knweiss's comments

knweiss | 3 years ago | on: Apple's feedback mechanism is broken

Feedback and bug reports (exception: security) should be public and users should be able to vote. Apple then could prioritize much better.

Also, take a look at their user forums: They are full of bug reports with hundreds of users having the same problems - and nothing happens. I really wish they would react much better with official acknowledgments, references to open bugs, workarounds, etc. It is depressing how much collective time is wasted.

knweiss | 8 years ago | on: Spectre Mitigations in Microsoft's C/C++ Compiler

IMHO it's worth mentioning that this discussion is about Spectre variant 1 (as is the original article). I.e. we should not write "Spectre" when we talk about a specific Spectre variant.

I'm mentioning this because (at least to my understanding) in Spectre variant 2 the entire address space of the victim process can be used to find the "gadget" i.e. a usable target for the indirect branch. This means that making only your input validation code "spectre-free" is not good enough for variant 2. (This is why e.g. OpenSSH recently started using the (Spectre variant 2!) retpoline compiler flags of GCC/LLVM if available. See this thread for details: https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-Fe...)

knweiss | 9 years ago | on: How is NSA breaking so much crypto? (2015)

From the OpenSSH moduli(5) man page:

  "When performing Diffie-Hellman Group Exchange, sshd(8)
  first estimates the size of the modulus required to
  produce enough Diffie-Hellman output to sufficiently
  key the selected symmetric cipher. sshd(8) then randomly
  selects a modulus from /etc/ssh/moduli that best meets
  the size requirement."

The problem is

a) OS distributions ship pre-computed moduli in the /etc/ssh/moduli file. I.e. most users don't change these moduli. This facilitates pre-computation attacks.

b) These moduli are often too short (<2048 bit).

You can create your own moduli with ssh-keygen (see the "MODULI GENERATION" section in the ssh-keygen manpage).

FWIW: Here's my open bug for RHEL7 where I try to convince Red Hat to improve the situation (including more details and references):

https://bugzilla.redhat.com/show_bug.cgi?id=1396943
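
An added example, not part of the comment above and not OpenSSH's own code: a small audit of a moduli(5)-format file that counts entries shorter than the 2048 bits mentioned in point b) and filters the ones that meet the minimum. The function names and the sample file contents are constructed for illustration; the hex values are placeholders, not real primes.

```shell
#!/bin/sh
# Audit an OpenSSH moduli file for short Diffie-Hellman group-exchange moduli.
# moduli(5) fields: time type tests trials size generator modulus
# Files produced by ssh-keygen store size as bit length minus one
# (2047 for a 2048-bit prime), so size+1 is compared against the minimum.

# count_weak FILE MIN_BITS: print the number of entries shorter than MIN_BITS.
count_weak() {
    awk -v min="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        NF == 7 && ($5 + 1) < min { n++ }
        END { print n + 0 }' "$1"
}

# filter_strong FILE MIN_BITS: print only entries of at least MIN_BITS.
filter_strong() {
    awk -v min="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF == 7 && ($5 + 1) >= min' "$1"
}

# Constructed sample in moduli(5) layout (placeholder moduli, not real primes).
make_sample() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 CAFE0001
20150101000001 2 6 100 1535 5 CAFE0002
20150101000002 2 6 100 2047 2 CAFE0003
20150101000003 2 6 100 3071 2 CAFE0004
20150101000004 2 6 100 4095 5 CAFE0005
EOF
}

# Demo run on the constructed sample; point the functions at
# /etc/ssh/moduli to audit a real host.
tmp=$(mktemp)
make_sample > "$tmp"
echo "entries below 2048 bits: $(count_weak "$tmp" 2048)"
echo "entries kept at >= 2048 bits: $(filter_strong "$tmp" 2048 | wc -l | tr -d ' ')"
rm -f "$tmp"
```

Filtering only removes the short entries; it does not address point a), since the remaining moduli are still the ones shipped with the distribution.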

knweiss | 9 years ago | on: Apple File System

"Although APFS does checksum metadata blocks it does not do anything to provide resilience for data blocks. That is a huge omission in a modern filesystem, a point I tried to politely but forcefully make in the File System Lab directly to a responsible engineer."

knweiss | 10 years ago | on: Google XRay: A Function Call Tracing System [pdf]

Brendan, did you read this awesome blog post (which mentions your work btw) about Google's tracing framework which may explain the kind of problems they want to solve? http://danluu.com/perf-tracing/

"Sampling profilers, the most common performance debugging tool, are notoriously bad at debugging problems caused by tail latency because they aggregate events into averages. But tail latency is, by definition, not average."

knweiss | 10 years ago | on: It takes two to ChaCha (Poly)

Check out the "Intel AVX Instructions Optimization" slide on http://anandtech.com/show/10158/the-intel-xeon-e5-v4-review/....

Quote:

On Haswell, one AVX instruction on one core forced all cores on the same socket to slow down their clockspeed by around 2 to 4 speed bins (-200,-400 MHz) for at least 1 ms, as AVX has a higher power requirement that reduces how much a CPU can turbo. On Broadwell, only the cores that run AVX code will be reducing their clockspeed, allowing the other cores to run at higher speeds.

knweiss | 10 years ago | on: Distribution packages considered insecure

The job of the distributions would be much easier if more software projects would a) consequently use semantic versioning (MAJOR.MINOR.PATCH, see http://semver.org for details) and b) explicitly and officially designate that they no longer support the version MAJOR.MINOR branch.

The latter should be a signal for the distribution to upgrade to a newer and supported upstream version instead of (halfheartedly) trying to support the software themselves.

knweiss | 10 years ago | on: Making a 4K Fractal Movie with Fractal EXtreme

FWIW: The new Ultra HD Blu-Ray Disc format which supports 4K, HDR, and Dolby Atmos/DTS:X will launch soon (if you can still tolerate an optical medium). Watch for the new "Ultra HD Premium" logo on compatible devices.

knweiss | 10 years ago | on: Subresource Integrity

The next step: A distributed, content-addressed caching system that allows the web browser to fetch the data from the fastest/nearest caching server by hash.

IPFS comes to mind.
