« L'Asie-Pacifique, c'est grand. Facilement 175 ms de latence. »


Show thread

Apparently, that “constant-time” userland crypto code is not all that constant without having the “Please, let my code be worthy of constant-time execution on this CPU” flag¹ being set ¯\_(ツ)_/¯

Linux Kernel Mailing List discussion:

¹ It’s a bit in a Model-Specific Register (MSR), so privileged operation meaning it requires kernel support…

> We discover ÆPIC Leak, the first [...] CPU bug that leaks stale data from the microarchitecture WITHOUT using a side channel. [...] leaks stale data incorrectly returned by reading undefined APIC-register ranges.
> ÆPIC Leak is like an uninitialized memory read in the CPU itself.

What a wonderful time to be alive. aepicleak.com/

Tiens, encore un langage de programmation ? (Mais celui-cxi vient de James Clark, celui de groff, jade et nxml-mode donc ça doit être bien.) blog.jclark.com/2022/05/why-ba


Ha #humour de développeur dans la dernière release du micrologiciel du modem du #pinephone:

“Fix one, two or -2,147,483,648 buffer overflows”



Quoting an anonymous Twitter user (got harrassed for these statements):

"Safari is buggy" is a valid criticism.

"Safari is behind Chrome in features" is not a valid criticism.

Never forget that the browser vendors, including Google and Apple, seized control of the web from the W3C. These few companies have too much power over the web, period.


A wild #blog post appears!

Let's study the #LLVM and #GCC optimizers around the question of increments and decrements and see how they differ. Then we can make a decision as to whether or not we want to teach those optimizations to our #QBE optimizer we've been working on.


#compile #compilers #optimizer #optimizers #compile #optimize #unix #c #programming #program #bsd #openbsd #freebsd #netbsd #dragonflybsd #linux #cproc

Multiple vulns have been found in #swhkd, a #rust based hotkey daemon for Wayland. Again, this clearly shows (after log4j and Spring4Shell) that one can use a memory safe language and still implement a bunch of vulns.

Don't get me wrong, I like rust's concept, however, I am annoyed by the current trend and attitude that every software is secure as long as it's implement it in rust.

Even worse, when people start bashing other people coding in C and all them careless.


as openbsd ports is currently locked for 7.1 release, lang/rust 1.60.0 is available at github.com/semarie/rust-ports

@cynicalsecurity Unless somebody can explain in deep technical detail what “disabling HT in the BIOS” actually means (i.e. in what state are the threads and how can one still interact with them) the only sane thing to do seems to be to actually bring up *all* logical cores, enable MCE and explicitly park them with interrupts disabled. At least this way all cores are in a well defined state.
Disabling HT in the BIOS is rather hand-wavy until somebody explains what’s actually happening.

The Digest, now on Mastodon @bsd.network
This is way overdue: I'm now posting Digest notes to bsd.network/@dragonflydigest, a BSD-specific Mastodon server. It's bothered me for a while that I'm autoposting Digest headlines to Twitter, which is useful for Twitter users but still supporting a walled garden.  Mastodon is a better implementation of a similar idea, and bsd.network nicely groups all sorts… ...

En mettant en place un outil de surveillance qui détecterait 99% des terroristes avec seulement 0.1% de marge d'erreur, 90% de ce que vous détectez ce sont des innocents.
C'est juste des statistiques et c'est foutrement instructif ⬇⬇⬇

stream de ?

il faut bien utiliser le stream1: stream.passageenseine.fr/strea

sinon avec le stream2 on a juste le chat qui dort (remarquez que c'est reposant comme stream) stream.passageenseine.fr/strea

Paper about #LazyFP Intel CPU flaw is out:
“LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels”


second try with DBUS_SESSION_BUS_ADDRESS="no:" as launching keepassxc still triggered dbus-daemon launch.

/me should go reading libdbus code source

Show thread

how to asking libdbus for no D-Bus: run with DBUS_SESSION_BUS_ADDRESS="" in environment.

dbus-launch(1) man page says if DBUS_SESSION_BUS_ADDRESS is not set, it means "autolaunch:". So try to convience dbus that I really want to *not* run it.

(note: it is still in testing... maybe nowdays it is really a mandatory componment. let's see what doesn't work)

Oh look, Theo de Raadt seems to confirm my feeling regarding Intel Hyperthreading that I tooted about yesterday:


See also this discussion/rant (with @mulander @cynicalsecurity @csirac2) about Hyperthreading from January:


My life is swirling sewage-laden toilet bowl right now, but the world needs an article on OpenBSD "breaking embargos."

If other people find the sources, I'll take an hour and hammer them into a post.

Post original mailing list and article links in answer to this toot. Or don't. Whatevs.

I'll credit folks, of course.

My bias on this: there were fubars, like the 8 out of 10 OpenSSL bug. They'll argue against embargos over beer, but if they agree to it they'll keep it.

Show older

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!