Holy Jesus, that's a lot of money. Has anyone credible ever done any market sizing of the BTC services or hardware markets? At first blush it is hard for me not to estimate the BTC-specific hardware market as being less than $200MM, even when you add up everyone's revenue since the dawn of time. It looks like Avalon's total sales so far have been less than $10MM.
I assume this has to be about inventory - some kind of line of credit that allows them to offer customer financing, shift away from their pre-order system, or some kind of upfront cost associated with a process upgrade.
It's hard to believe there is much money to be spent on R&D for ASIC hashing, or that they would gain much via some big marketing campaign.
Wow, the US Attorney is really going out of his way to fill this one up with bullshit. I knew something was very wrong when Goodin claimed hundreds of millions in losses on a carding ring, and it didn't take long to find it. The only people that would pay $50 for anything having anything to do with credit cards would be FBI investigators. Hell, they're the only ones that would pay one tenth that.
Software is fundamentally broken in some way such that it just gets harder and harder to keep a lid on, the more effort we make. There is money to be made selling inflatable rafts before a tsunami, but it's pretty depressing work, and pretty much everyone is still going to die. The only semi-workable answers are air gapping and drastically reducing the size of your code base, and neither is working that well for people, nor is anyone much willing to do it. Look at Google ChromeOS: one of the lowest-attack-surface PCs on the market, and it was designed from the ground up assuming they'd get owned regularly. Very few other orgs are doing either one.
"...the erosion of confidence in the ability of the United States to do anything discreetly or keep anything secret."
An amusingly worded statement, perfectly delivered in intelligence speak. Because Mr. Hayden is so crucially aware of how improbable it is for anyone to keep anything secret at all anymore, he's only worried about people's misplaced confidence in secrecy being rationalized. The IC banks on people's impression that secrecy is still practical, but certainly once you realize that the people most aware of the porous nature of data networks can't even stop their secure-side documents from leaking en masse, nobody less focused will consider their documents private.
It's a classic double-edged sword: the intelligence community had been the primary driver of innovation in computer and network defense strategies. But somewhere between the beginning and the end of the development of TPM, they decided that insecure computers were so valuable as an asset that it couldn't be risked that they might fund research that might accidentally result in some real level of defense.
If General Alexander spent a tenth the money on defense as he does on offensive teams and research and bugs, maybe they'd actually have more advanced strategies than air gap and pray. But once the basic judgement was made that software quality issues appeared to make computer security NP-complete, they basically gave up on the problem. Thus began the race to exploit and backdoor the world, which we took an early lead in but which has led to a lot of blowback when not everyone was as concerned as we were with not sharing the benefits with private industry. Now the big states know more or less everything about each other, while US multinationals essentially have to horse-trade for even basic information sharing about active intrusions on their networks. Meanwhile the only people left in the dark are members of the public who are trying to play by the rules.
The idea that a serious compromise will present a clear path back to a specific SSH key that got used by the attackers, and that you'll possibly be able to stop it just by turning off that key, is pretty laughable. But then again, so is protecting your core infrastructure with 1.5-factor Android soft tokens. Google isn't even willing to make it sound like especially strong protection for your Gmail account. How much for a CAC-style PKI infrastructure? Hard to believe it's more than $50-$100/seat for a small organization. If you're worried about figuring out which employee got his phone dropped after your whole backend got molested, perhaps an actual security posture would be more suitable.
What percentage of those Android phones would you say are upgraded to a level where they don't have any publicly announced CVEs against them that allow for RCE or close enough? Like 5 or 10 percent? I agree that it's better than a single secret, but how does a soft token count as "something you have" if it can be stolen from your phone and not end up "missing"? My Google Authenticator secret continued to work without a hiccup after Apple repaired and wiped my phone and I restored from their cloud backup service. That's not too bad for keeping my voicemail private, but it's a pretty weak protection for sudoers on boxes that are pretty much critical to your company existing.
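The point above about a soft token surviving a wipe-and-restore comes down to how TOTP works: the "token" is nothing more than a shared seed, and any copy of the seed (a cloud backup, a screenshot of the enrollment QR code, a dump of the authenticator's database) produces exactly the same codes as the phone. The following is an added example written for this page, not code from the commenter or from Google Authenticator; it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and shows that a cloned seed is indistinguishable from the original. The seed value is the RFC 4226 test-vector secret, chosen so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def seed_from_base32(b32: str) -> bytes:
    """otpauth:// provisioning URIs carry the seed as unpadded base32."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def clone_is_indistinguishable(seed: bytes, unix_time: int) -> bool:
    """Model the scenario in the comment: the original phone and a device restored
    from backup both hold the same seed. A server validating the code cannot tell
    which one produced it, so the 'something you have' was never unique."""
    phone = seed
    restored_from_backup = bytes(seed)  # a byte-for-byte copy, e.g. via cloud backup
    return totp(phone, unix_time) == totp(restored_from_backup, unix_time)


# RFC 4226 Appendix D test secret, ASCII "12345678901234567890"; constructed input.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Counters 0 and 1 should yield 755224 and 287082 per RFC 4226.
    for c in range(3):
        print(f"HOTP counter={c}: {hotp(RFC4226_SECRET, c)}")
    # RFC 6238 gives 94287082 for SHA1 at T=59; the 6-digit form is 287082.
    print("TOTP @59s:", totp(RFC4226_SECRET, 59))
    now = int(time.time())
    print("clone matches original:", clone_is_indistinguishable(RFC4226_SECRET, now))
```

Note that nothing in the validation path involves the device: the server only checks that the submitted digits match HMAC(seed, floor(t/30)), so whoever holds a copy of the seed passes. That is the difference from a CAC-style smartcard or hardware token, where the private key is generated on and never leaves the device, and a lost or cloned credential actually goes "missing".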
Out of curiosity, how do those Krait cores compare to the Exynos A15-based cores that Samsung is shipping in volume? I've been very impressed with their performance on ChromeOS as compared to older IP. With Xen now building with A15 HVM support, it would seem to make it easier to make use of that 2 GB of RAM. It's hard to believe that Android is really going to do much with that aside from the browser.
If you train your users to accept self-signing, you might as well just give up on PKI. It appears from the Chromium pinning list that they really do let anyone add a pinning rule for themselves if they want to; that would probably be the most practical. I'm not sure of the status of pinning support in other browsers.
I wish CNET didn't write this article like they thought they were CNN or USA Today. What are we supposed to make of the phrase "master keys"? It doesn't seem like they are talking about root CAs. Is it really practical to try to collect and use all of the multitude of last-link-in-the-chain endpoint certificate keys? Those seem to change quite often and can be quite numerous. Demanding sub-CA or company-wide middle-chain keys would seem to be more manageable, but that would suggest both that they're really worried about people watching for signing-chain anomalies, since presumably they have at least a few root CA privates, and that they are willing to sit in the middle rewriting traffic.
Perhaps this is a response to growing use of certificate pinning? Facebook apparently has joined Google in using pins, and I was recently told that Microsoft is enabling pinning as an option in EMET 4. But if that was the issue, that would tend to suggest they had been previously accustomed to rewriting some of these providers' traffic with unlikely root CAs, something which people have been keeping an eye out for and which to my knowledge has never been caught in the wild.