Notes from George Cox’s Talk


Notes on George’s security design talk:

Security as an afterthought, aka add-on, aka “wax job” == fail

The security of a product is a lifecycle consideration (you can’t “fire and forget”); field remediation will be necessary

Secure hardware design requires cross-module thinking

Time to market == time to money

Avoiders focus on cost, security professionals focus on value

Remote reprovisioning functionality  built into computers these days, great for good guys, great for bad guys if done poorly


9 Responses to “Notes from George Cox’s Talk”

  1. David Colvin Says:

    Does anybody know of any end-user/home-user services that utilize the remote management features embedded in the new Core2?

  2. Michael Qin Says:

    Can someone explain what remote reprovisioning is? Thanks

  3. diabolicalmdog Says:

    Tools built into hardware/firmware/bios that allow you to install a new OS remotely without having to boot the OS on the computer (which is infected). Take a look at “network boot” or bootp for some of the older iterations of this idea.

  4. Andrew Muldowney Says:

    A bit older but when talking about hardware control I was reminded of this again.

  5. Andrew Muldowney Says:

    Talk about the need for hardware security/integrity. If you can force software to what you want at a hardware level, whats the point of software security?

  6. Abhishek Chhikara Says:

    Found this paper which provides some insight into secure hardware design

  7. Antonio Says:

    What is cross- module thinking?

  8. diabolicalmdog Says:

    George demonstrated how data may be secure from raw access within a certain hardware or software module, but when it passes to another part of the system it’s readable. By cross-module thinking, I mean security design with the thought in mind that all the hw/sw modules you’re creating for a system have to be integrated into each other such that the whole system is secure, not just being able to say that each module is secure in isolation.

  9. Rohit Sinha Says:

    The whole cross-module thinking can be related to end user application and a database setup. If there is a authentication module on say a website, if the password and corresponding username is sent over a unsecure channel, then even if the database stores everything encrypted, anyone can capture the data during the transfer. The different hardware modules are like the different computers that are interconnected by a network. So in order to make that authentication module secure, you must either send it over a encrypted channel (SSL) or encrypt the data on the client side (using JS) and then pass the data to the database for checking.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: