From my perspective zig doesn't have "big cleanup" upfront. It's removing older features as it goes. stdlib changes as it wants from version to version. So do language features. Since zig is pre-1.0, zig foundation…
Instead of debating for years (like other languages), zig just tries things out. Worst case you can always rollback changes. IMO best APIs and designs are those that are battle tested by end users, not won in an…
Except that many component manufacturers release their efi capsules signed with Microsoft PKI. So no, you can't fully remove them if you want to verify updates.
If you're interested in the topic there's great YouTube channel that demonstrates such attacks IRL together with full tutorials. Below are 2 satellite related videos: 1) https://www.youtube.com/watch?v=2-mPaUwtqnE 2)…
Not the best name for the article. My first guess was version changes, or software being added/removed from repo. Turns out this is about source code modification.
A problem I encountered while writing custom stdlib, is that certain language features expect stdlib to be there. For example, <=> operator assumes, that std::partial_ordering exists. Kinda lame. In the newer C++…
Both AMD and Google note, that Zen[1-4] are affected, but what changed about Zen5? According to the timeline, it released before Google notified AMD [1]. Is it using different keys, but same scheme (and could possibly…
Honestly I don't get why people are hating this response so much. Life is complex and vulnerabilities happen. They quickly contacted the reporter (instead of sending email to spam) and deployed a fix. > we've…
Seems like you assumed none of your tools got backdoored. I'd start bootstrapping from busybox.
Linux Local Privilege Escalation, but the attacker has to be in sudo group in the first place. Great read, but this feels like academic research. Technically correct, but impractical at best.
If you want to manage VMs, then you're probably using terraform + provider. However, SDN (Software Defined Networking) is not yet supported [1], which makes any kind of deployment with network separation not feasible…
> Proxmox uses ZFS making snapshotting quick Proxmox only supports linear snapshots using ZFS (so no tree-like snapshots). This might be a deal-breaker for some usages.
Yes, loopix. https://www.usenix.org/conference/usenixsecurity17/technical...
GitHub is slowly rolling out feature over moe than a year [1], which will have positive impact on overall IT security. Spending 1 minute setting up 2FA is really not a big deal. [1]…
Depends how much patience you have. Firejail if you want ease of use (there are a lot of ready profiles to be used). Bubblewrap if you want more security, at the cost of having to do more manual work. TL;DR Firejail is…
I'm not a rust expert by any means, but I believe there's a problem with lifetimes. There are many ways to implement double-linked lists (think C++ smart pointers), but when you try to squeeze performance and use…
Sounds like amazing material for a CCC talk.
While authelia is quite cool "infra-as-code" tool, since you have your entire configuration in yaml form, for those not willing to spend a few evenings configuring SSO, there is authentik [1] which features management…
When performing forensic analysis, metrics don't usually help that much. I'd rather sift 2PB of logs, knowing that information I'm looking for is in there, than sit at the usual "2 weeks of nginx access logs which roll…
From my experience, you either go full reproducible builds with nix, or none at all. Sitting in the middle results with additional downsides from modifying pipeline without core upsides of reproducible builds.
What's the point of having your 2FA codes synchronized across all your devices? Isn't it in the name "TWO FACTOR"? It's supposed to be a separate device and ability to "across devices" comes as an anti-feature for me.…
Just last week google CTF featured a reverse engineering challenge of a neo geo game! https://capturetheflag.withgoogle.com/challenges/rev-arcade Also, the neo geo development wiki is an absolute goldmine of technical…
> SSH certificates are fail-secure Yeah... no. I think my private key stored on yubikey is harder to steal than session to your OIDC.
The gotcha is that "global" args don't propagate automatically to all stages (thin includes 1 stage builds). I want this one arg in multiple stages, so I'll declare it above everything is the chain of thought.
Note, that paper provides environment for AWS FPGAs, which you can rent on per-hour basis. As for cheaper FPGAs, the paper notes that the bottleneck is the size of on-chip memory. So I doubt it will be easy to find…
From my perspective zig doesn't have "big cleanup" upfront. It's removing older features as it goes. stdlib changes as it wants from version to version. So do language features. Since zig is pre-1.0, zig foundation…
Instead of debating for years (like other languages), zig just tries things out. Worst case you can always rollback changes. IMO best APIs and designs are those that are battle tested by end users, not won in an…
Except that many component manufacturers release their efi capsules signed with Microsoft PKI. So no, you can't fully remove them if you want to verify updates.
If you're interested in the topic there's great YouTube channel that demonstrates such attacks IRL together with full tutorials. Below are 2 satellite related videos: 1) https://www.youtube.com/watch?v=2-mPaUwtqnE 2)…
Not the best name for the article. My first guess was version changes, or software being added/removed from repo. Turns out this is about source code modification.
A problem I encountered while writing custom stdlib, is that certain language features expect stdlib to be there. For example, <=> operator assumes, that std::partial_ordering exists. Kinda lame. In the newer C++…
Both AMD and Google note, that Zen[1-4] are affected, but what changed about Zen5? According to the timeline, it released before Google notified AMD [1]. Is it using different keys, but same scheme (and could possibly…
Honestly I don't get why people are hating this response so much. Life is complex and vulnerabilities happen. They quickly contacted the reporter (instead of sending email to spam) and deployed a fix. > we've…
Seems like you assumed none of your tools got backdoored. I'd start bootstrapping from busybox.
Linux Local Privilege Escalation, but the attacker has to be in sudo group in the first place. Great read, but this feels like academic research. Technically correct, but impractical at best.
If you want to manage VMs, then you're probably using terraform + provider. However, SDN (Software Defined Networking) is not yet supported [1], which makes any kind of deployment with network separation not feasible…
> Proxmox uses ZFS making snapshotting quick Proxmox only supports linear snapshots using ZFS (so no tree-like snapshots). This might be a deal-breaker for some usages.
Yes, loopix. https://www.usenix.org/conference/usenixsecurity17/technical...
GitHub is slowly rolling out feature over moe than a year [1], which will have positive impact on overall IT security. Spending 1 minute setting up 2FA is really not a big deal. [1]…
Depends how much patience you have. Firejail if you want ease of use (there are a lot of ready profiles to be used). Bubblewrap if you want more security, at the cost of having to do more manual work. TL;DR Firejail is…
I'm not a rust expert by any means, but I believe there's a problem with lifetimes. There are many ways to implement double-linked lists (think C++ smart pointers), but when you try to squeeze performance and use…
Sounds like amazing material for a CCC talk.
While authelia is quite cool "infra-as-code" tool, since you have your entire configuration in yaml form, for those not willing to spend a few evenings configuring SSO, there is authentik [1] which features management…
When performing forensic analysis, metrics don't usually help that much. I'd rather sift 2PB of logs, knowing that information I'm looking for is in there, than sit at the usual "2 weeks of nginx access logs which roll…
From my experience, you either go full reproducible builds with nix, or none at all. Sitting in the middle results with additional downsides from modifying pipeline without core upsides of reproducible builds.
What's the point of having your 2FA codes synchronized across all your devices? Isn't it in the name "TWO FACTOR"? It's supposed to be a separate device and ability to "across devices" comes as an anti-feature for me.…
Just last week google CTF featured a reverse engineering challenge of a neo geo game! https://capturetheflag.withgoogle.com/challenges/rev-arcade Also, the neo geo development wiki is an absolute goldmine of technical…
> SSH certificates are fail-secure Yeah... no. I think my private key stored on yubikey is harder to steal than session to your OIDC.
The gotcha is that "global" args don't propagate automatically to all stages (thin includes 1 stage builds). I want this one arg in multiple stages, so I'll declare it above everything is the chain of thought.
Note, that paper provides environment for AWS FPGAs, which you can rent on per-hour basis. As for cheaper FPGAs, the paper notes that the bottleneck is the size of on-chip memory. So I doubt it will be easy to find…