Sébastien Marie is a user on maly.io. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.

Sébastien Marie @semarie@maly.io

@julianaito do *not* try to search "2048", another gadget could be showed

@ckeen it has been [removed](cvsweb.openbsd.org/cgi-bin/cvs) because of the [requirement](github.com/apache/couchdb/issu) of ancient SpiderMonkey and it blocked the removal of [lang/spidermonkey](cvsweb.openbsd.org/cgi-bin/cvs)

but if you are able to update it with a sane spidermonkey dependency, it could be fine.

@cybergrunge vue l'étiquette, ce n'est pas un fil de terre mais un fil pilote.
@maiwann c'est un chauffage à l'autre bout du fil ?

@cynicalsecurity Unless somebody can explain in deep technical detail what “disabling HT in the BIOS” actually means (i.e. in what state are the threads and how can one still interact with them) the only sane thing to do seems to be to actually bring up *all* logical cores, enable MCE and explicitly park them with interrupts disabled. At least this way all cores are in a well defined state.
Disabling HT in the BIOS is rather hand-wavy until somebody explains what’s actually happening.

The Digest, now on Mastodon @bsd.network
This is way overdue: I'm now posting Digest notes to bsd.network/@dragonflydigest, a BSD-specific Mastodon server. It's bothered me for a while that I'm autoposting Digest headlines to Twitter, which is useful for Twitter users but still supporting a walled garden.  Mastodon is a better implementation of a similar idea, and bsd.network nicely groups all sorts… ...

@florian I saw this IPv6 problem from time to time. I will test it.

@jrx you should use the git version of radare2. the one in ports is outdated (0.10.6 is from Sept 27 2016)

En mettant en place un outil de surveillance qui détecterait 99% des terroristes avec seulement 0.1% de marge d'erreur, 90% de ce que vous détectez ce sont des innocents.
C'est juste des statistiques et c'est foutrement instructif ⬇⬇⬇

stream de ?

il faut bien utiliser le stream1: stream.passageenseine.fr/strea

sinon avec le stream2 on a juste le chat qui dort (remarquez que c'est reposant comme stream) stream.passageenseine.fr/strea

Paper about #LazyFP Intel CPU flaw is out:
“LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels”


second try with DBUS_SESSION_BUS_ADDRESS="no:" as launching keepassxc still triggered dbus-daemon launch.

/me should go reading libdbus code source

how to asking libdbus for no D-Bus: run with DBUS_SESSION_BUS_ADDRESS="" in environment.

dbus-launch(1) man page says if DBUS_SESSION_BUS_ADDRESS is not set, it means "autolaunch:". So try to convience dbus that I really want to *not* run it.

(note: it is still in testing... maybe nowdays it is really a mandatory componment. let's see what doesn't work)


- one possibility is editing /usr/src/distrib/miniroot/install.sub (not standard way)
- another is using /upgrade.site script (openbsd.org/faq/faq4.html#site)

@florian it seems there is a new sysctl in GENERIC.MP #24 : I see a sysctl_hwsmt symbol. wonder what it should be... 😃

Oh look, Theo de Raadt seems to confirm my feeling regarding Intel Hyperthreading that I tooted about yesterday:


See also this discussion/rant (with @mulander @cynicalsecurity @csirac2) about Hyperthreading from January:


My life is swirling sewage-laden toilet bowl right now, but the world needs an article on OpenBSD "breaking embargos."

If other people find the sources, I'll take an hour and hammer them into a post.

Post original mailing list and article links in answer to this toot. Or don't. Whatevs.

I'll credit folks, of course.

My bias on this: there were fubars, like the 8 out of 10 OpenSSL bug. They'll argue against embargos over beer, but if they agree to it they'll keep it.

Colin Percival tweeted a short thread on the “Lazy FPU” vulnerability that was just disclosed (CVE-2018-3665).

Colin credits his learning about it to Theo de Raadt. Took him ~5 hours to come up with working exploit code.


More info on seclists.org and discussion on lobste.rs.



vulnerability: Exploiting lazy FPU state switching

Earlier this year, Julian Stecklina (Amazon) and Thomas Prescher (Cyberus Technology) jointly discovered and responsibly disclosed another vulnerability that might be part of these, and we call it LazyFP. LazyFP (CVE-2018-3665) is an attack targeting operating systems that use lazy FPU switching. This article describes what this attack means, outlines how it can be mitigated and how it actually works.



Systems using ® Core-based microprocessors may potentially allow a local process to infer data utilizing state restore from another process through a speculative execution side channel.