Monthly Archives: July 2022

New working speculative execution attack sends Intel and AMD scrambling

Source: Ars Technica

Article note: Oh great, the cheaper retpoline based mitigation for speculation attacks isn't adequate, so we get another 10-20% performance hit to mitigate better. What was the nominal generation-over-generation performance gain from adding all this complexity again?
New working speculative execution attack sends Intel and AMD scrambling

Enlarge

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.

Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which chipmakers introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled.

Is it a trampoline or a slingshot?

Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren’t susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called “gadget” code, which in turn creates data to leak through a side channel.

Read 14 remaining paragraphs | Comments

Posted in News | Leave a comment

End-to-end encryption’s central role in modern self-defense

Source: Ars Technica

Article note: *Raised Fist*
A tunnel made of ones and zeroes.

Enlarge (credit: Getty Images)

A number of course-altering US Supreme Court decisions last month—including the reversal of a constitutional right to abortion and the overturning of a century-old limit on certain firearms permits—have activists and average Americans around the country anticipating the fallout for rights and privacy as abortion “trigger laws,” expanded access to concealed carry permits, and other regulations are expected to take effect in some states. And as people seeking abortions scramble to protect their digital privacy and researchers plumb the relationship between abortion speech and tech regulations, encryption proponents have a clear message: Access to end-to-end encrypted services in the US is more important than ever.

Studies, including those commissioned by tech giants like Meta, have repeatedly and definitively shown that access to encrypted communications is a human rights issue in the digital age. End-to-end encryption makes your messages, phone calls, and video chats unintelligible everywhere except on the devices involved in the conversations, so snoops and interlopers can’t access what you’re saying—and neither can the company that offers the platform. As the legal climate in the US evolves, people who once thought they had nothing to hide may realize that era is now over.

Read 12 remaining paragraphs | Comments

Posted in News | Leave a comment

EU Parliament passes DMA, DSA to reign in big tech and force interoperability and openness

Source: OSNews

Article note: It'll be interesting to see how that shakes out.

On Tuesday, Parliament held the final vote on the new Digital Services Act (DSA) and Digital Markets Act (DMA), following a deal reached between Parliament and Council on 23 April and 24 March respectively. The two bills aim to address the societal and economic effects of the tech industry by setting clear standards for how they operate and provide services in the EU, in line with the EU’s fundamental rights and values.

The Digital Services Act was adopted with 539 votes in favour, 54 votes against and 30 abstentions. The Digital Markets Act – with 588 in favour, 11 votes against and 31 abstentions.

The DSA and DMA will fundamentally change the way big technology companies operate, and as consumers we’ll enjoy the fruits of far less lock-in and more competition. Things like alternative application stores and sideloading on iOS, or interoperability between messaging services, are going to be amazing.

Posted in News | Leave a comment

Why Your Next Home Computer Should Be an Old Xeon Workstation

Source: Hacker News

Article note: Refurb/Off-Lease/Last-Gen/Used upmarket computers are awesome, I was just posting about this. Especially on laptops, pay for a great chassis, do not pay for tiny generation-to-generation tweaks. Make sure you don't get into grossly power inefficient territory (which sometimes makes "server" market stuff unsuitable because of the different PM design), but, especially once you patch all the risky speculation tricks, the generation-over-generation gains have been pretty modest for a decade.
Comments
Posted in News | Leave a comment

USB installer tool removes Windows 11’s Microsoft account requirements (and more)

Source: OSNews

Article note: The OSNews take is _exactly_ what I was thinking when I saw this thing go by.

An easy workaround for this requirement is the Rufus USB formatting tool, which can create USB install media for Windows and all kinds of other operating systems. Rufus has already offered some flags to remove Windows 11’s system requirement checks from the installer, removing the need for clunky Windows Registry edits and other workarounds. But the beta of version 3.19 will also remove the Microsoft account requirement for new installs, making it easy to set up a new Windows PC with a traditional local account.

The hoops people jump through to be allowed to use a mediocre operating system when better alternatives are abundant.

Posted in News | Leave a comment

YouTube removes criticism of dangerous fractal wood burning, leaves lethal tips

Source: Hacker News

Article note: The incentives of content farming are a race to the bottom, where the splashiest most engaging title and preview, the most polished video, and the fastest output win, eventually forcing out any other content to the advantage of the people gaming the system. You know, like academic research.
Comments
Posted in News | Leave a comment