cynicalsecurity -> has moved to

Periodic reminder that I have moved my account to

Polite notice: I’ve moved, I’m on @cynicalsecurity now.

I just noticed some people are still answering here and I have not seen your messages, sorry :(

And yes, I did set the forward…

I have moved my main account to @cynicalsecurity should you wish to follow me there.

I have already followed, at least I hope, all those I was previously following.

Hi all

I'm moving my main account to @phessler, so update your follow settings if you desire.

Achtung Bitte: I am going to try to move my account from @cynicalsecurity to @cynicalsecurity

I don't know if it will work correctly because I am using the web interface and I am one of these "give me my ADM-3A back" people. Bear with me.

Are the standard documents for #WPA3 available? #OpenBSD has an interest in creating a not-shite implementation for our #wifi.

I am not sure if I should thank @Kensan and @qrs for introducing me to Intel's DIDO where the NIC speaks directly to the processor's L3 cache.

Now I am even more terrified of Intel processors than I already was.

It is obviously a performance trick taking DMA over PCI to the next level (most likely for Intel NICs which are already integrated on SOCs) but… my God that takes courage to deploy in any secure network design.

Does anyone have experience with the PINE64 SBCs?

They seem to offer Gigabit Ethernet compared to the Raspberry Pi3 or is this purely theoretical? I also note FreeBSD support in 12.0-CURRENT.

Looking to do a firmware update to install the #Meltdown microcode, but don't have Windows?

On #OpenBSD: pkg_add geteltorito; geteltorito -o bios.img firmware-update.iso; then dd bios.img onto a usb stick.

#FreeBSD update on #Meltdown mitigation. Including a WIP mitigation implementation.

The patch applied fine in #HardenedBSD 12-CURRENT. I'm compiling world + kernel with the patch to test it out on my laptop.

On yet another note I have started dumping my brain on paper due to medical reasons. Almost forty years of hacking which might be eventually of interest to someone.

On a completely separate note from CPU shenanigans the amazing news is that I have two (!!) offers for H||GTFO articles, both by beards greyer than mine, and one of the two is DEC VAX hacking, the other stuff which would have been TS/SC not long ago.

So hoping they’ll deliver!

Reversing an antivirus to make it detect classified documents 👌

There’s a moment in Code Rush, the 2000 Netscape documentary where Jamie Zawinski (who should be here?) says, this is a new medium, but if we don’t watch it this could end up like television. It could be controlled by a few big companies. It really hurt the heart.

Speaking of trying out all the emulators, I'm a bit of a fan of those which run in the browser. Full-screen the browser and you get the feeling of just having the machine to yourself. There's a hundred or so catalogued here, from the usual 8bit suspects, to early Unix capable machines, even earlier machines, 16 bit machines - you name it!

#acorn #atari #commodore #altair #amstrad #datageneral #apple #dec #robotron #sinclair #tandy #ibmpc #babbage

@fluffy @ajroach42

Should we stop and realise that we need data-driven security, we would be forced to acknowledge the need for a major redesign.

Personally I’m quite fond of tagged designs but I am also looking elsewhere but always in the direction of securing data throughout the system and, possibly, the network.

The problem will just have been moved elsewhere to the next subsystem which was ignored in the original threat model and in the new amended threat model which is just “old threat model” + “side-channels in OoO execution”.

Because of the marketing-driven rush there will be no comprehensive review of the new threat model which includes a network, multi-tenant VMs, etc. Net result: we are playing whack-a-mole with security issues in hardware as we are in software.

and, objectively, it wasn’t. Hardware security in the 90’s meant an Atalla cryptographic module or IBM’s Cryptographic Accelerator for the zSeries.

So, what am I trying to say?

At the moment everyone is up in arms about side-channel attacks on speculative execution and they are all barking up the wrong tree.

Allow me to explain: what are we attacking? We are, ultimately, attacking data. Once the chip manufacturers have scrambled to fix this PR nightmare what will be the net result?