Demi Obenour
@AlwaysCurious__
1.1K posts

Software developer and security researcher. I work at Invisible Things Lab. My https://t.co/7ACW8FQMEa. BLM.

Joined October 2018
189 Following · 81 Followers
Demi Obenour retweeted
Jessica Burbank @JessicaLBurbank
Why would the government have an obligation to search for and save the life of a billionaire who willingly took a submarine to the ocean floor but not a kid with cancer who can’t afford healthcare?
Demi Obenour @AlwaysCurious__
@SwiftOnSecurity There still needs to be an on-premises device fronting the management interface.
Demi Obenour @AlwaysCurious__
I will be SO happy when an intranasal COVID-19 vaccine that produces sterilizing immunity becomes widely used.
Demi Obenour @AlwaysCurious__
@kpcyrd IMO only the first makes any sense. Main reason we can’t have per-user /tmp is Xorg but that is deprecated.
kpcyrd@chaos.social 🏴
Linux security is so broad, it ranges from "you can write whatever to /tmp it's all namespaced anyway" to "you need to consider the permissions of every file you create because Debian ships world-readable home directories by default"
Demi Obenour retweeted
Jaraparilla 🇾🇪 🇵🇸 🇱🇧
@RnaudBertrand Imagine if the USA closed all their overseas bases, cut military spending by 90%, and tried to actually compete with China by building infrastructure, educating citizens and growing their own economy. Radical concept, I know.
Demi Obenour @AlwaysCurious__
@SwiftOnSecurity The correct solution is an _on-premises_ reverse proxy connected to the device via a physical cable (no switches!). Preferably with the reverse proxy server’s own listening endpoint bound to a VPN interface.
Demi Obenour @AlwaysCurious__
@SwiftOnSecurity Sorry, but Azure AD Application Proxy is _not_ the correct tool for this, because the connection from the cloud to the on-premises management interface is still unprotected.
Demi Obenour @AlwaysCurious__
To the best of my knowledge, formal verification (preferably with the proofs made publicly available) is the only way to stop the stream of easy software-only attacks.
Demi Obenour @AlwaysCurious__
The point is that being certified to e.g. EAL5+ and AVA_VAN.5 has turned out to not actually mean very much. Devices meant to guard against state-level actors have repeatedly fallen to much weaker attackers.
Demi Obenour @AlwaysCurious__
That bugs have been found in Google’s Titan M2 is not okay. The standard for security chips like that should be EAL7: formal verification.
Javier Davalos @javierdavalos
Dear @Apple & @Unity: Nice to meet you, I make @FigminXR, likely the most popular #MixedReality app in the world. ♥️ I really love the idea of a shared app space in #AppleVision, fantastic, well done! 🙁 I'm not happy that #AR devs are forced to make use of it. You don't allow us to make simple direct ports like you do with #VR Apps. Please allow the creation of fully immersive #AR apps that don't require Unity #PolySpatial, it's literally one line of code: "passthroughEnabled = true" I'm certain that our customers will eventually demand we support the shared app space, there is no need to force our hand, they will. Many #AR pioneers would love to be part of your ecosystem but you are making it exceedingly hard, please reconsider. cc @DanMillerDev @vvuk
Demi Obenour @AlwaysCurious__
@javierdavalos @Apple @unity @FigminXR That leaves only one other option, and that is to ensure that untrusted apps cannot access sensitive data at all. This results in a declarative API, which is exactly what Apple implemented.
Demi Obenour @AlwaysCurious__
@javierdavalos @Apple @unity @FigminXR I’m not sure if confinement (preventing a process from exfiltrating data) is even possible on Apple’s GPUs, and even if it was, the overhead would almost certainly be prohibitive.
henry 🌘 @hdevalence
for indoor air, if you don’t already have a way to clean your air, you need one. good news is box fan filters work well, because the biggest thing is to max out the volume of processed air. for outdoor air, get N95 masks WITH VALVES that conform to the face, like the 3M 9211
henry 🌘 @hdevalence
one thing i haven’t seen much discussion of in the east coast smoke discourse is that it’s in all likelihood going to be like this for weeks or months, this isn’t a one-off event