, fretting about it won't help.

-IY

[1. Not in fact new, of course, but rather a rehash of existing architecture 
ideas not well known outside of high-performance and experimental computing. 
But this will be new to the public and even the vast majority of IT 
professionals, and therefore magic that is new enough to be marketably 
mysterious.]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/