Midwest Dev Chat

MidwestDevChat.com github.com/skidvis/Midwest-Dev-Chat

  • The newest 15 messages in the super-cool #privacy_security channel.

  • 02/13 14:00:11 Lexie: @Fredy absolutely. ideally both are happening all the time. but it seems easier to get tech-savvy non-activists to hide activists in noise than to reach all the activists and get them to start using privacy tools correctly.

  • 02/13 14:03:41 Fredy: That's a good assumption. It's also probably a good assumption that many tech-y types probably know one or more such activists that they might personally be able to assist. I know this is true for me. I don't fear for my job (that much) while making plain my protest of the current state of affairs, but I know many that are in educational and even public service that are becoming more active while risking their livelihoods. I'm particularly keen on finding some basic solutions for them to help protect their identities online (and offline).

  • 02/13 17:20:15 Lexie: @Fredy good call. That would be an interesting segment of activists to try to cover - government employees.

  • 02/13 17:24:17 Fredy: @Lexie for sure. Thanks for putting that blog post together.

  • 02/15 08:52:49 Ryleigh: Welp, ASLR had a good long run https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/

  • 02/15 12:11:32 Sonny: ouch

  • 02/15 13:13:43 Ryleigh: Like, I'm not even mad. I'm just impressed. In the linked paper, they describe the specifics of their timing measurement:
    >>>Recent work shows that timing side channels can be
    exploited in the browser to leak sensitive information such
    as randomized pointers [6] or mouse movement [48]. These
    attacks rely on the precise JavaScript timer in order to tell the
    difference between an access that is satisfied through a cache or
    main memory. In order to thwart these attacks, major browser
    vendors have reduced the precision of the timer. Based on our
    measurements, both Firefox and Chrome have decreased the
    precision of performance.now() to exactly 5µs.
    [...]
    Instead of measuring how long
    a memory reference takes with the timer (which is no longer
    possible), we count how long it takes for the timer to tick
    after the memory reference takes place. More precisely, we
    first wait for performance.now() to tick, we then execute
    the memory reference, and then count by executing
    performance.now() in a loop until it ticks.

  • 02/23 20:27:30 Ryleigh: First sha1 collision announced: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1 hat tip @Brett

  • 02/23 20:27:44 Brett: has joined the channel

  • 02/23 22:19:27 Ernestine: What does it mean exactly when they talk about "computing the collision?"

  • 02/23 22:19:58 Ernestine: Is that really just generating the data that _results_ in the collision?

  • 02/23 22:32:44 Brett: yup

  • 02/27 13:49:01 Lexie: apropos of nothing, I love this picture from my coworking space’s security cameras … of me taking a picture of the security cameras.

  • 02/27 13:49:20 Lexie: uploaded a file: Private image uploaded, members only. Sorry.

  • 02/27 13:59:00 Ryleigh: notes watching youuuuuuu notes
    notes watching meeeeeeee notes

  • *Usernames have been changed to protect the innocent.
