AMD: Microcode Signature Verification Vulnerability
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w [github.com]
2025-02-03 19:53
tags:
bios
cpu
exploit
hash
security
systems
virtualization
This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches. We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates. This vulnerability could be used by an adversary to compromise confidential computing workloads protected by the newest version of AMD Secure Encrypted Virtualization, SEV-SNP or to compromise Dynamic Root of Trust Measurement.
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
source: HN
The Art of Dithering and Retro Shading for the Web
https://blog.maximeheckel.com/posts/the-art-of-dithering-and-retro-shading-web/ [blog.maximeheckel.com]
2025-02-03 19:47
tags:
gl
graphics
interactive
programming
visualization
web
I spent the past few months building my personal website from the ground up, finally taking the time to incorporate some 3D work to showcase my shader and WebGL skills. Throughout this work, I got to truly understand the crucial role that post-processing plays in making a scene actually look good, which brought some resolutions to long-term frustrations I had with my past React Three Fiber and shader projects where my vision wouldn’t materialize regardless of the amount of work and care I was putting into them.
Taking the time to build, combine, and experiment with custom post-processing effects gave me an additional creative outlet, and among the many types I got to iterate on, I always had a particular affection for the several “retro” effects I came up with. With subtle details such as dithering, color quantization, or pixelization/CRT RGB cells, they bring a pleasant contrast between the modern web landscape and a long-gone era of technology we 90s/early 2000s kids are sometime longing for.
source: HN
JavaScript Temporal is coming
https://developer.mozilla.org/en-US/blog/javascript-temporal-is-coming/ [developer.mozilla.org]
2025-01-30 20:14
tags:
browser
javascript
library
programming
update
web
Implementations of the new JavaScript Temporal object are starting to be shipped in experimental releases of browsers. This is big news for web developers because working with dates and times in JavaScript will be hugely simplified and modernized.
source: HN
Bilinear down/upsampling, aligning pixel grids, and that infamous GPU half pixel offset
https://bartwronski.com/2021/02/15/bilinear-down-upsampling-pixel-grids-and-that-half-pixel-offset/ [bartwronski.com]
2025-01-27 23:28
tags:
graphics
programming
So I figured it’s an opportunity for another short blog post – on bilinear filtering, but in context of down/upsampling. We will touch here on GPU half pixel offsets, aligning pixel grids, a bug / confusion in Tensorflow, deeper signal processing analysis of what’s going on during bilinear operations, and analysis of the magic of the famous “magic kernel”.
source: HN
Where Do Those Undergraduate Divisibility Problems Come From?
https://grossack.site/2025/01/16/undergrad-divisibility-problems.html [grossack.site]
2025-01-20 19:25
tags:
math
Oftentimes in your “intro to proofs” class or your first “discrete math” class or something similar, you’ll be shown problems of the form “prove that for is a multiple of for every ”… But where do these problems come from? And have you ever stopped to think how magical this is? If I gave you some random polynomial in and asked you if it always output multiples of , the answer would almost always be “no”! So if you really needed to come up with an example of this phenomenon, how would you do it? In this blog post, we give one approach!
source: HN
Bypassing disk encryption on systems with automatic TPM2 unlock
https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock/ [oddlama.org]
2025-01-17 16:26
tags:
crypto
linux
security
storage
Have you setup automatic disk unlocking with TPM2 and systemd-cryptenroll or clevis? Then chances are high that your disk can be decrypted by an attacker who just has brief physical access to your machine - with some preparation, 10 minutes will suffice. In this article we will explore how TPM2 based disk decryption works, and understand why many setups are vulnerable to a kind of filesystem confusion attack. We will follow along by exploiting two different real systems (Fedora + clevis, NixOS + systemd-cryptenroll).
source: HN
Physically Based Rendering: From Theory To Implementation
https://pbr-book.org/ [pbr-book.org]
2025-01-17 16:21
tags:
book
gl
graphics
Physically Based Rendering describes both the mathematical theory behind a modern photorealistic rendering system and its practical implementation. A method known as literate programming combines human-readable documentation and source code into a single reference that is specifically designed to aid comprehension. The book’s leading-edge algorithms, software, and ideas—including new material on GPU ray tracing—equip the reader to design and employ a full-featured rendering system capable of creating stunning imagery.
source: HN
Why The Weak Nuclear Force Is Short Range
https://profmattstrassler.com/articles-and-posts/particle-physics-basics/the-astonishing-standard-model/why-the-weak-nuclear-force-is-short-range/ [profmattstrassler.com]
2025-01-15 22:22
tags:
physics
The “range” of a force is a measure of the distance across which it can easily be effective. Some forces, including electric and magnetic forces and gravity, are long-range, able to cause dramatic effects that can reach across rooms, planets, and even galaxies. Short-range forces tail off sharply, and are able to make a significant impact only at distances shorter than their “range”. The weak nuclear force, for instance, dies off at distances ten million times smaller than an atom! That makes its effects on atoms rather slow and rare, which is why it is called “weak”.
source: HN
Go 1.24 interactive tour
https://antonz.org/go-1-24/ [antonz.org]
2025-01-15 21:07
tags:
garbage-collection
go
programming
update
Go 1.24 is scheduled for release in February, so it’s a good time to explore what’s new. The official release notes are pretty dry, so I prepared an interactive version with lots of examples showing what has changed and what the new behavior is.
source: L
Justified Text: Better Than Expected?
https://cloudfour.com/thinks/justified-text-better-than-expected/ [cloudfour.com]
2025-01-15 21:06
tags:
design
html
web
I was pleasantly surprised by the results in Chromium browsers at medium and large container widths. Hyphenation seems conservative and readable, yet there are no unsightly gaps or “rivers” between words. Safari and Firefox hyphenate a bit more frequently, but not distractingly so.
source: L
Why is my CPU usage always 100%?
https://www.downtowndougbrown.com/2024/04/why-is-my-cpu-usage-always-100-upgrading-my-chumby-8-kernel-part-9/ [www.downtowndougbrown.com]
2025-01-13 22:14
tags:
bugfix
c
investigation
linux
programming
systems
That’s really weird! Why would top be using all of my CPU? It says 100% usr in the second line. Sometimes the usage showed up as 50% usr and 50% sys. Other times it would show up as 100% sys. And very rarely, it would show 100% idle. In that rare case, top would actually show up with 0% usage as I would expect. The 2.6.28 kernel did not have this problem, so it was something different about my newer kernel.
source: HN
It's time to abandon the cargo cult metaphor
http://www.righto.com/2025/01/its-time-to-abandon-cargo-cult-metaphor.html [www.righto.com]
2025-01-13 19:14
tags:
article
history
hoipolloi
The cargo cult metaphor is commonly used by programmers. This metaphor was popularized by Richard Feynman’s “cargo cult science” talk with a vivid description of South Seas cargo cults. However, this metaphor has three major problems. First, the pop-culture depiction of cargo cults is inaccurate and fictionalized, as I’ll show. Second, the metaphor is overused and has contradictory meanings making it a lazy insult. Finally, cargo cults are portrayed as an amusing story of native misunderstanding but the background is much darker: cargo cults are a reaction to decades of oppression of Melanesian islanders and the destruction of their culture. For these reasons, the cargo cult metaphor is best avoided.
I doubt anyone is going to avoid anything, but the history is very interesting.
The history and use of /etc/glob in early Unixes
https://utcc.utoronto.ca/~cks/space/blog/unix/EtcGlobHistory [utcc.utoronto.ca]
2025-01-13 18:57
tags:
sh
text
unix
One of the innovations that the V7 Bourne shell introduced was built in shell wildcard globbing, which is to say expanding things like *, ?, and so on. Of course Unix had shell wildcards well before V7, but in V6 and earlier, the shell didn’t implement globbing itself; instead this was delegated to an external program, /etc/glob (this affects things like looking into the history of Unix shell wildcards, because you have to know to look at the glob source, not the shell).
source: HN
WorstFit: Unveiling Hidden Transformers in Windows ANSI!
https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/ [blog.orange.tw]
2025-01-10 14:54
tags:
exploit
programming
security
text
turtles
windows
The research unveils a new attack surface in Windows by exploiting Best-Fit, an internal charset conversion feature. Through our work, we successfully transformed this feature into several practical attacks, including Path Traversal, Argument Injection, and even RCE, affecting numerous well-known applications!
source: HN
California’s “Protecting Our Kids from Social Media Addiction Act” Is Partially Unconstitutional… But Other Parts Are Green-Lighted – NetChoice v. Bonta
https://blog.ericgoldman.org/archives/2025/01/californias-protecting-our-kids-from-social-media-addiction-act-is-partially-unconstitutional-but-other-parts-are-green-lighted-netchoice-v-bonta.htm [blog.ericgoldman.org]
2025-01-07 08:24
tags:
policy
social
web
California SB 976, “Protecting Our Kids from Social Media Addiction Act,” is one of the multitudinous laws that pretextually claim to protect kids online. Like many such laws nowadays, it’s a gish-gallop compendium of online censorship ideas: Age authentication! Parental consent! Overrides of publishers’ editorial decisions! Mandatory transparency!
NetChoice made a variation of my argument, saying that age authentication always acts as a speed bump for readers accessing desired content. The court says that’s not so. The court notes that “many companies now collect extensive data about users’ activity throughout the internet that allow them to develop comprehensive profiles of each user for targeted advertising” and, mining that data, age authentication could “run in the background” without requiring any affirmative steps from readers to complete the authentication.
How to Proceed When a Technology is Not Mature
https://www.basicinstructions.net/basic-instructions/2025/1/6/how-to-proceed-when-a-technology-is-not-mature [www.basicinstructions.net]
2025-01-07 08:16
tags:
comic
future
tech
Do you ever feel like we aren’t getting the future we were promised, but we are getting the one we were threatened with.
How to triangulate a polyline with thickness
https://jvernay.fr/en/blog/polyline-triangulation/ [jvernay.fr]
2025-01-05 22:33
tags:
c
gl
graphics
interactive
programming
visualization
To render any geometric figure to a GPU (with OpenGL / Direct3D / Vulkan / ...), they must first be triangulated, i.e. decomposed as a series of triangles. Some figures are trivial to transform into triangles: for instance, a segment with thickness is represented by a rectangle, which can be rendered with two triangles. But a segment strip with thickness (aka. polyline) is not trivial.
Ultimately, this exploration has been a rabbit hole, also partly due to some digressions along the path — let’s prototype with a bare implementation of GeoGebra in vanilla JavaScript — let’s do a WebGL + WASM demo to verify the algorithm works correctly ... 😅 At least, it gives some fancy interactive visuals for this blog post. 😁
source: HN
Don't clobber the frame pointer
https://nsrip.com/posts/clobberfp.html [nsrip.com]
2025-01-05 09:34
tags:
bugfix
compiler
cpu
go
programming
Recently I diagnosed and fixed two frame pointer unwinding crashes in Go. The root causes were two flavors of the same problem: buggy assembly code clobbered a frame pointer. By “clobbered” I mean wrote over the value without saving & restoring it. One bug clobbered the frame pointer register. The other bug clobbered a frame pointer saved on the stack. This post explains the bugs, talks a bit about ABIs and calling conventions, and makes some recommendations for how to avoid the bugs.
source: L
Do You Have Aura — or Are You Mid? A Gen-Z Slang Dictionary.
https://www.thefp.com/p/what-the-heck-is-gen-z-talking-about-2024-essay-contest-winner [www.thefp.com]
2025-01-04 18:20
tags:
essay
hoipolloi
language
life
Bro, this intro is high-key gonna slap. Just let me cook.
When a Telescope Is a National-Security Risk
https://www.theatlantic.com/science/archive/2024/12/vera-rubin-telescope-spy-satellite/680814/ [www.theatlantic.com]
2025-01-04 18:07
tags:
opsec
policy
science
space
In the early months of 2023, the astronomer Željko Ivezić found himself taking part in a highly unusual negotiation. Ivezić is the 59-year-old director of the Vera Rubin Observatory, a $1 billion telescope that the United States has been developing in the Chilean high desert for more than 20 years. He was trying to reach an agreement that would keep his telescope from compromising America’s national security when it starts stargazing next year.
This task was odd enough for any scientist, and it was made more so by the fact that Ivezić had no idea with whom he was negotiating. “I didn’t even know which agency I was talking to,” he told me on a recent video call from his field office in Chile. Whoever it was would communicate with him only through intermediaries at the National Science Foundation. Ivezić didn’t even know whether one person or several people were on the other side of the exchange. All he knew was that they were very security-minded. Also, they seemed to know a great deal about astronomy.
source: jwz