One giant leaf for mankind.
445 posts • joined 12 Jul 2008
China's really cottoned on to this whole Moon exploration thing: First seed sprouts in lunar lander biosphere
Many years ago, we had an ISDN connection at the office, and a bank of modems. HTTP connections were forced to go through a Squid proxy. I had a similar little script which grepped the log for "interesting" keywords, but not much interest was shown in this from above.
However, one day all our sales people and managers were gathered together at a hotel for a big meeting. One of my colleagues in network admin was due to address them, and took the opportunity to remind them that, as in the Ts and Cs they had acknowledged, our network was monitored for inappropriate (and expensive: on-demand ISDN had a per-call cost) usage. There were no sackings as a result, just a few red faces as he stood at the lectern and read out a few of the less unsafe-for-work domains that had been visited the previous night.
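A reconstruction of the kind of proxy-log keyword check described in this post, added here as an example rather than the poster's own script. It parses lines in Squid's native access.log format, extracts the request host (handling CONNECT entries, which carry host:port instead of a URL), and reports entries whose host matches a watchlist. The log lines, client addresses and watchlist words are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Squid native access.log format:
# timestamp elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_LOG = """\
1547500001.123    245 10.0.0.17 TCP_MISS/200 5123 GET http://intranet.example/wiki/home - DIRECT/10.0.0.2 text/html
1547500045.456    980 10.0.0.23 TCP_MISS/200 88210 GET http://games.example.net/download/level1.zip - DIRECT/203.0.113.5 application/zip
1547500099.789     12 10.0.0.17 TCP_DENIED/403 0 CONNECT casino.example.org:443 - HIER_NONE/- -
1547500150.000    310 10.0.0.42 TCP_MISS/200 2048 GET http://news.example.com/sports - DIRECT/198.51.100.7 text/html
"""

# Constructed watchlist of lower-case host substrings considered "interesting".
WATCHLIST = ("games", "casino")

# Leading fields of a native-format line; everything after the URL is ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
)


def request_host(method, url):
    """Return the lower-cased host of a request.

    CONNECT (tunnelled HTTPS) entries log host:port rather than a full URL.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = request_host(rec["method"], rec["url"])
    return rec


def find_hits(log_text, watchlist=WATCHLIST):
    """Return (client, host, result, matched_words) for every line whose host
    contains a watchlist word. Denied requests are reported too, since the
    attempt itself is what the monitoring is about."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = [w for w in watchlist if w in rec["host"]]
        if matched:
            hits.append((rec["client"], rec["host"], rec["result"], matched))
    return hits


if __name__ == "__main__":
    for client, host, result, words in find_hits(SAMPLE_LOG):
        print(f"{client} -> {host} ({result}) matched {','.join(words)}")
```

Matching on the host rather than the whole URL keeps query strings and paths from producing spurious hits; in production the watchlist would be read from a file and the results rolled up per client before anyone reads them out at a lectern.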
What an unfortunate pair of names, when combined I parsed it as something quite different:
This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet
Re: Thanks for making this public
The CVE was raised back in July
Raised doesn't mean made public.
I monitor CVEs for a living (it's tedious and boring: since early 2017 there has been a huge increase in ones of no relevance). The first I saw of it was this tweet, yesterday at 9:30 pm.
The NIST site says published on the 25th, too.
Theo de Raadt of OpenBSD is not happy
Nobody at OpenBSD was made aware of the bug until very late on, despite an OpenBSD developer being on the X security team. The release of 6.4 could have been delayed until after the public announcement.
Can it re-phrase this into a form that doesn't cause schoolboys to fall asleep?
And spotteth twice they the camels before the third hour, and so, the Midianites went forth to Ram Gilead in Kadesh Bilgemath, by Shor Ethra Regalion, to the house of Gash-Bil-Bethuel-Bazda, he who brought the butter dish to Balshazar and the tent peg to the house of Rashomon, and there slew they the goats, yea, and placed they the bits in little pots. Here endeth the lesson.
libssh and libssh2
There are two similarly named projects:
Red Hat / CentOS, at least, use libssh2.
Note also that it only affects servers, not clients. SFTP servers seem to be the most likely to be vulnerable and exposed.
Sounds very familiar
LWN article: Random numbers from CPU execution time jitter (2015) and HAVEGE: a linux "random" number generator that relies on instructions taking an unpredictable number of clock cycles to execute.
The consequences can be tragic
Re: What about all the other diseases?
That makes as much sense as complaining that a blood test for ebola can't detect a sprained ankle.
I was referring only to diseases diagnosed by inspecting the retina. What's the point of an automated system when a specialist has to look at it anyway to diagnose other diseases?
As for the prosecution, sorry - I missed a sarcasm tag. As with the case of Dr Hadiza Bawa-Garba, the case should never have been brought in the first place.
You will not, and will not allow any third party to ... (v) publish or provide any Software benchmark or comparison test results.
I can see why Debian aren't happy, seeing as without new instructions made available by microcode updates, some of the mitigations incur a significant performance hit.
One law for them, another for us
Do not forget the case of poor Daniel James Cuthbert, found guilty of an offence under the Computer Misuse Act back in 2005 for adding ../.. to the URL of a charity's web site.
There is a very thin line between "intending to secure access" and checking to see if insecurities may be present.
Re: What we need
Interested in your thoughts regarding Betamax v VHS
I contracted for a while at Pye TVT in Cambridge (working on a TV video effects console for the 1986 World Cup). Pye was a subsidiary of Philips, and there was a factory shop. Lots of employees, contractors and their friends and families ended up with Video 2000 recorders. Rumour had it that e.g. Dixons allocated the cassettes equally to all shops, and the manager of the Cambridge branch spent a lot of time on the phone talking to other branches to get their spare stock sent to him.
Getting back on topic, I also worked on the Acorn Archimedes and the Sinclair QL.
Dual use is hard.
Many years ago, I worked on computer aided mapping: semi-automated line following. Measuring the boundaries of all the woodland in the UK to calculate the total area, better 1:1250 maps with accurate buried utilities to stopping backhoes cutting fibre optic cables, what could possibly be wrong with that? Then came the Falklands war. Digitise the contours and produce a wire-frame perspective of Mount Tumbledown as viewed from Port Stanley, please.
A few years later, I worked on CNC blade tip grinders to make jet engines more fuel efficient. Making 747s greener is great. But what if the US Navy want some for their fighters? Or the Army for an AGT1500 turbine in an M1 Abrams tank?
Fibre break(s) near Manchester, too
Bury is north of central Manchester, so these may be separate incidents.
Re: CVE-2018-3693 "BCBS" (Bounds Check Bypass Store)
Yes - the ARM one is the same as the Intel one.
CVE: CVE-2017-5753, CVE-2018-3693
CVE-2018-3693 "BCBS" (Bounds Check Bypass Store)
Note that -3639 is a very similar "speculative store bypass" from May: don't get confused as I did for a short time. Could -3693 be the same as the Intel one?
arm64: spectre-v1 write fixes (CVE-2018-3693)
These patches inhibit spectre-v1-write gadgets found in arch/arm64, using the same mitigation applied to existing spectre-v1-read gadgets.
This issue is also known as CVE-2018-3693, or "bounds check bypass store". More details can be found in the Arm Cache Speculation Side-channels whitepaper, available from the Arm security updates site.