1. 2

    From what I understood, this doesn’t apply to Apple’s FileVault. Mostly metadata leaking from previewing images from other encrypted drives like Veracrypt.

    1. 1

      Hmm. Is this related to bsdcan?

        1. 1

          Yes, Theo gave an impromptu talk where he expressed frustration at rumors of openbsd being untrustworthy and then speculated on possible future intel problems. Screaming happened. But now it seems he was right.

          Though the bigger issue of embargoes and their value remains.

          1. 4

            Screaming happened.

            To be clear, the screaming was not done by Theo.

            1. 3

              I wish people would stop saying he gave a talk / presentation because that’s not what it was. This was a BOF session. It is a group discussion about a predefined topic and Theo was the BOF organizer. This is why he was talking to the crowd and asking questions. It wasn’t to attack anyone or inflame the situation; it was entirely within the spirit of the BOF.

          1. 4

            For those who don’t know the author, he’s been around for a while and was even a member of the team that “started” Canonical and Ubuntu [1].

            [1] https://wiki.ubuntu.com/BenjaminMakoHill

            1. 8

              I was expecting to see a reference to the fairphone in the article but none. Guess FP needs more marketing people :)

              p.s. it seems the FP CEO announced today that Android 7.1 is coming to the FP2 so it’s paying up! https://www.fairphone.com/en/2018/05/08/keeping-your-phone-longer-refreshed/

              1. 1

                I don’t do it (and it’s never been something I’ve even considered). If I was really concerned about reading the replies without reading anything that I’ve already seen, I’d use the mailing list feature.

                1. 1

                  Thank you. I’ve thought about it, but I would get all stories and not just one particular thread.

                  And even if I could, reading email for me is sub-par compared to reading it here. The layout is so clean and easy to zoom on any browser (mobile included) ;-)

                1. 6

                  I have returned from a week of holiday, so have spent my morning deleting emails and marking hipchat conversations as read. I’m in the middle of a vendor selection process, and this week is about crossing out the clearly bad choices and arranging to talk to the maybe good options.

                  I’m also negotiating a change to my contract to adopt a four-day week, talking to my CEO soon.

                  I’ve applied to volunteer at the National Museum of Computing.

                  I spent the weekend hacking on an app for managing notes on research papers. It’s nearly ready for a first release.

                  1. 1

                    National Museum of Computing

                    Nice, I really enjoyed the part of the visit of the VT terminals where I typed for a bit ;-)

                  1. 4

                    Really depends on your needs, but for a home desktop, and speaking about OpenBSD, I couldn’t use it for Skype/Google Hangouts because of problems getting my webcam going.

                    But if I did, I would try Firefox WebRTC [1] next, with the caveat that it is still something that is being worked on [2].

                    [1] https://mozilla.github.io/webrtc-landing/gum_test.html

                    [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1437670

                      1. 6

                        This is just gold:

                        Under the new patch, Linux listed all x86-compatible chips as vulnerable, including AMD processors. Since the patch tended to slow down the processor, AMD wasn’t thrilled about being included. The day after Christmas, AMD engineer Tom Lendacky sent an email to the public Linux kernel listserve explaining exactly why AMD chips didn’t need a patch.

                        “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault,” Lendacky wrote.

                        A very interesting article. Would be more interesting to know the details behind the above gaffe — did the AMD engineer break his NDA, or did he come up with the root cause behind the patch independently?

                        TBH, regarding discussions on a public listserve, it seems really weird that these kinds of things wouldn’t be done behind closed doors — just because the software is OSS doesn’t mean that every single change has to be thoroughly explained on the public mailing lists, like the Verge seems to suggest. In the BSD world, for example, internal developer-only (i.e., committer-only) mailing lists do exist, which, for better or worse, make it easy to not unnecessarily publicise such changes, whilst still getting the exposure and feedback from the developer community.

                        1. 16

                          When you know a secret for too long, you forget what’s supposed to be secret and what’s not. Also, when too many people know, you forget who knows and doesn’t. You forget when it’s secret and when it’s public. When the secret topic is half secret and half public, you forget precisely what’s secret and what’s not. Etc., etc.

                          Governments, with 100 years of practice, screw this up. Amateurs are doomed.

                          1. 3

                            wow … 64Mb!?! I remember upgrading to 12 :)

                            Also impressive:

                            AMD 5X86 486-clone running at 133mhz

                            Similar performance to Pentium 75Mhz

                            The AMD 5X86 series were the fastest 486 clones ever made

                            1. 1

                              If all you want is the TL;DR, here’s the headline finding: due to flaws in both Signal and WhatsApp (which I single out because I use them), it’s theoretically possible for strangers to add themselves to an encrypted group chat. However, the caveat is that these attacks are extremely difficult to pull off in practice, so nobody needs to panic. But both issues are very avoidable, and tend to undermine the logic of having an end-to-end encryption protocol in the first place.

                              1. 2

                                I got this recommendation from a podcast and was pleasantly surprised. There is so much in the book that I’ve enjoyed it and connected a lot of small dots for me.

                                Sapiens: A Brief History of Humankind, Yuval Noah Harari, 2011

                                1. 2

                                  I enjoyed Sapiens too. Relevant to the suggestion Harari makes about the shift to agriculture being a net negative, I recently saw an interesting critique of studies that concluded pre-agriculture humans worked a lot less than humans in later societies. Basically, it seems that a whole lot of food processing work that happened after collecting raw ingredients wasn’t accounted for. Once it’s accounted for, the amount of work goes up to ~35 hours per week IIRC. I wonder if that puts a dent into Harari’s argument.

                                1. 3

                                  If you like this, also see this recent BBC Radio 4 programme: PowerPointless http://www.bbc.co.uk/programmes/b092r9j0

                                  From there I found out about the Swiss Anti-PowerPoint Party :-D

                                  1. 8

                                    There have been so many attempts to make the dream of the free software phone a reality that have failed or come up short. I really want this project to succeed.

                                    1. 2

                                      I wish the fairphone was a good free software phone. But it runs android and even the “open source” version ships binary blobs and the development process is sealed off from the public :(

                                      And while purism has a much better approach to open source, the hardware supply chain is much less transparent than fairphone’s.

                                      I support both efforts, but ideally I would like to buy a product that meets both of these goals.

                                      1. 1

                                        Basically the Purism software should run on a Fairphone?

                                        1. 1

                                          Not sure, what about the binary blobs that are required on the FP? (see https://code.fairphone.com/projects/fp-osos/dev/fp2-blobs-download-page.html)

                                    1. 3

                                      I think a few issues mentioned here (like copy and paste being weird key combos) are related to using the default Windows console application specifically. But you can run bash.exe from other apps too! I like ConEmu, it’s a lot nicer to use.

                                      https://conemu.github.io/

                                      1. 3

                                        I’ve used https://github.com/mintty/wsltty, which was mentioned on the bug on GitHub.

                                      1. 4

                                        Very nice … she has lots of interesting stuff there on the blog and I learned that CoreOS/Container Linux is related to ChromeOS. Also some dotfiles :)

                                        1. 3

                                          The problem with “how to secure” instructions for advanced users is that less advanced users won’t read them. Still waiting for the day somebody ships an iot that requires a “how to make insecure” guide.

                                          1. 2

                                            Maybe Rockwell-Collins AAMP7G:

                                            https://www.rockwellcollins.com/-/media/Files/Unsecure/Products/Product_Brochures/Information_Assurance/Crypto/AAMP7G_data_sheet.ashx

                                            Not sure if they’ll sell it to IoT vendors. It can be cloned based on publicly-available information, though. Green Hills also has a secure OS (INTEGRITY-178B) targeting this market with a bunch of middleware for crypto, networking, and so on. You can get the “how to secure” with maybe decent security but it comes at a steep price so far. Everything I’ve seen was around $40,000-50,000 or more for OEM deal. Kind of a steal versus the cost of building that much stuff robustly but too much for the IoT vendors aiming to maximize profit by reducing development and per-unit costs. Better to use free stuff with little to no security. ;)

                                            1. 1

                                              Ubuntu Core seems to require that you register an account online with an SSH key if you want to use SSH.

                                            1. 1

                                              So Randy was wrong? :) See pages 8 and 9 of the transcript of his talk, Randy Pausch Lecture: Time Management.