Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Thursday November 09 2017, @03:19AM   Printer-friendly
from the code-by-john-hancock dept.

Submitted via IRC for SoyCow1984

One of the breakthroughs of the Stuxnet worm that targeted Iran's nuclear program was its use of legitimate digital certificates, which cryptographically vouched for the trustworthiness of the software's publisher. Following its discovery in 2010, researchers went on to find the technique was used in a handful of other malware samples both with ties to nation-sponsored hackers and, later on, with ties to for-profit criminal enterprises.

Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What's more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. In total, 109 of those abused certificates remain valid. The researchers, who presented their findings Wednesday at the ACM Conference on Computer and Communications Security, found another 136 malware samples signed by legitimate CA-issued certificates, although the signatures were malformed.

Source: https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by JNCF on Thursday November 09 2017, @09:50PM (3 children)

    by JNCF (4317) on Thursday November 09 2017, @09:50PM (#594863) Journal

    totally get the "gold rush" incentive that is continuing to work so well to blow up blockchain schemes via speculative support,

    You're correct that this is an effect, but it's important to note that there are miners turning a profit without engaging in long-term speculation. They're still "speculating" in the sense that they spend money on infrastructure hoping that prices stay high enough for their mining-rigs to pay off before obsolescence, but they're dumping whatever they mine almost immediately and holding fiat (or some other currency/commodity). I have no idea what percentage of miners this is, but it's economically viable to mine bitcoins (given the right conditions) without speculating that it will go up in value.

    does a transaction verification system really need a blockchain to function properly?

    Depends on the system. If it's just for you and your friends, no. If it's a global network of nodes with One True Ledger and no trust in any particular party, maybe. I don't know of a better system, but I could be ignorant of it, and it could be invented tomorrow. See AC's comment above. Webs of trust are great for some things, but trustless systems are pretty cool too, and I think they're a better fit for a global ledger.

    Intrinsically hard problems that a large number of people compete to solve: bad.

    Proof-of-Work, which Bitcoin and Namecoin use, is only one method of mining. There are Proof-of-Stake algorithms, and others. I'm not going to defend them, but I do want to note that this isn't actually an objection to blockchains in general, just the blockchains being discussed here.

    We're drifting away from the topic of code-signing and into the topic of digital currency now, but here goes: mining gold is hard. Collecting specific shells and carving them into wampum beads is hard. If gold and wampum beads were easy to obtain, they would never have been used as currency. We would have been trading something else that was comparatively hard to get, and therefore rare. The barrier doesn't have to be burned CPU cycles, but there needs to be something that makes it difficult to create whatever we're using as digital assets. I'm very interested in alternatives to PoW, but I haven't been sold on any. Shit-lord extraordinaire Curtis Yarvin (AKA Mencius Moldbug) has a scheme for allocating namespaces for Urbit wherein he starts with them all, and then sells them. It solves the problem of costly token generation and rarity, but at the cost of extreme inequality in starting positions.

    When replying to your earlier post, I was trying to keep on the topic of registering namespaces and private keys. But since this story is a little less fresh now, and the horse is out of barn, I'm gonna dredge up a point you made earlier.

    I don't want to spend $5 every time I want to verify a transaction, and when Bitcoin et. al. lose their speculative glamour and start paying their own bills, that's what transactions are currently costing. Maybe they can trim on that and get to $0.50 per transaction, but that's still too damn high for mainstream applications. The whole "compounded work" aspect of blockchain makes it a loser for microtransactions right out of the gate.

    The low costs of transactions today compared to the expected costs of transactions in the future is really due to block rewards, not speculation. If miners were operating at a loss to include transactions that don't make financial sense* as a speculation that some meager fee will be worth more in the future, they'd be better off not bothering and just buying coins on the open market. Block rewards are what keeps fees low in the present, not speculation. With the exception of some charitable True Believers, miners are including transactions because it makes financial sense for them to do so. I haven't been following fees lately (it's been a while since I've made a non-testnet transaction), but I know a few months ago Bitcoin fees were getting out of hand because of artificial limits on block size (1 MB per block, IIRC). Since not all transactions could fit in a given block, miners were only including the ones that had the highest fee-per-bit, and users were attaching higher fees to compete for room on blocks. The block size limit is there for security reasons, but it could be raised substantially. Bitcoin Unlimited would like to see it go away entirely, and I love them for that. Last I checked Bitcoin core was talking about increasing it after implementing Segwit, but I dunno if they followed through on that. I don't know what the free market would decide fees should be without block rewards and block size limits, I'd love to see. Satoshi speculated that fees should be lower than credit cards. Your $5 number is also speculation, of course; neither of us can tell how much block rewards impact the rate miners and users will settle on once they go away.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by JoeMerchant on Thursday November 09 2017, @10:34PM (2 children)

    by JoeMerchant (3937) on Thursday November 09 2017, @10:34PM (#594886)

    >there needs to be something that makes it difficult to create whatever we're using as digital assets.

    Paper $100 bills don't seem to be very difficult to make at all, the only thing that keeps them from being readily copied is the action of the treasury department (a whole other kettle of fish...)

    My speculation of $5 fees is a rough estimate I read somewhere (granted, not the most reliable source of information: vaguely remembered internet stories), but it would seem to track reasonably well with the cost of electricity multiplied up by the number of miners who compete to complete a transaction, not to mention the housing, maintenance and depreciation costs of the mining gear itself.

    In the "old days" when credit cards were imprinted on carbon paper, they were only accepted for transactions of $10 and more, and there were big buildings full of credit slip processors (people) - one huge one I remember was on the bank of the Miami River... cost of processing a credit transaction was quite high then, especially when you take inflation into account. They have gotten much better today, though I think 1.75% is still a pretty ridiculous tax on transactions.

    To circle back around to the original topic, whatever scheme is used, it would be desirable to keep the costs of processing low. Blockchain seems to be a solution in search of problems at the moment, and I don't think many people appreciate the distributed costs associated with the solution, just like nobody seemed to understand the inherent non-anonymity of blockchain 5 years ago.

    --
    🌻🌻 [google.com]
    • (Score: 2) by JNCF on Friday November 10 2017, @05:17AM (1 child)

      by JNCF (4317) on Friday November 10 2017, @05:17AM (#595040) Journal

      Paper $100 bills don't seem to be very difficult to make at all, the only thing that keeps them from being readily copied is the action of the treasury department (a whole other kettle of fish...)

      You hit the nail on the head, right at the end. The government uses their monopoly of violence to enforce their monopoly of inflation. Secret printing methods aside, this is what keeps paper money roughly as scarce as they want it to be. It is hard to make and use paper money without going to prison. If it wasn't, inflation would skyrocket and people would start trading something else.

      it would be desirable to keep the costs of processing low.

      Agree, all other things being equal. All other things are not equal at the moment. I would love to hear a proposal for an alternative to PoW that keeps all of its upsides without burning CPU cycles. I don't have any.

      Blockchain seems to be a solution in search of problems at the moment

      Disagree. Bitcoin seems to be extremely useful as a means of exchange on darknet blackmarkets. The circumvention of meddling from powerful entities is sort of the whole point. Namecoin, while not widely used (at least to my knowledge), is in a position to replace ICANN overnight if need be. Even as a dormant exit-strategy, I think it has value. The obviousness of this use-case is why it was the first altcoin. The Ethereums already have decentralised crypto trading running on them, and websites that can stay running with no interaction from the administrator. If you were interested in running a website pseudonymously, this would be an interesting alternative to TOR (better for some cases, worse for others).

      • (Score: 2) by JoeMerchant on Friday November 10 2017, @01:28PM

        by JoeMerchant (3937) on Friday November 10 2017, @01:28PM (#595107)

        >Disagree. Bitcoin seems to be extremely useful as a means of exchange on darknet blackmarkets. The circumvention of meddling from powerful entities is sort of the whole point.

        Well, sure, that's obvious. It also seems obvious to me that if the powerful entities prone to meddling decide to, they can effectively end Bitcoin and friends; at least as effectively as they have ended, say, child pornography.

        At the moment, I wouldn't be surprised if the inherent traceability of blockchain is why the meddling powerful entities are letting it run - much easier to participate in the blockchain to keep tabs on "terrorist funding" than to track down the more traditional funding schemes.

        --
        🌻🌻 [google.com]