1. 2

    What does your diet mainly consist of?

    Depends on whether or not it is an active day…. If it’s a day of low physical activity (like in the office):

    • 1 slice of bread with peanut butter and 2 cups of tea for breakfast (I can’t eat much in the morning). Also some extra vitamin supplements as I don’t get enough vitamin D because of the lack of sunlight.
    • Lunch: Mostly some cucumber, lettuce and bell pepper and a hard boiled egg prepared at home while having breakfast. Drinks: Tea, water, milk or some fresh-fruit juice I can get at work. (yes, no coffee at all).
    • Snacks: Free fruit from the office or nothing at all.
    • Dinner: Whatever I decide to make that day, but I try to leave out as much of the “dead calories” (potatoes, rice, noodles, etc.) as possible. So that’s mostly meat or fish and veggies. I don’t do desserts.

    Do you normally plan meals ahead or pickup food from places often?

    If it’s a day with high physical activity, like cycling to work (adds 2 hours of activity to my day), walking around a lot or doing sports, my diet is mostly the same as on a low activity day, but I take some extra snacks, take-outs or I might add potatoes, rice or something else I usually leave out to my dinner. Usually the choice is dictated by the “whatever I feel like”-heuristic, but only when my body “asks” for extra food twice.

    Has working out or being active pushed you towards a certain type of diet?

    No, although I eat considerably more when I am active.

    I have basically a few diet-rules I go by:

    • I try to avoid eating anything pre-processed or pre-packaged as much as possible, so I prepare as much of my own food by myself. It’s cheaper and it gives you control of portion sizes.
    • Only eat extra when my body “demands” it. So I ignore the first “hunger itch”. It’s unpleasant, but you’ll get used to it after about 6 weeks and by then it’s easy. However if there is a second wave of “hunger” (the type I can’t ignore and makes me cranky) I give in to it and eat an early lunch or dinner, or take some extra on the go.
    • Coffee contains fat and fat is calories (no wonder it gives you energy), a bottle of beer is 2 slices of bread (so a double breakfast), soft drinks are (full of sugar), (passive) smoking is bad and in places where smokers eat, the food is bad because you can’t taste properly and not being able to taste properly makes it easier to keep eating. Avoid all when possible.
    • Most important one of all: Always make portions on the small side. You don’t have to feel “full”, you just have to feel “not hungry” for the next few hours.

    What did push me towards this diet is that one day I just “felt heavy” and less comfortable moving around. Due to that I checked my BMI and it was 25,5. That was when I thought: “No more, I don’t want to feel like this ever again, it has to go down to at most 23, that means losing about 10 kg and keeping it off! I don’t want to let my partner down and I want to set a good example when I get kids!”. That was the strongest motivator to push me towards this diet.

    1. 4

      Coffee contains fat and fat is calories (no wonder it gives you energy)

      Coffee has no fat. Espresso is ~ 1 calorie per oz

      1. 1

        Alright, I oversimplified things. Let me rectify that.

        It’s true that coffee has no fat and that Espresso only has 1 kcal per cup. However, this only holds if you purely disregard what happens inside your body after you consume the coffee.

        All coffee except for old style paper-filtered coffee, does contain Cafestol which is an amino-acid which gets turned into fat and increases LDL-cholesterol significantly. So you have to drink only black filtered coffee without milk or sugar if you want the “coffee contains no fat”-statement to hold. Also: Milk contains fat, cafestol and sugar both get turned into glucose and fructose, and glucose and fructose eventually get burned or turned into lipids which eventually are turned into (body) fat.

        But you don’t have to believe me blindly, you can actually do this very simple science experiment by yourself for less than about 10€/$: Get a few test tubes, some distilled water and some ethanol with a >70% purity. Put about 1 ml of coffee into the test tube, add about 2 ml of ethanol and 2-3 ml of distilled water. Shake the tube so that everything mixes properly and leave it to rest for about an hour.

        If there is a dark band floating on top, that is the fat in your coffee.

        1. 1

          Coffee is coffee. If you add anything else to coffee grounds besides water, it’s no longer just “coffee”. I thought that was pretty obvious.

          I cannot find any paper that supports your claim that “cofestol” turns into fat. I can only find that it’s fat soluble, which is not the same thing. I can find that it stimulates insulin secretion and glucose uptake, but that is also not the same as your claim. If it turned into any form of sugar why would they be testing the use of cafestol to treat or prevent diabetes? That doesn’t make sense.

          1. 1

            There are multiple studies, conducted from 1991 until 2015 by the Netherlands National Institute for Public Health and the Environment, sadly most of them are not (yet) translated into English, which confirm that cafestol lowers the production of bile acid, which in turn heightens levels of LDL-Cholesterol. So more fat from other sources stays fat and it stays in your bloodstream.

            For the breakdown path of cafestol (one of many lipids) you simply have to look up the common breakdown-paths of lipids in literature about diabetes. You have to connect the dots yourself though, but this is why patients with type-2 diabetes should consume at most 4 cups of regular black coffee per day, unless they have a low blood-sugar.

            If it turned into any form of sugar why would they be testing the use of cafestol to treat or prevent diabetes? That doesn’t make sense.

            Here I can only speculate, because I just don’t know the angle of attack this research might take.

            Given that type-2 diabetes is essentially insulin resistance and the fact some studies have shown that cafestol increases insulin production and glucose uptake in muscle tissue in rats, that might be why there is research into it.

            But given that any diabetes treatment is basically “keep blood-sugar levels between this safe lower bound and this safe upper bound” and that cafestol has been shown to lower the production of bile acid (in humans), which is required to turn fat (also a lipid) into glucose, then it might be possible to lower the amount of new glucose from being formed by lowering the amount of lipids being converted into glucose. This in turn lowers the required amount of insulin, but it increases the amount of LDL-cholesterol in the patient’s blood. The underlying reasoning would be: We have to get rid of the excess lipids, just store them anywhere we can so we can prevent them from being metabolized into glucose. It’s no real solution and you’ll die of Atherosclerosis in 2 to 15 years, but you’ll die in a few weeks due to a too high blood sugar.

            In the end I just don’t know, because this is still unpublished research.

            I do know that I am sceptical as hell when I see texts with “too good to be true” statements like “Coffee decreases chances of getting diabetes!” and “Researchers are using coffee to treat diabetes!”, because it’s too simplistic, it’s what many people wish for and it aligns perfectly with certain corporate interests. “Extraordinary claims need extraordinary evidence” and history has shown us time and time again that these types of claims have failed to provide said extraordinary evidence, or worse; they turned out downright false.

            1. 1

              Thanks for the incredibly thoughtful response. I’ll have to do some more research on this.

              1. 1

                You’re welcome. I understand where you’re coming from, as I myself was also quite baffled and couldn’t believe it when I discovered this information for the first time. That’s why I did more research and devised a simple experiment so I could see for myself etc..

      2. 2

        Coffee suppresses the feeling of “tiredness”, no it doesn’t give you energy and no it doesn’t have fat.

        A double cream caramel frappucino with extra special pumpkin syrup from Starbucks is not “coffee”, it just contains it.

      1. 9

        Contrary to the comments at Reddit, I’m pretty sure Apple cannot do this unless you have installed a MDM profile…

        Locking, remote wipe, etc are limited to your iCloud account. There is no equivalent to “Google Play Services”. APNS has no control; it only handles push notifications.

        1. 15

          Contrary to the comments at Reddit, I’m pretty sure Apple cannot do this unless you have installed a MDM profile…

          When the OS is closed source how would you know?

          1. 12

            If you think Apple has a gaping backdoor in all of their phones which violates the mission of their product line, then please prove me wrong. In fact, take this opportunity to short their stock and prove it to the world. You could make yourself really rich really fast.

            Nobody else has done it, and everything Apple has done with their product line has been to constantly increase user security, not install backdoors for remote control and spying.

            I do not think they are perfect, but this would be a huge blow to their public perception and would certainly tarnish their brand for years to come.

            1. 7

              Objectively, I think that u/user545 has a valid point. When proprietary software is in place there is no way to verify that such software does what the user expects it to do, and nothing more. Just because Apple has said it doesn’t spy on its users, doesn’t mean such a statement is true; and we cannot trust them, because we don’t know what the program does on the inside.

              1. 9

                Perhaps it’s not as severe as user545 says.

                I think the argument can be transposed to anything done by anyone else:

                • I didn’t see how cars were built. So I have to assume the worst.
                • I didn’t see how roads were built. So I have to assume the worst.
                • I didn’t audit this open source project’s source code myself. So I have to assume the worst.
                  • Or I only heard from someone that this source code checks out. But I don’t know that person, so I have to assume the worst (that they’re lying to me).
                  • I didn’t audit the crypto algorithms. So I have to assume the worst.
                  • I didn’t compile it myself. So I have to assume the worst.
                  • I didn’t compile my compiler myself. So I have to assume the worst.
                  • I didn’t compile my operating system myself with my own compiler. So I have to assume the worst.
                  • I didn’t mine and process the raw resources to create my computer. So I have to assume the worst.

                Sure I can assume the worst, but then I probably wouldn’t live in a society.

                “Assume the worst” feels like an impractical rule to follow. Instead, it’s a practical tradeoff of efficiency (of my time) and likelihood I need to “assume the worst”. I’m not discounting the valuable effort that security researchers do to audit and break into these systems. Especially if they take this approach, that’s great. But they’re way more qualified and have more resources (eg - time, money) than me to do it. I’m not going to blindly assume the worst that these security researchers are out to trick me.

                I agree with feld. Apple isn’t perfect. They may change in the future. But Apple seem less likely than Google to implement a backdoor like this based on the way they position themselves in the market right now.

                1. 5

                  You’re missing two things:

                  1. “They’re usually defective since suppliers don’t care or have liability.”

                  2. “Intelligence agencies and law enforcement are threatening fines or jail for not putting secret backdoors in. The coercive groups also have legal immunity. Their targets can do 15 years if they talk.”

                  No 1 also applies to FOSS. With those premises, I definitely can’t trust closed-source software to not have incidental or intentional vulnerabilities. Now, we’re back to thorough design and review by parties we trust. Multiple, skilled, mutually-suspicious groups.

                  1. 2

                    Thanks,

                    I agree with you on #1, including that it applies to FOSS. I may argue that a supplier has more incentive to fix it if you’re a potentially influential customer over a FOSS that has a disinterested maintainer (making you fall back to build-it-yourself or audit yourself. And to be clear, FOSS is definitely a better option than if the non-cooperative supplier is a monopoly). But I’d admit I’d only be able to back that up anecdotally, which isn’t a strong case.

                    For #2, couldn’t that also apply to key maintainers in FOSS if they are contributing to the same project? I’d take a random guess that governments may find it impossible to coerce a small set of individuals. 15 years would equally scare FOSS maintainers as well. Sure, a geographical barrier may make that more difficult, but I’d guess that human-based intelligence agencies like the CIA probably have some related experience in this. I agree that FOSS makes it harder to sneak one by reviewers, but maybe there’s not many people needed to coerce to get the backdoor in a release.

                    I only tangentially review security topics, so I’m not sure if that’s a realistic threat or just a tinfoil-hatty thought <:-).

                    I guess I’m putting more emphasis from the perspective of typical (non-technical) user of software to:

                    1. care more about security / privacy
                    2. pressure companies they support to have better security/privacy practices

                    Over distrusting all companies and having a significantly worse user experience of using software in general. Non-technical users generally like the fallback of technical support over just “figure it out yourself” or “you lost all your data because you couldn’t manage your secrets”.

                    I’m curious, if a company allowed you to audit their source code before you approved/used it, would that significantly minimize the advantages FOSS software have over proprietary software for you?

                    1. 2

                      I may argue that a supplier has more incentive to fix it if you’re a potentially influential customer over a FOSS that has a disinterested maintainer

                      This hasn’t been the case at all in the mobile space. The supplier has an incentive to not fix things so you buy a new device, whereas FOSS maintainers want your device to last as long as possible.

                      1. 2

                        I’d agree with the motivation for some suppliers to upsell to newer devices, although I don’t really understand the motivation for FOSS maintainers to want you to use your device as long as possible. As one who maintained iOS libraries, there’s strong motivation to deprecate older devices/platforms since it’s a maintenance burden that sometimes hinders new feature work (and typically the most active contributors use the latest stuff). And when pitted against supporting the latest devices vs the older devices, chances are the newer stuff will win in those debates.

                        Thinking through the supplier stuff a bit more doesn’t make that much difference though. Sure, it doesn’t feel like a great business practice for a company to upsell. But it’s also how those companies stay in business. It could be viewed similarly to a maintenance support fee for existing devices. If suppliers offered a retainer fee, it would effectively be the same thing then?

                        1. 2

                          The LineageOS team does amazing work keeping old Android devices on the latest release. Also means app devs don’t have to worry because these old devices support all the new APIs and features.

                      2. 2

                        “For #2, couldn’t that also apply to key maintainers in FOSS if they are contributing to the same project?”

                        That’s a great observation. I held off mentioning it since people often say, “That’s speculation or conspiracy. Prove it with examples.” And the examples would have secrecy orders so… I just dropped the examples where they can find proof it happened. There very well could be coercive action against FOSS maintainers. Both Truecrypt developers and someone doing crypto on Linux filesystems kind of disappeared out of nowhere not talking about the project any longer. Now we’re into hearsay and guesswork, though. Also, they might be able to SIGINT FOSS with a secrecy order. We might be able to counter that having people in foreign countries looking for the problem, submitting a fix, and the rule is to always take a fix. They have to spot the problem that might be out of their domain expertise, though.

                        Plenty of possibilities. I just don’t have anything concrete on mandated, FOSS subversion. I will say one of the reasons I’d never publish crypto under my own name or take money for it is this threat. I think it’s very realistic. I think we haven’t seen it play out since the popular libraries for crypto were so buggy that they didn’t need such a setup. If they did, they’d use it sparingly. Those also ran on systems that were themselves ridden with preventable 0-days.

                        Far as open vs closed with review, I wrote an essay on that here.

                        1. 2

                          Thanks for that essay, that was insightful.

                          I roughly remember the Truecrypt incident and that was suspect, although I never came across the Linux file system crypto circumstance. Was it similar to Truecrypt? Was that developer already known? My googling didn’t seem to turn up any mention of that at all.

                      3. 1

                        There is one thing I am wondering about. Government agencies require backdoors but I would think they also require backdoors that are kept secret. How does that work with FOSS software? Alright yes they could sneak it in the compiled version maybe but distros are all moving to reproducible builds so that would be detected.

                        1. 2

                          Ignore the Karger/Thompson attack: only happened twice that I know of. The nation-state attackers will go for low-hanging fruit like other black hats. They also need deniability. So, they’re most likely to either (a) use all bug hunting tools to find what’s already there and (b) introduce the kinds of defects people already do by accident. With (b), discoveries might not even burn the source if they otherwise do good work.

                          For FOSS, they’ll slip the vulnerability into a worthwhile contribution. It can be either in that component or be an interaction between it and others. Error-handling code of a complex component is a particularly-good spot since they often have errors.

                  2. 10

                    They are able to push updates over the internet and the whole thing is proprietary. I am unable to tell you what the system does because I can’t see it. And at any time Apple can push arbitrary code which could add a back door without anyone knowing.

                    When you can’t see what is going on you have to assume the worst.

                    1. 5

                      I can’t tell whether this is 1. a defense of open-source in general and android in particular or 2. a critique of apple.

                      Neither works.

                      1. See example of what just happened. or the firefox/mr robot partnership recently. open source does not automatically confer transparent privacy.

                      2. Apple has, in fact, emerged as a staunch defender of user privacy. There are many many examples of apple defending users against law enforcement.

                      You can’t wish Apple to be terrible about privacy and use that as the argument.

                      1. 3

                        Sure you can. They could take money to secretly backdoor the phone for NSA and use lawyers to tell FBI to get lost for image reasons. The better image on privacy leads to more sales. The deal with NSA puts an upper bound on what FBI will do to them since they might just get data from NSA.

                        If that sounds far fetched, remember two things:

                        1. The telecoms were taking around $100 million each from NSA to give them data that they sometimes passed onto feds to use with parallel construction. Publicly they said they gave it out only with warrants. RSA went further to say they encrypted the data but weakened the crypto for $30 mil. The Core Secrets leak also said FBI could “compel” this.

                        2. In the Lavabit trial, Feds argued he wouldn’t have losses if customers didn’t know he gave Feds the master key. He was supposed to do it under court order and then lie about it.

                        Given those two, I don’t trust any profit-motivated company in US to not hand over data. Except maybe Lavabit in the past. Any of them could be doing it in secret for money that they take or get fines/jail.

                        1. 3

                          I would say Apple is more comparable to Lavabit than the others – they’re actively and publicly taking steps to protect their users’ privacy.

                          I wouldn’t argue that they will never do it, but to paint Apple and Google with the same brush on user privacy is silly and irresponsible.

                          1. 2

                            Well, we know that the secret, court meeting was going to put him in contempt or else. He had to shut the business down to avoid it. Apple may have been able to do more due to both size and making case public debate. Then again, that may have been a one-time victory followed by a secret loss. You can’t know if there’s two legal systems in operation side by side, one public and one secret. I assume the worst if the secret system is aggressively after something.

                            “I wouldn’t argue that they will never do it, but to paint Apple and Google with the same brush on user privacy is silly and irresponsible.”

                            I agree with this. Apple is a product company. Google is a full-on, surveillance company. Google is both riskier for their users now and more over time as they collect more which more parties get in various ways.

                        2. 3

                          I am not defending Android at all. As you can see in the OP post Android is absolutely horrible for privacy and control. I also agree that open source is not flawless of course but open source enables us to have the opportunity to inspect the programs we use (usually while contributing features). From what I understand the Firefox event was pushed through a beta/testing channel and not through the FF source. I would hope all Linux distros have this feature turned off when packaging FF.

                          The OP comment was asking me to prove that Apple is able to change user settings over the network and I think that is an unreasonable statement to make when the software is closed source. I also mentioned that it is possible as Apple is able to push new updates at any time with arbitrary code. So they have the capability of doing anything that is possible hardware wise.

                          1. 2

                            Fair on your 2nd point of responding to the OP and I don’t know whether they have the capability. However, they seem, at least at the moment, disinterested in taking random liberties with their users’ privacy.

                            1. 3

                              disinterested in taking random liberties with their users’ privacy.

                              I think that’s probably true but no one in this thread actually knows and one day it’s quite likely that the US government will force them to backdoor devices if they haven’t already.

                        3. [Comment removed by author]

                          1. 1

                            I can be sure in the way I can find out if needed. With proprietary software I can not be sure even if I was willing to put in the effort unless I wanted to spend my whole life trying to reverse engineer a build that would be out of date in a few months.

                            1. 1

                              I’ll add that the move toward tamper-resistant enclaves and integrity checks will make that even harder since some are about denying you read access or flagging your device on access attempt. You’re effectively punished for trying to verify their software.

                              1. 2

                                I find these fairly problematic because one of the main uses for these systems is to prevent the user making modifications that the OEM doesn’t want and DRM, but at the same time they do have genuinely useful features that would be desirable if they were under my control.

                                There are a lot of other things in IT I think fall under the same category. My bank offers you data showing all the different categories of things you have spent on in the month which is really useful for me to have but really creepy for the bank to have.

                                1. 2

                                  Yeah. There are also schemes that put the user in control to get those benefits. That most suppliers don’t implement them tells us a bit about their intent.

                          2. 1

                            How do you know they are able to do that then?

                            Because all system updates that got installed on my phone came only after I manually approved them. Unless I am not aware of some previously demonstrated capability this sounds like exactly the same kind of unsubstantiated argument you are arguing against.

                            1. 1

                              What criteria do you use for approving or denying updates and how would that be able to stop a backdoor being installed?

                              1. 2

                                It doesn’t matter since the original argument was that Apple can do the same thing (automatically install/change software on your device) which they cannot. You have to assent to the installation (of updates, backdoor or whatever). May not be a difference you care about, but I do.

                                I agree that black box software makes it impossible to know if software can be trusted, but binary package of an open source software is also just a black box if I am not able to generate the same hash when compiling myself which in my admittedly not recent experience happened a lot.

                                1. 1

                                  “You have to assent to the installation “

                                  You would need a copy of source for all privileged hardware and software on their platform to even begin to prove that. You don’t have that. So, you don’t know. You’re acting on faith in a profit-motivated company’s promises.

                                  I’ll also add one that has enough money to do a secure rewrite or mod of their OS but doesn’t intentionally. They don’t care that much. They’re barely even investing into Mac OS X from what its users say. Whereas, Sun invested almost $300 million into redoing Solaris for version 10. That brought us things like ZFS.

                                  A company with around a $100 billion that cares less about QA than smaller businesses shouldn’t be trusted at all. They’ve already signalled that wealth accumulation was more important.

                                  Meanwhile, tiny OK Labs cranked out mobile sandboxing good enough that General Dynamics bet piles of money on them for Defense use. Several other companies cranked out security-enhanced CPUs, network stacks, DNS, end-to-end messaging, and so on. Quite a few were for sale, esp those nearing bankruptcy. Shows Apple had plenty of opportunities to do the same or buy them. Didn’t care. They’ll make billions anyway.

                                  1. 2

                                    I agree with pretty much everything you say and while interesting, I am not sure how it is relevant to what I said.

                                    I did not argue that one should trust Apple (even though I do think iPhone has a better track record than Android). My point was simply that all other things being equal I prefer platforms that don’t suddenly change on some company’s whim and let me decide when or if I want to perform an update and that AFAICT Apple does not push those updates without user’s consent.

                                    I assume your argument is that consenting is meaningless as I cannot perform any reasonable security analysis of what I will receive. True that I can’t, but I also value predictability and speaking from a personal experience I feel I lose some of it with auto-updates.

                        4. 4

                          objdump -d

                          1. 3

                            When the OS is open source how would you know? Have you personally audited all of linux? How do you know you can trust third-party audits? I don’t think “it’s open source” provides much in terms of security all things considered.

                          2. 3

                            How do you know what APNS does?

                          1. 1

                            Hmm, now the question is can I make my firewall drop fragments only for UDP port 53? Dropping all frags is a terrible thing to do…

                            1. 1

                              The IPv6 tunnels were fun for learning about IPv6 but probably should not have been allowed to exist as long as they have. Native or bust. MTU issues with IPv6 are a nightmare to deal with.

                              1. 1

                                We’d only get bust. IPv6 was not designed for anything less than a flag day.

                              1. 12

                                Lots of null pointer dereferences, use-after-free, and double free. OpenBSD really needs a language with affine types or smart pointers that integrates with C. ;)

                                1. 6

                                  Such a language needs to work on every hardware platform they support and have a BSD licensed compiler/toolchain 🙃

                                  1. 5

                                    I actually think starting to use C++ in the kernel is a no-brainer, like GCC did. C++ doesn’t have hardware or toolchain problems, does it?

                                    1. 1

                                      Although I’m against C++, it’s clearly an option with more safety features and low-cost abstractions all the time. I’ll note that folks developing L4 microkernels and Genode started using it for those reasons. At this point, I’d rather whatever it is be a safer C with better abstractions that outputs vanilla C. That would solve most of the tooling and integration issues that come with a language switch. It also dodges C++’s huge complexity. It’s ridiculously complex.

                                      1. 3

                                        a safer C with better abstractions that outputs vanilla C.

                                        Sounds like Nim to me. MIT license.

                                        1. 3

It’s close! I’m eyeballing it for that use with Brute-Force Assurance. It would have way more acceptance than a Scheme-based solution. I’d have to swap its syntax out since C developers switch to C-like languages more than Python-like languages. The compiler for this purpose should produce C that looks like what a person would write more than a machine. It should at least be an option. Lets it get used incrementally in existing C projects. Finally, the people I see online griping about the compiler means they need to focus hard on getting it in good shape, or someone has to build a separate, certifying compiler.

                                          So, that’s what I was thinking when I assessed Nim as C replacement in general and for safety critical. Oh yeah, contracts! Frama-C or Ada-style contracts supported by default. Lets you encode whatever extra stuff the type system doesn’t already handle. I don’t know if they have contracts.

                                    2. 2

I’m sure they could build the language or C extensions given they built a whole OS and maintained (still do?) a compiler for it. It would also help them achieve their security goals better than their developers are doing now with the C language. A good investment, I’d say.

                                      1. 10

                                        This could happen if one or more people with interest and motivation showed up and managed to work well with the project to integrate this with the system as yet another form of mitigation.

As for the existing devs, they are all already very busy scratching their own itches and pursuing their own ideas, some related to security, some not. And generally they don’t like to be told what to work on in the time they volunteer.

                                        1. 1

                                          Exactly. The average coder in Rust is currently outperforming the OpenBSD team on these kinds of bugs due to type system. That means these bugs happen since they don’t care enough to prevent them. They’re about QA and mitigation tech up to a certain point with certain bug-adding tech (eg C language). Past that point or with different mitigations (esp language), they start making excuses about time, itches, and so on. I’ll keep pointing this out every time evidence of easily-prevented bugs comes in. Maybe something will click in a reader’s head that leads to a solution.

                                          Many of them also tell other people how they should be doing UNIX design, quality or security. Sometimes even in a snooty way. They like doing that despite aggravation it might cause others. You say those same people don’t like “to be told” they should use more secure tech in a security-focused project. It sounds like there’s a life lesson in there somewhere on top of some security lessons.

                                          1. 5

                                            since they don’t care enough to prevent them

That’s a tad inflammatory, nay? Suggesting that not using Rust is tantamount to not caring. It’s not like the Linux/BSD kernel could be rewritten in Rust in a day; there is 20+ years of development in there.

And while it’s not exactly a fair comparison as it’s been run against Linux for longer, 9 issues (which have been fixed) versus quite a few in Linux suggests something in OpenBSD is working.

                                            1. 1

                                              Yeah, a tad inflammatory to match the style of their mailing lists talking about other OS’s or hardware vendors not doing enough for security. I always give them credit for their strong points of simplified UNIX, code review/quality, mitigations, and great documentation. Plus, I like a few of them personally.

Far as your counterpoint, it’s a strawman (full rewrite) that’s not even what I’m proposing. I’m saying folks that cared seeing the language cause issues would make a safer version like others did in other projects (eg Clay, Cyclone). One highly compatible with C. They’d write new code in that language. The extensive rewrites of existing code they already do would be done in that language. Over time (years), most or all of the OS would be converted to the safer language. Someone might even write tools to automate this.

                                              1. 5

                                                The idea of a slightly modified C which would somehow prevent use-after-free and similar bugs is good. It’s similar to other ideas OpenBSD has already realized such as adding C API functions which are easier to use safely, or hardening of the C run-time against ROP. And it’s not as if the C we’re writing did not contain non-standard extensions already (packed structs, gcc-isms inherited by clang, etc.)

Now, where are some compiler-writing C language lawyer academics with the needed skills who would sit down with a bunch of OpenBSD hackers and volunteer a lot of their spare time for this? In over 10 years of involvement with the project I’ve never met a person with this skill set. In a volunteer project you have to work with the skills you happen to get.

                                                1. 1

                                                  Glad you’re open to the possibility if you had help for it. The people behind Clay and Cyclone might have helped given they were already doing hardest parts. It’s possible you didn’t know those languages exist. The folks good at researching and developing languages usually aren’t good at polish, outreach, and so on.

                                                  It’s possible we need a sponsor organization or new type of volunteer for such a role. One that’s a middle-person between the team with time to build compilers and the people that would use them. Such a person would need to be able to influence compiler developers to ensure they don’t do anything that kills adoption. I figure there’d be a lot of negotiations with middle person doing tie breakers on stuff people were divided on. Probably also need to be a compiler developer themselves so they can do the polish, packaging, and later maintenance.

                                      2. 2

                                        I realize this is mostly bikeshedding, but does the core team regularly (or ever) consider this? Or is this seen as too much overhead - learning the subtleties of a new language/implementation on top of the difficulty of os/kernel development. I would think the D language folks would love to team up with one of the BSDs to focus on whatever language demands the OS team would come up with.

                                    1. 2

                                      Yet another reason to try for BSD jails and ansible.

                                      1. 2

                                        If only any of the BSDs had an init system with declarable units, instead of the hack that is shell scripts.

                                        1. 1

                                          Nobody is preventing you from installing and using one

                                          1. 2

Yes, and nobody is preventing me from using Linux with systemd either, which I’d rather do until they fix this. If they never fix it, that’s fine too.

                                            1. 1

                                              How many service units are you writing on a daily basis that makes Systemd a necessity for your use case? Do Linux packages typically ship without service units and force you to do it yourself?

                                              1. 1

                                                Well, none of the Fun parts even come from the official repos. Plus there’s of course all internally developed stuff – somebody needs to write init scripts or unit files for those. Getting a unit file 95% correct on the first try is possible.

                                                You may be right that systemd is not necessary for anything I do. It’s just a whole lot more convenient than the alternatives.

                                                1. 1

                                                  That’s the difference with FreeBSD: we don’t have a small “official” repo. Our community maintained ports tree is huge and everything that needs an rc script comes with one.

                                                  1. 1

                                                    My frequent experience from FreeBSD has been that not all of those rc scripts in the ports tree work 100% well. Systemd units tend to work pretty solidly, on the other hand.

                                                    1. 1

                                                      If you happen to remember any specific poor experiences please send me a message… I’ll hunt down the rc scripts and fix them.

                                      1. 2

                                        It occurs to me that if you do not have the right to benchmark then you do not have the right to test that the product works as advertised. This cannot be legal.

                                        1. 2

                                          This license forbids systems integrators from publishing benchmarks related to this microcode. Presumably because Intel reserves that right to themselves. If you are not a systems integrator it doesn’t apply to you. If you are a systems integrator not only can you benchmark, clause 4 makes it clear you are under no obligation to share those results, even with Intel.

                                          1. 1

                                            We don’t want to get submissions for every CVE and, if we do get CVEs, we probably want them tagged security.

                                            1. 16

                                              while I agree with you in this case, I don’t particularly like the “I speak for everyone” stance you seem to be taking here.

                                              1. 9

                                                This one is somewhat notable for being the first (?) RCE in Rust, a very safety-focused language. However, the CVE entry itself is almost useless, and the previously-linked blog post (mentioned by @Freaky) is a much better article to link and discuss.

                                                1. 4

                                                  Second. There was a security vulnerability affecting rustdoc plugins.

                                              2. 4

                                                Do you think an additional CVE tag would make sense? Given there’s upvotes some people seem to be interested.

                                                1. 2

                                                  That’d be a good meta tag proposal thread.

                                                2. 4

                                                  Yeah, I’d rather not have them at all. Maybe a detailed, tech write-up of discovery, implementation, and mitigation of new classes of vulnerability with wide impact. Meltdown/Spectre or Return-oriented Programming are examples. Then, we see only the deep stuff with vulnerability-listing sites having the regular stuff for people using that stuff.

                                                  1. 5

Seems like a CVE, especially arbitrary code execution, is worth posting. My 2 cents.

                                                    1. 5

There are a lot of potentially-RCE bugs (type confusion, use after free, buffer overflow write); if there were a Lobsters thread for each of them, there’d be no room for anything else.

Here’s a short list from the past year or two, from one source: https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=Type%3DBug-Security+label%3AStability-Memory-AddressSanitizer&sort=-modified&colspec=ID+Type+Component+Status+Library+Reported+Owner+Summary+Modified&cells=ids

                                                      1. 2

I’m fully aware of that. What I was commenting on was Rust having one of these RCE-type bugs, which, to me, is worthy of discussion. I think it’s weird to police these like they’re some kind of existential threat to the community, especially given how much enlightenment can be gained by discussion of their individual circumstances.

                                                        1. -2

                                                          But that’s not Rust, the perfect language that is supposed to save the world from security vulnerabilities.

                                                          1. 4

                                                            Rust is not and never claimed to be perfect. On the other hand, Rust is and claims to be better than C++ with respect to security vulnerabilities.

                                                            1. 0

                                                              It claims few things - from the rustlang website:

                                                              Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.

                                                              None of those claims are really true.

It’s clearly not fast enough if you need unsafe to get real performance, which is the reason this CVE was possible.

It’s clearly not preventing segfaults, which this CVE shows.

                                                              It also can’t prevent deadlocks so it is not guaranteeing thread safety.

                                                              I like rustlang but the claims it makes are mostly incorrect or overblown.

                                                              1. 2

                                                                Unsafe Rust is part of Rust. I grant you that “safe Rust is blazingly fast” may not be “really true”.

                                                                Rust prevents segfaults. It just does not prevent all segfaults. For example, a DOM fuzzer was run on Chrome and Firefox and found segfaults, but the same fuzzer run for the same time on Servo found none.

I grant you on deadlocks. But “Rust prevents data races” is true.

                                                            2. 2

                                                              I’m just going to link my previous commentary: https://lobste.rs/s/7b0gab/how_rust_s_standard_library_was#c_njpoza

                                                      1. 1

                                                        Is this still vulnerable to watermark attacks?

                                                        I’ll just stick to GELI encrypting all my drives…

                                                        edit: looks like yes https://lists.freebsd.org/pipermail/freebsd-current/2018-August/070860.html
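Added worked example (editor's note, not part of the thread and not code from FreeBSD, GELI or the system being asked about): a watermark attack works against CBC disk encryption whose IV is the sector number itself. An attacker who can get a file onto the volume chooses content so that the first plaintext block of each odd sector equals the even sector's first block XOR 1, which cancels the one-bit difference between the two IVs and makes the two ciphertext blocks identical. Anyone holding the ciphertext can then spot the file without the key. ESSIV (IV = the sector number encrypted under a hash of the key) removes the predictability. The block cipher here is a stand-in (HMAC-SHA256 truncated to 16 bytes): the attack only depends on the cipher being deterministic, but this stand-in is not invertible and cannot decrypt; the key and file content are constructed. It assumes the file starts on an even sector, which the real attack gets from filesystem alignment.

```python
import hashlib
import hmac

SECTOR = 512
BLOCK = 16
KEY = hashlib.sha256(b"demo-volume-key").digest()   # constructed, fixed for repeatability


def block_encrypt(key, block):
    """STAND-IN for a 128-bit block cipher (not AES, not invertible).
    Deterministic and keyed is all the attack relies on."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def iv_plain(key, sector):
    """'plain' IV: the sector number, little-endian. Fully predictable."""
    return sector.to_bytes(BLOCK, "little")


def iv_essiv(key, sector):
    """ESSIV: sector number encrypted under hash(key). Unpredictable without
    the key, so the attacker cannot cancel it out in the plaintext."""
    return block_encrypt(hashlib.sha256(key).digest(), sector.to_bytes(BLOCK, "little"))


def cbc_encrypt_sector(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def encrypt_volume(key, iv_fn, sectors):
    """Each 512-byte sector is an independent CBC chain keyed on its number."""
    return [cbc_encrypt_sector(key, iv_fn(key, n), s) for n, s in enumerate(sectors)]


def watermarked_file(n_pairs):
    """Attacker-chosen content. For sector pair (2k, 2k+1) the plain IVs
    differ only in the low bit, so setting P[2k+1] = P[2k] XOR 1 makes
    P XOR IV identical for both sectors under plain IVs."""
    sectors = []
    for k in range(n_pairs):
        head = hashlib.sha256(b"marker%d" % k).digest()[:BLOCK]
        filler = bytes([k & 0xFF]) * (SECTOR - BLOCK)
        sectors.append(head + filler)
        sectors.append(xor(head, b"\x01" + b"\x00" * (BLOCK - 1)) + filler)
    return sectors


def count_pair_collisions(ciphertext_sectors):
    """The observer's test: identical first ciphertext blocks in adjacent
    even/odd sectors. Needs no key."""
    return sum(1 for n in range(0, len(ciphertext_sectors) - 1, 2)
               if ciphertext_sectors[n][:BLOCK] == ciphertext_sectors[n + 1][:BLOCK])


def demo(n_pairs=4):
    """Return (collisions under plain IV, collisions under ESSIV)."""
    file_sectors = watermarked_file(n_pairs)
    plain = count_pair_collisions(encrypt_volume(KEY, iv_plain, file_sectors))
    essiv = count_pair_collisions(encrypt_volume(KEY, iv_essiv, file_sectors))
    return plain, essiv


if __name__ == "__main__":
    print(demo())   # (4, 0): every pair leaks under plain IV, none under ESSIV
```

The same check generalises to any IV scheme an attacker can predict; sector-number IVs in any byte order or with any constant offset are equally affected, only the crafted XOR mask changes. XTS or an ESSIV-style derived IV is what disk encryption uses to close this.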

                                                        1. 2

                                                          “I’ve had voters who have overnighted to our jurisdiction and paid over $50 to do so, and it still didn’t get back to us by voting day.”

                                                          I’d like to see more than just this anecdote as a reason that absentee ballots are not a solution.

                                                          1. 3

                                                            This sounds like rather a big deal, why is this in these old intel CPUs?

                                                            1. 12

VIA is an independent manufacturer of computers that sold low-power, crypto-accelerated x86 chips designed by the third x86 vendor that’s still around: Centaur. Here’s a video about them. They worked on processor verification with ACL2. Jared Davis, who contributed to that work, later did a “self-verifying” prover called Milawa that bootstrappers should find inspiring.

So, interesting company and people. Them being low watts with x86 compatibility got them used in a lot of embedded applications. The VIA Artigos were also one of the only boxes you could get for $300 with a tiny form factor and crypto accelerator (incl TRNG). VIA stayed a struggling also-ran in x86 but had many users.

                                                              1. 6

                                                                VIA is not Intel

                                                              1. 1

                                                                Do they still refuse to accept patches for the BSDs?

                                                                1. 2

                                                                  Does anyone here use Bitwarden? I didn’t know about it, but it looks really attractive.

                                                                  1. 3

                                                                    Yes, it’s awesome. It’s also the only password manager that has a Firefox for Android extension (to my knowledge).

                                                                    1. 3

                                                                      Yes. It has some rough edges – I wish syncing was better – but it’s working great.

My syncing issue has to do with the fact that everything has its own copy of the data: desktop app, mobile app, browser plugins, etc. When you make a change they do not sync between them all immediately. You can have a Bitwarden app or plugin that is days behind so you have to go to settings and do a manual sync. Very annoying, but not a deal breaker.

                                                                      1. 2

                                                                        I use the venerable pass. It has none of this mobile mumbojumbo or autosync frills the kids today are talking about.

                                                                        It’s so simple and lean, I never thought pass git pull would be annoying.

                                                                        I would appreciate a mobile UI sometimes, though. A Sailfish client. But that’s not a dealbreaker either.

                                                                        Maybe I could hook the missus up with Rubywarden, though. Pass would be too much for her.

                                                                        Addendum: There appears to be a QML frontend on OpenRepos. Found through storeman. Not a complete client but have to give it a spin :)

                                                                        1. 1

                                                                          There is definitely a pass app for android. I’m not sure about iOS.

                                                                          1. 1

                                                                            As someone who uses a mobile and two desktops, having passwords being synced across devices is a must-have. It’s just too much of a pain to remember to copy new passwords from my phone to machine A, then B, and vice-versa.

                                                                            1. 1

                                                                              Home desktop, work desktop, work laptop, work macOS laptop and hopefully soon two Sailfish mobiles running pass.

                                                                              Made git pull a habit, not a chore, but ymmv.

                                                                        2. 2

                                                                          yeah, it’s open source and possible to run self-hosted as well.

check out the discussion from a topic from a few days ago, I’d just be copying from there:

                                                                        1. 10

                                                                          The security researcher also recommended we consider using GPG signing for Homebrew/homebrew-core. The Homebrew project leadership committee took a vote on this and it was rejected non-unanimously due to workflow concerns.

                                                                          This is incredibly sad and makes me wonder what part of the workflow would have been impacted. Git automatically signs the commits I make for me once I have entered my password once, thanks to gpg-agent.

                                                                          1. 3

                                                                            They have a bot which commits hashes for updated binary artifacts. If all commits needed to be signed, it’d need an active key, and now you have a GPG key on the Jenkins server, leaving you no better off.

                                                                            1. 2

But gpg cannot work with multiple smartcards at the same time, so maybe that’s a reason for some people. Either way there are simpler ways to deal with signing than gpg.

                                                                              1. 1

GPG signing wouldn’t have fixed this vulnerability as such, since presumably the same people not thinking about the visibility of the bot’s token would have equally failed to think about the visibility of the bot’s hypothetical private key.

                                                                              1. 1

                                                                                Will the new DNS over HTTPS lose the hosts file records? I also use a feature of systemd which makes any subdomain of localhost point to localhost.

                                                                                1. 3

                                                                                  I assume that Firefox will ignore the local system resolver entirely, so this feature would no longer work for you unless you turn this off in Firefox.

                                                                                1. 17

                                                                                  An interesting aspect of this: their employees’ credentials were compromised by intercepting two-factor authentication that used SMS. Security folks have been complaining about SMS-based 2FA for a while, but it’s still a common configuration on big cloud providers.

                                                                                  1. 11

                                                                                    What’s especially bugging me is platforms like twitter that do provide alternatives to SMS for 2FA, but still require SMS to be enabled even if you want to use safer means. The moment you remove your phone number from twitter, all of 2FA is disabled.

                                                                                    The problem is that if SMS is an option, that’s going to be what an attacker uses. It doesn’t matter that I myself always use a Yubikey.

                                                                                    But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle “customer” requests as quickly and efficiently as possible.

                                                                                    update: I just noticed that twitter has fixed this and you can now disable SMS while keeping TOTP and U2F enabled.
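Added worked example (editor's note, not part of the thread and not Twitter's or any vendor's code): the comment above contrasts SMS with TOTP and U2F. What makes TOTP carrier-independent is that the code is derived from a shared secret and the clock, never sent over a channel a phone company controls. Below is RFC 6238 TOTP (HOTP over a 30-second counter) together with a verifier that allows one step of clock skew, compares in constant time, and refuses to accept a counter at or below the last one used, so a code captured in transit cannot be replayed. The secret is the RFC's own test secret and the expected codes are its published SHA-1 vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP with T0 = 0: the counter is the time step number."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side check for one enrolled secret (hypothetical, for illustration).

    window: how many steps of clock skew to tolerate on either side.
    last_counter: highest counter already accepted; anything at or below it is
    rejected so a code seen once cannot be used again inside the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 8, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue            # replay or reuse of an older step
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = c
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def run_demo():
    """Return the RFC vectors for SHA-1 and the verifier's decisions."""
    vectors = {t: totp(RFC_SECRET, t) for t in (59, 1111111109, 1234567890)}
    v = TotpVerifier(RFC_SECRET)
    decisions = (
        v.verify(totp(RFC_SECRET, 59), 59),    # fresh code: accepted
        v.verify(totp(RFC_SECRET, 59), 59),    # same code again: replay, rejected
        v.verify(totp(RFC_SECRET, 89), 89),    # next step: accepted
        v.verify(totp(RFC_SECRET, 59), 150),   # old code outside window: rejected
    )
    return vectors, decisions


if __name__ == "__main__":
    print(run_demo())
    # ({59: '94287082', 1111111109: '07081804', 1234567890: '89005924'},
    #  (True, False, True, False))
```

Note what this does not do: it will not protect an account whose password-reset path still accepts an SMS code, which is the point made above about a second factor that doubles as recovery. The secret also has to be provisioned over a channel an attacker cannot read, typically the QR code shown once at enrolment.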

                                                                                    1. 2

                                                                                      But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

                                                                                      I get why they do this from a convenience perspective, but it bugs me to call the result 2FA. If you can change the password through the SMS recovery method, password and SMS aren’t two separate authentication factors, it’s just 1FA!

                                                                                      1. 1

                                                                                        Have sites been keeping SMS given the cost of supporting locked out users? Lost phones are a frequent occurrence. I wonder if sites have thought about implementing really slow, but automated recovery processes to avoid this issue. Going through support with Google after losing your phone is painful, but smaller sites don’t have a support staff at all, so they are likely to keep allowing SMS since your mobile phone number is pretty recoverable.

                                                                                        1. 1

                                                                                          In case of many accounts that are now de-facto protected by nothing but a single easily hackable SMS I’d much rather lose access to it than risk somebody else getting access.

If there was a way to tell these services and my phone company that I absolutely never want to recover my account, I would do that in a heartbeat.

                                                                                        2. 1

This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle “customer” requests as quickly and efficiently as possible.

                                                                                          True. Also, if you have the target’s phone number, you can skip the social engineering, and go directly for SS7 hacks.

                                                                                        3. 1

                                                                                          I don’t remember the details but there is a specific carrier (tmobile I think?) that is extremely susceptible to SMS interception and its people on their network that have been getting targeted for attacks like this.

                                                                                          1. 4

                                                                                            Your mobile phone number can relatively easily be stolen (more specifically: ported out to another network by an attacker). This happened to me on T-Mobile, but I believe it is possible on other networks too. In my case my phone number was used to setup Zelle and transfer money out of my bank account.

                                                                                            This article actually provides more detail on the method attackers have used to port your number: https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

                                                                                            1. 1

                                                                                              T-Mobile sent a text message blast to all customers many months ago urging users to setup a security code on their account to prevent this. Did you do it?

                                                                                              Feb 1, 2018: “T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: t-mo.co/secure”

                                                                                              1. 1

                                                                                                Yeah I did after recovering my number. Sadly this action was taken in response to myself and others having been attacked already :)

                                                                                        1. 2

                                                                                          I stopped using iTerm2 a long time ago because of the latency. There is a drastic difference between iTerm2 and stock Terminal. If this fixes it, I’m back on board.

                                                                                          edit: WOW this is crazy fast!!

                                                                                          1. 1

                                                                                            Most users will see improved latency

                                                                                            Sounds like it - can’t say I’ve had any problems with latency though…

                                                                                          1. 4

                                                                                            The HipChat MacOS client is only using 40MB of RAM. I don’t want Slack’s resource usage. 👎

                                                                                            1. 5

                                                                                              Might I suggest https://github.com/wee-slack/wee-slack. At $WORK, we have a bunch of folks using it for Slack integration and it’s been a pretty good UX.

                                                                                            1. 1

                                                                                              No. Python interpreter startup time is too slow for these tools. The amount of wasted CPU time worldwide from scripts, monitoring tools, etc executing these commands rewritten as python is simply unforgivable.

                                                                                              1. 1

I install glances on every physical host and most of the VMs I manage. It does have quite a few dependencies but almost all of them are optional depending on what you need. It works great. It’s one of the first things I go to when troubleshooting a problem. Speed is literally not an issue.