Truga posted:
> yeah, i'm not saying it's a good and i don't think it's even a feasible idea, but i think it'd take no less than that. if it's just penalties after breaches that's too late, and also big corps can just shrug off almost anything

Unless it was a percentage of average annual gross revenue over last (1, 3, 5) years. I really think a lot of financial penalties should be written that way, tbh.

Jan 24, 2018 21:53

To what extent is the speed of technology a function of it being insecure, poo poo code? Is it worth it to see technology grow at a much slower pace but with much stronger security from the get-go?

Jan 24, 2018 21:54

nope. if your system was built by unlicensed professionals and it stores pii you're punished severely to the same degree as acting as a lawyer without passing the bar, practicing medicine without being licensed, keeping books without an actual accountant, etc

Jan 24, 2018 21:55

I think government sponsored pentesters trying to own things as much as they can would do it. Basically the NSA TAO except with a mandate to report bugs to vendors and the ability to force them to fix the bugs when there is a meaningful well defined impact.

Jan 24, 2018 21:57

Rex-Goliath posted:
> nope. if your system was built by unlicensed professionals and it stores pii you're punished severely to the same degree as acting as a lawyer without passing the bar, practicing medicine without being licensed, keeping books without an actual accountant, etc

only if you get caught and it’s bad enough to warrant attention

Jan 24, 2018 21:58

oh wow only dole out punishments when people are caught?? let's not do anything hasty here

Jan 24, 2018 22:03

as a point of comparison this is what you have to do to write software that you can be 100% confident is free of logical defects: https://www.fastcompany.com/28121/they-write-right-stuff

and that's just compliance with spec for a static embedded device with no internet exposure

haveblue fucked around with this message at 22:07 on Jan 24, 2018

Jan 24, 2018 22:05

.. https://www.cnbc.com/2018/01/24/congress-asks-apple-intel-others-about-spectre-disclosure-delays.html Taviso is excited. This'll be fun.

Jan 24, 2018 22:38

the infuriating part isn't that older than dirt elected officials don't know the answer to this question, it's that nobody in their staff understands the reason well enough to explain it

Jan 24, 2018 22:40

it seems like they’re more concerned about it being kept secret from the smaller players, not so much about it being kept from the public

Jan 24, 2018 22:43

flakeloaf posted:
> the infuriating part isn't that older than dirt elected officials don't know the answer to this question, it's that nobody in their staff understands the reason well enough to explain it

normally I assume that the reason to keep it secret for that long is to get patches in place but then I look at what Intel put out and they might as well have started work in a panic two weeks before the deadline

Jan 24, 2018 22:45

did you actually look or did you figure that linus communication skills, suitable for a five year old, were sufficient to make a judgment?

Jan 24, 2018 22:55

Evis posted:
> it seems like they’re more concerned about it being kept secret from the smaller players, not so much about it being kept from the public

yeah it sounds like they may be trying to come up with a set of standards for disclosure processes so people aren't left out which on the one hand makes sense. having CERT act as a clearing house for the disclosure from the start could be good and would also have the benefit of shifting liability for the disclosure off the companies involved. On the other hand how much do you trust the feds to handle security on your behalf?

Jan 24, 2018 22:57

Cybernetic Vermin posted:
> did you actually look or did you figure that linus communication skills, suitable for a five year old, were sufficient to make a judgment?

I'm judging them based on the microcode patches being very broken, and that their linux patches should have been done more than a month ago. no need to trust linus

Jan 24, 2018 23:02

in effect you know gently caress all and just assume that things should have solutions, where this in reality is not at all necessarily true

Jan 24, 2018 23:08

Cybernetic Vermin posted:
> in effect you know gently caress all and just assume that things should have solutions, where this in reality is not at all necessarily true

/

FAT32 SHAMER fucked around with this message at 23:16 on Jan 24, 2018

Jan 24, 2018 23:14

seriously this was the initial question of meltdown/spectre: what if there is no actual fix? there are not necessarily microcode traps for every path, and it is pretty much a given that intel will be bankrupt before giving everyone affected a fixed processor, so there is not necessarily a simple blame game to play. the show must, actually, go on. somehow. also there is a decent chance that Intel has a lot of clever people working on best-effort solutions, and a fair chance that linus, being a literal (gifted granted) child is not at all helping

Jan 24, 2018 23:27

Rex-Goliath posted:
> nope. if your system was built by unlicensed professionals and it stores pii you're punished severely to the same degree as acting as a lawyer without passing the bar, practicing medicine without being licensed, keeping books without an actual accountant, etc

so then is this state licensure like other engineers have in the US? start with accredited degrees (ABET or by merit), add years of experience under guidance from other engineers, then pass a standardized exam. apply for comity in all states where you practice

the penalties for loving up aren’t that bad tbh and there’s industry exemptions so it would require some real teeth. I’d be interested to see a proposal that would work.

Jan 24, 2018 23:30

Hed posted:
> so then is this state licensure like other engineers have in the US? start with accredited degrees (ABET or by merit), add years of experience under guidance from other engineers, then pass a standardized exam. apply for comity in all states where you practice

Jan 24, 2018 23:33

Cybernetic Vermin posted:
> seriously this was the initial question of meltdown/spectre: what if there is no actual fix? there are not necessarily microcode traps for every path, and it is pretty much a given that intel will be bankrupt before giving everyone affected a fixed processor, so there is not necessarily a simple blame game to play. the show must, actually, go on. somehow.

there is a difference between "they should fix it 100% without a performance impact" and "whatever they do choose, it should function correctly after six months of high-priority development"

they failed at the latter.

Jan 24, 2018 23:36

i laughed really hard at that shabbos switch when he was all "I was sitting there in the dark in my living room after dinner and thought 'it's the 21st century! There's got to be a better way!'" like lmao

Jan 24, 2018 23:41

Dylan16807 posted:
> there is a difference between "they should fix it 100% without a performance impact" and "whatever they do choose, it should function correctly after six months of high-priority development"

i 100% think there is stuff that cannot be solved in 6 months at any price that may be solved in 12 cheaply, but i more fundamentally know there are things that are unsolvable in this context. intel should be made to pay at some point, but linus being a jackass about the engineering efforts is an incredibly bad mechanism to enforce that

tbqh states at some point need to start holding various computational processes to account, though the way there is pretty philosophical

Cybernetic Vermin fucked around with this message at 23:45 on Jan 24, 2018

Jan 24, 2018 23:42

like, how hard is it to make a microcode patch that does not crash your system

Jan 24, 2018 23:50

ymgve posted:
> like, how hard is it to make a microcode patch that does not crash your system

Jan 24, 2018 23:51

what if cybersecurity but google, you know, on the cloud

Jan 25, 2018 00:12

anthonypants posted:
> harder than one that crashes your system, but on the other hand it should be pretty easy to test for

Simply solve the halting problem, and you are golden.

Jan 25, 2018 00:19

Cybernetic Vermin posted:
> i 100% think there is stuff that cannot be solved in 6 months at any price that may be solved in 12 cheaply, but i more fundamentally know there are things that are unsolvable in this context. intel should be made to pay at some point, but linus being a jackass about the engineering efforts is an incredibly bad mechanism to enforce that

Like it or not, Linus is an authority figure on the Linux kernel. So he might actually know a thing or two about how bad this is.

Jan 25, 2018 00:30

we gonna have this licensure fight in this thread too?

the professional engineering exams for software engineering already exist. they are 100%, 1000% dog poo poo. someone would have to make them not dog poo poo before you would be able to use them for anything. there's no reason why they exist in the state that they do.

i'm deffo sure you can pass the fe exam without knowing how to code (because the software engineering fe exam has no coding section whatsoever, it's thermo and physics and other actual build poo poo engineering content), and pretty sure you can pass the full pe exam without knowing how to code

Jan 25, 2018 00:38

Jonny 290 posted:
> i laughed really hard at that shabbos switch when he was all "I was sitting there in the dark in my living room after dinner and thought 'it's the 21st century! There's got to be a better way!'"

ya it was p. good. like the dude trying to get some rando off the street to turn the bedroom lights out.

Jan 25, 2018 00:41

good luck developing your patches in secret, tested extremely thoroughly across all possible permutations, and not waiting a decade to get them released. despite all the complaints given the wide scope and everyone rushing to patch this has gone over rather smoothly

Jan 25, 2018 00:44

Evis posted:
> it seems like they’re more concerned about it being kept secret from the smaller players, not so much about it being kept from the public

They're more concerned with scoring political points with other technologically-ignorant olds than they are about the state of responsible disclosure in the industry.

Jan 25, 2018 00:55

CommieGIR posted:
> Like it or not, Linus is an authority figure on the Linux kernel. So he might actually know a thing or two about how bad this is.

i aint trustin no dude that realizes an arch is hosed up and keeps slamming his dick into a keyboard writing kernels for it and angry mailing list msgs about it

Jan 25, 2018 00:57

Jonny 290 posted:
> i aint trustin no dude that realizes an arch is hosed up and keeps slamming his dick into a keyboard writing kernels for it and angry mailing list msgs about it

sorry folks, we are cancelling support for Linux on x86.

Jan 25, 2018 01:08

Jonny 290 posted:
> i aint trustin no dude that realizes an arch is hosed up and keeps slamming his dick into a keyboard writing kernels for it and angry mailing list msgs about it

oh come off it, you ain't trustin' nobody no how anyway

Jan 25, 2018 01:12

Farmer Crack-rear end posted:
> oh come off it, you ain't trustin' nobody no how anyway

any yosposter has a standing offer to come pet the cats if they visit denver, but im smokin u out and we dont play around

Jan 25, 2018 01:37

Shaggar posted:
> yeah it sounds like they may be trying to come up with a set of standards for disclosure processes so people aren't left out which on the one hand makes sense. having CERT act as a clearing house for the disclosure from the start could be good and would also have the benefit of shifting liability for the disclosure off the companies involved. On the other hand how much do you trust the feds to handle security on your behalf?

didn’t CERT used to do this in the 90s? I’m pretty sure we worked with them on some embargoed issue.

Jan 25, 2018 02:55

Avenging_Mikon posted:
> Question time!

the problem isn't writing the laws, the problem is enforcing them

food/fire safety laws work because an inspector can walk in and shut your poo poo right down on the spot if they feel you're not in compliance, and if something bad happens because you were violating them then people - even top execs - can end up in jail for it

Jan 25, 2018 07:27

Subjunctive posted:
> didn’t CERT used to do this in the 90s? I’m pretty sure we worked with them on some embargoed issue.

They still do, not only US-CERT but also Carnegie Mellon CERT aka CERT/CC. I've worked with both extensively on certain hyped vulnerabilities. (And non-hyped but arguably worse vulns lol)

Btw it's dumb to just say "CERT" because there's hundreds of them globally and in the US specifically it's unclear if you mean US-CERT or CERT/CC.

Jan 25, 2018 08:23

spankmeister posted:
> They still do, not only US-CERT but also Carnegie Mellon CERT aka CERT/CC. I've worked with both extensively on certain hyped vulnerabilities. (And non-hyped but arguably worse vulns lol)

yeah, I was thinking of US-CERT, my bad

Jan 25, 2018 09:23

I have really been following Linus being a loud rear end in a top hat, but from what little I saw, I got the impression that he's primarily pissed about how Intel's response is very clearly being run by their lawyers and not their engineers. He seems to be OK with the current gross mitigations because he knows they're temporary. The thing that he's infuriated about is that Intel's future plans seem to be continuing shipping CPUs that are broken, but including a MSR that you can write 1 to once at bootup and then the CPU becomes fixed with no additional effort. Which makes no loving sense at all unless you realize that Intel's lawyers are trying to cling to a delusional fig leaf that every Intel CPU ever made is not in fact broken, you're broken, and Intel has magnanimously designed a feature that allows broken operating systems to easily work around the OS's brokenness because it is definitely your fault and not Intel's.

Jan 25, 2018 09:55