# Security in computer science only a mirage



## bcomputerguy (Jan 15, 2017)

With exploits like this that directly affect the hardware and timing of a CPU, can we really believe that security in computer science is anything but a dream?

Sure you can raise the bar but if someone wants to get in, they can. Even if they are running in virtual machines on your server, they can own the whole machine.

Or am I over blowing the implications of research and projects like these?


----------



## Deleted member 9563 (Jan 15, 2017)

I don't know if you're over blowing the implications, but what I see here is the same as you see in the physical world. There is no ultimate "safety". The whole concept is relative.

I think that somehow we've been lulled into thinking of computers as being isolated from the physical world. They aren't. People can come to your house with guns and there is no way that you can stop them from taking your computer or anything else. There is always a greater level of attack, given enough money or power. Why would "cyberspace" be different in that regard? Of course it wouldn't.

What we so often forget is that we are indeed safe. No one is going to spend precious resources picking on most of us individually. Yes, we had a shocking revelation when the extent of the NSA and FVEY intrusion became known, but most of the harm from them is from us having gotten sloppy. If I was to put my finger on the most harmful aspect of all this, I'd say it is the growth of 1984 type evil made possible by this technology. As individuals, our computers will remain as safe as always, but our lives may be less safe due to the direction of governments in current times.


----------



## Sevendogs (Jan 15, 2017)

The only truly "safe" computer is one that is turned off  Oj, you make a good point in that as individuals, no one is particularly interested in us, unless of course we are doing something we shouldn't be, and raise the interest of a government agency, law enforcement, criminals, etc.


----------



## bcomputerguy (Jan 15, 2017)

OJ said:


> I don't know if you're over blowing the implications, but what I see here is the same as you see in the physical world. There is no ultimate "safety". The whole concept is relative.
> 
> I think that somehow we've been lulled into thinking of computers as being isolated from the physical world. They aren't. People can come to your house with guns and there is no way that you can stop them from taking your computer or anything else. There is always a greater level of attack, given enough money or power. Why would "cyberspace" be different in that regard? Of course it wouldn't.
> 
> What we so often forget is that we are indeed safe. No one is going to spend precious resources picking on most of us individually. Yes, we had a shocking revelation when the extent of the NSA and FVEY intrusion became known, but most of the harm from them is from us having gotten sloppy. If I was to put my finger on the most harmful aspect of all this, I'd say it is the growth of 1984 type evil made possible by this technology. As individuals, our computers will remain as safe as always, but our lives may be less safe due to the direction of governments in current times.



I've heard this type of reasoning before but where it falls apart is that if they want to raid your house, they have to physically go there and kick down the doors, etc...

Technology on the other hand, especially in a connected age guess what, they can just throw out a wide net and see what sticks.

This is a major difference between the real world and online but online can lead to real world consequences real fast.

I am definitely not the type to hide out and be super cryptic about my stuff. I don't even think that I am important enough to be tracked but again this isn't the problem. I don't even have passwords on my phone and my passwords online are notoriously easy to guess.

Metadata can paint a picture of you that isn't true, that could put you in a compromising position so it's not about you being important to track. You could just be a easy way to get conviction or some type of vendetta.


----------



## getopt (Jan 15, 2017)

I am responding here blind to the OP, because I have blocked Youtube here completely, and I'm not going to unblock it. I can resist seductions.

But I want to answer OJ. I appreciate his contribution.

He's absolutely right saying "the whole concept is relative". Accepting this concept one has to find out about this relativeness in terms of where do I stand and what are my needs.

A farmer using the Internet mostly for checking the weather has other needs for safety and privacy than let's say a banking company. And the bankers face a different threat model than NGO workers do.

When it comes to defense and protection one should have at least roughly an idea about who are my potential adversaries and what expense are they ready to spend to get my crown jewels. It is always a good idea to consider an IT-attacker to be more capable than oneself is.

The days where the Internet was _mainly_ a good place for education, communication and business are past. The Internet is now changing back from where it evolved, namely from attack and defense. Collateral damage has to be expected by civilian users of the Internet when governments start practicing digital warfare (I avoid the buzzword "cyberwar") by collecting exploits and holding back/hiding security advisories.

And there is the phenomenon around the terms "fake" and "post truth". If that persists for a long enough period, our societies are going to be hurt substantially. That is, because the Internet has become ubiquitous and mobile by offering seductive "free" services.

The personal mileage may differ in terms of self defense when using the Internet. But be assured one thing is understood immediately in the business world and thus even by governments: When people start refusing doing business or using "services" they get it right and miraculously fast.

A possible line of self defense is always to say good bye to commercial offerings and services and to terms of use. Hurt your adversaries by refusing doing business with them. People not knowing how to protect their digital life and environment should deny buying smart-TVs, smart-refrigerators, smart phones, smart home-automation and other smart IoT gadgets like "Alexa".




OJ said:


> As individuals, our computers will remain as safe as always


I'd have written: our computers will remain as unsafe as they always have been.


----------



## bcomputerguy (Jan 16, 2017)

getopt said:


> I am responding here blind to the OP, because I have blocked Youtube here completely, and I'm not going to unblock it. I can resist seductions.
> 
> But I want to answer OJ. I appreciate his contribution.
> 
> ...



Multiple difference sources outside of youtube to watch the lectures or listen to code. Writing an reply to something that you don't understand doesn't seem like a wise path to take.

What could possibly go wrong with 
<insert x86 instruction here>? 
Side effects include side-channel attacks and bypassing kernel ASLR

https://media.ccc.de/v/33c3-8044-what_could_possibly_go_wrong_with_insert_x86_instruction_here

Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
https://cmaurice.fr/pdf/ndss17_maurice.pdf

Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR
https://gruss.cc/files/prefetch.pdf

ARMageddon How Your Smartphone CPU Breaks Software-Level Security And Privacy
https://www.blackhat.com/docs/eu-16...reaks-Software-Level-Security-And-Privacy.pdf

Open Source code
https://github.com/iaik/armageddon


----------

