Sébastien Marie @semarie@maly.io

@cynicalsecurity Unless somebody can explain in deep technical detail what “disabling HT in the BIOS” actually means (i.e. in what state are the threads and how can one still interact with them) the only sane thing to do seems to be to actually bring up *all* logical cores, enable MCE and explicitly park them with interrupts disabled. At least this way all cores are in a well defined state.
Disabling HT in the BIOS is rather hand-wavy until somebody explains what’s actually happening.

The Digest, now on Mastodon @bsd.network
This is way overdue: I'm now posting Digest notes to bsd.network/@dragonflydigest, a BSD-specific Mastodon server. It's bothered me for a while that I'm autoposting Digest headlines to Twitter, which is useful for Twitter users but still supporting a walled garden.  Mastodon is a better implementation of a similar idea, and bsd.network nicely groups all sorts… ...
dragonflydigest.com/2018/08/02

By setting up a surveillance tool that would detect 99% of terrorists with only a 0.1% margin of error, 90% of what you detect are innocent people.
It's just statistics and it's damn instructive ⬇⬇⬇
second-glance.fr/2017/01/22/la

stream of ?

make sure to use stream1: stream.passageenseine.fr/strea

otherwise with stream2 you just get the sleeping cat (mind you, it's a restful stream) stream.passageenseine.fr/strea

Paper about #LazyFP Intel CPU flaw is out:
“LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels”

blog.cyberus-technology.de/ima

second try with DBUS_SESSION_BUS_ADDRESS="no:" as launching keepassxc still triggered dbus-daemon launch.

/me should go read the libdbus source code

how to ask libdbus for no D-Bus: run with DBUS_SESSION_BUS_ADDRESS="" in environment.

dbus-launch(1) man page says if DBUS_SESSION_BUS_ADDRESS is not set, it means "autolaunch:". So try to convince dbus that I really want to *not* run it.

(note: it is still in testing... maybe nowadays it is really a mandatory component. let's see what doesn't work)

Oh look, Theo de Raadt seems to confirm my feeling regarding Intel Hyperthreading that I tooted about yesterday:

marc.info/?l=openbsd-tech&m=15

See also this discussion/rant (with @mulander @cynicalsecurity @csirac2) about Hyperthreading from January:

mastodon.social/@Kensan/992990

My life is a swirling sewage-laden toilet bowl right now, but the world needs an article on OpenBSD "breaking embargos."

If other people find the sources, I'll take an hour and hammer them into a post.

Post original mailing list and article links in answer to this toot. Or don't. Whatevs.

I'll credit folks, of course.

My bias on this: there were fubars, like the 8 out of 10 OpenSSL bug. They'll argue against embargos over beer, but if they agree to it they'll keep it.

Colin Percival tweeted a short thread on the “Lazy FPU” vulnerability that was just disclosed (CVE-2018-3665).

Colin credits his learning about it to Theo de Raadt. Took him ~5 hours to come up with working exploit code.

twitter.com/cperciva/status/10

More info on seclists.org and discussion on lobste.rs.

seclists.org/oss-sec/2018/q2/1

lobste.rs/s/qotnxq/confirmed_s

vulnerability: Exploiting lazy FPU state switching

Earlier this year, Julian Stecklina (Amazon) and Thomas Prescher (Cyberus Technology) jointly discovered and responsibly disclosed another vulnerability that might be part of these, and we call it LazyFP. LazyFP (CVE-2018-3665) is an attack targeting operating systems that use lazy FPU switching. This article describes what this attack means, outlines how it can be mitigated and how it actually works.

blog.cyberus-technology.de/pos

INTEL-SA-00145

Systems using Intel® Core-based microprocessors may potentially allow a local process to infer data utilizing state restore from another process through a speculative execution side channel.

intel.com/content/www/us/en/se

Thanks to Kurt Mosiejczuk's console server talk, I learned about upobsd for #OpenBSD upgrades for the brave. In ports.
bitbucket.org/semarie/upobsd

#BSDCan

Another shoutout for upobsd by @semarie.

Allows automatic upgrades and installs for #OpenBSD.

My serial console server is CompactFlash based and is (for obvious reasons) the one I cannot watch remotely. I usually have a long wait for upgrades since the CF is so slow.

Yesterday I used upobsd to do the main upgrade part unattended. It was *lovely*.

It's a package for 6.3. You can use it on a 6.3 box to make your bsd.rd and copy it to the 6.2 server in question.

Holy cow, there really are websites for everything.
For example, an extremely thorough wiki on comparative studies of shoelace knots… 😱
fieggen.com/shoelace/index.htm

why properly documenting API is hard or "a new candidate for worstly-designed trivial API: SSL_CIPHER_description(3)"

marc.info/?l=openbsd-misc&m=15

Awesome read about Meltdown protection, crazy kernel stuff and the collaboration between #Illumos, #DragonFlyBSD and #OpenBSD blog.cooperi.net/a-long-two-mo

# upobsd -u /auto_upgrade.conf -o /bsd && reboot

Fetches the latest installer, injects my answers, reboots into it, upgrades and reboots into new kernel.

How do you upgrade your #OpenBSD?

if you like one of them, you could like others (aka self-promoting of tools for OpenBSD - all available in ports):

- sysclean : list obsolete files between OpenBSD upgrades (aka delete old stuff between upgrades)

- checkrestart : help to find processes that need restarting after upgrade (aka which service to restart after pkg_add -u)

- upobsd : download, verify and patch bsd.rd image (aka upgrading the system without hands)