Jarkko Sakkinen
Posts
4454Following
315Followers
470OpenPGP: 3AB05486C7752FE1
Jarkko Sakkinen
jarkko
@dangoodin @arstechnica @AAKL I'm happy to admit that I was wrong. Here it is not just about limitations tho of applicability. Besides the highly access controlled R&D labs I could imagine educational institutes using PXE for perhaps computer classes.
Even in Universities, the research groups that work with private sector usually the valuable R&D work is protected with planned security policies and access control. Probably a network that could be hacked with PXE vuln would be broken to start with and there would be multiple exploitation techniques in the toolbox.
In the end even for black hatters robbery is business and you tend to prefer tools and techniques which are hard to detect and easy to turn into profit in high volumes.
Even in Universities, the research groups that work with private sector usually the valuable R&D work is protected with planned security policies and access control. Probably a network that could be hacked with PXE vuln would be broken to start with and there would be multiple exploitation techniques in the toolbox.
In the end even for black hatters robbery is business and you tend to prefer tools and techniques which are hard to detect and easy to turn into profit in high volumes.
0
1
1
Jarkko Sakkinen
jarkko
@troglobit so i got refund but it required threatening with criminal charges. Overall weird customer experience. I've been mostly happy customer so far (and still do respect that Amazon does not sell individual customer data to 3rd parties). Amazon has made cost savings in logistic chains a science of its own but taking money without giving the product is where I draw the line :-)
1
0
0
@AAKL @arstechnica @dangoodin E.g. consider common ways to do remote attack such as taking advantage of memory error and/or finding RoP (return-oriented programming) chain to implement an exploit. Those happen all the time and nobody gives a dime. If you find such issues in JavaScript or browser engine you can make them "drive-by-shooting" by injecting them e.g. to an ad banner. That sort of stuff actually worries me not stuff that happens in R&D lab :-)
0
0
0
@AAKL @arstechnica @dangoodin To add, most of then I've seen PXE in practical use has been a lab space in hardware company in a network that is already closed from rest of the company network. This is not to say that would not be other uses for this too but yeah...
1
0
0
@AAKL @arstechnica @dangoodin
This is how you market your infosec company :-)
Not disregarding the vulnerability but you would need:
1. Access to local network.
2. PXE enabled in BIOS (I mean UEFI).
Practical exploiting scenarios are very limited so not loosing my sleep at night for this :-) I neither do not believe that TianoCore developrs are "scrambling" because of this...
This is how you market your infosec company :-)
Not disregarding the vulnerability but you would need:
1. Access to local network.
2. PXE enabled in BIOS (I mean UEFI).
Practical exploiting scenarios are very limited so not loosing my sleep at night for this :-) I neither do not believe that TianoCore developrs are "scrambling" because of this...
2
0
0
Jarkko Sakkinen
repeated
repeated
Linus Torvalds
torvaldsStaycation: day five.
Power still off, but outside is warming up. So now it’s a big ice rink outside with people playing bumper cars with the real things.
Not interested in partaking in that particular contact sport, and as a result I’m still not leaving the house even if the worry about frozen pipes is fading.
Instead trying to see how far I can get on the remaining merge window pulls on just battery power. Not very far I bet, but at least something.
PGE claims power back tonight. Of course, they did that yesterday too…
15
34
213
@roger_booth @polarity with their hardware designs I think the project is doing good for audio industry because their work can cut some of the R&D costs for small businesses and (crowd funded) startups alike. So I definitely would want support such good work for the community.
edit: oops s/hard/hardware/ :-)
edit: oops s/hard/hardware/ :-)
0
0
1
Jarkko Sakkinen
jarkko
I met the original creator of #RTIC last week and what they're doing felt exciting. It is AFAIK the leading hard real-time solution for #Rust. I'm thinking that could something similar as #Jailhouse (a partitioning #hypervisor) be used to provide environment inside Linux to run workloads for something like RTIC . #rustlang
0
0
0
Jarkko Sakkinen
jarkko
@wamserma JavaScript has this crippled number presentation where number is either 32-bit signed int or a double depending on operation applied.
So they added https://developer.arm.com/documentation/dui0801/h/A64-Floating-point-Instructions/FJCVTZS
:-)
So they added https://developer.arm.com/documentation/dui0801/h/A64-Floating-point-Instructions/FJCVTZS
:-)
1
0
0
@polarity @roger_booth i prefer this over phoscyon and abl303 because it does not have e.g. sequencer, yet another delay and stuff like that which is not that useful...
1
0
0
Jarkko Sakkinen
jarkko
@roger_booth @polarity i could support midilab but do not see any link to make a donation.
1
0
0
Jarkko Sakkinen
jarkko
Edited 1 year ago
To this day even tho I've contributed #Intel #SGX support to the kernel, I don't know how to check the chain as an end user.
E.g. Signal claims to use Intel SGX. How do I verify that for my benefit? There really should be some sort of universal standard for attestation of SGX/TDX/SNP workloads.
I mean the workload itself can be with a proprietary technology but attestation should be standardised. With that we could perhaps have something like certification chain that goes from data center up to the web browser.
I think confidential computing today is broken because of this and for most somewhat useless, expect in the white papers speaking about military grade security and all that :-) The hardware is expensive, attestation is broken and even the terminology is broken. In normal crypto-terminology confidentiality does not guarantee integrity. Better name would be thus trusted computing and somewhat easier to put into your mouth too. I've hated that term since I first heard about it.
E.g. Signal claims to use Intel SGX. How do I verify that for my benefit? There really should be some sort of universal standard for attestation of SGX/TDX/SNP workloads.
I mean the workload itself can be with a proprietary technology but attestation should be standardised. With that we could perhaps have something like certification chain that goes from data center up to the web browser.
I think confidential computing today is broken because of this and for most somewhat useless, expect in the white papers speaking about military grade security and all that :-) The hardware is expensive, attestation is broken and even the terminology is broken. In normal crypto-terminology confidentiality does not guarantee integrity. Better name would be thus trusted computing and somewhat easier to put into your mouth too. I've hated that term since I first heard about it.
2
0
0
Jarkko Sakkinen
jarkko
Edited 1 year ago
Another thing learned from local #rustlang meet up. There is one really useful sounding application for #Rust #embedded #USB stack: #firmware updates from web browser.
Some audio hardware uses #WebMIDI for this but this would widen the scope.
I'm not sure tho how the access would be provided to the device if the USB stack was compiled in wasm.
Some audio hardware uses #WebMIDI for this but this would widen the scope.
I'm not sure tho how the access would be provided to the device if the USB stack was compiled in wasm.
0
0
1
I was actually surprised how crappy the thing is in the standard ATM but obviously it will get fixed at some point.
Another thing I learned is that ARMv8 has special opcodes for JavaScript :D Fixing a horrible programming language with hardware features is pretty interesting.
Another thing I learned is that ARMv8 has special opcodes for JavaScript :D Fixing a horrible programming language with hardware features is pretty interesting.
1
0
0
@troglobit it took me about a week even to find a form to write anything to the customer service :-) well hidden feature.
1
0
0
@troglobit amazon goes kafka way with the algorithm...
1
0
1
Jarkko Sakkinen
repeated
repeated
The Last Psion | Alex
thelastpsion@bitbang.socialSide note: The article in that last toot is by the Castle Game Engine project, a game engine entirely in #ObjectPascal.
At first glance, their docs look to be very clearly written and approachable.
Also, they're written in #AsciiDoc, stored in a Git repo and turned into a static site. And you all know I love me a bit of AsciiDoc.
Thumbs up from me!
0
1
1