Notices by David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)

I know people like to make fun of niche operating systems, but for the five years I was at Microsoft I used Windows (10 then 11) as my daily driver. It’s much less stable than a professional OS, but it does kind-of work. I wouldn’t say it’s ready for the desktop. The UI is inconsistent and changes randomly between releases, a load of common software is basically useable only in a VM, it lags and freezes periodically (unlike an OS designed for interactive use, random drivers run a load of things directly in interrupt handlers, so you get latency spikes that you wouldn’t see in a more mainstream desktop OS) and the update process can hose the system, so it’s mostly of interest to people who like tinkering with their machines than people who actually want to get work done. Oh and a load of random bits of the OS have ads, but that’s what you get from a free ad-supported system instead of one developed by an active open-source community.

I don’t think I’d recommend anyone use it as their daily driver or in a work setting, but it’s not totally unusable. It’s not at the level of maturity than you’d expect from, say, Linux or FreeBSD, especially not for client workloads. If you do have to use it, I recommend that you install FreeBSD in a Hyper-V VM for real work. That’s what I did and it works quite well.

@futurebird

'But you're always the one organising social activities!'

Yes, because then I am more in control of what's happening and it's less stressful.

I think we need to talk about the real problem with immigration.

First a few people come here from somewhere and everything is fine.

But then shops open to sell them the food that they’re used to.

And then I learn what things are supposed to taste like and develop standards.

And then I can no longer tolerate the low-quality version that all the supermarkets sell because now I know how bad it is.

Immigrants: They make food shopping more stressful.

Is improving the economy and enriching our culture really worth that?

@dalias @guardianproject @signalapp @fdroidorg

Okay, I am not going to argue any more. Allowing a third party to inject arbitrary code is literally what you do when you link a closed-source binary with no sandboxing.

If you think it's bad-faith criticism to state a fact, I am just going to mute you. Especially when you follow it up with 'usually promoting scammy fake secure messengers', which is something I was definitely not doing (and, if you pay attention to my previous posts, you'll see that I have encouraged people to use Signal rather than other things).

@dalias @guardianproject @signalapp @fdroidorg

When you are making a claim of security as a result of being open source, the fact that that you allow someone else to provide a binary and then inject it into your final build is a problem.

I can only assume that you're arguing for the sake of arguing, rather than making a real point.

@dalias @guardianproject @signalapp @fdroidorg The libraries are arbitrary (binary) code provided by a third party. I'm not sure what you think is a myth.

@guardianproject @signalapp @fdroidorg

'Our secure messenger is open source and auditable, except for the fact that we allow a data-mining company to inject arbitrary code into our binaries and don't provide a build that doesn't do that' is somehow a less compelling argument than it may first appear.

When I was a PhD student, around 20 years ago, some folks in my lab were working on visualisation for CT and scan data. CT scans take a load of cross-sectional images and the traditional way of looking at them is to scan through one slice at a time. This needs a lot of training because it's not how the human visual system evolved to see things.

Some folks in my lab were working on using techniques from volumetric rendering (a CT scan is basically a volumetric data set) to improve this. They had some demos at the time (using real CT scan data) that could:

• Give you a 3D image that you could rotate or zoom the images.
• Use isosurfacing to remove contiguous blocks of identical tissue, so you could remove skin, bone, and so on from the image and just see the organ that you were interested in.
• Use similar techniques to apply false colour to highlight things (e.g. seeing blood in a different colour to blood vessels). This included translucency, so you could make different kinds of tissue translucent.

At the time, this needed a fairly beefy desktop GPU. Today, the exact same code would run on an iPad without warming it up too much.

So I was incredibly disappointed when I saw a specialist looking at a CT scan in hospital a few weeks ago and they were still doing the scan-through-slices visualisation.

When someone talks about how 'AI will revolutionise health care', remember that there are old bits of well-understood IT that are not deployed in the health profession even after feedback from clinicians saying that it would definitely make their lives easier. Even getting records digitised so hospitals have instant access to patients' medical history is still not completely finished and that's based on 1960s technology.

Time for your regular reminder that VM security is better than process isolation not because VMs are magic (they use the same MMU as process isolation) but for two simple reasons:

• VMs have a much narrower interface to the hypervisor than processes do to the kernel.
• Hypervisor APIs are a lot less stateful than kernel APIs, the hypervisor is tracking a lot less stateful than and therefore has less that can get out of sync.

That’s it: smaller attack surface and smaller TCB.

You can build different kernel APIs that have these properties, or you can extend hypervisors with rich stateful APIs and have something that’s just as hard to secure as a modern kernel.

Post-Spectre, there’s one additional benefit: Hypervisors run relatively small numbers of VMs and their hot paths for communication are asynchronous, which means that you can typically do a lot more cache flushing and even unmap every page not associated with the current guest while operating on a guest. The latter is closely related to the second point: guest APIs make it obvious which VM a hypervisor is operating on behalf of.

@gwynnion What, you mean ‘we’re not as bad as them, we’ll enact their policies more slowly’ isn’t a compelling slogan to get out the vote?

@molly0xfff Ah, thanks. Odd design decision for Ghost, I wonder why they don't just need a standard sendmail interface or SMTP relay.

The 22nd amendment to the US constitution says:

No person shall be elected to the office of the President more than twice

Trump claims that he was elected in 2020. Even if he didn't serve as President, then he was ineligible to stand in 2024 and cannot now be President. So I think we should all support his claim that he won in 2020.

Margaret Thatcher apparently slept for only four hours a day. Interestingly, if I sleep for four hours a day, I find I am also in favour of policies that make everyone suffer.

The reason I get so annoyed about people pitching LLMs as a way to 'democratise programming' or as end-user programming tools is that they solve the wrong problem.

The hard part of programming is not writing code. It's unambiguously expressing your problem and desired solution. Imagine if LLMs were perfect programmers. All you have to do is write a requirements document and they turn it into a working program. Amazing, right? Well, not if you've ever seen what most people write in a requirements document or seen the output when a team of good programmers works from a requirements document.

The most popular end-user programming language in the world (and, by extension, the most popular programming language), with over a billion users, is the Calc language that is embedded in Excel. It is not popular because it's a good language. Calc is a terrible programming language by pretty much any metric. It's popular because Excel (which is also a terrible spreadsheet, but that's a different rant) is basically a visual debugger and a reactive programming environment. Every temporary value in an Excel program is inspectable and it's trivial to write additional debug expressions that are automatically updated when the values that they're observing change.

Much as I detest it as a spreadsheet, Excel is probably the best debugger that I have ever used, including Lisp and Smalltalk.

The thing that makes end-user programming easy in Excel is not that it's easy to write code, it's that it's easy to see what the code is doing and understand why it's doing the wrong thing. If you replace this with an LLM that generates Python, and the Python program is wrong, how does a normal non-Python-programming human debug it? They try asking the LLM, but it doesn't actually understand the Python so it will often send them down odd rabbit holes. In contrast, every intermediate step in an Excel / Calc program is visible. Every single intermediate value is introspectable. Adding extra sanity checks (such as 'does money leaving the account equal the money paid to suppliers?') is trivial.

If you want to democratise programming, build better debuggers, don't build tools that rapidly generate code that's hard to debug.

@jimcarroll Ah yes, Canadians, famed worldwide for their rude and unhelpful behaviour.

@ChrisMayLA6 @GeofCox Access to treatment for diabetes is the best case study I’ve seen for this. Cost cutting there increased the number of amputations and of prosthetics and long-term disability support needed and offset the cost savings by over and order of magnitude. But the two are in totally different parts of the NHS budget and so the people responsible for the cost savings looked good to their management.

I really like capability systems, but 'capability' is a terrible name.

In normal English, a capability is something intrinsic. If you have the capability to run a four-minute mile, it's something that you can do. You don't need some token to enable you to do it.

In a capability system, holding a capability doesn't grant you the ability to do the thing implicitly, it requires you to present the authorising capability when you try the action. This is one of the core advantages of capability systems over other kinds of access control. They respect the principle of intentional use. It's not enough that you have a capability to do a thing, you must use the correct capability when you try to do the thing. This eliminates a whole set of possible confused-deputy attacks.

Capabilities are more like inventory items in an adventure game. Just having them in the inventory doesn't let you solve a puzzle, you must use the correct inventory item on the correct object to solve the puzzle.

I can't think of a better word. 'Tool' might work (except that it's almost as bad as that time some French people named a theorem prover). Saying 'I don't have the right tool to accomplish this task' makes sense in English as a 'I need to hold this thing and use it correctly', whereas 'I don't have the capability to accomplish this task' sounds like you're talking about ambient authority.

Are there better words? Maybe something in another language?

@DemocracyMattersALot

the app is known to have been breached by Russian and Belarusian hackers

That is misleading. If you scanned a QR code in Signal, it would let you link a device that would then see all messages sent to you until you noticed and unlinked that device.

#Signal is a long way from perfect, but it has one key benefit: It is very easy for people to adopt. Download the app, follow a linear flow, start talking to existing contacts. In particular:

• It reuses an existing identifier (COI also does this, though doesn’t have a discovery protocol so you can’t tell which users will support the upgraded mode without trying to message them).
• The security of your communication does not depend on the instance you pick (you can’t pick an instance and you can’t choose to run one, which I consider a weakness, but most alternatives at least leak metadata to the person who runs your server and to the servers that you communicate with).
• It doesn’t ever fall back to an insecure mode. This eliminates downgrade attacks. OMEMO over XMPP and COI will both fall back to unencrypted modes and rely on UI patterns for users to detect this (remember how well the SSL padlock worked for this?)
• It reliably syncs keys across devices, so phone, tablet, and desktop clients can all see your messages and you can transparently move between them.
• Encrypted multi-party video chats just work. Now that chat links works you can just stick them in a calendar invitation and switch to using Signal for meetings instead of proprietary systems.

There’s a longer list of things that I would like them to fix, but that’s the set of things I need a chat program to support to be something I’d recommend to non-geeks. Being able to host your own server is nice. Needing to host your own server for security is a deal breaker.

Yay, after only seven years, the latest update to Microsoft Teams lets you past an email address into the 'recipients' box in the make-a-meeting UI and doesn't split it into {first} {second} {email@address} and treat them all as separate invalid email addresses (yes, even the email address, because it kept the angle brackets in the token that it parses. And, yes, it did split between spaces for things in quotes, but it dropped the quotes).

Now, if you paste "Some person" <email@address>, you get that person as an invitee, not Some, person and <email@address>.

Honestly, if I didn't have first-hand knowledge that people in the Office org at Microsoft use their products, I wouldn't believe it.