Scientists working to advance the frontier of knowledge frequently also need to invent their tools along the way. Sometimes these are interesting little hacks to get a job done. Recently some researchers found ancestors of moths and butterflies older than any previously known by analyzing tiny scales found alongside ancient pollen. They needed a tool to manipulate these scales: separating them from surrounding debris, transferring them to microscope slides. The special tool was a needle tipped with a single human nostril hair.
As ancient insects were the published paper‘s focus, their use of nose hair tipped needle was only given a brief mention in the “Materials and Methods” section. Interviews by press quoted researchers’ claim that nose hair has the right mechanical properties for the job, without further details. Not even a picture of the tool itself. What properties of insect scales made them a good match with the properties of nose hair? Was there a comprehensive evaluation of multiple types of hair for the task? Would we regret asking these questions?
Novel approaches to fine-tipped tools would be interesting to examine under other contexts, like the tweezers we use to build surface-mount electronics. As SMD parts continue to shrink in size, will we reach a point where hair-tipped tools are the best DIY alternative to an expensive pick-and-place machine? It would be another creative approach to deal with the challenges of hand-built SMD. From simple but effective mechanical helpers, to handy 3D printed tools, to building hybrid Manual + CNC pick-and-place more affordable than their fully automated counterparts.
[via Washington Post]
Intel just moved some high level people around to form a dedicated security group.
When news of Meltdown and Spectre broke, Intel’s public relations department applied maximum power to their damage control press release generators. The initial message was one of defiance, downplaying the impact and implying people are over reacting. This did not go over well. Since then, we’ve started seeing a trickle of information from engineering and even direct microcode updates for people who dare to live on the bleeding edge.
All the technical work to put out the immediate fire is great, but for the sake of Intel’s future they need to figure out how to avoid future fires. The leadership needs to change the company culture away from an attitude where speed is valued over all else. Will the new security group have the necessary impact? We won’t know for quite some time. For now, it is encouraging to see work underway. Fundamental problems in corporate culture require a methodical fix and not a hack.
Editor’s note: We’ve changed the title of this article to better reflect its content: that Intel is making changes to its corporate structure to allow a larger voice for security in the inevitable security versus velocity tradeoff.
Hawaiians started their weekend with quite a fright, waking up Saturday morning to a ballistic missile alert that turned out to be a false alarm. In between the public anger, profuse apologies from officials, and geopolitical commentary, it might be hard to find some information for the more technical-minded. For this audience, The Atlantic has compiled a brief history of infrastructure behind emergency alerts.
As a system intended to announce life-critical information when seconds count, all information on the system is prepared ahead of time for immediate delivery. As a large hodgepodge linking together multiple government IT systems, there’s no surprise it is unwieldy to use. These two aspects collided Saturday morning: there was no prepared “Sorry, false alarm” retraction message so one had to be built from scratch using specialized equipment, uploaded across systems, and broadcast 38 minutes after the initial false alarm. In the context of government bureaucracy, that was really fast and must have required hacking through red tape behind the scenes.
However, a single person’s mistake causing such chaos and requiring that much time to correct is unacceptable. This episode has already prompted a lot of questions whose answers will hopefully improve the alert system for everyone’s benefit. At the very least, a retraction is now part of the list of prepared messages. But we’ve also attracted attention of malicious hackers to this system with obvious problems in design, in implementation, and also has access to emergency broadcast channels. The system needs to be fixed before any more chaotic false alarms – either accidental or malicious – erode its credibility.
We’ve covered both the cold-war era CONELRAD and the more recent Emergency Broadcast System. We’ve also seen Dallas’ tornado siren warning system hacked. They weren’t the first, they won’t be the last.
(Image: Test launch of an unarmed Minuteman III ICBM via US Air Force.)
Small aircraft with streaming video cameras are now widely available, for better or worse. Making eyes in the sky so accessible has resulted in interesting footage that would have been prohibitively expensive to capture a few years ago, but this new creative frontier also has a dark side when used to violate privacy. Those who are covering their tracks by encrypting their video transmission should know researchers at Ben-Gurion University of the Negev demonstrated such protection can be breached.
The BGU team proved that a side-channel analysis can be done against behavior common to video compression algorithms, as certain changes in video input would result in detectable bitrate changes to the output stream. By controlling a target’s visual appearance to trigger these changes, a correlating change in bandwidth consumption would reveal the target’s presence in an encrypted video stream.
Continue reading “Watching the Watchers: Are You The Star Of an Encrypted Drone Video Stream?”
While the whole industry is scrambling on Spectre, Meltdown focused most of the spotlight on Intel and there is no shortage of outrage in Internet comments. Like many great discoveries, this one is obvious with the power of hindsight. So much so that the spectrum of reactions have spanned an extreme range. From “It’s so obvious, Intel engineers must be idiots” to “It’s so obvious, Intel engineers must have known! They kept it from us in a conspiracy with the NSA!”
We won’t try to sway those who choose to believe in a conspiracy that’s simultaneously secret and obvious to everyone. However, as evidence of non-obviousness, some very smart people got remarkably close to the Meltdown effect last summer, without getting it all the way. [Trammel Hudson] did some digging and found a paper from the early 1990s (PDF) that warns of the dangers of fetching info into the cache that might cross priviledge boundaries, but it wasn’t weaponized until recently. In short, these are old vulnerabilities, but exploiting them was hard enough that it took twenty years to do it.
Building a new CPU is the work of a large team over several years. But they weren’t all working on the same thing for all that time. Any single feature would have been the work of a small team of engineers over a period of months. During development they fixed many problems we’ll never see. But at the end of the day, they are only human. They can be 99.9% perfect and that won’t be good enough, because once hardware is released into the world: it is open season on that 0.1% the team missed.
The odds are stacked in the attacker’s favor. The team on defense has a handful of people working a few months to protect against all known and yet-to-be discovered attacks. It is a tough match against the attackers coming afterwards: there are a lot more of them, they’re continually refining the state of the art, they have twenty years to work on a problem if they need to, and they only need to find a single flaw to win. In that light, exploits like Spectre and Meltdown will probably always be with us.
Let’s look at some factors that paved the way to Intel’s current embarrassing situation.
Continue reading “Spectre and Meltdown: Attackers Always Have The Advantage”
When news broke on Meltdown and Spectre ahead of the original disclosure plan, word spread like wildfire and it was hard to separate fact from speculation. One commonly repeated claim was that the fix would slow down computers by up to 30% for some workloads. A report released by Microsoft today says that “average users” with post-2015 hardware won’t notice the difference. Without getting into specific numbers, they mention that they expect folks running pre-2015 hardware to experience noticeable slowdowns with the patches applied.
The impact from Meltdown updates are easier to categorize: they slow down the transition from an user’s application level code to system level kernel code. The good news: such transitions were already a performance killjoy before Meltdown came along. There exists an extensive collection of tools (design patterns, libraries, and APIs) to help software developers reduce the number of user-kernel transitions.
Performance sensitive code that were already written to minimize kernel transitions will suffer very little from Meltdown updates. This includes most games and mainstream applications. The updates will have a greater impact on the minority of applications that frequently jump between kernel and user worlds. Antivirus software (with their own problems) have reasons to do so, and probably will end up causing most of the slowdowns seen by normal users.
Servers, with their extensive disk and networking IO — and thus kernel usage — are going to have a much worse time, even as seen through Microsoft’s rosy spectacles. So much so that Microsoft is recommending that admins “balance the security versus performance tradeoff for your environment”.
The impact from Spectre updates are harder to pin down. Speculative execution and caching are too important in modern CPUs to “just” turn off. The fixes will be more complex and we’ll have to wait for them to roll out (bumps and all) before we have a better picture.
The effects might end up being negligible as some tech titans are currently saying, and that probably will fit your experience, unless you’re running a server farm. But even if they’re wrong, you’ll still be comfortably faster than an Intel 486 or a Raspberry Pi.
Do any of you have numbers yet?
[via The Verge]
While there’s broad agreement that Meltdown and Spectre attacks are really bad news at a fundamental level, there is disagreement on its immediate practical impact in the real world. Despite reassurance that no attacks have been detected in the wild and there’s time to roll out the full spectrum of mitigation, some want to find protection right now. If you’re interested in an usable and easy to set up modern desktop that’s free of Meltdown or Spectre threats, a Raspberry Pi can provide the immunity you seek.
[Eben Upton] explained the side channel attacks using fragments of Python for illustration, which was an enlightening read independent of the Raspberry Pi pitch. While these ARM cores perform speculative instruction fetches, they don’t speculatively execute them or modify the cache. Under the current circumstances, that makes all the difference in the world.
A clever security researcher may yet find a way to exploit speculative fetches in the future, and claiming that Raspberry Pi has superior security would be a stretch. The platform has its own set of security problems, but today Meltdown/Spectre is not among them. And that just might be enough to sway some decisions.
If you need to stay in the x86 world, look over what it’d take to to rewind back to an Intel 486.
Thanks to [D00med] for sharing the link in a comment to our overview article.