Maciej Pasternacki

I lost track of speculative execution issues. Is there a maintained summary listing → impact (in/cross-process, kernel mem, VMs) → kind of mitigations (OS, software, microcode) → what OS/compiler versions have the patch → how to turn on/off the mitigations for each of them?

It is disappointing when the "deploy or how to install" section of the docs says "just throw it in a Docker, bro". If it's so fragile to install in normal circumstances maybe it's something to fix. It's like closing door to a room with a broken water pipe.

People periodically propose encryption backdoors for ticking-bomb scenarios. If they do not detail about how to do key ceremonies in a trustable transparent way with multi-stakeholder control, they don’t understand the problem. https://data.iana.org/ksk-ceremony/34/KC34_Script.pdf … https://data.iana.org/ksk-ceremony/34/AT34_Laptops_Script.pdf …

Fun fact: During key rotation ceremonies, ICANN has a locksmith ready to drill the locks of the safes holding DNSSEC private keys, if for some reason they won’t open. Physical security’s role is to buy you time in an attack, and draw defender attention. Not to be unbreachable.https://twitter.com/dnastacio/status/1010273557597868032 …

Matthew Macy has now submitted a Call For Testing of #OpenZFS #ZFS native encryption for #FreeBSD 12-CURRENT users! Holy cow! https://lists.freebsd.org/pipermail/freebsd-current/2018-August/070832.html … #CFT

This reminds me of the time Homebrew updated the SHA of Handbrake withouy bumping the version, to match the malware's signature, rather than heed the security warning.

if i was new and you told me that theres a superhero who's blind and uses echolocation to fight and one who's an adrenaline junkie who flies around using gadgets and that one is called batman and one is called daredevil i would punch you in the face if i found out which was which

A useful set of intuitions to develop: 1) Why does this business work? 2) What does this business working tell you about the wider world? There's basically nothing in the economy where the answers to these two questions are boring. e.g. secure document destruction services.

Just realized that since we read serial nineteenth-century novels only as whole books, we are basically bingewatching the nineteenth century.

cs researcher: we need to figure out ways to write safer code with fewer bugs so it can be exploited less often. Hu et. al.: what if *takes a huge bong rip* we added more bugs to the system instead. https://arxiv.org/pdf/1808.00659.pdf … (this paper is lit)

...and imagine if one of them find a new attack vector, only to have it rejected with "That is not mentioned in the user story. Create a new user story, and after triage and story point estimation, it may make it into sprint 27 or maybe sprint 28."

I wonder if they had user stories for each hack ("as an unauthorized user, I want to...") and daily standup meetings... :)