Re: Tor exit nodes



Matt Taggart dixit:

>> Also, consider ecosystem monoculture: if everyone uses the same
>> kind of token things might get interesting, consider monoculture
>> in agriculture…
>
> .. and the award for Best Prediction of the Future goes to Thorsten
>
> https://dan.enigmabridge.com/roca-critical-vulnerability-in-infineon-security-chips/

To my excuse, I did not know about this particular vulnerability.

I was, however, aware that such embedded devices do not normally
have good sources of randomness, and that they run specially
tailored code (which means less exposure, less testing, fewer eyes
on them), but I think both of those were common knowledge, and that
most people wouldn’t generate a key on such a device (although I’ve
read reports of people doing that by booting from a live CD,
immediately generating a keypair, uploading the secret key to a device,
then trying to eliminate traces from RAM etc. and I was shocked and
told them about the “needs entropy” issue; I got one to redo their
key completely).

Monoculture *is* a problem with them, though. I learnt (in this
thread, I think) that device makers need to go through lots of
bureaucracy to get them approved (especially in the EU), and,
next prediction, I’m just waiting for a major EFI breakdown
(AFAIHH they all derive from Tiano, which is as big as, if not
bigger, a codebase than the Linux kernel).

Sometimes, KISS is good. I personally just sign on a different
computer. But, to each their own.

Oh, sorry for the long sentences, it’s getting late.

Have a nice day,
//mirabilos
-- 
<igli> exceptions: a truly awful implementation of quite a nice idea.
<igli> just about the worst way you could do something like that, afaic.
<igli> it's like anti-design.  <mirabilos> that too… may I quote you on that?
<igli> sure, tho i doubt anyone will listen ;)