Please provide specific details as others have said - this comment just sounds like you just had something vaguely related to security that you wanted to mention.
There's an entire field of research dedicated to figuring out what we'll replace those algorithms with if quantum computing does become practical on a significant scale: https://en.wikipedia.org/wiki/Post-quantum_cryptography
Yes. Something you don't know about can and may well kill you. These are the lessons of geography, astronomy, and physics. Crypto and computer security may well have the same properties.
"In the comments section of the Antonoupolos’s talk, reddit user @cfromknecht explains that there are flaws to the Elliptic Curve Digital Signature Algorithm (ECDSA), and it is very possible that quantum computers will be able to work faster than the transactions, therefore beating the encryption. “Whenever you spend bitcoins, you must include a signature that approves the spend, which is done using ECDSA” they explain, “If these signatures can be broken faster than transactions can be confirmed, an attacker could sign a different transaction that spends your coins before the original transaction is ever accepted.”
https://en.wikipedia.org/wiki/List_of_unsolved_problems_in_m...
Seriously though, I'm talking about something qualitative here. When I read about these side-channel attacks yesterday I had this crazy gut feeling about how exposed our technologies are to those who learn to understand them deeply.
There's a complementary kind of arrogance to the one you've suggested: "anything I don't understand couldn't possibly be a threat... since I could never easily exploit it, it'd be way too hard for someone else to."
But have you listened to the radiolab about the z-cash cryptography ritual? It's very enjoyable and has a spooky surprise ending:
In contrast, even if we suddenly solved the engineering challenges of building a large quantum computer, it would likely take a while for the economics to work out where a quantum based attack would be economical. For one, for the foreseeable future, quantum computers would be expensive (needing high cooling at a minimum), so a 'casual' attacker would need to wait for an economical rental type service to emerge. Also, it would take time to scale up production, so the first bunch of quantum computers will be expensive due to market pressures from big players.
In reality, it is likely that quantum computers would see a gradual (even if exponential) rise in power that would give some idea of a timeline for when we have to adapt. Not to mention that research into replacing quantum-vulnerable crypto with quantum-resistant crypto has been going on for over a decade, and has already led to (seemingly) quantum-resistant replacements.
The JS thing is a huge deal so someone might get their online banking credentials stolen and then account emptied. In which case, how helpful are the banks in helping to recover the money?
On the cryptocurrency side people need to secure their own money and ensure they don't open some shady ICO site. So stolen credentials means the money is gone forever.
Edit: FDIC insurance is applicable for the banks, i.e. if the banks get hacked. The question here is on individuals getting hacked. I am not able to find if FDIC covers that.
Basically your fraud protection involves your responsibility to notify the bank, and the bank's responsibility to refund the money if you notified them in time. Check your statement or balance at least once every 60 days and report fraud immediately, and you can't lose more than $500.
Fraud and theft are not covered by FDIC insurance. FDIC insurance protects your balance, up to a limit, if the bank fails or if there is a run on the bank.
But in the case of the bank being hacked, I could imagine it affecting enough accounts that the bank cannot cover it. Would that count as the bank failing (or perhaps a run on the bank?), and so then be covered by FDIC insurance?
Finally, suppose the hack is a case of financial terrorism. Say, a state sponsored group is trying to undermine confidence in the banking system and so wants to be as disruptive as possible. Instead of just getting in and stealing some money, they have been in for months and have been sabotaging things. They mucked with the backup procedure to make it so the backups are corrupt, and the bank unwisely did not do actual restore tests on samples to check things. Finally, the hackers set everyone's account balance to zero (or more fun, delete everyone's account).
So now my bank has no idea how much money I'm supposed to have (or even if I'm a customer). They fail and FDIC steps in. Do the banks have to periodically give the FDIC or other regulators lists of accounts and balances, so that FDIC would be able to at least figure out things up to the last month, say, or would the FDIC also have no idea who gets what?
Completely. These are banks we're talking about, not bitcoin exchanges.
Spectre2 should allow malicious JavaScript to read data from other processes.
Running browser tabs in separate processes (e.g. Google Chrome's new Site Isolation) should protect data from Spectre1 alone but not Spectre2.
See the table here:
https://security.googleblog.com/2018/01/more-details-about-m...
If that's not right I'd love to be corrected.
Probably no known exploit of this yet.
Last few tickets I filed with Coinbase took days/weeks/never to get a response. Others seem to have a similar experience: https://www.reddit.com/r/Bitcoin/comments/735yqe/how_do_you_...
>> However, there are a few actions you should take right now to limit your exposure ...
None of the actions suggested includes the action of keeping cryptocurrency in the user's own deterministic wallet to avoid any exposure from Coinbase side.
Speaking as a layman:
Running on the same physical core is a pretty common case on laptops.
Sharing a library with your target is probably a very common case. For instance, libc.
Only run Javascript on domains you really need and trust, and even then the minimum amount required for the site to function.
This is so inconvenient that practically no one is going to do it. I used to use NoScript but found I was just constantly clicking "temporarily allow."
My understanding is that Spectre will allow an attacker to read any memory anywhere in userspace, so yes, that would include the clipboard. Meltdown is just an enhancement to Spectre that allows it to also read into kernel space (ring 0). Spectre is the systemic issue that accurately deduces memory values based on CPU cache heat. Meltdown is the implementation-specific issue, which affects many ARM SKUs and virtually all Intel SKUs, that makes privileged memory susceptible to the same.
But I'm just inferring that from Google's security blog posting; I can't say with real expertise.
Would love for an expert to chime in.
The same way issuing a new session token for each login improves security. If the changes are unpredictable, whatever process an attacker uses to guess the correct target must be restarted every time the target changes.
1) Worst case scenario, it only allows you to read the memory of systems running validator nodes. There aren't very many of these (tens of thousands perhaps) and they generally don't store particularly valuable secrets. A small number of them may store private keys to Eth accounts with a small amount of Eth, but that's not typical operating procedure.
2) The EVM doesn't have any internal mechanism for measuring time (beyond existing blocks), so any timing attack within the EVM would require some very clever way of measuring time.
However, the block-lattice cryptos like RaiBlocks that find a way to build in concurrency and shared memory might be different.
Wait, doesn't that just spray their sensitive information over more and more machines that may or may not be sufficiently wiped before it's reassigned to someone else? Or increase the chance they encounter someone running one of these exploits panning for digital gold in the other users' RAM?
sam.ns.cloudflare.com sue.ns.cloudflare.com
A direct-connect IP address was found: coinbase.com 107.21.102.138 UNITED STATES
Previous lookups for this domain:
2015-04-28: coinbase.com 107.21.102.138 UNITED STATES
2015-02-28: coinbase.com 54.243.122.18 UNITED STATES
http://www.crimeflare.us/cgi-bin/cfsearch.cgi
---
They've also used the same EC2 IP address for 3 years, so the claim is bullshit.
Now more than ever, this statement just does not compute. What good reason could something as sensitive as Coinbase have to remain on a third-party cloud provider and let Amazon hold the keys to the kingdom, especially after this disclosure that informs us that our imagined VM sandboxes have been a fairy tale all along?
There's a secret from a time not so long past that makes these attacks nearly-irrelevant: "don't run untrusted code". Maybe the corollary "don't run on hardware that runs untrusted code" is necessary (though I personally feel it's a little redundant).
It's embarrassing that Coinbase would continue to expose their application to this attack surface after yesterday's disclosures. Honestly, it should've been that way before; this isn't the first time VM isolation has been broken, and it won't be the last. It's just the least-fixable breakage so far.
> Sensitive workloads, especially where key handling is involved, run on Dedicated Instances (instead of shared hardware). Where we do run on shared hardware, we make it more difficult to accurately target one of our systems by rapidly cycling through instances in AWS.
I'm quoting this just because I know people will say I'm excluding the context if I don't. If you're going to run on "dedicated instances" anyway and pay the huge price premium for them, there's no reason to continue to put your secrets in Amazon's hands.
Little ragtag startups may use the excuse "We're scared of real sysadmins, they will laugh at us because they're over 25", but that excuse should not work for something as big and serious as Coinbase.
Playing Instance Roulette by "rapid cycling [instances]" in hopes that you get away from any bad neighbors ASAP is extremely silly, please give me a break. Just buy some hardware. How is this so hard?
No one has been running their own datacenter for a while.
Take a gander at http://reddit.com/r/coinbase and weep...
They answered fast.