eschaton posted:the #1 attribute I want to avoid is the assumption I’ll throw it away for something newer in a year so they don’t have to provide firmware updates

firmware updates are guaranteed to be a goner in 4-5 years, maybe even sooner - depends on the manufacturer. there's nothing inherently unstable about overclocking support however, unless you don't know what you do or got the first $99 cars you saw
|
|
# ? Jan 8, 2018 06:41 |
|
https://twitter.com/mjg59/status/950253767475183616
|
# ? Jan 8, 2018 07:42 |
|
quote:hey, we’re video game programmers, we know what we’re doing, it will be fine.
|
# ? Jan 8, 2018 08:25 |
|
De Raadt (OpenBSD) is very unhappy about how the Intel Bug is being handled https://www.itwire.com/security/81338-handling-of-cpu-bug-disclosure-incredibly-bad-openbsd-s-de-raadt.html
|
# ? Jan 8, 2018 14:18 |
|
Didn't the OpenBSD folks drop details way before the embargo date on one of the huge bugs in the last two years? Basically guaranteeing being left out on any new ones?? There have been so many I can't remember names anymore.
|
# ? Jan 8, 2018 14:29 |
|
thebigcow posted:Didn't the OpenBSD folks drop details way before the embargo date on one of the huge bugs in the last two years? Basically guaranteeing being left out on any new ones??

they agreed to a 6 week embargo on krack, the researcher said others needed more time to get patches through and bsd went “lol release” putting it out weeks early
|
# ? Jan 8, 2018 14:44 |
|
Rumor is for Meltdown that AMD's little tantrum making GBS threads on Intel over kpti on a public kernel list is what caused the embargo to be moved to last week. Professional secfuckers aren't terribly happy with them right now.
|
# ? Jan 8, 2018 15:08 |
|
theo is somewhat correct to be mad at intel

theo is also a loon
|
# ? Jan 8, 2018 17:36 |
|
quote:So, the branch predictor makes a prediction and the predicted instructions are fetched, decoded, and executed – but not retired until the prediction is known to be correct. Sound familiar? The realization I had – it was new to me at the time – was what it meant to speculatively execute a prefetch. The latencies were long, so it was important to get the prefetch transaction on the bus as soon as possible, and once a prefetch had been initiated there was no way to cancel it. So a speculatively-executed xdcbt was identical to a real xdcbt! (a speculatively-executed load instruction was just a prefetch, FWIW).

friggin nice
|
# ? Jan 8, 2018 18:13 |
|
BangersInMyKnickers posted:friggin nice
|
# ? Jan 8, 2018 18:22 |
|
quote:And that was the problem – the branch predictor would sometimes cause xdcbt instructions to be speculatively executed and that was just as bad as really executing them. One of my coworkers (thanks Tracy!) suggested a clever test to verify this – replace every xdcbt in the game with a breakpoint. This achieved two things:

They loving changed the result by measuring it.

Bugfix by applied quantum mechanics.

The more I read about Spectre, the more I am getting convinced that real life quantum mechanics are just a result of the universe speculatively executing potential parallel realities.
|
# ? Jan 8, 2018 19:30 |
|
mrmcd posted:Rumor is for Meltdown that AMD's little tantrum making GBS threads on Intel over kpti on a public kernel list is what caused the embargo to be moved to last week. Professional secfuckers aren't terribly happy with them right now.

that doesn't make any sense, since the details had been pretty thoroughly figured out before that patch appeared, and I don't recall learning anything from that email except "ohhh snap!"

like, literally the only thing that hadn't been figured out, I think, was the idea of poisoning the *indirect* jump branch predictor.

also, who on earth would describe a patch that turned off the flag on amd cpus because they weren't vulnerable as a "tantrum" except intel's pr department?
|
# ? Jan 8, 2018 19:46 |
|
EVGA Longoria posted:they agreed to a 6 week embargo on krack, the researcher said others needed more time to get patches through and bsd went “lol release” putting it out weeks early
|
# ? Jan 8, 2018 19:49 |
|
Carbon dioxide posted:They loving changed the result by measuring it.
|
# ? Jan 8, 2018 19:49 |
|
crazypenguin posted:that doesn't make any sense, since the details had been pretty thoroughly figured out before that patch appeared, and I don't recall learning anything from that email except "ohhh snap!"

Basically the embargo was lifted early because people were repro-ing the exploit and posting about it publicly on Twitter.

Well... https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

quote:AMD's behavior before this all went public was also rather suspect. AMD, like the other important companies in this field, was contacted privately by the researchers, and the intent was to keep all the details private until a coordinated release next week, in a bid to maximize the deployment of patches before revealing the problems. Generally that private contact is made on the condition that any embargo or non-disclosure agreement is honored.

Granted, almost all I know is from that ars article but no one's really pushing back against that assertion.
|
# ? Jan 8, 2018 19:57 |
|
Wasn't this the flow of some Linux expo from last year, or am I misremembering?

vvv Oh yes, that was it, thanks!

canis minor fucked around with this message at 21:26 on Jan 8, 2018
# ? Jan 8, 2018 21:04 |
|
canis minor posted:Wasn't this the flow of some Linux expo from last year, or am I misremembering?

naw that was "you registered for our security conference now type your twitter name and password here so you can tweet your followers about it (and your willingness to type your foo password into things that aren't foo)"
|
# ? Jan 8, 2018 21:09 |
|
Windows's patch is causing some AMD systems to brick: https://betanews.com/2018/01/08/microsoft-meltdown-spectre-patch-bricks-amd-pcs/
|
# ? Jan 8, 2018 21:41 |
|
CommieGIR posted:Windows's patch is causing some AMD systems to brick:

good
|
# ? Jan 8, 2018 21:42 |
|
Carbon dioxide posted:They loving changed the result by measuring it.

brb time to have an existential crisis
|
# ? Jan 8, 2018 21:43 |
|
CommieGIR posted:Windows's patch is causing some AMD systems to brick:

i hate how bricked doesn’t mean “magic smoke escaped” anymore
|
# ? Jan 8, 2018 21:44 |
|
hobbesmaster posted:i hate how bricked doesn’t mean “magic smoke escaped” anymore

We can't have nice things. Nothing is sacred.
|
# ? Jan 8, 2018 21:46 |
|
hobbesmaster posted:i hate how
|
# ? Jan 8, 2018 21:51 |
|
CommieGIR posted:Windows's patch is causing some AMD systems to brick:

how could they tell
|
# ? Jan 8, 2018 21:57 |
|
hopping on the "goddamnit 'bricked' should mean hardware murdered not just OS fuct" bandwagon
|
# ? Jan 8, 2018 22:10 |
|
flakeloaf posted:naw that was "you registered for our security conference now type your twitter name and password here so you can tweet your followers about it (and your willingness to type your foo password into things that aren't foo)

this was rsa
https://www.scmagazineuk.com/rsa-site-captures-plain-text-twitter-logins/article/530717/
https://twitter.com/hypatiadotca/status/690299393723883522
|
# ? Jan 8, 2018 22:16 |
|
CommieGIR posted:Windows's patch is causing some AMD systems to brick:

less windows machines in the world sounds like a win win
|
# ? Jan 8, 2018 22:36 |
|
so if a security researcher discovers a security flaw and just shares it with the world rather than report it to the vendor, what responsibility does the reporter bear?

seems like at the very least they’re incurring some amount of civil liability: if Alice discloses a 0-day and Bob gets compromised by it, I expect Bob would prevail when suing Alice for negligence, if he can show a connection between Alice’s publication and his subsequent compromise (such as comments in exploit code referencing her publication)

one could even say that at the scale at which these things affect us, Alice could conceivably be charged criminally: a security researcher should be reasonably expected to know that publishing a flaw will result in quite rapid exploit development and use, so publishing a 0-day could be construed as criminal negligence

am I off base here?
|
# ? Jan 8, 2018 23:22 |
|
I guess one could always disclose anonymously
|
# ? Jan 8, 2018 23:28 |
|
there’s no responsibility to report it to the vendor. they made the product with the bug so it’s their fault and nobody else’s.

that said if you want a career in infosec and aren’t tavis then you should think carefully about doing something like that. many employers will see that kind of behaviour and decide they can’t trust you.
|
# ? Jan 8, 2018 23:28 |
|
https://www.eff.org/issues/coders/vulnerability-reporting-faq
|
# ? Jan 8, 2018 23:44 |
|
mrmcd posted:Basically the embargo was lifted early because people were repro-ing the exploit and posting about it publicly on Twitter. Well... https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

the cyber.wtf post that perfectly described meltdown but wrongly concludes that it doesn’t work was from July
|
# ? Jan 9, 2018 00:02 |
|
Evis posted:there’s no responsibility to report it to the vendor. they made the product with the bug so it’s their fault and nobody else’s.

seems like a sufficiently good lawyer could twist it into "you're a HACKER!! who HACKED!! and gave away HACKING TOOLS!! and that's why we lost all the moneys"
|
# ? Jan 9, 2018 00:07 |
|
ate all the Oreos posted:seems like a sufficiently good lawyer could twist it into "you're a HACKER!! who HACKED!! and gave away HACKING TOOLS!! and that's why we lost all the moneys"

hasn’t that exact thing been used when suing infosec researchers before
|
# ? Jan 9, 2018 00:11 |
|
ate all the Oreos posted:seems like a sufficiently good lawyer could twist it into "you're a HACKER!! who HACKED!! and gave away HACKING TOOLS!! and that's why we lost all the moneys"

in the US vuln disclosures are more protected by the 1A than poc code, which can get closer to being a criminal tool

eff posted:Publication of truthful information is protected by the First Amendment. Both source code and object code are also protected speech. Therefore truthful vulnerability information or proof of concept code are constitutionally protected.
|
# ? Jan 9, 2018 00:14 |
|
https://twitter.com/qrs/status/950462488348446721
|
# ? Jan 9, 2018 00:41 |
|
lol
|
# ? Jan 9, 2018 01:05 |
|
This is going to take years and years, isn't it?
|
# ? Jan 9, 2018 01:11 |
|
rjmccall posted:theo is somewhat correct to be mad at intel
|
# ? Jan 9, 2018 01:48 |
|
Carbon dioxide posted:They loving changed the result by measuring it.
|
# ? Jan 9, 2018 01:51 |