[Cryptography] Big ugly security problem in post-2008 Intel chipsets.

iang iang at iang.org
Wed May 10 10:25:31 EDT 2017


On 07/05/2017 18:38, Peter Todd wrote:

> On Sat, May 06, 2017 at 11:28:38PM -0400, iang wrote:
>> On 01/05/2017 22:40, Ray Dillinger wrote:
>> Unpopular opinions!  I think there was an element of truth in all that, but
>> two things changed - one was the evolution of serious criminal gangs which
>> industrialised the process.  The second was the rise of cyberwar... although
>> the jury's out as to whether this was caused by e.g. Obama's OLYMPICGAMES or
>> as a natural evolution, a tit for tat.
> Cryptocurrencies have also forced cryptocurrency-related companies to adopt
> vastly improved security because thieves can directly steal money.

Yes, this is why financial cryptography was always more fun.  It has the 
tightest feedback loop - get it wrong and you get robbed.  This tight 
feedback loop is mostly absent in other forms of cryptography such as 
privacy, retail commerce (aka SSL & passwords), political / natsec and 
military.  Which means, in financial cryptography as opposed to the 
others, we learn the fastest, assuming we're capable of that.

> Additionally there's a second, less-obvious effect of the above:
> non-cryptocurrency-related companies are getting hacked by thieves trying to
> gain access to user data that in turn will let them hack other targets with
> cryptocurrency holdings. For example, phone companies are frequently getting
> social engineered to exploit their customers' 2FA setups, and in turn, exploit
> cryptocurrency accounts at stuff like exchanges.

Right.  We always knew that the phones were an inadequate 2FA simply 
because they were relatively easy to attack.  And once the stakes were 
high enough, they were attacked.

Now, for online banking, this was sorta maybe ok because the online 
banks also had other security layers inside the banks, so using the 
phone was their cheapest widespread option.  But this fell apart for 
cryptocurrencies which typically did not have other layers of protection 
(ok, they had verbal protections like multisig and and and).

The interesting thing is that people wake up and blame the telco. But it 
was never the telco's threat model to protect bitcoin or online banking...

iang

