This license forbids systems integrators from publishing benchmarks related to this microcode. Presumably because Intel reserves that right to themselves. If you are not a systems integrator it doesn’t apply to you. If you are a systems integrator not only can you benchmark, clause 4 makes it clear you are under no obligation to share those results, even with Intel.

while I agree with you in this case, I don’t particularly like the “I speak for everyone” stance you seem to be taking here.

Do you think an additional CVE tag would make sense? Given there’s upvotes some people seem to be interested.

Yeah, I’d rather not have them at all. Maybe a detailed, tech write-up of discovery, implementation, and mitigation of new classes of vulnerability with wide impact. Meltdown/Spectre or Return-oriented Programming are examples. Then, we see only the deep stuff with vulnerability-listing sites having the regular stuff for people using that stuff.

seems like a CVE especially arbitrary code execution is worth posting. my 2 cents

If only any of the BSDs had an init system with declarable units, instead of the hack that is shell scripts.

VIA is an independent manufacturer of computers that sold low-power, crypto-accelerated, x86 chips designed by the third, x86 vendor that’s still around: Centaur. Here’s a video about them. They worked on processor verification with ACL2. Jared Davis, who contributed to that work, later did a “self-verifying” prover called Milawa that bootstrappers should find inspiring.

So, interesting company and people. Them being low watts with x86 compatibility got them used in a lot of embedded applications. The VIA Artigos were also one of only boxes you could get for $300 with tiny, form factor and crypto accelerator (incl TRNG). VIA stayed being a struggling also-ran in x86 but many users.

VIA is not Intel

Yes, it’s awesome. It’s also the only password manager that has a Firefox for Android extension (to my knowledge).

Yes. It has some rough edges – I wish syncing was better – but it’s working great.

My syncing issue has to do with the fact that everything has its own copy the data: desktop app, mobile app, browser plugins, etc. When you make a change they do not sync between them all immediately. You can have a Bitwarden app or plugin that is days behind so you have to go to settings and do a manual sync. Very annoying, but not a deal breaker.

yeah, it’s open source and possible to run self-hosted as well.

check out the discussion from a topic from a few days ago, id just be copying from there:

They have a bot which commits hashes for updated binary artifacts. If all commits needed to be signed, it’d need an active key, and now you have a GPG key on the Jenkins server, leaving you no better off.

But gpg cannot work with multiple smartcards at the same time, so maybe that’s a reason for some people. Either way there are simpler ways to deal with signing than gpg

GPG signing wouldn’t have fixed this vulnerability as such, since presumably the same people not thinking about the visibility of the bot’s token would have equally failed to think about the visibility of the bot’s hypothetical private key

I assume that Firefox will ignore the local system resolver entirely, so this feature would no longer work for you unless you turn this off in Firefox.

What’s especially bugging me is platforms like twitter that do provide alternatives to SMS for 2FA, but still require SMS to be enabled even if you want to use safer means. The moment you remove your phone number from twitter, all of 2FA is disabled.

The problem is that if SMS is an option, that’s going to be what an attacker uses. It doesn’t matter that I myself always use a Yubikey.

But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle „customer“ requests as quickly and efficiently as possible.

update: I just noticed that twitter has fixed this and you can now disable SMS while keeping TOTP and U2F enabled.

I don’t remember the details but there is a specific carrier (tmobile I think?) that is extremely susceptible to SMS interception and its people on their network that have been getting targeted for attacks like this.

Most users will see improved latency

Sounds like it - can’t say I’ve had any problems with latency though…

Might I suggest https://github.com/wee-slack/wee-slack. At $WORK, we have a bunch of folks using it for Slack integration and it’s been a pretty good UX.

I install glances on every physical host and most of the VMs I manage. It does have quite a few dependencies but almost all of them are optional depending on what you need. It works great. Its one of the first things I go to when troubleshooting a problem. Speed is literally not an issue.

A few months ago, Apple has announced that they joined the AV1 group and Microsoft was a founding member. That makes me much more optimistic than previous open formats.

I think the MPEG-LA really fucked things up with the minefield they set up for H.265.

https://www.cnet.com/google-amp/news/apple-online-video-compression-av1/

https://en.m.wikipedia.org/wiki/Alliance_for_Open_Media

Apple and Microsoft implemented H.264 and refused to implement WebM. In retrospect I guess that made more sense for Microsoft since they were still in “we blindly hate anything with the word ‘open’ in it” mode. Apple made less sense to me.

Apple and Microsoft are both large corporations, and thus hydras; what one head said doesn’t necessarily reflect another. Still, they both have a foot in the game in three awful races: an attempt to be a monopoly without appearing to be such to regulators; both are heavily invested in software patents (a lose-lose game for everyone, but there’s a sunk cost fallacy problem here); heavy investment and affiliation with proprietary media companies.

I think the rest of your analysis on why h.264 made it in is right in gneral. Also, Cisco did the “here’s an open source h.264 implementation except if you modify it we might sue you for patent violations, so it’s not free software in practice” thing, and that was enough for various parties to check a box on their end, sadly.

BTW, I sat in on some of the RTCWeb IETF meetings where the battle over whether or not we would move to a royalty free default video codec on the web would happen then. I watched as a room mostly full of web activists not wanting patent-encumbered video to overtake the web were steamrolled by a variety of corporate representatives (Apple especially). A real bummer.

I’d like AV1 to do better… maybe it can by being actually better technology, and reducing a company’s bottom line by having a smaller bandwidth footprint, as it looks like they’re aiming for here. Dunno. Would love to hear more about strategy there.

Apple made less sense to me

Apple is extremely sensitive to things that affect battery life of iOS devices. H.264 can be decoded in hardware on their devices. WebM would have to be decoded in software, so supporting it would be a worse experience for device reliability (battery would drain really fast on sites with lots of WebM content).

IPSEC is integrated into the IPv6 spec.

IPSEC was removed from the IPv6 spec a long time ago. Around 2011 it changed from a MUST to a SHOULD, and now it isn’t mentioned at all anymore in the latest RFC that combined all of the various RFCs comprising IPv6: https://tools.ietf.org/html/rfc8200

I have been using IPv6 in some form since at least 2004 and have never once seen it coupled with IPSEC.

RFC 4294 - IPv6 Node Requirements: IPsec MUST

RFC 6434 - IPv6 Node Requirements: IPsec SHOULD

(FYI - I don’t use Github and I’m not familiar with their 2FA scheme, but commenting generally that most 2FA is done poorly and sometimes it’s better not to use it at all, depending on how it’s implemented.)

GitHub has a very extensive 2FA implementation and prefers Google Authenticator or similar apps as a second factor.

https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/

My issue with most implementations of 2FA is that they rely on phones and MMS/SMS which is beyond terrible and is often less secure than no-2FA at all

A second factor is never less secure than one factor. Please stop spreading lies and FUD. The insecurity of MMS/SMS is only a concern if you are being targeted by someone with the resources required to physically locate you and bring equipment to spy on you and intercept your messages or socially engineer your cellular provider to transfer your service to their phone/SIM card.

2FA with SMS is plenty secure to stop script kiddies or anyone with compromised passwords from accessing your account.

Your home router doesn’t know the uplink bandwidth of your cable modem connection to your ISP. So you have to dial it in for the FQ-CoDel algorithm to know how to achieve the right send rate to flush the buffers quickly and fairly enough.