1. 4

    tl;dr

    Users on reddit discovered that FSLabs includes a password extraction utility. The company replied with its own statement.

    They backdoored their flight simulator to target a specific individual who has been cracking their games - they were successful at it.

    1. 4

      Following up on your link, the company says:

      we were made aware there is a reddit thread started tonight regarding our latest installer and how a tool is included in it, that indiscriminately dumps Chrome passwords. That is not correct information - in fact, the reddit thread was posted by a person who is not our customer and has somehow obtained our installer without purchasing.

      1. If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. “Test.exe” is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).

      So, the company claims this is not a password extraction utility, but it presumably does something that exfiltrates (a long word I learned on this forum) personal information in a targeted manner, which is still disturbing.

      If they have a list of cracked serial numbers they SHOULD be blocking them, not trying to use potentially illegal means of tracking down the installer.

      1. 4

        Ah, thanks. Your comment made me realize that I didn’t link the meaty forum post from the company owner bragging how they actually hacked the hacker:

        https://forums.flightsimlabs.com/index.php?/announcement/11-a320-x-drm-what-happened/

    1. 1

      This seems really cool. I’d love to have email more under my own control. I also need 100% uptime for email though, so it’s hard to contemplate moving from some large hosted service like Gmail.

      1. 4

        If email is that important to you (100% uptime requirement), then what’s your backup plan for a situation where Google locks your account for whatever reason?

        1. 1

          Yeah, that’s true. I mean I do have copies of all my email locally, so at least I wouldn’t lose access to old email, but it doesn’t help for new email in that eventuality.

        2. 3

          Email does have the nifty feature that (legit) mail servers will keep retrying SMTP connections to you if you’re down for a bit, so you don’t really need 100% uptime.

          Source: ran a mail server for my business for years on a single EC2 instance; sometimes it went down, but it was never a real problem.

          1. 1

            True. I rely on email enough that I’m wary of changing a (more or less) working system. But I could always transition piece by piece.

          2. 3

            If you need 100% delivery, then you can just list multiple MX records. If your primary MX goes down (ISP outage, whatever), then your mail will just get delivered to the backup. My DNS registrar / provider offers backup MX service, and I have them configured to just forward everything to gmail. So when my self hosted email is unavailable, email starts showing up via gmail until the primary MX is back online. Provides peace of mind when the power goes out or my ISP has outages, or we’re moving house and everything is torn apart.

            1. 1

              That’s a good system that seems worth looking into.

            2. 2

              Note that email resending works. If your server is unreachable, the sending mail server will actually try the secondary MX server, and if both are down, it will retry half an hour later, then a few more times up to 24 hours later, 48 hours if you are lucky. The sender will usually receive a notification if the initial attempts fail (and a second one when the sending server gives up).

              On the other hand, if your GMail spam filter randomly decides without a good reason that a reply to your email is too dangerous even to put into the spam folder, neither you nor the sender will be notified.

              1. 1

                And I have had that issue with GMail, both as a sender and a receiver, of mail inexplicably going missing. Not frequently, but it occurs.

            1. 39

              Perhaps build systems should not rely on URLs pointing to the same thing to do a build? I don’t see Github as being at fault here, it was not designed to provide deterministic build dependencies.

              1. 13

                Right, GitHub isn’t a dependency management system. Meanwhile, Git provides very few guarantees regarding preserving history in a repository. If you are going to build a dependency management system on top of GitHub, at the very least use commit hashes or tags explicitly to pin the artifacts you’re pulling. It won’t solve the problem of them being deleted, but at least you’ll know that something changed from under you. Also, you really should have a local mirror of artifacts that you control for any serious development.

                1. 6

                  I think the Go build system issue is a secondary concern.

                  This same problem would impact existing git checkouts just as much, no? If a user and a repository disappear, and someone had a working checkout from said repository of master:HEAD, they could “silently” recreate the account and reconstruct the repository with the master branch from their checkout… then do whatever they want with the code moving forward. A user doing a git pull to fetch the latest master, may never notice anything changed.

                  This seems like a non-imaginary problem to me.

                  1. 11

                    I sign my git commits with my GPG key, if you trust my GPG key and verify it before using the code you pulled - that would save you from using code from a party you do not trust.

                    I think the trend of tools pulling code directly from Github at build time is the problem. Vendor your build dependencies, verify signatures etc. This specific issue should not be blamed directly on Github alone.

                    1. 3

                      Doesn’t that assume that the GitHub repository owner is also the (only) committer? It’s unlikely that I will be in a position to trust (except blindly) the GPG key of every committer to a reasonably large project.

                      If I successfully path-squat a well-known GitHub URL, I can put the original Git repo there, complete with GPG-signed commits by the original authors, but it only takes a single additional commit (which I could also GPG-sign, of course) by the attacker (me) to introduce a backdoor. Does anyone really check that there are no new committers every time they pull changes?

                      1. 3

                        Tags can be GPG signed. This proves that all commits before the tag are what the person signed. That way you only need to check the people assigned to signing the tagged releases.
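
One defensive check that follows from this subthread (pin a commit, verify signatures, and notice when a new committer appears), added here as an example and not code from the thread: it parses `git log` output and flags any commit that is unsigned or signed by a key you have not already trusted, and also checks that the tip is the commit you pinned. The key fingerprints, commit hashes and log lines below are constructed placeholders.

```python
import subprocess
from dataclasses import dataclass

# Fingerprints of keys you have verified out of band. These values are
# constructed placeholders for the example, not real keys.
TRUSTED_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",  # maintainer A (constructed)
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF",  # maintainer B (constructed)
}

# One commit per line: hash, author, signature status (%G?) and signing key (%GK),
# tab separated. Newest commit first, which is git log's default order.
LOG_FORMAT = "%H%x09%an%x09%G?%x09%GK"


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    sig_status: str  # G good, B bad, U untrusted, X/Y expired, R revoked, E error, N none
    key_id: str


def parse_log(text: str) -> list[Commit]:
    """Parse the tab-separated output of `git log --format=LOG_FORMAT`."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, status, key = line.split("\t")
        commits.append(Commit(sha, author, status, key))
    return commits


def audit(commits: list[Commit], trusted_keys: set[str], pinned_sha: str) -> list[str]:
    """Return a list of findings; an empty list means the checkout is acceptable."""
    findings = []
    if not commits:
        return ["empty history"]
    # The hash you pinned must be the tip. If a repository was recreated under
    # the same URL with extra commits on top, this is the first thing that changes.
    if commits[0].sha != pinned_sha:
        findings.append(f"tip {commits[0].sha[:12]} is not the pinned commit {pinned_sha[:12]}")
    for c in commits:
        if c.sig_status == "N":
            findings.append(f"{c.sha[:12]} by {c.author}: unsigned")
        elif c.sig_status != "G":
            findings.append(f"{c.sha[:12]} by {c.author}: signature status {c.sig_status}")
        elif c.key_id.upper() not in trusted_keys:
            # A valid signature from a key you never trusted is exactly the
            # "new committer" case: it must not pass just because it verifies.
            findings.append(f"{c.sha[:12]} by {c.author}: signed by unknown key {c.key_id}")
    return findings


def audit_repo(path: str, trusted_keys: set[str], pinned_sha: str, rev: str = "HEAD") -> list[str]:
    """Run the audit against a real clone (requires git on PATH)."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--format={LOG_FORMAT}", rev],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(parse_log(out), trusted_keys, pinned_sha)


# Constructed sample: the two older commits are the original project history;
# the newest one was added after the repository was recreated under the old URL.
PINNED_SHA = "cafebabe" * 5
SAMPLE_LOG = "\n".join([
    "\t".join(["deadbeef" * 5, "Newcomer", "G", "FEEDFACEFEEDFACEFEEDFACEFEEDFACEFEEDFACE"]),
    "\t".join(["cafebabe" * 5, "Maintainer A", "G", "0123456789ABCDEF0123456789ABCDEF01234567"]),
    "\t".join(["f00dbabe" * 5, "Maintainer A", "N", ""]),
])


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), TRUSTED_KEYS, PINNED_SHA):
        print(finding)
```

Run it against a real checkout with `audit_repo("/path/to/clone", TRUSTED_KEYS, "<pinned sha>")` and refuse to build when the returned list is non-empty.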

                  2. [Comment removed by author]

                    1. 2

                      Seriously, if only GitHub would get their act together and switch to https, this whole issue wouldn’t have happened!

                      1. 4

                        I must have written this post drunk.

                  1. 6

                    Anyone know of cloud providers (either virtualized or real hardware) that either offer OpenBSD, or allow you to install OpenBSD easily and without hacks?

                    I only know of prgmr.com, RootBSD and ARP Networks. I am interested in companies offering real professional support running on server grade hardware (ECC, Xeon, etc) with proper redundant networking, etc, so amateur (but cheap) stuff like Hetzner doesn’t count.

                    Somewhat tangential, but I am also interested in European companies. I only know of CloudSigma, Tilaa, Exoscale and cloudscale.ch. Are they any good?

                    EDIS and ITL seem to be Russian companies or shells operating in European locations, not interested in those.

                    Many thanks!

                    1. 5

                      https://www.vultr.com/servers/openbsd

                      I wouldn’t consider Gilles’ method a hack at this point, now that online.net gives you console access. Like usual, you first have to get the installer on to a disk attached to the machine. Since you can’t walk up to the machine with a stick of USB flash, copying it to the root disk from recovery mode makes all the sense.

                      1. 2

                        Thanks, I forgot about vultr.

                        As for installing, I would vastly prefer PXE boot. It’s not just about getting it installed. It’s about having a supported configuration. I am not interested in running configurations not supported by the provider. What if next year they change the way they boot the machines and you can’t install OpenBSD using the new system anymore? A guarantee for PXE boot ensures forward compatibility.

                        Or what if some provider that is using virtualization updates their hypervisor which has a new bug that only affects OpenBSD? If the provider does not explicitly support OpenBSD, it’s unlikely they will care enough to roll back the change or fix the bug.

                        You’re not paying for hardware, as Hetzner showed, hardware is cheap, you’re paying for support and for the network. If they don’t support you, then why pay?

                        1. 2

                          Yeah I share your concerns. That’s why I’ve hesitated to pay for hosting and am still running all my stuff at home. It would suck to pay only to hear that I’m on my own if something changes and my system doesn’t work well after that change.

                          Given how often OpenBSD makes it to the headlines on HN and other tech news outlets, it is really disappointing how few seem to actually care enough to run or support it. It’s also disappointing considering that the user base has a healthy disdain for twisting knobs, and the system itself doesn’t suffer much churn. It should be quite easy to find a stable & supported hardware configuration that just works for all OpenBSD users.

                          1. 1

                            It should be quite easy to find a stable & supported hardware configuration that just works for all OpenBSD users.

                            Boom! There it is. The consumer side picks their own hardware expecting whatever they install to work on it. They pick for a lot of reasons other than compatibility, like appearance. OpenBSD supporting less hardware limits it a lot there. I’ve always thought an OpenBSD company should form that uses the Apple model of nice hardware with desktop software preloaded for some market segment that already buys Linux, terminals, or something. Maybe with some must-have software for business that provides some or most of the revenue so not much dependency on hardware sales. Any 3rd party providing dediboxes for server-side software should have it easiest since they can just standardize on some 1U or 2U stuff they know works well with OpenBSD. In theory, at least.

                      2. 4

                        https://www.netcup.de/

                        I run the above setup on a VPS. OpenBSD is not officially supported, but you can upload custom images. Support was very good in the last 3-4 years (didn’t need it recently).

                        1. 2

                          Looks nice, especially since they are locals :) Do you mind answering some questions?

                          • Do they support IPv6 for VPS (/64)?
                          • Have you tried to restore a snapshot from a VPS?
                          • Mind sharing a dmesg?
                          1. 3
                        2. 2

                          I have two OpenBSD vservers running at Hetzner https://www.hetzner.com . They provide OpenBSD ISO images and a “virtual KVM console” via HTTP. So installing with softraid (RAID or crypto) is easily possible.

                          For a week now there has been no official vServer product any more. Nowadays, they call it … wait for it … cloud server. The control panel looks different, however, I have no clue if something[tm] changed.

                          Here is a dmesg from one server: http://dmesgd.nycbug.org/index.cgi?do=view&id=3441

                          1. 2

                            Joyent started providing a KVM OpenBSD image for Triton last May: https://docs.joyent.com/public-cloud/instances/virtual-machines/images/openbsd

                            (This has been possible for some time if you had your own Triton cluster, but there was no official way until this was published.)

                            1. 1

                              What’s the deal for cloud providers for not making OpenBSD available? Is it technically complex to offer, or just that they don’t have the resources for the support? Maybe just a mention that it’s not supported by their customer service would already help users no?

                              1. 11

                                As far as I know, it’s a mix of things. Few people ask for OpenBSD, so there’s little incentive to offer it. Plus a lot of enterprise software tends to target RHEL and other “enterprise-y” offerings. Even in the open source landscape, things are pretty dire:

                                OpenBSD also seems to have pretty bad timing issues on qemu/KVM that have fairly deeply rooted causes. Who knows what other horrors lurk in OpenBSD as a guest.

                                OpenBSD doesn’t get people really excited, either. Many features are security features and that’s always a tough sell. They’d rather see things like ZFS.

                                For better or for worse, OpenBSD has a very small following. For everybody else, it just seems to be the testing lab where people do interesting things with OS development, such as OpenSSH, LibreSSL, KASLR, KARL, arc4random, pledge, doas, etc. that people then take into OSes that people actually use. Unless some kind of Red Hat of OpenBSD emerges, I don’t see that changing either. Subjectively, it feels very UNIX-y still. You can’t just google issues and be sure people have already seen them before; you’re on your own if things break.

                                1. 8

                                  Rust’s platform support has OpenBSD/amd64 in tier 3 (“which are not built or tested automatically, and may not work”).

                                  I can talk a little about this point, as a common problem: we could support OpenBSD better if we had more knowledge and more people willing to integrate it well into our CI workflow, make good patches to our libc and so on.

                                  It’s a damn position to be in: on the one hand, we don’t want to be the people that want to inflict work on OpenBSD. We are in no position to ask. On the other hand, we have only a few with enough knowledge to make OpenBSD support good. And if we deliver half-arsed support but say we have support, we get the worst of all worlds. So, we need people to step up, and not just for a couple of patches.

                                  This problem is a regular companion in the FOSS world, sadly :(.

                                  Also, as noted by mulander: I forgot semarie@ again. Thanks for all the work!

                                  1. 7

                                    semarie@ has been working upstream with rust for ages now… It would be more accurate to say ‘we need more people to step up’.

                                    1. 2

                                      Right, sorry for that. I’ll change the wording.

                            1. 6

                              Hah, that’s a blast from the past for me.

                              Finally, if you want to see Falcon running on a great OS, you should try out AuroraUX, an emerging open source distribution of Open Solaris. It comes with Falcon ready to run.

                              source: http://www.falconpl.org/index.ftd?page_id=sitewiki&prj_id=_falcon_site&sid=wiki&wid=Getting%20started

                              I have been part of AuroraUX (project long defunct, domain expired so don’t follow links). Falcon was picked as the systems scripting language (think like Perl on OpenBSD). That was around a decade ago.

                              Some Googling reveals what the AuroraUX project had to say about Falcon

                              Falcon is our scripting language of choice. “Simple, fast and powerful programming language, easy to learn and to feel comfortable with, and a scripting engine ready to empower mission-critical multithreaded applications.” – http://www.auroraux.org/index.php/AuroraUX:About

                              source: https://stackoverflow.com/questions/851997/what-is-your-opinion-on-the-falcon-language

                              AuroraUX itself didn’t move far, Sun was sold to Solaris putting the thing under discussion, the main developer first wanted to use the DragonflyBSD kernel but instead started contributing to it and then moved off to do Linux and Mesa stuff. I think the only thing left after AuroraUX is the gnat-aux compiler for Ada.

                              1. [Comment from banned user removed]

                                1. 3

                                  The last two comments I’ve seen from this user seem like the inverse of the friendlysock experiment. If this isn’t intentional, I’d highly recommend reading the blog post and reconsidering your posting style.

                                  1. 2

                                    I would like to know, why are you people down-voting stefantalpalaru for that comment?

                                    I am not a native speaker nor in the US, that remark was insightful for me - am I missing something except it (the comment) being slightly snarky?

                                    1. 32

                                      I’m sort of used to people making fun of my writing style (people complain about my use of exclamation marks on the internet every month or so, complaining about question marks is a new one :) ) but in general I find technical comments on my posts much more interesting.

                                      I’m honestly a bit disappointed by this comment – i tend to think of lobste.rs as a place where people try to have more substantive technical discussions about posts, as opposed to hacker news where comment threads frequently get derailed by conversations about irrelevant things and I end up not learning anything by reading the comments. To me the point of tech discussion sites like this is to discuss the technology! (for example: how could a kernel bug like this happen? have you run into other similar bugs on Mac/Linux? How did you debug them? Can you use dtrace to discover more about what’s going on inside the kernel?).

                                      There are so many interesting questions to talk about, and I think it’s kind of a shame to waste time making nitpicky comments about the use of a question mark in the title :)

                                      1. 11

                                        As a linguist who’s read enough language written without punctuation (Latin and Greek), I’d like to thank you for your use of punctuation, and to encourage it.

                                        Latin, fun fact, has two words to introduce questions, one that introduces questions where you expect an affirmative answer (“nonne”), and one that introduces questions where you expect a negative answer (“num”), and the interrobang was only invented millennia later. It’s always useful to have a metachannel conveying subtext, and punctuation is compact.

                                        “I think I found a Mac kernel bug.” sounds definitive, and immediately puts a team of kernel hackers on the defensive. “I think I found a Mac kernel bug?” sounds rather surprised at oneself, and emphasizes the incredulity that you’d posted on Twitter, that it was 4 days from kernel hacking to finding a bug, that you’d expected that people would have found it, and generally is the spirit of humility and exploration that has made your writings so interesting to read!

                                        Thank you for exploring syscalls :)

                                        1. 2

                                          So, however insignificant, this issue has, believe it or not, been (low-key) bugging me since this (sub)thread happened. I’m purely concerned with the linguistic question taken at face value, since I vaguely concur with the annoyance at the question mark (in the sense that I would feel odd writing in that style myself, though I don’t care to tell anyone else what they should prefer). The reason it’s been bugging me is that it’s obvious that “just drop the question mark” can’t work, precisely because it significantly alters the quality of what is being expressed – as you stated. So how would I say that?

                                          And I think I just realised the answer: the way to correctly express that sentiment in a more formal register is simply “Have I really found a Mac kernel bug?” D’uh, I guess.

                                          1. 1

                                            Absolutely. And there’s “I think I might have found a Mac kernel bug” in slightly more formal colloquial registers, “Discovery of potential Mac kernel bug” for a title of some Technical Letter to a journal 50 years ago. More formal titles have fewer questions.

                                            And we’ve been repurposing punctuation to convey pitch of a sentence when spoken, useful to convey one’s meaning when writing. Sometimes it’s a question mark to convey High Rising Terminal, sometimes it’s comma splices and lack of terminal period to convey a fading train of thought, it’s a fun writing constraint, you should try it

                                        2. 8

                                          Thanks for taking the time to reply. I was asking because I felt I might be missing some language slang/common use that was pointed out here.

                                          Regarding your blog posts: I love reading them, your technical content is sound, delivered in a fun way and a dive into things I rarely look at myself - I’m following all your ruby profiler posts. Keep up what you are doing, the silent majority appreciates it ;)

                                        3. 11

                                          the high rising terminal - often associated with “valleyspeak” - is stereotypically associated with shallow, unintelligent women, especially in american pop culture.

                                          If anyone else on the site had asked about this, I’d wager we would see far less common contentious voting patterns. But hell, let’s call a spade a spade: I’ve seen enough of OPs previous comments to have a pretty good guess at what he’s doing when he made that comment - and I wager the downvoters did too.

                                          1. 7

                                            As a meta-discourse thing, I don’t really like this kind of comment even from people whose good faith I’m confident of. It’s really easy for a forum to fall into a pattern where 90% of the discussion is about pretty superficial aspects of the posts, especially in a dismissive way. I wouldn’t say that kind of thing is always off-topic, but I guess I try to think: is this observation novel and non-obvious enough that someone reading the comment learns something? Usually when I’ve been tempted to post a comment complaining about superficial aspects of a post (and there are definitely things I dislike and am tempted to comment on!) it’s hard for me to argue with a straight face that the answer is “yes”.

                                      1. 3

                                        My phone has 2-fa token apps, signal (for texting/calls with wife) and slack (for work)

                                        1. I don’t trust the phone, don’t store anything important on it (passwords, gpg keys, ssh keys, email)
                                        2. I don’t use it for anything except making calls, texting, making an occasional photo for later reference
                                        3. I have no apps that could disturb me, slack is set to only send notifications on mentions and direct messages which rarely happens
                                        4. It’s a cheap phone but rugged (so it can survive the dog walks and an occasional drop in the mud)

                                        It’s not sexy, cool or anything so I almost never use it - only when needed and even then I still hate it. I started falling back more to reliable technology - to such a level that I often even forget to take the phone with me (which is liberating).

                                        The biggest things that reduced my phone usage however are:

                                        1. I started using a dead tree A5 daily calendar, my shopping lists go into it on post-it notes when I’m going out the house.
                                        2. I bought a g-shock watch - try it (any watch) you will be amazed how many times you start using the phone when all you wanted initially was just checking the time…
                                        1. 4

                                          At a glance it seems okay, but I guarantee those colour choices will look like crap on a light background. For most (all?) testing frameworks I’ve used that output in colour, I always have to find the “no colour” option or else I can’t read it.

                                          1. 2

                                            I suppose I sort of consider it the user’s responsibility to have configured a color scheme where most colors are readable. However, it would be both easy and a good idea to make it possible to configure the color scheme (at least from the source code), and I should probably add an option to output without colors (and enable that option by default when the output is not a TTY).

                                            1. 3

                                              I use solarized light, and nearly everyone these days uses some form of dark colour scheme. The output from the Catch2 testing framework, for example, is mostly unreadable with the colour choices. In other cases, I’ve run across similar problems.

                                              If you’re going to offer colour output, I think you need to have an option to turn it off. (And I see that you’ve added #ifndefs around them.) If/when this ever gets a main function to manage test suites (most serious ones do), don’t forget the --color=no option.

                                              1. 2

                                                I added support for theming first because that was very easy to add.

                                                I just pushed a commit to add support for --no-color (and which disables color when stdout is not a TTY and such): https://github.com/mortie/snow/commit/c41d869c613a3a587279c6f833f74c609cb3bbf5

                                                The commit after that adds support for the NO_COLOR environment variable mentioned by @mulander.

                                              2. 3

                                                @jcs created http://no-color.org/ to propagate a consistent option to disable colors.

                                                1. 2

                                                  Looks like I get to be the first software to support NO_COLOR on that list :)

                                              3. 1

                                                I always wanted a terminal which would automatically correct colors based on contrast. At least a separate color scheme for default background color.

                                                It should not be that hard, maybe I could add PoC using suckless’s st to my overly long TODO list…

                                                1. 1

                                                  It’s actually quite readable in black on white. Though I agree with the general sentiment, and it’s probably quite a bit worse on a yellowish background.

                                                1. 2

                                                  Perhaps it would be more useful to ask people not to derail technical posts with meta-discussion about communication style and behavior. It’s a regular occurrence in this community, and not restricted to mailing list threads.

                                                  1. 8

                                                    Many of these submitted mailing list threads aren’t really submitted for their technical content in the first place, though— they’re explicitly submitted because they were a flamewar and people like to gawk at flamewars, so that’s kind of on-topic to discuss imo. The only particularly interesting thing about the recent Torvalds submission, for example, is the flaming. Presumably that’s why the submitter chose to include an all-caps quote, “COMPLETE AND UTTER GARBAGE” in the submission title, rather than highlighting any technical content. I’m going to go out on a limb and predict that if it had a technical title instead of a flamewar title, it wouldn’t have gotten the attention here that it did. (The little technical content the linked post has turns out further down the thread to not even be correct.)

                                                    At the very least, when people are linking gawk-at-the-flamewar type mailing list posts, can I suggest tagging them with the rant tag?

                                                    1. 3

                                                      The only particularly interesting thing about the recent Torvalds submission, for example, is the flaming.

                                                      He accuses Intel of planning not to fix the Spectre bug, as in they want to provide a workaround off by default since it would impact their performance metrics, shifting the responsibility to OS vendors. That’s far more interesting than flaming and worth the submission in itself.

                                                      So the IBRS garbage implies that Intel is not planning on doing the right thing for the indirect branch speculation.

                                                      It’s not “weird” at all. It’s very much part of the whole “this is complete garbage” issue.

                                                      The whole IBRS_ALL feature to me very clearly says “Intel is not serious about this, we’ll have an ugly hack that will be so expensive that we don’t want to enable it by default, because that would look bad in benchmarks”.

                                                      So instead they try to push the garbage down to us. And they are doing it entirely wrong, even from a technical standpoint.

                                                      source: http://lkml.iu.edu/hypermail/linux/kernel/1801.2/04628.html

                                                      1. 5

                                                        http://lkml.iu.edu/hypermail/linux/kernel/1801.2/04630.html
                                                        http://lkml.iu.edu/hypermail/linux/kernel/1801.2/04637.html

                                                        The next 2 emails show that Linus has misread the patch.

                                                        You’re looking at IBRS usage, not IBPB. They are different things.

                                                        Yes, the one you’re looking at really is trying to protect the kernel, and you’re right that it’s largely redundant with retpoline. (Assuming we can live with the implications on Skylake, as I said.)

                                                        (I pointed that out in the lobste.rs thread, and that’s kind of the thing I was annoyed about)

                                                        1. 3

                                                          FWIW, if you look at the second email you linked…

                                                          Ehh. Odd intel naming detail.
                                                          If you look at this series, it very much does that kernel entry/exit stuff. It was patch 10/10, iirc. In fact, the patch I was replying to was explicitly setting that garbage up.
                                                          And I really don’t want to see these garbage patches just mindlessly sent around.

                                                          Linus seems to be claiming that he didn’t misread the patch.

                                                  1. 1

                                                    Is it just me or is that blog post 4 years old and the link to the game itself no longer operable?

                                                    I’d like to play FTL too, but I can’t find a link anywhere to the web version.

                                                    1. 1

                                                      Yes, the post is from 2014 as indicated by the submitted title…

                                                      The link might have changed but you can still play it on humble bundle, here’s a screenshot with FTL running and the URL visible: https://bsd.network/system/media_attachments/files/000/011/872/original/29d97af524763cf8.png

                                                    1. 2

                                                      Extremely well written article - it really resonates well with me.

                                                      http://blog.zdsmith.com/posts/digital-minimalism-for-the-working-hacker.html#fn:5

                                                      The other place that remains in my windowing environment is my email client. My concerns are roughly the same. There’s a lot of state, a lot of unrelated documents that end up being opened up next to each other, and a long load time.

                                                      I bet there’s some interesting thinking to be done about whether there is something in what we use these applications for that leads to this kind of behavior, and whether it could be resolved by changing how we handle the data. In a sense the whole GTD/Inbox Zero movement was about this: when you get an email, capture it by parsing in some way: transform from unstructured to structured data, maybe by making a note in your to-do list and archiving the email. Your to-do list is not necessarily a place; when well-maintained it’s something you can summon up when you need it and dismiss when you’re done. Of course, if handled poorly, your to-do list can become another place, an entity that sticks around, keeps its own state and requires you to come to it.

                                                      I’ve been implementing GTD fully for a couple of months. My browser tabs went down from 50+ to <10 - and all related to the current tasks. After evaluating how I used browser tabs - it was a mess. Things I wanted to perhaps read later, things I might want to reference later & things related to what I am doing now. Now, I constantly close tabs either by filing them as a TODO in taskwarrior with notes & annotations (things I need to do later), adding them to my calendar (deadlined events) or just filing them into my archives (like that nice code snippet you found and might want to use later on). I picked separate tools on purpose: taskwarrior for lists of tasks, the filesystem for archives & a dead tree A5 daily calendar for calendaring. Having them separate means I don’t have to parse out what’s what & I now know where to look for things. It worked amazingly well at auto-killing my bad tab habit - I now get nervous if I have too many tabs open as it takes MORE mental work to filter out which tab is for what compared to a tab that gets filed into one of the existing systems.

                                                      1. 1

                                                        Why is this tagged satire? Is there something I missed?

                                                        1. 6

                                                          Very surprising that the BSDs weren’t given a heads up from the researchers. Feels like there would be a list at this point of people who could rely on this kind of heads up.

                                                          1. 13

                                                            The more information and statements that come out, the more it looks like Intel gave the details to nobody beyond Apple, Microsoft and the Linux Foundation.

                                                            Admittedly, macOS, Windows, and Linux covers almost all of the user and server space. Still a bit of a dick move; this is what CERT is for.

                                                            1. 5

                                                              Plus, the various BSD projects have security officers and secure, confidential ways to communicate. It’s not significantly more effort.

                                                              1. 7

                                                                Right.

                                                                And it’s worse than that when looking at the bigger picture: it seems the exploits and their details were released publicly before most server farms were given any heads up. You simply can’t reboot whole datacenters overnight, even if the patches are available and you completely skip over the vetting part. Unfortunately, Meltdown is significant enough that it might be necessary, which is just brutal; there have to be a lot of pissed ops out there, not just OS devs.

                                                                To add insult to injury, you can see Intel PR trying to spin Meltdown as some minor thing. They seem to be trying to conflate Meltdown (the most impactful Intel bug ever, well beyond f00f) with Spectre (a new category of vulnerability) so they can say that everybody else has the same problem. Even their docs say everything is working as designed, which is totally missing the point…

                                                            2. 7

                                                              Wasn’t there a post on here not long ago about Theo breaking embargos?

                                                              https://www.krackattacks.com/#openbsd

                                                              1. 12

                                                                Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability.

                                                                He agreed to the patch on an already extended embargo date. He may regret that but there was no embargo date actually broken.

                                                                @stsp explained that in detail here on lobste.rs.

                                                                1. 10

                                                                  So I assume Linux developers will no longer receive any advance notice since they were posting patches before the meltdown embargo was over?

                                                                  1. 3

                                                                    I expect there’s some kind of risk/benefit assessment. Linux has lots of users so I suspect it would take some pretty overt embargo breaking to harm their access to this kind of information.

                                                                    OpenBSD has (relatively) few users and a history of disrespect for embargoes. One might imagine that Intel et al thought that the risk to the majority of their users (not on OpenBSD) of OpenBSD leaking such a vulnerability wasn’t worth it.

                                                                    1. 5

                                                                      Even if, institutionally, Linux were not being included in embargos, I imagine they’d have been included here: this was discovered by Google Project Zero, and Google has a large investment in Linux.

                                                                2. 2

                                                                  Actually, it looks like FreeBSD was notified last year: https://www.freebsd.org/news/newsflash.html#event20180104:01

                                                                  1. 3

                                                                    By late last year you mean “late December 2017” - I’m going to guess this is much later than the other parties were notified.

                                                                    macOS 10.13.2 had some related fixes to meltdown and was released on December 6th. My guess is vendors with tighter business relationships (Apple, ms) to Intel started getting info on it around October or November. Possibly earlier considering the bug was initially found by Google back in the summer.

                                                                    1. 2

                                                                      Windows had a fix for it in November according to this: https://twitter.com/aionescu/status/930412525111296000

                                                                  2. 1

                                                                    A sincere but hopefully not too rude question: Are there any large-scale non-hobbyist uses of the BSDs that are impacted by these bugs? The immediate concern is for situations where an attacker can run untrusted code like in an end user’s web browser or in a shared hosting service that hosts custom applications. Are any of the BSDs widely deployed like that?

                                                                    Of course given application bugs these attacks could be used to escalate privileges, but that’s less of a sudden shock.

                                                                    1. 1

                                                                      DigitalOcean and AWS both offer FreeBSD images.

                                                                      1. 1

                                                                        there are/were some large scale deployments of BSDs/derived code. apple airport extreme, dell force10, junos, etc.

                                                                        people don’t always keep track of them but sometimes a company shows up then uses it for a very large number of devices.

                                                                        1. 1

                                                                          Presumably these don’t all have a cron job doing cvsup; make world; reboot against upstream *BSD. I think I understand how the Linux kernel updates end up on customer devices but I guess I don’t know how a patch in the FreeBSD or OpenBSD kernel would make it to customers with derived products. As a (sophisticated) customer I can update the Linux kernel on my OpenWRT based wireless router but I imagine Apple doesn’t distribute the Airport Extreme firmware under a BSD license.

                                                                    1. 4

                                                                      Seems like this is not an ARM or an AMD bug. If so, good news for them and a second even bigger wakeup call for Intel after the management processor debacle.

                                                                      1. 2

                                                                        How do you judge ARM unaffected? I saw the patch regarding AMD but there is a diff regarding ARM floating around that could be tied to this: https://lwn.net/Articles/740393/

                                                                        1. 1

                                                                          It sounds like ARM is affected, but the impact is not as severe: http://lists.infradead.org/pipermail/linux-arm-kernel/2017-November/542751.html

                                                                          Their benchmarks say that syscalls roughly doubled in cost, but unlike the Intel bug, the cache remains intact. The Intel bug is particularly bad because the page cache has to be fully flushed on each userspace/kernel transition.

                                                                          1. 3

                                                                            A bit nitpicky, but my read of that is that the bug itself is equally present on ARM as on Intel (unlike AMD, which isn’t affected), but due to ARM’s virtual memory design it’s possible to implement the workaround (PTI) with less of a performance hit. Which is a better outcome for ARM, but more like luck than better QA, since those architectural features on ARM weren’t designed for the purpose of implementing something like PTI, they just happen to be useful for it.

                                                                            1. 1

                                                                              Ah, you’re right, where I said “bug” I meant “bugfix”.

                                                                      1. 3

                                                                        I’m sure this is a minority opinion, but it would be nice if it were easy to opt-out of these changes.

                                                                        For my home machines I’m not concerned about the security risk, and would rather have the better performance.

                                                                        1. 5

                                                                          It looks like the pti=off flag should get the old behavior back.
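An added example (not from the thread or any commenter) of how an operator can tell whether a host has opted out of the Meltdown mitigation the way the comment above describes. It assumes the Linux boot parameters `pti=off` and `nopti`, and the sysfs status file `/sys/devices/system/cpu/vulnerabilities/meltdown`, which kernels from 4.15 onward expose; older kernels (those current when this thread was written) have no such file, and the script reports that as unknown rather than guessing. The inputs are passed as strings so the logic runs against constructed samples; `live_check` reads the real files on a host.

```shell
#!/bin/sh
# Added example: report Kernel Page Table Isolation (PTI) state for a host.
# Not code from the thread. Assumes the pti=off / nopti boot parameters and
# the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown (Linux >= 4.15).

# pti_from_cmdline CMDLINE: "off" if pti=off or nopti is present,
# "on" if pti=on is present, otherwise "default".
pti_from_cmdline() {
    result="default"
    for tok in $1; do
        case "$tok" in
            nopti|pti=off) result="off" ;;
            pti=on)        result="on" ;;
        esac
    done
    printf '%s\n' "$result"
}

# meltdown_state LINE: classify one line of the sysfs meltdown file.
meltdown_state() {
    case "$1" in
        "Not affected") echo "not-affected" ;;
        Mitigation:*)   echo "mitigated" ;;
        Vulnerable*)    echo "vulnerable" ;;
        *)              echo "unknown" ;;
    esac
}

# assess CMDLINE SYSFS_LINE: one-line verdict a fleet check can grep for.
# The sysfs line is authoritative; the boot parameter only explains *why*
# a host reports Vulnerable.
assess() {
    flag=$(pti_from_cmdline "$1")
    state=$(meltdown_state "$2")
    if [ "$state" = "not-affected" ]; then
        echo "ok: CPU not affected (pti flag ignored)"
    elif [ "$state" = "mitigated" ]; then
        echo "ok: $2"
    elif [ "$flag" = "off" ]; then
        echo "warn: Meltdown mitigation disabled via boot parameter"
    else
        echo "warn: $2"
    fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CMDLINE_OFF="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro pti=off quiet"
SAMPLE_CMDLINE_DEFAULT="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_SYSFS_MITIGATED="Mitigation: PTI"
SAMPLE_SYSFS_VULN="Vulnerable"

# live_check: run the assessment against the real host files, if present.
live_check() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ ! -r "$f" ] || [ ! -r /proc/cmdline ]; then
        echo "unknown: sysfs vulnerability file not present (kernel < 4.15 or non-Linux)"
        return 1
    fi
    assess "$(cat /proc/cmdline)" "$(cat "$f")"
}
```

Run `live_check` on a host to get a single line suitable for a fleet inventory; the sample values show what a machine booted with `pti=off` reports compared with one running the default mitigation.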

                                                                          1. 2

                                                                            I’m not concerned about the security risk

                                                                            we don’t yet know what are the security risks.

                                                                            1. 7

                                                                              Shared computers are more shared. :)

                                                                              1. 1

                                                                                Well, we know it involves user processes reading kernel memory, and I’m confident that I’m not running any malicious user processes that are attempting to do so.

                                                                                And the real issue is almost certainly not as bad as the scare mongering in The Register’s article.

                                                                            1. 1

                                                                              This looks horrendously unreadable.

                                                                              1. 2

                                                                                It’s actually interactive. You can click a button like ‘m’ (or hit m on the keyboard) and see shortcuts available when you’re composing a new message. If you are actually using mutt this makes more sense than a huge list of modes & hotkeys in groupings.

                                                                                1. 1

                                                                                  Aha, that explains it. I was viewing the page via my iPhone.

                                                                                2. 1

                                                                                  I agree - different colours could have been chosen.

                                                                                1. 8

                                                                                  Wow. This guy is the Miod Vallat of desktop environments.

                                                                                  1. 1

                                                                                    My…friend…doesn’t know who Miod Vallat is.

                                                                                    1. 7

                                                                                      Miod and his machine room.

                                                                                      1. 1

                                                                                        He had an Alpha-based laptop, too. I didn’t know Tadpole made those. Ran OpenVMS, too, for a little over $10,000. If FOSS’d, that kind of laptop could be useful today for verifiable or non-backdoored computing given Alphas with those specs were on a 500nm process. That’s still verifiable without electron microscopes or whatever.

                                                                                        Plus, PALcode was the shit. We need a RISC-V that’s microcoded and/or PALcoded with a HLL compiler for those. One can do many neat things.

                                                                                  1. 12

                                                                                    Suggestion for the website itself: Don’t have the auto-load happen when you first scroll down to the bottom of the page. Let the user initiate that action so that the footer is still accessible. The Instagram website is a good example of this design pattern. Otherwise, really interesting stuff, thanks for sharing!

                                                                                    1. 5

                                                                                      Thanks!

                                                                                      This is somewhat of a meta-joke we have — autoload and unreachable footer are clear anti-patterns, yet we force them ourselves. But you’re right, we should eventually switch to initiating the autoload by user.

                                                                                      1. 1

                                                                                        Or make the footer stick to the bottom of the browser frame.

                                                                                        1. 9

                                                                                          ugh please no, floating elements are terrible and only limit screen real estate on small devices.

                                                                                          1. 2

                                                                                            I think floating navigation can make sense in some contexts since having navigation easily accessible can be important. A footer is not important to have always accessible though, so I would agree that it probably isn’t the best choice here.

                                                                                      2. 1

                                                                                        For me, it loads the rest of the page before Safari can even finish the bounce-back animation, so it just cuts it off in the middle.

                                                                                      1. -1

                                                                                        I think there’s a question that should be asked. Would this be found if firefox was a GPL project, and should we be primarily contributing to GPL projects since ALL of it must be shared?

                                                                                        1. 8

                                                                                          That is irrelevant. The Linux kernel is GPL and yet you don’t get immediate access to all development done by companies around it. Most will throw you a tarball of the source code over the wall once in a while (see Google Android). They can develop an auto install feature, use it to distribute a payload and show you the code months later, heck they don’t even have to if the payload is a loadable Linux kernel module.

                                                                                          In this specific case, the extension is actually shared and open source. So was the code used to deploy the plugin/shield study. However that doesn’t prevent a valid use-case (deploying opt-in user studies) being misused as an advertising channel (TV show tie-in piggy backing on your consent to help with user studies).

                                                                                          1. 2

                                                                                            I guess then the answer is don’t contribute to corporate maintained repositories and that we should be using a non-corporate browser.

                                                                                            1. 12

                                                                                              Firefox is the closest to a non-corporate browser you can get. Essentially there are only 4 serious web rendering engines still in active development:

                                                                                              • WebKit (derived from KHTML) maintained & developed mainly by Apple
                                                                                              • Blink, forked off of WebKit by Google
                                                                                              • Gecko maintained & developed by Mozilla
                                                                                              • Trident/Edge developed by Microsoft

                                                                                              Those companies have the resources to push development and keep up with security updates. Developing a web browser rendering engine is a very resource intensive process. If you switch to a browser that just consumes one of those then you are really not changing anything - that browser is at the mercy of the upstream vendor and will lag with security updates. If you find a browser that actually forks one of the above then you run with the risk of them not keeping up with security & development.

                                                                                              1. 5

                                                                                                This is true, but it’s very important to note that if you install Firefox or Chromium from a distro like Debian, they will do the work of stripping out the tracking misfeatures while still applying critical security updates from upstream. The whole job of the Debian maintainers in this case is to protect users from exactly this situation, and they do a good job at it.

                                                                                                1. 2

                                                                                                  Yes, I guess this is the heart of the problem. There really should be a community driven browser just as there is a community driven operating system.

                                                                                            2. 2

                                                                                              The code was open source (https://github.com/mozilla/addon-wr) and even if it wasn’t addon code is shipped in source form so you can inspect it on your end.

                                                                                            1. 7

                                                                                              So, why isn’t Theo called on his rants more often?

                                                                                              We even have a nice little epithet ready-made: DeRants.

                                                                                              1. 3

                                                                                                I think people who aren’t up for that particular brand of interaction just avoid the project – which is probably how he likes it!

                                                                                                I was using OpenBSD for pf and relayd for a few years, but I didn’t participate in the mailing list.

                                                                                                1. 3

                                                                                                  Because it happens much less often than you or anyone else believes.

                                                                                                  I’m participating in all the project related mailing lists daily - it’s easier to find someone completely not related to the project doing a rant on our list than it is to find Theo finally pushed into replying.

                                                                                                  1. 2

                                                                                                    I’m an infrequent reader of the OpenBSD lists (I normally read them weekly), but a quick scan of December’s posts by Theo has 4-5 posts that are rather abrasive (at least to my probably over-sensitive eyes).

                                                                                                    For example: 1 2 3 4

                                                                                                    1. 1

                                                                                                      Now go through the emails from the same time period looking out for Rupert Gallagher, i.e. in the SSD TRIM thread - note you won’t be able to on marc.info as he uses ProtonMail. That’s a person not related to the project; Theo just stands out to you as he is a known person and people trigger him with emails like the one quoted below:

                                                                                                      Date: Wed, 06 Dec 2017 03:15:57 -0500
                                                                                                      From: Rupert Gallagher
                                                                                                      To: Mike Burns
                                                                                                      Cc:
                                                                                                      Subject: Re: TRIM on SSD

                                                                                                      I know well that article, because it is several years old with no updates.

                                                                                                      Those working on ffs should do what they are supposed to do. Lack of money? Setup a stickers sale or a kickstarter, get the money and just fucking do it.

                                                                                                      Sent from ProtonMail Mobile

                                                                                                      edit: removed emails from the headers, no point feeding spam bot crawlers.

                                                                                                      1. 2

                                                                                                        I don’t disagree that there are plenty of abrasive posts from others on -misc (probably more so than on any other list I’m subscribed to… well other than cypherpunks, but that’s another story…). I can’t help but think that the tone of some of Theo’s posts has encouraged others to post in a similar vein.

                                                                                                        Yes, I know “shut up and show me the code”, but surely newbies need to start somewhere?

                                                                                                        1. 1

                                                                                                          Is that a deliberate feature of Proton Mail or a happy accident? I fail to see how a service like Proton Mail can work for a mailing list scenario, surely the mail is sent in plain text as per normal?

                                                                                                          1. 1

                                                                                                            Well you can read it and pass it through a base64 decoder. It’s just something the marc.info mail archive software is not able to handle and the user decided not to disable that in his protonmail settings. It’s not for security.