Zero, Side Channel, Noyb, Security, WPA3

  • Google's Project Zero and the x86 CPU issue. Studied X86_BUG_CPU_INSECURE issue. Well, that happens. But what about x86 CPUs which aren't AMD or Intel, there are those out there too. kw: PCID, KPTI, FUCKWIT, CPU, ASLR, KASLR, Intel, KAISER, Meltdown, Spectre, timing attack, side channel attack, CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, bounds check bypass, branch target injection, rogue data cache load, microcode updates, retpoline.
  • Based on the previous posts about cache timing and similar side channel attacks, this was quite expected result. Because in those years old posts, it has been clearly stated, that this is something which is very fundamentally broken from security perspective.
  • About new sites I've found - noyb.eu - from 34C4 talks. Site about consumer rights, privacy and legalization.
  • Security Nightmares - Nightmare, or daily life? That's a good question to begin with. Security issue history lesson first. Yet detecting and fixing issues costs money, what's the change that he issue will be actually exploited?
  • How to extend Python 3 with Go libraries - when required for performance critical code. Awesome post. As seen from post, it's not that complicated. But as seen in my previous blog posts, not that complicated thing can be extremely slow and painful to figure out, if you don't know exactly what you're doing and the documentation is way too extensive, or assumes that you know very well in general the environments you're trying to bind together, etc. Like the COM interface binaries with cx_Freeze. Or creating PyClockPro caching library so that it works as independent class or as decorator as single module file.
  • Updated BIOS and CPU Intel microcode on multiple computers. It's something that nobody ever does. Normally, but now it was just a good time to get it done. I used iucode-tool to update microcodes and Q-Flash to update bios firmware directly from USB flashdrive. Of course using msdos partition table and fat32 volums. I'm pretty sure it wouldn't work with gpt / exfat or ntfs or ext4.
  • Why Raspberry PI isn't vulnerable to Spectre and Meltdown - Very nice post. Especially where it goes to the CPU architecture design. But of course this isn't anything new. Many of IT people don't deal with this stuff too often, so it's good to remind yourself about very basics every now and then. kw: superscalar, out-of-order, branch prediction, speculative execution, caching.
  • Moar network fun. N00b people try to access bridge devices using gateway address and browser. Sure good luck, keep on trying. But failure is pretty much guaranteed.
  • Wi-Fi WPA3 - a new standard is coming. Cool, WPA-OTP should be unbreakable even with quantum computers. Smile. Post quantum encryption algorithms has been quite interesting discussion topic anyway. kw: Wi-Fi CERTIFIED WPA3™, Opportunistic Encryption, per client individualized encryption keys, 192 bit encryption.
  • Encountered Microsoft ActiveSync issues on Samsung phone. Quick search revealed that I'm and other people suffering from this crap-o-ware aren't alone. One work-a-round is to install official Outlook App. It seems that it's the WebView component that's somehow broken and is causing the problems indirectly. Ref 1. Unfortunately as usual, all the "solutions" should be defined as work-a-rounds and not solutions at all. Real solution would be fixing the problem. But nobody seems to even think about that. Aaah, classical software engineering.
  • Why people like to quote all previous emails? That's crazy. That's also often security problem. Some of the emails contain stuff which is reserved for limited audience, but when people are added to the delivery, those previous emails could (eh, will) leak to people whom those was not intended to. - Business as usual. Also it's pointless to quote everything, everyone got those emails already. Repeating same information again and again, is utterly silly.

2019-04-28