So should or should not an embedded system have a remote management
interface?
In this case, heck, no. The whole point of this thing is that it is
NOT remotely programmable to keep malware out.
If you have a modest and well-defined spec, it is well within our
abilities to produce reliable

On Mon, Nov 16, 2009 at 11:30 AM, Bernie Cosell ber...@fantasyfarm.com wrote:
As I understand it, this is only really a vulnerability in situations
where a command to do something *precedes* the authentication to enable
the command. The obvious place where this happens, of course, is with

On Nov 16, 2009, at 12:30 PM, Jeremy Stanley wrote:
If one organization distributes the dongles, they could accept
only updates signed by that organization. We have pretty good
methods for keeping private keys secret at the enterprise level,
so the risks should be manageable.
But even then,

On 11/12/09, David-Sarah Hopwood david-sa...@jacaranda.org wrote:
Sandy Harris wrote:
On 11/8/09, Zooko Wilcox-O'Hearn zo...@zooko.com wrote:
Therefore I've been thinking about how to make Tahoe-LAFS robust against
the possibility that SHA-256 will turn out to be insecure.
[...]

Jonathan,
Anyone care to give a layman's explanation of the attack? The
I find this paper to be useful:
http://www.g-sec.lu/practicaltls.pdf
Cheers,
Stefan.
--
Stefan Kelm sk...@bfk.de
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstrasse 100

On Mon, Nov 16, 2009 at 11:20:27PM -0500, Jerry Leichter wrote:
I'm not sure that's the right lesson to learn.
I might have, perhaps, phrased it a little better. Regardless of
initial planning, TI continued selling devices relying on this
particular code signing implementation well past what the

On Tue, Nov 17, 2009 at 01:35:12AM -, John Levine wrote:
So should or should not an embedded system have a remote management
interface?
In this case, heck, no. The whole point of this thing is that it is
NOT remotely programmable to keep malware out.
Which is perhaps why it is not a