Just to add to that, it looks like some manufacturers have already pushed out the new microcode alongside the recent ME fixes. I flashed my Skylake laptop a few days ago, and now I'm on microcode rev 0xc2 (versus 0xba…
What bothers me is the lack of confirmation on the microcode updates (other than 'soon') – apparently they're out there[1], but Intel's own package has yet to be updated[2]. The 20171215 update carried by some distros…
It appears to be available on a few other models as well (searching 'site:dell.com "ME inoperable"' brings up service tags for a few non-rugged Latitudes and a couple of Optiplexes), despite it not being an option on…
Actually, Chromium (and uBO) has supported blocking WebSockets via webRequest for a while now[1], despite the desperate protests of a MindGeek employee[2]. [1]…
If you're able to build Chromium yourself, here's a trivial patch which does just that (only tested on Linux): https://gist.github.com/blockoperation/5ec91d666e670e39584d2...
Since we're talking about backdoors, how about compiler ones? With C, there are several routes to bootstrapping your compiler of choice – there are countless implementations that can be used as intermediates (both…
It would be easy for them to fingerprint it and block it at a server level, given that it uses some hardcoded headers (which are probably sent in the wrong order versus the browser it's spoofing), doesn't fetch any of…
Whether it's a good addition to the language or not is debatable, but as a browser feature, it sounds terrifying. Browsers have a huge attack surface as it is (I mean, WebGL is a thing – exposing GPU drivers to random…
Writing performant code by using the correct idioms, data structures, algorithms, etc, from the start is just common sense rather than 'premature optimisation'. Writing unreadable, micro-optimised code in the name of…
> Adolescents are horrible at consequence extrapolation: it's why they're famously risk hungry and blasé about doing stuff grownups would be terrified of. Why they never think they'll be the ones who die or get pregnant…
Resources/frames/XHRs/etc from 'file://' might be blocked, but what about top-level redirects? At the very least, user-initiated top-level navigations should bypass any policies. If you're out to cause mischief, you…
Samples are just instruments, and sequencers are just composition tools. It's the end result that matters.
I'm surprised it took this long for her to bring up the subject – Theresa May would've had her soundbites prepared in advance and released within hours of the attack if she was still Home Sec. > That is my view - it is…
I'm still waiting for Chromium to add a per-site switch for WebGL (just like for JS, cookies, Flash, etc). Enabling WebGL globally seems like a disaster waiting to happen, even with sanitisation and sandboxing.
Renoise is great, especially for breakbeat/jungle drum programming. Just load up your break of choice, put in some slice markers (or play it with offset commands like on old trackers), and you're set. I do find the…
I haven't tried an XPS, but the Precision 7xxx stuff definitely qualifies. My 7510 came with Ubuntu, and the experience was just as polished as any Windows machine (better in some ways, as they had configured their way…
sesearch is one way of doing it, for example: $ sesearch -A -s some_app_t -c file -p read -p write allow some_app_t some_type_t:file { read write }; allow some_app_t some_other_type_t:file { read write }; allow…
I don't see why you should get to run random, unauditable code on my machine or decide for me how I consume your content.
The Google Cloud status page had a message about some 'long-lived' OAuth tokens being invalidated on the same day that the mass logouts occurred. They took it down quite quickly, and it doesn't appear in the incident…
It's available on my laptop at least: $ egrep '^(model name|microcode)' /proc/cpuinfo | head -n2 model name : Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz microcode : 0x9e $ egrep -o ' (hle|rtm) ' /proc/cpuinfo | head -n2…
Multiple accounts can be quite usable if you get the separation right. Separate uids for personal emails/banking and porn browsing should be a given, at least.
I'm familiar with grsec (having an interest, albeit not as an expert, in some of the issues it addresses, and as a long-time Hardened Gentoo user), but that doesn't override my point that 'CONFIG_MODULES=n' seems neater…
I can see why it might be a burden when you're dealing with hundreds of servers, but on a personal machine, where the occasional disruption won't get you sacked, it's pretty straightforward (though I say this as someone…
...or just roll your own kernel with CONFIG_MODULES=n. If you only need a specific set of modules, you might as well just build them in and just forget LKMs altogether. It's not very convenient when you run into some…
It must be used with care though, otherwise you'll end up with so many holes in your policy that you defeat whole point of using SELinux in the first place. Definitely don't use the output directly.
Just to add to that, it looks like some manufacturers have already pushed out the new microcode alongside the recent ME fixes. I flashed my Skylake laptop a few days ago, and now I'm on microcode rev 0xc2 (versus 0xba…
What bothers me is the lack of confirmation on the microcode updates (other than 'soon') – apparently they're out there[1], but Intel's own package has yet to be updated[2]. The 20171215 update carried by some distros…
It appears to be available on a few other models as well (searching 'site:dell.com "ME inoperable"' brings up service tags for a few non-rugged Latitudes and a couple of Optiplexes), despite it not being an option on…
Actually, Chromium (and uBO) has supported blocking WebSockets via webRequest for a while now[1], despite the desperate protests of a MindGeek employee[2]. [1]…
If you're able to build Chromium yourself, here's a trivial patch which does just that (only tested on Linux): https://gist.github.com/blockoperation/5ec91d666e670e39584d2...
Since we're talking about backdoors, how about compiler ones? With C, there are several routes to bootstrapping your compiler of choice – there are countless implementations that can be used as intermediates (both…
It would be easy for them to fingerprint it and block it at a server level, given that it uses some hardcoded headers (which are probably sent in the wrong order versus the browser it's spoofing), doesn't fetch any of…
Whether it's a good addition to the language or not is debatable, but as a browser feature, it sounds terrifying. Browsers have a huge attack surface as it is (I mean, WebGL is a thing – exposing GPU drivers to random…
Writing performant code by using the correct idioms, data structures, algorithms, etc, from the start is just common sense rather than 'premature optimisation'. Writing unreadable, micro-optimised code in the name of…
> Adolescents are horrible at consequence extrapolation: it's why they're famously risk hungry and blasé about doing stuff grownups would be terrified of. Why they never think they'll be the ones who die or get pregnant…
Resources/frames/XHRs/etc from 'file://' might be blocked, but what about top-level redirects? At the very least, user-initiated top-level navigations should bypass any policies. If you're out to cause mischief, you…
Samples are just instruments, and sequencers are just composition tools. It's the end result that matters.
I'm surprised it took this long for her to bring up the subject – Theresa May would've had her soundbites prepared in advance and released within hours of the attack if she was still Home Sec. > That is my view - it is…
I'm still waiting for Chromium to add a per-site switch for WebGL (just like for JS, cookies, Flash, etc). Enabling WebGL globally seems like a disaster waiting to happen, even with sanitisation and sandboxing.
Renoise is great, especially for breakbeat/jungle drum programming. Just load up your break of choice, put in some slice markers (or play it with offset commands like on old trackers), and you're set. I do find the…
I haven't tried an XPS, but the Precision 7xxx stuff definitely qualifies. My 7510 came with Ubuntu, and the experience was just as polished as any Windows machine (better in some ways, as they had configured their way…
sesearch is one way of doing it, for example: $ sesearch -A -s some_app_t -c file -p read -p write allow some_app_t some_type_t:file { read write }; allow some_app_t some_other_type_t:file { read write }; allow…
I don't see why you should get to run random, unauditable code on my machine or decide for me how I consume your content.
The Google Cloud status page had a message about some 'long-lived' OAuth tokens being invalidated on the same day that the mass logouts occurred. They took it down quite quickly, and it doesn't appear in the incident…
It's available on my laptop at least: $ egrep '^(model name|microcode)' /proc/cpuinfo | head -n2 model name : Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz microcode : 0x9e $ egrep -o ' (hle|rtm) ' /proc/cpuinfo | head -n2…
Multiple accounts can be quite usable if you get the separation right. Separate uids for personal emails/banking and porn browsing should be a given, at least.
I'm familiar with grsec (having an interest, albeit not as an expert, in some of the issues it addresses, and as a long-time Hardened Gentoo user), but that doesn't override my point that 'CONFIG_MODULES=n' seems neater…
I can see why it might be a burden when you're dealing with hundreds of servers, but on a personal machine, where the occasional disruption won't get you sacked, it's pretty straightforward (though I say this as someone…
...or just roll your own kernel with CONFIG_MODULES=n. If you only need a specific set of modules, you might as well just build them in and just forget LKMs altogether. It's not very convenient when you run into some…
It must be used with care though, otherwise you'll end up with so many holes in your policy that you defeat whole point of using SELinux in the first place. Definitely don't use the output directly.