> I thought not trusting clients was already security 101?
Of course it is. Always has been.
The security field is riddled with complete nonsense. Much of it even couched in terms of "best practices". It's the perfect field for people with zero specific knowledge or experience to be trusted with management or engineering - since it doesn't matter until it did matter, at which point a mild non-apology is usually sufficient.
Security field isn't about security, it's about managing liability. "Best Practices" don't need to result in actual security - what matters is that, if you follow them and a security incident happens, you can say you followed the Best Practices and therefore It's Not Your Fault.
We're at something like 116 now and they keep coming up with funny terms for it.
secure enclaves, secure virtualization, trusted execution environment, trusted platform, confidential computing, protected execution, LaGrande, protected launch, hardware attestation, ..
It was, back when I took my intro to security class. And that was back in the day when we talked about domestic and export versions of RSA.
> I thought not trusting clients was already security 101?
Of course it is. Always has been.
The security field is riddled with complete nonsense. Much of it even couched in terms of "best practices". It's the perfect field for people with zero specific knowledge or experience to be trusted with management or engineering - since it doesn't matter until it did matter, at which point a mild non-apology is usually sufficient.
Security field isn't about security, it's about managing liability. "Best Practices" don't need to result in actual security - what matters is that, if you follow them and a security incident happens, you can say you followed the Best Practices and therefore It's Not Your Fault.
You are right. And by now an "it will be fixed next month" seems to be enough. even when nothing is fixed.
sorry we only can install a literal rootkit on your device to detect tampering
I am still surprised by how often this is a problem
It is, but most software doesn't include security.