Boot Linux from your hard drive. In the firmware.

    #1

    Someone at work posted this amazing discovery on our tech-chatter list.

    http://spritesmods.com/?art=hddhack

    The disk controller is also interesting as a generic controller board. You have three fairly capable CPU cores, with a pretty big amount of RAM connected to it. There's also a UART, for the serial port, and at least two SPI interfaces; one to the flash ROM and one to the spindle controllers. You can load the code for the processor by updating an external flash chip, or even by using the serial port in the bootloader. To demonstrate the power of the chip, I ported a fairly ubiquitous bit of software to my HD. The demo is a proof-of-concept only, the serial port is the only peripheral that works, and no userspace is available yet. Nevertheless, I am still a bit proud to say I have installed Linux on my hard disk.

    #2
    Sent the URL to my Dad. He liked it:
    It is, it is! Wow. One cool piece of work. Reminds me of my own
    hacking days, before "hacking" got to be a term of opprobrium.


    I'm also impressed with the author. The guy has true integrity:
    Releasing the source-code for a security project always is a nasty subject. I want to release code, but I do not want to be responsible for a lot of permanently hacked servers... I decided to compromise: you can download the code I used here, but I removed the shadow-replacement code. Make note: I'm not going to support the process to get all this running in any way; it's a hack, you figure it out.
    Using Kubuntu Linux since March 23, 2007
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      So, you can have a hard drive that your PC boots Linux from, internally using a separate copy of Linux installed on its controller logic board to handle the hard drive's functionality. That's cool as hell!

      Also, there *must* be an Xzibit "Yo dawg" style joke in there somewhere...
      "Let us think the unthinkable, let us do the undoable, let us prepare to grapple with the ineffable itself, and see if we may not eff it after all."
      -- Douglas Adams



        #4
        I'm just the idiot sitting in the corner at the moment. So does this speed up the HDD read/write or boot time for the OS? Does it give me free HBO? Does it turn the cat orange?

        Not that I would be wanting to try it, sounds very cool and geeky but I had enough with my room mate's projects. He wants to take apart the microwave now... I better get ready for CPR.



          #5
          Interesting read, like a novel for nerds...

          The part about "There also are a few things that make life easier, though. First of all, it seems Western Digital hasn't been intentionally obfuscating the code" made me think that WD didn't give it a thought that a whitehat hacker would be looking into their device.

          The section, "If a blackhat hacker had somehow obtained root access to a server with this drive, he could...", was also informative; and scary.

          A world unknown to most people. This was some clever detective work, mix in with a lot of hardware/software knowledge.
          Boot Info Script



            #6
            What if all hard drives were sold with a small dedicated linux install with a boot manager, data recovery tools, and basic internet access. THAT would be awesome!

            Please Read Me



              #7
              An entire and expensive industry would be put out of business. Ergo, your idea will never see the light of day.



                #8
                What a fascinating investigation!
                If it were possible to use the explained tools to really sneak in a bootable OS (and run it), could it possibly bypass this whole UEFI thing?



                  #9
                  Originally posted by SteveRiley:
                  An entire and expensive industry would be put out of business. Ergo, your idea will never see the light of day.
                  Indeed, we can't solve too many problems. Network security and internet privacy could have been solved long time ago. Internet privacy is simple:
                  - all cookies are by default discarded (all browsers, every session, all the time) except for websites specifically whitelisted. (this should be the default)
                  - LSO cookies should be discarded by default (all browsers, all the time) without exception
                  - javascript and flash should not load from 3rd party sites without permission
                  - really any flash element should ask for permission before loading due to the vulnerabilities
                  - applications should really ask to use the internet by default. Certain applications should ask to use the internet each time they need to. Obviously not the browser, but if I have an office program, I would like to know that it is not by default using the internet and why it would (checking for addon updates, refreshing list of addons, fetching online help, etc).

                  Network security is a bit more complicated, but one can easily frustrate blind hackers:
                  - obviously hardware firewalls (should be standard between any networked device and a web connection)
                  - software firewalls should interact with the web connection and be able to detect specific programs making requests. This would be useful for finding malware that is maliciously sending data on the user when it is obviously inappropriate or unnecessary
                  - 2 or 3 factor authentication should be standard for most important web interfaces. I thought fingerprint authentication or retinal scanners would be standard fare for ALL computers... That would be a good default factor for accessing your hardware. I wouldn't want to be transmitting that information over the internet, but locally would be okay. Texting me an authorization code after I've attempted to login with a well formed password should be a must though everywhere.
                  - 100% encrypted transmission of data across the internet. Understandably encryption is getting easier to hack, but at least slow down whoever is trying by increasing the level of encryption and applying it to absolutely everything. Should be a no-brainer

                  With network security, some internet companies, like AT&T automatically ship routers with very good wifi SSID names and passwords (albeit number passwords, but very long and random), but long SSID names, non-broadcast SSID, WPA2 or better, and very long alphanumeric passwords should be standard for anybody's.

                  LOL, sorry for too long post!!

                  TLDR;

                  I agree with what you said. People can't solve problems the "easy way".. just like with anti-virus, despite the fact that 100% of viruses are NOT in virus definition files when they are first released in the wild.. therefore antivirus will always be ineffective at protecting you from viruses. (virii?) Better to have an operating system that doesn't allow exploits, software ecosystem that distributes software free of malware, users who are educated on how to safely download software, constant updating of software, and constantly applying test cases to detect hinky stuff



                    #10
                    Unfortunately, it's not so easy as you might think. Security is hard.

                    Originally posted by texaswriter:
                    - all cookies are by default discarded (all browsers, every session, all the time) except for websites specifically whitelisted. (this should be the default)
                    - LSO cookies should be discarded by default (all browsers, all the time) without exception
                    - javascript and flash should not load from 3rd party sites without permission
                    - really any flash element should ask for permission before loading due to the vulnerabilities
                    - applications should really ask to use the internet by default. Certain applications should ask to use the internet each time they need to. Obviously not the browser, but if I have an office program, I would like to know that it is not by default using the internet and why it would (checking for addon updates, refreshing list of addons, fetching online help, etc).
                    Mechanisms exist for Linux and for Windows to do all of these. But they aren't used. Why? They seriously impede usability. Maintaining application allow-lists is a major chore, especially in large enterprises. Furthermore, they are generally trivial to circumvent. Malware can impersonate approved applications. Device drivers can talk directly to hardware, bypassing most operating system controls. And people don't know how to answer security dialog boxes.

                    Originally posted by texaswriter:
                    - obviously hardware firewalls (should be standard between any networked device and a web connection)
                    - software firewalls should interact with the web connection and be able to detect specific programs making requests. This would be useful for finding malware that is maliciously sending data on the user when it is obviously inappropriate or unnecessary
                    Hardware firewalls are custom-built (read: expensive) appliances mostly containing standard stuff: x86 CPUs, RAM, PCI-E bus, etc. All the smarts are in the software installed into the appliance at the factory. There is nothing intrinsic to such a design that makes it "more secure" than the same software installed on an off-the-shelf server.

                    Originally posted by texaswriter:
                    - 2 or 3 factor authentication should be standard for most important web interfaces. I thought fingerprint authentication or retinal scanners would be standard fare for ALL computers... That would be a good default factor for accessing your hardware. I wouldn't want to be transmitting that information over the internet, but locally would be okay.
                    Biometrics are great identifiers. They are lousy authenticators. What's the difference? An identifier is a claim, and necessarily must be public. An authenticator is proof of the claim, requiring a secret that only the claimant knows and a target can validate. Biometrics are not secrets. How do you revoke a finger? Read my article "It's me, and here's my proof: why identity and authentication must remain distinct."

                    Originally posted by texaswriter:
                    Texting me an authorization code after I've attempted to login with a well formed password should be a must though everywhere.
                    I am a big fan of this approach. Out-of-band transaction authorization wipes out entire classes of attacks. Phishing can become a thing of the past.

                    Originally posted by texaswriter:
                    - 100% encrypted transmission of data across the internet. Understandably encryption is getting easier to hack, but at least slow down whoever is trying by increasing the level of encryption and applying it to absolutely everything. Should be a no-brainer
                    Not a good idea at all. Traffic engineering, WAN optimization, and application profiling all become impossible in such a world, the cost of connectivity will rise, and performance will suffer. Firewalls will lose their ability to inspect traffic, negating the security they now provide.

                    Also, encryption is not getting easier to attack. 256-bit asymmetric encryption and 2048-bit symmetric encryption still require more time to defeat than the current age of the universe. I think that's good enough. Flaws, when found, are in implementations, not in algorithms.

                    Originally posted by texaswriter:
                    long SSID names, non-broadcast SSID, WPA2 or better
                    I've written previously that hiding your SSID gets you nothing; this is not really a debatable point. The normal course of wi-fi creates probe frames and association frames, which by design contain your clear-text SSID regardless of how you've configured broadcast. Tools exist to sniff these from the air. Think back to my article about identifiers vs. authenticators. An SSID is an identifier. Trying to hide something not designed to be hidden will create a false sense of security, blinding you to the real threats. Obfuscation is not security.

                    Also: what's better in your mind than WPA2?

                    Originally posted by texaswriter:
                    Better to have an operating system that doesn't allow exploits, software ecosystem that distributes software free of malware
                    Neither of these is possible in the real world, for they require perfection. Humans aren't perfect, and can never create something that is perfect.

                    Originally posted by texaswriter:
                    LOL, sorry for too long post!!
                    You're still new here, apparently ... many of us regulars can carry on for quite a while sometimes.
                    Last edited by SteveRiley; Aug 15, 2013, 02:12 AM.

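The out-of-band transaction authorization that post #10 endorses only "wipes out entire classes of attacks" if the code sent over the second channel is bound to the transaction it approves, not just to the login. The following is an added example, not code from this thread or from any of the linked articles; it shows that binding with an HMAC over the transaction details. DEMO_KEY, the account and IBAN strings, the 6-digit format and the 120-second lifetime are all assumptions for illustration.

```python
"""Out-of-band transaction authorization with the code bound to the
transaction.  A code phished for one transfer cannot approve a transfer
to a different destination or for a different amount, and cannot be
replayed.  Added example; DEMO_KEY and the sample data are constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

DEMO_KEY = b"demo-key-not-for-production-0123"   # constructed; keep the real one in an HSM/KMS
CODE_DIGITS = 6
TTL_SECONDS = 120
_consumed: set = set()                           # nonces already used successfully


def _canonical(nonce: str, account: str, amount_cents: int, dest: str, expires: int) -> bytes:
    # Every field the human is asked to confirm goes into the MAC input.
    return "|".join([nonce, account, str(amount_cents), dest, str(expires)]).encode()


def _code(key: bytes, msg: bytes) -> str:
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big") % 10 ** CODE_DIGITS
    return f"{n:0{CODE_DIGITS}d}"


def issue_challenge(key: bytes, account: str, amount_cents: int, dest: str,
                    now: Optional[int] = None, nonce: Optional[str] = None) -> Tuple[dict, str]:
    """Server side: record the challenge, derive the code, send the code
    out of band together with the amount and destination it approves.
    `nonce` may be supplied only so tests are deterministic."""
    now = int(time.time()) if now is None else now
    challenge = {"nonce": nonce or secrets.token_hex(16),
                 "account": account, "expires": now + TTL_SECONDS}
    code = _code(key, _canonical(challenge["nonce"], account, amount_cents, dest, challenge["expires"]))
    # The message the user sees should read like:
    #   "Approve transfer of 2500.00 to DE89...: code 123456"
    # so that a mismatch between what they asked for and what is being
    # approved is visible to them; the server stores no copy of the code.
    return challenge, code


def verify(key: bytes, challenge: dict, submitted_code: str,
           amount_cents: int, dest: str, now: Optional[int] = None) -> bool:
    """Recompute the code from the transaction actually submitted.  If an
    attacker swapped the destination or amount, the expected code differs."""
    now = int(time.time()) if now is None else now
    nonce = challenge["nonce"]
    if now > challenge["expires"] or nonce in _consumed:
        return False
    expected = _code(key, _canonical(nonce, challenge["account"], amount_cents, dest, challenge["expires"]))
    if not hmac.compare_digest(expected, submitted_code):
        return False
    _consumed.add(nonce)        # single use: a captured code cannot be replayed
    return True
```

The essential property is that the code is a function of the amount and destination, so a phished code is worthless against any transaction other than the one the victim was shown. Note that since 2013 the SMS channel itself has come to be treated as weak (SIM-swap and SS7 attacks); the binding to the transaction is the part of this design that survives a change of channel to a push notification or a hardware token.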


                      #11
                      whoops, sorry to hijack thread

                      Whoops, looks like my view of security and privacy is not very up to date. Thanks for the information.


                      Originally posted by SteveRiley:
                      Unfortunately, it's not so easy as you might think. Security is hard.


                      Mechanisms exist for Linux and for Windows to do all of these. But they aren't used. Why? They seriously impede usability. Maintaining application allow-lists is a major chore, especially in large enterprises. Furthermore, they are generally trivial to circumvent. Malware can impersonate approved applications. Device drivers can talk directly to hardware, bypassing most operating system controls. And people don't know how to answer security dialog boxes.
                      Yeah, I guess the model of computer security doesn't work well when people bypass these... I guess this model is just not sufficient. How could we change this to allow devices to only be accessible through the proper channels?

                      Originally posted by SteveRiley
                      Hardware firewalls are custom-built (read: expensive) appliances mostly containing standard stuff: x86 CPUs, RAM, PCI-E bus, etc. All the smarts are in the software installed into the appliance at the factory. There is nothing intrinsic to such a design that makes it "more secure" than the same software installed on an off-the-shelf server.
                      This is true of course. But does a "software" firewall installed on my computer make it easier to bypass, circumvent, or hack? I guess I've always assumed that it was better to have a "hardware" firewall ala router.


                      Originally posted by SteveRiley
                      Biometrics are great identifiers. They are lousy authenticators. What's the difference? An identifier is claim, and necessarily must be public. An authenticator is proof of the claim, requiring a secret that only the claimant knows and a target can validate. Biometrics are not secrets. How do you revoke a finger? Read my article "It's me, and here's my proof: why identity and authentication must remain distinct."
                      Very good article on this. I enjoyed reading this. Also, just a comment, I worked at a company in the automotive industry where a contractor that provided the robotics and the computer interfaces used a visual basic interface that used logins. These logins, although technically they had a "name", you didn't login with the name, only the password.. Which is to say: 1) click <login>, enter password. Obviously this is not a good idea because the difficulty of penetrating the system lowers as the number of users increases.


                      Originally posted by SteveRiley
                      I am a big fan of this approach. Out-of-band transaction authorization wipes out entire classes of attacks. Phishing can become a thing of the past.


                      Originally posted by SteveRiley
                      Not a good idea at all. Traffic engineering, WAN optimization, and application profiling all become impossible in such a world, the cost of connectivity will rise, and performance will suffer. Firewalls will lose their ability to inspect traffic, negating the security they now provide.

                      Also, encryption is not getting easier to attack. 256-bit asymmetric encryption and 2048-bit symmetric encryption still require more time to defeat than the current age of the universe. I think that's good enough. Flaws, when found, are in implementations, not in algorithms.
                      Good information again.


                      Originally posted by SteveRiley
                      I've written previously that hiding your SSID gets you nothing; this not really a debatable point. The normal course of wi-fi creates probe frames and association frames, which by design contain your clear-text SSID regardless of how you've configured broadcast. Tools exist to sniff these from the air. Think back to my article about identifiers vs. authenticators. An SSID is an identifier. Trying to hide something not designed to be hidden will create a false sense of security, blinding you to the real threats. Obfuscation is not security.

                      Also: what's better in your mind than WPA2?
                      Okay, read that link too. Great information. To answer your question, the only thing that I can think of is WPA2 Enterprise.
                      15 Reasons to Use Enterprise WLAN Security




                      Originally posted by SteveRiley
                      Neither of these is possible in the real world, for they require perfection. Humans aren't perfect, and can never create something that is perfect.


                      You're still new here, apparently ... many of us regulars can carry on for quite a while sometimes.
                      Last edited by texaswriter; Aug 16, 2013, 09:47 AM.

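The hidden-SSID point quoted in post #11 (probe and association frames carry the SSID in clear text regardless of the beacon setting) is easy to see in the frame format. Below is an added example, not code from this thread, that parses the SSID element out of 802.11 management frames; the three sample frames are constructed by hand with made-up MAC addresses, so it runs without a capture.

```python
"""Recover the SSID from 802.11 management frames.  Disabling SSID
broadcast only blanks the SSID element in beacons; probe requests,
probe responses and association requests still carry it in the clear.
Added example; the sample frames and MAC addresses are constructed."""
import struct
from typing import Iterable, Optional

MGMT_HDR_LEN = 24                 # FC(2) duration(2) addr1/addr2/addr3(18) seq(2)
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ = 0x0, 0x4
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 0x5, 0x8
# length of the fixed fields that precede the tagged parameters, per subtype
FIXED_LEN = {SUBTYPE_ASSOC_REQ: 4,    # capability(2) listen interval(2)
             SUBTYPE_PROBE_REQ: 0,
             SUBTYPE_PROBE_RESP: 12,  # timestamp(8) beacon interval(2) capability(2)
             SUBTYPE_BEACON: 12}
IE_SSID = 0


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ies(body: bytes):
    """Walk tag/length/value elements; stop at a truncated element."""
    i = 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:
            break
        yield tag, val
        i += 2 + ln


def parse_mgmt(frame: bytes) -> dict:
    if len(frame) < MGMT_HDR_LEN:
        raise ValueError("frame shorter than a management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError(f"not a handled management frame (type {ftype}, subtype {subtype})")
    body = frame[MGMT_HDR_LEN + FIXED_LEN[subtype]:]
    ssid: Optional[str] = None
    for tag, val in _ies(body):
        if tag == IE_SSID:
            # zero-length or all-NUL SSID element is what a "hidden" beacon sends
            if val and any(val):
                ssid = val.decode("utf-8", "replace")
            break
    return {"subtype": subtype, "src": _mac(frame[10:16]), "ssid": ssid}


def ssids_seen(frames: Iterable[bytes]) -> set:
    """What a passive sniffer learns from a batch of frames."""
    found = set()
    for f in frames:
        try:
            info = parse_mgmt(f)
        except ValueError:
            continue                       # data/control frames, junk
        if info["ssid"]:
            found.add(info["ssid"])
    return found


# --- constructed sample frames -------------------------------------------
BCAST = b"\xff" * 6
CLIENT = bytes.fromhex("02aabbccddee")     # made-up station MAC
AP = bytes.fromhex("021122334455")         # made-up access point MAC
RATES_IE = (1, bytes([0x82, 0x84, 0x8B, 0x96]))


def build_mgmt(subtype: int, src: bytes, dst: bytes, bssid: bytes, fixed: bytes, ies) -> bytes:
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return hdr + fixed + b"".join(bytes([t, len(v)]) + v for t, v in ies)


# beacon from an AP with "broadcast SSID" turned off: SSID element is empty
HIDDEN_BEACON = build_mgmt(SUBTYPE_BEACON, AP, BCAST, AP,
                           b"\x00" * 8 + struct.pack("<HH", 100, 0x0411),
                           [(IE_SSID, b""), RATES_IE])
# the client looking for that network names it anyway
PROBE_REQ = build_mgmt(SUBTYPE_PROBE_REQ, CLIENT, BCAST, BCAST, b"",
                       [(IE_SSID, b"HomeNet"), RATES_IE])
ASSOC_REQ = build_mgmt(SUBTYPE_ASSOC_REQ, CLIENT, AP, AP, struct.pack("<HH", 0x0411, 10),
                       [(IE_SSID, b"HomeNet"), RATES_IE])
```

Feed real frames in from a monitor-mode capture (strip the radiotap header first) and `ssids_seen` gives the list of "hidden" networks that any client in range has been probing for or associating with.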


                        #12
                        Originally posted by texaswriter:
                        Whoops, looks like my view of security and privacy is not very up to date. Thanks for the information.
                        Security is what I do for a living

                        Originally posted by texaswriter:
                        Yeah, I guess the model of computer security doesn't work well when people bypass these... I guess this model is just not sufficient. How could we change this to allow devices to only be accessible through the proper channels?
                        Tighter coupling of the software to the hardware. But this comes with its own set of trade-offs: your ownership and control of the software is reduced. For those of us in the FLOSS world, that trade-off is unacceptable.

                        Originally posted by texaswriter:
                        This is true of course. But does a "software" firewall installed on my computer make it easier to bypass, circumvent, or hack? I guess I've always assumed that it was better to have a "hardware" firewall ala router.
                        Host-based firewalls are excellent for limiting inbound access to listening services that you can't stop or otherwise control. They are absolutely useless for stopping outbound access, contrary to what many people wish to believe. A firewall on a separate device is more appropriate for this function. It does not matter whether that separate device is a NAT router, a Linux box running iptables, or a Windows box running Microsoft Threat Management Gateway even. (Yes, TMG is one kick-ass firewall. Too bad Microsoft is discontinuing it.)

                        Originally posted by texaswriter:
                        Very good article on this. I enjoyed reading this. Also, just a comment, I worked at a company in the automotive industry where a contractor that provided the robotics and the computer interfaces used a visual basic interface that used logins. These logins, although technically they had a "name", you didn't login with the name, only the password.. Which is to say: 1) click <login>, enter password. Obviously this is not a good idea because the difficulty of penetrating the system lowers as the number of users increases.
                        That's a terrible design. It removes an important security principle: the ability to audit behavior. You cannot trace actions back to individuals when all actions take place in the context of a single login. Horrible, just horrible.

                        Originally posted by texaswriter:
                        Okay, read that link too. Great information. Too answer your question, the only thing that I can think of is WPA2 Enterprise.
                        WPA2 is the strongest wi-fi protection we have right now. WPA2 supports two forms of authentication: Personal and Enterprise. WPA2-Personal relies on secrets shared between supplicants (computers) and access points. WPA2-Enterprise relies on RADIUS-based authentication servers. Both offer equivalent protection of information over the air. Their differences lie in how authentication is performed. In a large enterprise, you really don't want to be manually configuring secrets on hundreds of APs and thousands of computers. Instead, you install digital certificates everywhere (easy to do with deployment tools) and configure a central RADIUS server to validate certificates and allow computers to connect to access points.

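Post #12 explains that WPA2-Personal and WPA2-Enterprise differ only in how the pairwise master key is produced. As an added example, not code from this thread, here is the WPA2-Personal derivation (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID) together with the offline guessing attack that a weak shared secret is exposed to. The "password"/"IEEE" vector is the published IEEE 802.11i test vector; the other passphrases and SSIDs are made up.

```python
"""WPA2-Personal PMK derivation and the offline guessing attack against it.
Added example; only the password/IEEE vector is from the 802.11i standard."""
import hashlib
from typing import Iterable, Optional


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is one more reason it cannot be a secret.
    WPA2-Enterprise does not use this at all: the PMK is produced by the EAP
    exchange with the RADIUS server, so no per-network secret is typed anywhere."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def recover_passphrase(candidates: Iterable[str], ssid: str, target_pmk: bytes) -> Optional[str]:
    """Offline guessing.  With a captured 4-way handshake, each guess costs one
    PBKDF2 run plus a cheap PTK/MIC check; here the check is simplified to a
    direct PMK comparison.  Nothing in this loop touches the network, so the
    only defence is the size of the space the passphrase was drawn from."""
    for guess in candidates:
        try:
            if wpa2_psk(guess, ssid) == target_pmk:
                return guess
        except ValueError:          # out-of-range length can never be the secret
            continue
    return None
```

Two practical consequences follow from the salt being the SSID: precomputed tables only work for common SSIDs (which is why the long random SSIDs mentioned in post #9 do help a little), and a passphrase reused across two networks yields two unrelated PMKs.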


                          #13
                          Originally posted by SteveRiley:
                          Security is what I do for a living
                          You sir are very knowledgeable!!

                          Originally posted by SteveRiley
                          That's a terrible design. It removes an important security principle: the ability to audit behavior. You cannot trace actions back to individuals when all actions take place in the context of a single login. Horrible, just horrible.
                          Sorry if I didn't make this clear. There were individual passwords that were tied to an individual name. You logged in with the password though and then the name popped up. But it is still horrible as you say, perhaps equally horrible as just one password.

