1. 3

    Multiple bands (2.4 GHz and 5 GHz) should also have the same SSID. Don’t put 5 GHz on its own SSID

    In that setup, pretty much all devices I’ve ever seen tend to fall back to 2.4 very very easily and quickly (when 5 still works) and practically never upgrade to 5.

    1. 4

      Enable band steering on your access points.

      1. 2

        huh, TIL that’s a thing. Not supported in OpenWrt apparently? but “802.11r Fast Transition” is supported now

    1. 2

      Quote from Wikipedia:

      An enumeration is a complete, ordered listing of all the items in a collection.

      Could someone enlighten me on this? What the article describes doesn’t seem like a “complete listing”.

      1. 3

        To enumerate can also mean “to build a list” which is closer to this usage, but I’d agree it was used imprecisely.

        I’d prefer calling this a username oracle attack!

        1. 4

          A couple decades late I think. Guess and check attacks have been called enumeration for quite a while.

          1. 2

            it’s never too late to ~~tilt at windmills~~ encourage precise speech!

            Legitimately though - good to know this is common parlance in the security community.

          2. 2

            Given enough time (possibly heat death of the universe scales) this method could create a full enumeration.

          3. 1

            It could be seen as a complete listing, if the “collection of usernames” isn’t interpreted to be the collection of all usernames the server has, but rather all usernames the attacker cares about.

          1. 4

            Does anyone have any experience with Microsoft Teams? We are looking at it as a potential replacement.

            1. 6

              My team (roughly ~40 people) transitioned from Slack to Teams a bit over a year ago. It’s gone well and speaking in terms of productivity, it’s been an improvement. There are a lot of cool integration features with Teams but they’re more oriented to the Microsoft ecosystem whereas Slack was more open. We do everything w/ Microsoft here (Azure, VSTS, .NET, Office 365, etc.) so it worked out well.

              Slack has more ‘fun’ features like custom emojis - we had to give up all the funny faces of team members in the transition.

              If your company isn’t in the Microsoft ecosystem I don’t think I would recommend it.

              1. 4

                It’s reliable and has plenty of good features, especially on the management side, but the UX is not excellent. Some people even claim to hate it, but I haven’t figured out how serious those feelings are.

                They have been improving it at a nice pace in 2018. It feels to me that the Teams team in Microsoft is culturally similar to the Visual Code Studio folks – i.e. part of the new Microsoft.

                Like dsschnau says, you can probably find better solutions if you’re not in the Office365 bearhug already. But they won’t be massively better (unless you want the burden of hosting yourself, in which case there are plenty of choices). If you are paying for office365 (not to mention Azure/VSTS/TFS) already, getting another chat solution in addition to Teams would be just stupid.

                1. 3

                  IME the Teams interface is extremely buggy (flashes of white, elements jumping around the screen, pretty severe lag/unresponsiveness) but I haven’t used it in 8 months.

                  1. 2

                    I heard bad things from early adopters, but have not heard much recently. A quick play and the UI seems OK, but issues like you have described above tend to be more noticeable after a bit of use.

                  1. 8

                    It seems like everything coming out of siggraph is terrifying now.

                    1. 4

                      They really skipped over the limitations though, I didn’t catch how long training takes and I would like to have seen some more examples of where it struggles, but I expect more of this is in the paper.

                    1. 2

                      Found this yesterday, doesn’t seem to expose a lot of radare2 features, but the learning curve is so much shallower!

                      1. 1

                        This is a pretty ace side channel attack, using the relative time complexities of blending different colours to calculate the value of pixels in an iframe by timing how long the rendering takes.

                        1. 5

                          Examples of major changes:

                          generics?

                          simplified, improved error handling?

                          I am glad to see they are considering generics for Go2.

                          1. 5

                            Russ has more background on this from his Gophercon talk: https://blog.golang.org/toward-go2

                            The TL;DR for generics is that Go 2 is either going to have generics or is going to make a strong case for why it doesn’t.

                            1. 1

                              As it should be…

                              1. 1

                                Glad to hear that generics are very likely on the way from someone on the Go team.

                                The impression I got was that generics were not likely to be added without a lot of community push in terms of “Experience Reports”, as mentioned in that article.

                                1. 1

                                  They got those :)

                              2. 1

                                Wouldn’t generic types change Go’s error handling too? I mean that when you can build a function that returns a Result<Something, Error> type, won’t you use that instead of returning Go1 “tuples”?

                                1. 5

                                  For Result type, you either need boxing, or sum type (or union, with which you can emulate sum type), or paying memory cost of both value and error. It’s not automatic with generics.

                                  1. 1

                                    I see, thanks for clarifying! :)

                                  2. 1

                                    As I understand it Go has multiple return values and does not have a tuple type, so not sure how your example would work. There are some tickets open looking at improving the error handling though.

                                1. 4

                                  We need some form of “strict” mode which turns these all onto sane settings by default.

                                  1. 2

                                    XKCD #927 😜

                                    1. 4

                                      I don’t think this is really relevant - it wouldn’t be a competing standard, or a standard at all really, just a baseline to start from that could vary from server to server.

                                  1. 12

                                    Cool article, but not what I expected from the phrase window manager!

                                    1. 9

                                      In hindsight, I guess the tag should have given it away. But I enjoyed the surprise as well :)

                                      1. 1

                                        Missed the hardware tag too. Been looking at electric blinds recently and the off the shelf ones seem prohibitively expensive.

                                        1. 2

                                          TechCrunch Disrupt 2019: “Electric Blinds Meets Machine Learning Monitored and Controlled via a $5 Droplet!”

                                          1. 2

                                            Author here. Although the raw material I used is <10$, as a rule for all DIY projects you should always consider the time and equipment needed. I’ve seen some motorized shades for ~200$, which for a finished/professional product is quite ok.

                                        2. 2

                                          It doesn’t even support ICCCM!

                                        1. 5

                                          I had way too much fun paring the binary down to under 1KB, so thought it would be fun to show off. This is a tool for the very limited use-case of writing your own bare metal kernel (to replace Linux) on a raspi 3.

                                          1. 3

                                            Nice work. How small did you get it in the end, and did you use any interesting tricks to get the size down?

                                            1. 4

                                              I wish there were some clever tricks; it might have made an interesting blog post. Since I wrote the code in 32-bit arm first, the biggest help was things that improved in arm64: CRC-32 and integer division are now built-in instructions, which saved me two routines.

                                              Other tricks:

                                              • “Re-roll” any loops and use subroutines heavily. Don’t paste code or unroll anything. A modern CPU can do thousands of instructions per byte to the UART at 115200bps, so the extra branches won’t matter.
                                              • Don’t obey calling conventions near the leaf nodes (which for me, was the entire program). I noted that a leaf routine trashed registers x0 to x3, then made the calling routine (one step higher in the call-stack) use registers x4 - x6 instead. ret {reg} helps a lot here, because the routine prelude can be just mov x7, lr. Effectively, arm64’s generous register file became my stack.
                                              • My favorite trick was using extr to rotate a word and add an incoming byte in a single instruction, in uart_read_u32. This is pretty much what extr is for, so it’s not especially clever. I just had to spend an hour reading through the instruction descriptions, looking for interesting ones that might help.
                                              • The loss of conditional execution was rough, but it felt like csel and tbz really do cover most of the use cases. In particular, tbz can be used to make a tight loop if you’re counting up to a power of 2.
                                              1. 1

                                                Thanks for the update, sounds interesting and well worth a blog post to me.

                                            2. 1

                                              Have you done this? Specifically writing your own bare metal kernel?

                                              1. 1

                                                I’ve… started. :) I got pretty far in rust in 32-bit mode before deciding I should jump into the deep end and go full 64-bit. I’ll definitely post my progress to github as I get things working.

                                                1. 1

                                                  Very cool! What’s the goal? By that I mean, what features are you looking for in your as yet to be completed kernel?

                                                  1. 2

                                                    My loose goal, besides “fun”, is to build a non-posix unikernel that boots into a text environment reminiscent of the old Apple II. No real goal behind that, though it would be nice to get USB & wifi working.

                                                    1. 2

                                                      Are you familiar with the Ultibo unikernel for the Pi, which provides a neat Wirthian environment implemented completely in Object Pascal?

                                                      1. 2

                                                        I am now! Very cool! :)

                                                      2. 1

                                                        SO interesting to me how many people are hearkening back to that time!

                                                        Makes me think of tic-80 - https://tic.computer/

                                                        Sounds like a fun project. Good luck!

                                                        1. 1

                                                          There were even TIC-80 demos at Revision this year. This placed #10.

                                                          1. 1

                                                            Very cool! tic-80 is so much fun. it really evokes the feeling of working in that 8 bit, self contained, everything IMMEDIATELY accessible space while using a modern language, syntax and tools.

                                              1. 3

                                                Does anyone know how much his missing tool, the wire bond machine, would cost?

                                                1. 11

                                                  That is truly amazing work.

                                                  1. 6

                                                    I couldn’t agree more. The amount of dedication and determination this must have taken is quite impressive.

                                                    EDIT: Also worth reading about is Jeri Ellsworth, mentioned in the piece as an inspiration.

                                                    1. 2

                                                      As far as I’ve seen Jeri has all but disappeared from the Internet, I used to follow her YouTube channel quite a bit. It’s a shame, she was a great teacher.

                                                      Edit: seems like she’s still active on Twitter

                                                      1. 3

                                                        I got excited when she started posting about radio stuff about six months ago, but it looks like it was only a short lived return. She was really one of my favourite technical YouTubers back in the day.

                                                  1. 4

                                                    The beep.patch file contains calls to exec (the ! command). Applying the patch RUNS code.

                                                    1. 1

                                                      Can you go into more details on this? What does it run?

                                                      1. 2

                                                        I recommend viewing it for yourself of course, but for your convenience:

                                                        https://github.com/holeybeep/holeybeep/blob/e971461c5b4a12d3291b6553af8872a740d70f01/beep.patch#L62

                                                        !id>~/pwn.lol;beep
                                                        

                                                        id prints information about the uid and gids of the current process. >~/pwn.lol directs that output to a file in your home directory (or some home directory, depending on how you run this). Then beep emits a beep.

                                                        That patch is able to execute arbitrary commands was discussed here recently.

                                                    1. 1

                                                      That’s pretty cool. Anyone know anything about the machine they are using (https://www.shimaseiki.com/product/knit/swg_n2/)? It looks pretty pricey.

                                                      1. 13

                                                        Before the site went down someone found a command injection issue, allowing command execution as root.

                                                        1. 18

                                                          For those who didn’t see it. It was a textbox on a web page passing unfiltered input to a root shell!

                                                        1. 1

                                                          The ‘check’ functionality doesn’t seem to work.

                                                          1. 1

                                                            Still seems broken 27 days later.

                                                          1. 6

                                                            What am I looking at?

                                                              1. 3

                                                                We don’t discuss all of our security processes and technologies in specific detail for what should be obvious reasons

                                                                isn’t that worrisome?

                                                                1. 5

                                                                  When it’s related to spam mitigation it’s not unusual.

                                                                2. 2

                                                                  That’s a little worrisome. They built an auto nuker, but didn’t think about what next? Whether it’s a false positive or not, “what if it’s republished?” should be part of the checklist. What if it really were malicious? I just keep retrying until I find a version that sticks.

                                                                3. 4

                                                                  The left-pad thing happened again.

                                                                  1. 2

                                                                    Somebody left padded the safeguards meant to prevent left padding? “no, no, we totally fixed it by adding a ‘are you sure you want to fuck everybody?’ confirmation to the delete command.”

                                                                    1. 1

                                                                      Has anyone written up the impact this time around?

                                                                  1. 4

                                                                    This is going to get expensive for companies pretty quickly.

                                                                    1. 7

                                                                      So that means buying more servers, with… Intel processors in them!

                                                                      1. 4

                                                                        Maybe. With the slowdown that KPTI incurs, it makes EPYC even more attractive.

                                                                        Now whether AMD can fab enough to keep up with demand is another question.

                                                                        1. 1

                                                                          Unfortunately AMD historically hasn’t had the management and the stockholder return to take on Fortress Intel. So Intel board hires weasel CEOs to exploit the situation. Ironically, the tech is more than good enough.

                                                                      2. 2

                                                                        It already is. Across the board 30% hit is fairly common on cloud services. So the hit is worse than say, Apple and its battery/clock down issue, but clearly Intel weasels think they can outlast it - what are you going to do, not buy more Intel?

                                                                      1. 1

                                                                        No, the second statement after the for(;;) isn’t part of the loop body.

                                                                        1. 1

                                                                          If I am understanding you correctly he is calling p.innerHTML = P; too many times, once for each loop instead of once after the loop. This likely results in a similar output being seen from a quick read of the code.