Meetings are the worst, but if you need to run a staff meeting, and at some point you will, may as well run it efficiently. This post may be longer than it needs to be, but there’s some good points.

in the absence of information, humans fill the gap with the worse possible version of the truth.

Try to avoid that.

75k - The number of restaurants around the world that use the Aloha point of sale system. Aloha is an industry stalwart that has managed to stay relevant while often still looking like it was designed in 1998.

Plus some NCR history.

Why we left Medium, and how!

A bit more detail here than just, oh look, we moved.

Also, interesting that they managed to keep almost identical look and feel (for people who like the design of medium), but it loads super fast. Proves medium could be doing a lot better, if motivated.

We need to add package versioning to Go. More precisely, we need to add the concept of package versions to the working vocabulary of both Go developers and our tools, so that they can all be precise when talking to each other about exactly which program should be built, run, or analyzed. The go command needs to be able to tell developers exactly which versions of which packages are in a particular build, and vice versa.

source: trivium

This is a paper about the trade-offs between transaction throughput and database recovery time. Intuitively for example, you can do a little more work on each transaction (lowering throughput) in order to reduce the time it takes to recover in the event of failure.

And/or string scanner.

source: L

In this blog I’m going to introduce you to a concept I’ve been working on for almost 2 years now. Vectorized emulation. The goal is to take standard applications and JIT them to their AVX-512 equivalent such that we can fuzz 16 VMs at a time per thread. The net result of this work allows for high performance fuzzing (approx 40 billion to 120 billion instructions per second [the 2 trillion clickbait number is theoretical maximum]) depending on the target, while gathering differential coverage on code, register, and memory state.

Further since we’re running emulated code we are able to run a soft MMU implementation which has byte-level permissions. This gives us stronger-than-ASAN memory protections, making bugs fail faster and cleaner.

https://gamozolabs.github.io/fuzzing/2018/11/19/vectorized_emulation_mmu.html

source: solar

Consider the following code snippet that I’m borrowing from an OWASP page on command injection:

The page claims “it is not possible to inject additional commands” so it must be secure!

And... it’s not. Good grief.

How to trick users into clicking that phish link.

A system running Intel’s McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities. Some of these vulnerabilities can be chained together to allow remote code execution as root.

About time Linux started taking AV software seriously and installing some backdoors.

I said I will rewrite ttyplot examples to make them work on OpenBSD. Here they are, but a small notice before:

Couple caveats, mostly want current.

Also: https://github.com/tenox7/ttyplot

source: L

Faster, features, etc.

The OAuth 2.0 protocol itself is insecure. The document specifies some security measures that are optional (which boils down to missing for the casual developer). Apart from that, there are additional loopholes as well.

source: solar

Since ROP relies on RET instructions, where the address of the next instruction to execute is fetched from a stack, stack corruption plays a critical role in ROP attacks. CET enables the OS to create a Shadow Stack, which is designed to be protected from application code memory accesses, and stores CPU-stored copies of the return addresses. This helps ensure that even when an attacker is able to modify/corrupt the return addresses in the data stack for the purpose of carrying out a ROP attack, the attacker is not able to modify the Shadow Stack, and the CET state machine in the CPU detects mismatches between the address on the shadow and data stack to help prevent the attack via an exception reported to the OS.

In just four words, he summarizes the pervasive tendency towards a visual uniformity that seems to draw in nearly every major tech brand operating today.

EVERYBODY FALL IN LINE!

I wasn’t sure this was real at first. The new Pinterest logo looked like a spoof, but it’s real.

Beware of struggling to obey prescriptive injunctions that don’t come naturally to you; they can warp your ability to use your native language sensibly.

Also some fun stats about who gets sick in Spanish hotels.

The world’s largest retailer announced Friday that it is testing a delivery program in Silicon Valley that would allow customers to use smart-home technology to remotely open the door for delivery workers and watch a live stream of the delivery by linking their phones with home security cameras.

But can you yell at them to put the milk in the back instead of by the door?

Update: Amazon to enter the home invasion fray: https://www.theverge.com/2017/10/25/16538834/amazon-key-in-home-delivery-unlock-door-prime-cloud-cam-smart-lock

Since we would send this five billion times per day, every byte we could shave off would save five gigabytes of outgoing data, for a saving of 25 cents per day per byte removed.

It all adds up.

source: HN

Silver certificates and provisional currencies.

In this paper we present KAISER, a system that overcomes limitations of x86 and provides practical kernel address isolation. We implemented our proof-of-concept on top of the Linux kernel, closing all hardware side channels on kernel address information. KAISER enforces a strict kernel and user space isolation such that the hardware does not hold any information about kernel addresses while running in user mode.

source: solar