---------- Forwarded message ----------
From: iang <iang@iang.org>
Date: Wed, May 10, 2017 at 10:25 AM
Subject: Re: [Cryptography] Big ugly security problem in post-2008 Intel chipsets.
To: cryptography@metzdowd.com

On 07/05/2017 18:38, Peter Todd wrote:
On Sat, May 06, 2017 at 11:28:38PM -0400, iang wrote:
On 01/05/2017 22:40, Ray Dillinger wrote:

Unpopular opinions! I think there was an element of truth in all that, but two things changed - one was the evolution of serious criminal gangs which industrialised the process. The second was the rise of cyberwar... although the jury's out as to whether this was caused by e.g. Obama's OLYMPICGAMES or as a natural evolution, a tit for tat.

Cryptocurrencies have also forced cryptocurrency-related companies to adopt vastly improved security because thieves can directly steal money.
Yes, this is why financial cryptography was always more fun. It has the tightest feedback loop - get it wrong and you get robbed. This tight feedback loop is mostly absent in other forms of cryptography such as privacy, retail commerce (aka SSL & passwords), political / natsec and military. Which means, in financial cryptography as opposed to the others, we learn the fastest, assuming we're capable of that.
Additionally, there's a second, less-obvious effect of the above: non-cryptocurrency-related companies are getting hacked by thieves trying to gain access to user data that in turn will let them hack other targets with cryptocurrency holdings. For example, phone companies are frequently getting social engineered to exploit their customers' 2FA setups, and in turn, exploit cryptocurrency accounts at stuff like exchanges.
Right. We always knew that the phones were an inadequate 2FA simply because they were relatively easy to attack. And once the stakes were high enough, they were attacked. Now, for online banking, this was sorta maybe ok because the online banks also had other security layers inside the banks, so using the phone was their cheapest widespread option. But this fell apart for cryptocurrencies which typically did not have other layers of protection (ok, they had verbal protections like multisig and and and).

The interesting thing is that people wake up and blame the telco. But it was never the telco's threat model to protect bitcoin or online banking...

iang

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography