Hacking News
-
@Gustav said in Hacking News:
I wonder if it has something to do with their renderer being written in Rust.
Unlikely. From what I understand, Rust is supposed to be reasonably performant, so it being in Rust shouldn't make the program inefficient enough to mess up the timing side channel. (Plus, this is GPU-side anyway.)
FWIW: The article says it is a timing side channel that uses the fact that GPUs do transparent buffer compression when transferring data. The latter is hidden away from the user, deep in hardware, and not really controllable from software. You can only observe the side effects (in this case, differences in performance).
Overall architecture of the renderer is a more likely cause.
-
@Gustav I’d be more willing to suggest that this is nothing to do with Rust because last I checked Safari doesn’t have Rust components, and more to do with the Chrome team botching the WebP implementation for performance that ended up downstream in Edge.
Remember, Safari may have brought forth WebKit but Google forked it long ago into Blink “for performance”. That would explain Chrome and Edge having it but not Safari.
It is possible that Safari is borrowing off Firefox’s Rust work but honestly… probably not. There’s still regular C++ bugs found in Safari.
-
Shhhh. Let @Gustav enjoy his daily dose of Rust addiction. He's not hurting anyone, is he?
-
@Arantor said in Hacking News:
It is possible that Safari is borrowing off Firefox’s Rust work
This isn't even remotely close to what I meant but whatever.
@cvi said in Hacking News:
FWIW: The article says it is a timing side channel that uses the fact that GPUs do transparent buffer compression when transferring data. The latter is hidden away from the user, deep in hardware, and not really controllable from software. You can only observe the side effects (in this case, differences in performance).
And that's what makes it weird. With something so disjointed from the actual code of the program, one would expect it behaves like Meltdown, ie. all software is equally vulnerable and there's nothing they can do about it. Either that, or the vulnerability only works for a specific combination of software and hardware - but apparently, the exploit is so portable it even works on ARM platforms with Qualcomm GPUs. The only common link in all that is Chrome. Normally that would indicate a bug in Chrome itself.
-
@Gustav you kept banging on about it being related to Rust even though Safari is exempt too (alongside Firefox) which suggests it’s nothing to do with Rust at all.
The common link is Chrome but that’s not really a common link to Safari any more - the architecture of Edge will mirror Chrome’s, in a way neither Safari nor Firefox would.
-
@Arantor said in Hacking News:
@Gustav you kept banging on about it being related to Rust
For a whole of one post, under a quote talking about Firefox.
The common link is Chrome but that’s not really a common link to Safari any more
Why would there be any common link to Safari to start with? Why do you keep banging on about it? Safari isn't vulnerable, Chrome is, nothing except Chrome is.
-
@Gustav said in Hacking News:
Normally that would indicate a bug in Chrome itself.
Or maybe just differences in how graphics buffers are handled in memory that make getting (legitimate!) access by the method used in one not work in the others?
-
@dkf across SIX different GPU vendors (maybe more) and at least two different CPU architectures?
-
@Gustav said in Hacking News:
Normally that would indicate a bug in Chrome itself.
Sure, but it's more likely just down to Chrome's rendering engine that makes it possible to observe the minuscule differences in performance. The "trololololo rust" thing isn't as much a leap of faith, but more on the level of throwing yourself off the earth and ending up in a trajectory that takes you out of the local solar system.
@Zerosquare said in Hacking News:
Shhhh. Let @Gustav enjoy his daily dose of Rust addiction. He's not hurting anyone, is he?
Huh, what? This is WTDWTF, we can't just let other people get away with stuff like that.
@Zerosquare You should look into rebooting @Zerosquare, there seems to be a malfunction.
-
@cvi said in Hacking News:
@Gustav said in Hacking News:
Normally that would indicate a bug in Chrome itself.
Sure, but it's more likely just down to Chrome's rendering engine that makes it possible to observe the minuscule differences in performance.
This explanation sounds too finicky to work across such a wide variety of hardware.
-
@Gustav said in Hacking News:
This explanation sounds too finicky to work across such a wide variety of hardware.
They all do on-the-fly compression for the same reasons, namely to save on bandwidth. The compression has to be lossless (it's done repeatedly, and using a lossy compression would degrade the results too much over time). The compression methods themselves are not disclosed, but there's only so many ways you can do this quickly enough (it essentially happens when caches are loaded or flushed). Even if the methods themselves are slightly different (and very proprietary), the cases where they work and won't work are similar enough (or at least you can identify a case where all will compress well and a case where none will compress).
-
WEBP
JUST SAY NO
-
@Gustav said in Hacking News:
This explanation sounds too finicky to work across such a wide variety of hardware.
It's a timing sidechannel. They're the very definition of finicky.
-
@Gustav said in Hacking News:
@Arantor said in Hacking News:
@Gustav you kept banging on about it being related to Rust
For a whole of one post, under a quote talking about Firefox.
The common link is Chrome but that’s not really a common link to Safari any more
Why would there be any common link to Safari to start with? Why do you keep banging on about it? Safari isn't vulnerable, Chrome is, nothing except Chrome is.
Edge is too. Which uses the same rendering engine as Chrome.
Which started out life using Safari’s rendering engine until Chrome eventually rewrote it.
-
@Arantor is there anything that isn't the same between Chrome and Edge?
-
@Gustav the icon's different. HTH.
-
@Gustav said in Hacking News:
@Arantor is there anything that isn't the same between Chrome and Edge?
I don't know, I don't recall the last time I opened Edge, even accidentally.
-
@Arantor I used Edge rather recently, only because UPS package tracking is completely broken in FF (or by one of the ad/tracker-blocking extensions), and I don't have Chrome installed on this computer.
-
With your Delivery Distortion Field, package tracking is going to be wrong anyways. So you have no reason to launch Edge.
-
@cvi said in Hacking News:
@Gustav said in Hacking News:
This explanation sounds too finicky to work across such a wide variety of hardware.
They all do on-the-fly compression for the same reasons, namely to save on bandwidth. The compression has to be lossless (it's done repeatedly, and using a lossy compression would degrade the results too much over time). The compression methods themselves are not disclosed, but there's only so many ways you can do this quickly enough (it essentially happens when caches are loaded or flushed).
Doesn't even matter how they do it, a block of white noise will always compress significantly less and thus take longer to transfer than a block of a single color.
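The point made in the two posts above, as an added example that is not part of any poster's message: two unrelated lossless schemes agree on which tile compresses best and which worst. The tile codec here is a hypothetical toy (real GPU schemes are undisclosed), zlib stands in for "some other method", and the sample tiles are constructed.

```python
import random
import zlib

TILE = 8 * 8 * 4  # constructed tile: 8x8 RGBA pixels = 256 bytes

def toy_encode(tile: bytes) -> bytes:
    """Hypothetical lossless tile codec (an assumption, not a vendor scheme).
    Mode 0: one pixel repeated. Mode 1: 4-bit deltas. Mode 2: raw."""
    pixels = [tile[i:i + 4] for i in range(0, len(tile), 4)]
    if all(p == pixels[0] for p in pixels):
        return b"\x00" + pixels[0]
    # Per-channel difference against the previous pixel.
    deltas = [b - a for a, b in zip(tile, tile[4:])]
    if all(-8 <= d <= 7 for d in deltas):
        packed = bytes(((deltas[i] & 0xF) << 4) | (deltas[i + 1] & 0xF)
                       for i in range(0, len(deltas), 2))
        return b"\x01" + tile[:4] + packed
    return b"\x02" + tile  # incompressible: stored as-is plus a mode byte

def toy_decode(blob: bytes) -> bytes:
    mode, body = blob[0], blob[1:]
    if mode == 0:
        return body * (TILE // 4)
    if mode == 2:
        return body
    out = bytearray(body[:4])
    for byte in body[4:]:
        for nib in (byte >> 4, byte & 0xF):
            out.append(out[-4] + (nib - 16 if nib >= 8 else nib))
    return bytes(out)

def sizes(tile: bytes) -> dict:
    """Compressed size in bytes under two unrelated lossless schemes."""
    return {"toy": len(toy_encode(tile)), "zlib": len(zlib.compress(tile, 9))}

# Constructed sample tiles.
SOLID = bytes([255, 255, 255, 255]) * 64
GRADIENT = bytes(c for p in range(64) for c in (p, p, p, 255))
rng = random.Random(0)
NOISE = bytes(rng.randrange(256) for _ in range(TILE))

if __name__ == "__main__":
    for name, tile in (("solid", SOLID), ("gradient", GRADIENT), ("noise", NOISE)):
        assert toy_decode(toy_encode(tile)) == tile  # lossless round trip
        print(f"{name:9s} {sizes(tile)}")
```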
-
@loopback0 said in Hacking News:
@Gustav the icon's different. HTH.
And the way it's forced down your throat on different platforms.
-
@LaoC said in Hacking News:
Doesn't even matter how they do it, a block of white noise will always compress significantly less and thus take longer to transfer than a block of a single color.
Stuff like BCn/DXT or ASTC for texture compression is a constant rate compression. White noise wouldn't do great with that (i.e., probably ends up low-pass filtered).
But, yeah, they can't use anything like that (at least not by itself) in this context, because it's lossy.
-
If you know anyone still using Exim, the second best day to migrate to Postfix is today.
-
Bing Chat contains ads to generate revenue. And that gets ~~misused~~ used properly by hackers:
https://www.bleepingcomputer.com/news/security/bing-chat-responses-infiltrated-by-ads-pushing-malware/
-
Nice walkthrough of a current 0day in ld.so.
-
@LaoC said in Hacking News:
Nice walkthrough of a current 0day in ld.so.
("Fix SXID_ERASE behavior in setuid programs (BZ #27471)").
Aw heck, never mind. Could be any one of us
-
@HardwareGeek said in Hacking News:
WEBP
JUST SAY NO
That's what this is for:
SomeFile.JPG
-
Each of the gazillion products using libcurl will need an urgent update on Tuesday.
-
@BernieTheBernie said in Hacking News:
Bing Chat contains ads to generate revenue. And that gets ~~misused~~ used properly by hackers:
https://www.bleepingcomputer.com/news/security/bing-chat-responses-infiltrated-by-ads-pushing-malware/
Since Windows Copilot combines functionality provided by Bing Chat with some Windows-specific control options, that is another future source for ads revenue:
-
Frankfurt University Hospital was hacked.
A system administrator found a suspicious account with very wide privileges, and then they shut down their IT, and now try to get it back operating step by step. Causes a lot of trouble in everyday workflow.
-
Atlassian updated its advisory this week to confirm it has “evidence to suggest that a known nation-state actor” is exploiting the bug, which the company says could allow a remote attacker to create unauthorized administrator accounts to access Confluence servers.
-
If your mother is one of those people who enters "Youtube" into Google Search to watch some videos, expect some phone calls in your future:
Details: https://nitter.net/ericlaw/status/1712531148356661494?s=61&t=k-k4O62922fE4PcVGqLzkQ
EDIT: Some people in the comments are saying that the same scammer did this for Amazon as well during the previous weeks.
-
@JBert Next time, enter
Google
...
-
@JBert and Google has for years actively been training people to do that. They want people to be oblivious of what they’re doing.
Also super annoying, not sure if Chrome or ChrEdge, is when you start typing in the address bar up top on a new page tab and the text ends up in the search field in the middle of the page.
-
@topspin said in Hacking News:
They want people to be oblivious of what they’re doing.
People want to be oblivious of what they're doing, but yes, and all that.
-
@topspin said in Hacking News:
Google has for years actively been training people to do that.
And companies giving the directions to their website as "search for FooCo online".
-
Binance is mostly covered in the Fool and Money thread, but they are more valuable to hackers: simply store malicious JavaScripts in their blockchain. The scripts are very safe in the blockchain, and will remain there up to the end of Binance (wasn't that yesterday?).
https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/
-
Data from 23andme are leaked again. There are fresh data of some 4 million users, mainly from the UK and Germany:
https://www.cshub.com/attacks/news/23andme-hacker-leaks-data
-
@BernieTheBernie said in Hacking News:
The scripts are very safe in the blockchain
The scripts would be safe in a lot of places. Is there any benefit to this particular one? Like for example that they'd run, unintentionally on the part of whoever's credentials they run with, occasionally?
-
@Bulb said in Hacking News:
Is there any benefit to this particular one?
Lulz.
Hiding illegal material, be it innocuous stuff like JS or evil stuff like CSAM, in the eternally unchangeable blockchain really has to be pissing off the crypto weenies.
-
@topspin said in Hacking News:
@Bulb said in Hacking News:
Is there any benefit to this particular one?
Lulz.
Hiding illegal material, be it innocuous stuff like JS or evil stuff like CSAM, in the eternally unchangeable blockchain really has to be pissing off the crypto weenies.
Eh, drug dealers have been storing their sales records there since day 1
-
So how compromised is Okta?
-
@DogsB Okta-gonally fücked?
-
Shit like this gains headlines and security researchers wonder why nobody listens to them. Although this one is more probable than the iPhone security hole needing physical access to the device that every publication got in a tiz about.
Where was the uproar and analysis about the two updates in the last month concerning zero click exploitations?
-
Well, never thought I would see that headline.
-
Okta. Again.
-
@DogsB said in Hacking News:
Shit like this gains headlines and security researchers wonder why nobody listens to them. Although this one is more probable than the iPhone security hole needing physical access to the device that every publication got in a tiz about.
Where was the uproar and analysis about the two updates in the last month concerning zero click exploitations?
Did you write an article that didn't get enough attention? Because this is surely a major
If this ileakage site deserves not to be listened to it's more because of their own security-oblivious use of external resources from Google Tag Manager to jsdelivr et al.