1. 6

      This is just gold:

      Under the new patch, Linux listed all x86-compatible chips as vulnerable, including AMD processors. Since the patch tended to slow down the processor, AMD wasn’t thrilled about being included. The day after Christmas, AMD engineer Tom Lendacky sent an email to the public Linux kernel listserve explaining exactly why AMD chips didn’t need a patch.

      “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault,” Lendacky wrote.

      A very interesting article. Would be more interesting to know the details behind the above gaffe — did the AMD engineer break his NDA, or did he come up with the root cause behind the patch independently?

      TBH, regarding discussions on public listserve, it seems really weird that these kinds of things wouldn’t be done behind closed doors — just because the software is OSS, doesn’t mean that every single change has to be thoroughly explained on the public mailing lists, like Verge seems to suggest. In the BSD world, for example, internal developer-only (i.e., committer-only) mailing lists do exist, which, for better or worse, make it easy to not unneccessarily publicise such changes, whilst still gettting the exposure and feedback from the developer community.

      1. 16

        When you know a secret for too long, you forget what’s supposed to be secret and what’s not. Also, when too many people know, you forget who knows and doesn’t. You forget when it’s secret and when it’s public. When the secret topic is half secret and half public, you forget precisely what’s secret and what’s not. Etc., etc.

        Governments, with 100 years of practice, screw this up. Amateurs are doomed.

        1. 3

          wow … 64Mb!?! I remember upgrading to 12 :)

          Also impressive:

          AMD 5X86 486-clone running at 133mhz

          Similar performance to Pentium 75Mhz

          The AMD 5X86 series were the fastest 486 clones ever made

          1. 1

            If all you want is the TL;DR, here’s the headline finding: due to flaws in both Signal and WhatsApp (which I single out because I use them), it’s theoretically possible for strangers to add themselves to an encrypted group chat. However, the caveat is that these attacks are extremely difficult to pull off in practice, so nobody needs to panic. But both issues are very avoidable, and tend to undermine the logic of having an end-to-end encryption protocol in the first place.

            1. 2

              I got this recommendation from a podcast and was pleasantly surprised. There is so much in the book that I’ve enjoyed it and connected a lot of small dots for me.

              Sapiens: A Brief History of Humankind, Yuval Noah Harari, 2011

              1. 2

                I enjoyed Sapiens too. Relevant to the suggestion Harari makes about the shift to agriculture being a net negative, I recently saw an interesting critique of studies that concluded pre-agriculture humans worked a lot less than humans in later societies. Basically, it seems that a whole lot of food processing work that happened after collecting raw ingredients wasn’t accounted for. Once it’s accounted for, the amount of work goes up to ~35 hours per week IIRC. I wonder if that puts a dent into Harari’s argument.

              1. 3

                If you like this, also see this recent BBC Radio 4: PowerPointless http://www.bbc.co.uk/programmes/b092r9j0
                From there I found about the Swiss Anti-PowerPoint Party :-D

                1. 8

                  There have been so many attempts to make the dream of the free software phone a reality that have failed or come up short. I really want this project to succeed.

                  1. 2

                    I wish the fairphone was a good free software phone. But it runs android and even the “open source” version ships binary blobs and the development process is sealed off from the public :(

                    And while purism has a much better approach to open source, the hardware supply chain is much less transparent than fairphone’s.

                    I support both efforts, but ideally I would like to buy a product that meets both of these goals.

                    1. 1

                      Basically the Purism software should run on a Fairphone?

                      1. 1

                        Not sure, what about the binary blobs that are required on the FP ? (see https://code.fairphone.com/projects/fp-osos/dev/fp2-blobs-download-page.html)

                  1. 3

                    I think a few issues mentioned here (like copy and paste being weird key combos) are related to using the default Windows console application specifically. But you can run bash.exe from other apps too! I like ConEmu, it’s a lot nicer to use.

                    https://conemu.github.io/

                    1. 3

                      I’ve used https://github.com/mintty/wsltty that was mentioned on the bug under Github

                    1. 4

                      Very nice … she has lots of interesting stuff there on the blog and I learned that CoreOS/Container Linux is related to ChromeOS. Also some dotfiles :)

                      1. 3

                        The problem with “how to secure” instructions for advanced users is that less advanced users won’t read them. Still waiting for the day somebody ships an iot that requires a “how to make insecure” guide.

                        1. 2

                          Maybe Rockwell-Collins AAMP7G:

                          https://www.rockwellcollins.com/-/media/Files/Unsecure/Products/Product_Brochures/Information_Assurance/Crypto/AAMP7G_data_sheet.ashx

                          Not sure if they’ll sell it to IoT vendors. It can be cloned based on publicly-available information, though. Green Hills also has a secure OS (INTEGRITY-178B) targeting this market with a bunch of middleware for crypto, networking, and so on. You can get the “how to secure” with maybe decent security but it comes at a steep price so far. Everything I’ve seen was around $40,000-50,000 or more for OEM deal. Kind of a steal versus the cost of building that much stuff robustly but too much for the IoT vendors aiming to maximize profit by reducing development and per-unit costs. Better to use free stuff with little to no security. ;)

                          1. 1

                            Ubuntu Core seems to require that you register the an account online with an SSH key if you want to use SSH.

                          1. 1

                            So Randy was wrong ? :) See pages 8 and 9 of the transcript of his talk Randy Pausch Lecture: Time Management

                                1. 2

                                  Interesting, didn’t know about the ‘Network Scan’. Also nice to compare the results between browsers including my phone!

                                    1. 1

                                      Interesting and SLES still uses it by default. What’s going on here ?

                                      1. 21

                                        There is a reasonable explanation from a former Red Hat developer who worked on btrfs. I have quoted most of his comment for convenience:

                                        People are making a bigger deal of this than it is. Since I left Red Hat in 2012 there hasn’t been another engineer to pick up the work, and it is a lot of work.

                                        For RHEL you are stuck on one kernel for an entire release. Every fix has to be backported from upstream, and the further from upstream you get the harder it is to do that work.

                                        Btrfs has to be rebased every release. If moves too fast and there is so much work being done that you can’t just cherry pick individual fixes. This makes it a huge pain in the ass.

                                        Then you have RHEL’s “if we ship it we support it” mantra. Every release you have something that is more Frankenstein-y than it was before, and you run more of a risk of shit going horribly wrong. That’s a huge liability for an engineering team that has 0 upstream btrfs contributors.

                                        The entire local file system group are xfs developers. Nobody has done serious btrfs work at Red Hat since I left (with a slight exception with Zach Brown for a little while.)

                                        https://news.ycombinator.com/item?id=14909843

                                        1. 3

                                          Pure speculation on my part: RHEL/CentOS uses XFS now by default. I guess this is “good enough” and due to changing requirements of their customers, mostly towards virtualization, container technology, overlay filesystems etc., btrfs became a solution looking for a problem?

                                          1. 5

                                            When talking about RedHats customers: many of them use RAID setups… So I asked today at my clients site, and got shown the following page:

                                            https://btrfs.wiki.kernel.org/index.php/Status

                                            RAID0: OK

                                            RAID1: Mostly okay (may get stuck irreversibly)

                                            RAID10: Mostly okay (may get stuck irreversibly)

                                            RAID56: Unstable. Write hole still exists, parity not checksummed

                                            So, this is the reason why btrfs was not even considered as a trial there. They had definitely looked into it.

                                          2. 2

                                            Maybe they have a plan to use ZFS at some point? I wish they had included some explanation for dropping support.

                                            1. 2

                                              My suspicion is that when Red Hat added btrfs to RHEL 6 as a technology preview they expected it to stabilize and to move to a fully supported thing within a major release or two of RHEL, but now Red Hat’s engineering no longer believes that this is going to happen soon enough. Based on a three to four year release cycle, RHEL 8 is probably going to be released within a year (RHEL 7 came out June 2014), so now is about when Red Hat could be making engineering decisions about what will be included and what won’t be.

                                            1. 1

                                              not sure if this fits your requirements, but I’ve been meaning to try out AWS Network Mapping with Lucidchart Import (video)

                                              1. 3

                                                Is the website failing HTTPS cert verification for anyone else?

                                                  1. 10

                                                    I keep seeing this as a reply but I’m not sure what purpose does it serve: you still can’t read the site. The only thing you can get from comments is that yes, the site is using a self-signed certificate, meaning that the breakage is intentional.

                                                    1. 7

                                                      It is not broken - it is simply a different approach to CAs.

                                                      1. 4

                                                        It is not broken

                                                        Broken has a couple of different meanings in this context. The relevant ones being (a) “according to design” and (b) “according to reasonable expectations of users.” It can be broken(b) while also not-broken(a). Or in other words it can be “broken by design.”

                                                        1. 2

                                                          The user process is broken. The browser tries its best to give a very technical workaround, but the fact is that all other sites I read on the web don’t require me to trade my own sense of security for that of the author.

                                                          I do respect his choice, to be sure, but I ask people here to stop just silently referring to that original comment thread as if it explains anything. It doesn’t.

                                                        2. 2

                                                          In Chrome at least you can certainly read the site, you just have to click “Advanced” and “proceed to teduangst.com”

                                                          1. 2

                                                            The idea is to add the CA to the browser store. The CA is constrained to creating certs for tedunangst.org, which is nice. The weakness here is acquiring the CA in a secure way in the first place; the model is similar to SSH or signify.

                                                            Ideally you would acquire the CA out of band, like by meeting Ted in person. Good luck with that.

                                                            Unfortunately clicking through like you described loses any benefit: you’re obviously not checking the cert every time, so you’re prone to being MITMed each time you visit the site, as opposed to just the first time. (Firefox lets you save the exception, but Chrome doesn’t.)

                                                            The benefit of this over Let’s Encrypt is that if you add Ted’s CA and remove all the other CAs (that don’t have their own name constraints) from your cert store, you know that any valid HTTPS cert for tedunangst.com came from Ted and not from another compromised CA. I doubt even people who have added Ted’s CA have removed those other CAs, though, so it doesn’t seem like a real benefit to me.

                                                          2. 2

                                                            Indeed. I don’t understand this at all.

                                                        3. 2

                                                          Hi wyager, seems it’s my turn to direct you to: https://lobste.rs/s/qeqqge/moving_https ;-)

                                                          1. [Comment removed by author]

                                                            1. 4

                                                              It’s not just a self-signed cert, it’s a custom CA cert. If it were a self-signed cert, great, trust the site or don’t and move on. As a CA, the question is whether you trust @tedu to sign certs for your email, bank, and every other site.

                                                              1. [Comment removed by author]

                                                                1. 6

                                                                  Thanks for digging in. I guess we’re getting to the point where someone should roll all this up in a FAQ to get linked from every “hey site’s ssl config is broken” comment is posted on a tedunangst.com story, which is going to happen regularly for the foreseeable future.

                                                                  1. 14

                                                                    Or, you know, he could just use a trusted CA, like everyone else. ;)

                                                                    1. 4

                                                                      An alternative that would not violate his conviction would be to still provide a non-HTTPS service on a different port, such as 8080. This allows proper use of HSTS and all the modern trimmings - while still allowing people to use software that doesn’t understand this CA/cert without additional hackery. It’s a solution that works for me.

                                                                      I use it when I find my overly strong TLS/SSL configuration to fail on an older device, for example.

                                                                      1. 3

                                                                        Oh, that’s something I hadn’t considered. Bit of a discovery problem, and then the question of which link people pass around, and duplicate detection, and oh my, but it’s a good addition to the list of alternative plans.

                                                                        1. 1

                                                                          Oh! I thought HSTS would enforce HTTPS for all ports. Are you sure this works in all browsers? :O

                                                                        2. 1

                                                                          The certificate business is a protection racket, plain and simple, so be sure to read “Or, you know, he could just use a trusted CA, like everyone else” in your very best mobster-movie voice. It’ll make a lot more sense that way.

                                                                          1. 1

                                                                            If mob, I was thinking along the lines of, (mafia voice) “it would be a shame of what might happen to your site your users saw it without our protection and quality assurances and that sort of thing.”

                                                              1. 2

                                                                CVE and vulnerability statistics are nonsense. How often do we have to explain this?

                                                                Classic: https://www.youtube.com/watch?v=3Sx0uJGRQ4s

                                                                1. 6

                                                                  Hmm, they didn’t just count CVEs; according to the slides, they did a three-month audit of BSDs and then made conclusions based on the found bugs. So, although close, it’s not exactly “vulnerability statistics”.

                                                                  1. [Comment removed by author]

                                                                    1. 4

                                                                      A set of requirements, good design, implementation, and strong verification of each by independent parties. It’s what was in the first, security certifications. The resulting systems were highly resistant to hackers. At B3 or A1 level, that usually showed during the first pentests where evaluators would find very little or nothing in terms of vulnerabilities.

                                                                    2. 2

                                                                      That’s a great presentation despite deficiencies I’ll overlook. Especially on the relationship between what vulnerability researchers focus on and what the CVE lists show. A good example of this I’ve been discussing in another thread is OpenVMS. It lives up to its legendary reliability as far as I can tell so far but I learned that its security was an actual legend: mix of myth and reality. The reality was better architecture for security than its competitors back in the day, attention to quality in implementation, and low CVE’s in practice with famous DEFCON result. I figured what actually was happening is most hackers didn’t care about it or just couldn’t get their hands on the expensive system (same with IBM mainframe/minicomputers). I predicted they’d find significant vulnerabilities in it which happened at a later DEFCON. So, nice work, highly reliable, and not as secure as advertised by far. ;)

                                                                      Another good example to remember is Linux kernel. I slam it on vulnerabilities but that’s because they (esp Linus) don’t seem to care that much. The vulnerability count itself is heavily biased due to its popularity like Windows once was before Lipner of high-assurance security implemented Security, Development Lifecycle. I’ll especially note the effect of CompSci and vendors of verification/validation tools. They love hitting Linux since it’s a widely-used codebase with open code. Almost every time I see a new tool in static analysis, fuzz testing, or whatever they apply it to Linux kernel or major programs in Linux ecosystem. They find new stuff inevitably since the code wasn’t designed for security or simplicity like OpenBSD or similar project. So, there’s more to report just because there’s more eyeballs and analysis in practice instead of just in “many eyeballs” theory. Same amount of attention applied to other projects might have found similar amount of vulnerabilities, more, less, or who knows what.

                                                                      1. 3

                                                                        nickpsecurity:

                                                                        So, there’s more to report just because there’s more eyeballs and analysis in practice instead of just in “many eyeballs” theory

                                                                        That was one of the conclusions from Ilja as well, if I read it right:

                                                                        “Say what you will about the people reviewing the Linux kernel code, there are simply orders of magnitude more of them. And it shows in the numbers”

                                                                    1. 2

                                                                      I like how Google/Android simplified the stack, regular (desktop) Linux solution is some kind of schizophrenic dream :) Lot of dependencies, especially when you have to switch between Intel<->AMD<->NVIDIA drivers, you may spend half a day cleaning you system from unwanted packages.

                                                                      1. 1

                                                                        And ChromeOS uses Freon

                                                                        1. 1

                                                                          Yeah - Google, Microsoft, Apple are big enough to convince other players to deliver them drivers for the API they prepare.