#31
Core Isolation
On 23/02/2020 00:56, VanguardLH wrote:
Ken Springer wrote: And, I'm going to be up on a ladder with the ice dams I just mentioned!

Attic insulation at my place is poor: very old, has settled, and probably the old fire-retardant paper pebbles. It's on my to-do list for home repairs to vacuum out the old crap and blow in new insulation. Crappy insulation is why I have ice dams: too much heat getting into the attic during the winter. Last summer I was going to put up the ice-melting cord that zigzags on the roof over the eaves, but it kept raining here almost every day. Wettest year on record here. So, for this winter, I used a snow rake on the roof to minimize the ice dams. Any sun that hits the exposed shingles melts remaining snow and the much thinner ice dams. Gotta be careful with a snow rake, though. Just let it drag down, and don't yank on any snags, especially at the edge of the roof. It'll still remove some of the stone chips in the shingles, so I really need to redo the attic insulation and add the de-icing cables. Might have to also add better drip molding as the shingles don't seem to extend enough over the fascia board. I can slide the gutters under the drop molding, or bend out the molding so it's 1/2-inch away from fascia.

Do you know how to use paragraphs when writing? Your style is unique to lump everything in one block.
#32
Core Isolation
Water Mellon wrote:
On 23/02/2020 00:56, VanguardLH wrote: Ken Springer wrote: And, I'm going to be up on a ladder with the ice dams I just mentioned!

Attic insulation at my place is poor: very old, has settled, and probably the old fire-retardant paper pebbles. It's on my to-do list for home repairs to vacuum out the old crap and blow in new insulation. Crappy insulation is why I have ice dams: too much heat getting into the attic during the winter. Last summer I was going to put up the ice-melting cord that zigzags on the roof over the eaves, but it kept raining here almost every day. Wettest year on record here. So, for this winter, I used a snow rake on the roof to minimize the ice dams. Any sun that hits the exposed shingles melts remaining snow and the much thinner ice dams. Gotta be careful with a snow rake, though. Just let it drag down, and don't yank on any snags, especially at the edge of the roof. It'll still remove some of the stone chips in the shingles, so I really need to redo the attic insulation and add the de-icing cables. Might have to also add better drip molding as the shingles don't seem to extend enough over the fascia board. I can slide the gutters under the drop molding, or bend out the molding so it's 1/2-inch away from fascia.

Do you know how to use paragraphs when writing? Your style is unique to lump everything in one block.

Given the multivariate nature of roofing problems, I think that particular rendering is a good measure of the mental turmoil involved :-)

You have to be a little careful, about what is insulating the roof. It could be vermiculite (only bad if contaminated with asbestos).

https://www.epa.gov/sites/production...rmiculite2.jpg

There is a blown-in insulation process that uses paper, but I thought it was for cavities, and the guy uses a stick to pack the paper into place. It's intended to stop air penetration, as well as insulate, but this only works until the paper settles. The paper is soaked in borax, to inhibit the work of insects.

Paul
#33
Core Isolation
Ken Blake wrote:
On 2/22/2020 3:58 PM, Ken Springer wrote: I don't killfile anyone, as every once in a while, they actually post something useful.

Although that's true, for everyone I killfile it happens seldom enough, that I'm way ahead if I killfile them and don't have to read the crap they regularly post. But it's your choice. I can't tell you or anyone else what to do. But I *can* ask that you don't quote the trolls, so the rest of us who have them killfiled don't have to read their crap in your messages.

I assume you mean "that you do not respond to the trolls", instead of 'only' not quoting the trolls.

I have no experience with Thunderbird's filtering capabilities [1], but nospam has a tag in his MIDs, so perhaps TB can filter on direct responses to articles which have that tag in the last MID of their 'References:' header. My newsreader, tin, can do that (msgid_last=...). But of course if people respond to people who respond to nospam, you'll still see *their* posts.

If you want to kill all responses, direct and indirect ones, i.e. 'ignore sub-thread started by bozo', then apparently TB does have *that* functionality:

quote
From: Ralph Fox
Newsgroups: news.software.readers
Subject: Looking for another newsreader
Message-ID:
Date: Sat, 09 Jul 2011 15:46:24 +1200

....

In Thunderbird, if
(1) you killfilter Joh Bozo, setting the action to "Ignore Subthread", and
(2) you do not have a check-mark in the setting "View Threads Ignored Threads"
then you will see nothing of Joh Bozo and nothing of the subthreads that he starts.
/quote

HTH.

[1] I use Thunderbird, but only for e-mail, not for NetNews/Usenet.
#34
Core Isolation
On Thu, 20 Feb 2020 19:51:14 -0700, in alt.comp.os.windows-10, Ken Springer wrote: Does anyone know of any negative effects of turning on the memory integrity of the Core Isolation feature?

Depends on how you feel about TPMs. It'll let you try to turn it on, but without a TPM 2.0 plugged in, it'll fail.

--
Zag

No one ever said on their deathbed, 'Gee, I wish I had spent more time alone with my computer.' ~Dan(i) Bunten
#35
Core Isolation
On 2/23/2020 1:01 PM, Frank Slootweg wrote:
Ken Blake wrote: On 2/22/2020 3:58 PM, Ken Springer wrote: I don't killfile anyone, as every once in a while, they actually post something useful.

Although that's true, for everyone I killfile it happens seldom enough, that I'm way ahead if I killfile them and don't have to read the crap they regularly post. But it's your choice. I can't tell you or anyone else what to do. But I *can* ask that you don't quote the trolls, so the rest of us who have them killfiled don't have to read their crap in your messages.

I assume you mean "that you do not respond to the trolls", instead of 'only' not quoting the trolls.

Yes, I mean do not respond, but my point was that if you respond and quote, I get to read what you quoted, and my killfiling the troll hasn't completely had the effect I wanted.

I have no experience with Thunderbird's filtering capabilities [1], but nospam has a tag in his MIDs, so perhaps TB can filter on direct responses to articles which have that tag in the last MID of their 'References:' header. My newsreader, tin, can do that (msgid_last=...). But of course if people respond to people who respond to nospam, you'll still see *their* posts.

If you want to kill all responses, direct and indirect ones, i.e. 'ignore sub-thread started by bozo', then apparently TB does have *that* functionality:

quote
From: Ralph Fox
Newsgroups: news.software.readers
Subject: Looking for another newsreader
Message-ID:
Date: Sat, 09 Jul 2011 15:46:24 +1200

...

In Thunderbird, if
(1) you killfilter Joh Bozo, setting the action to "Ignore Subthread", and
(2) you do not have a check-mark in the setting "View Threads Ignored Threads"
then you will see nothing of Joh Bozo and nothing of the subthreads that he starts.
/quote

HTH.

[1] I use Thunderbird, but only for e-mail, not for NetNews/Usenet.

I'm just the opposite. I use Thunderbird as my newsreader, but I don't use it for e-mail

--
Ken
#36
Core Isolation
Zaghadka wrote:
Ken Springer wrote: Does anyone know of any negative effects of turning on the memory integrity of the Core Isolation feature?

Depends on how you feel about TPMs. It'll let you try to turn it on, but without a TPM 2.0 plugged in, it'll fail.

I mentioned the TPM requirement (although, I think, you don't need a chip but the BIOS firmware can emulate one). Found this info:

https://en.wikipedia.org/wiki/Truste...mplementations

I already mentioned vulnerability of Intel's ME (Management Engine), a microcontroller in their CPU, used as part of the isolated environment for the system processes. A hack could allow remote code execution, even when your computer is powered off. TPMs are vulnerable, too.

https://www.bleepingcomputer.com/new...-on-tpm-chips/ (Aug 2018)
https://www.zdnet.com/article/tpm-fa...ptops-servers/ (dated Nov 2019)

While the hacks have been fixed in the TPM specifications, that doesn't change the hardware or emulator you are currently using. If software based, the BIOS could get flashed or software updated, but are there actually updates for you to get yet? Doing brain surgery on your mobo by updating its firmware always has risk, especially if the new code is flawed or incompletely copied resulting in a non-bootable mobo that bars burning back the old code (assuming you first made a copy before updating the mobo's firmware).

https://support.microsoft.com/en-us/...r-tpm-firmware

But there's always a lag between vulnerability discovery to correction leaving a window of opportunity for compromise. That assumes a fix for your hardware/software setup ever emerges, and the update doesn't itself cause problems.

It's not that the extra security is infallible. Never is. It hopefully raises the bar against malicious or unauthorized access. Alas, some security measures do not compound onto other security measures to raise the bar. Instead a vulnerability in one nullifies the other security measures; i.e., one attack vector is sufficient. So, it's more like a hurdle race where the runner (hacker) figures out how to get outside the lane to eliminate having to jump over the remaining hurdles.

The problem with more security is that stability is too often compromised. Who wants a more secure machine that keeps crashing or exhibits unwanted and corruptive side effects? I gave up long ago on overclocking my hardware and decided to pay more for faster hardware rather than sacrifice stability. Oops, it crashed, but it's more secure. How can a crashed computer be considered to be secure at all? It isn't running! No one wants their computer to simulate Mission Impossible (TV series) with self-destructing message tapes.

In another thread, T was asking about Veracrypt. Ken here wanted to know what might be the consequences of using Core Isolation. According to the above wiki article, TrueCrypt hence Veracrypt are not compatible with TPMs, but that's only for whole-disk (well, whole-partition) encryption, not when creating encrypted container files (that get mounted as drives). So, there is yet another incompatibility between Core Isolation and some more software. Bitlocker, in contrast, requires a TPM (real or emulated) to work, but Bitlocker is only a whole-disk encryption scheme, not where you create encrypted container files that you can mount anywhere and anytime as drives. Bitlocker isn't portable. Veracrypt is in one mode, and incompatible with TPMs in another.

https://www.veracrypt.fr/en/FAQ.html
"Some encryption programs use TPM to prevent attacks. Will VeraCrypt use it too?"
No. ...
#37
Core Isolation
Ken Blake wrote:
On 2/23/2020 1:01 PM, Frank Slootweg wrote: Ken Blake wrote: On 2/22/2020 3:58 PM, Ken Springer wrote: I don't killfile anyone, as every once in a while, they actually post something useful.

Although that's true, for everyone I killfile it happens seldom enough, that I'm way ahead if I killfile them and don't have to read the crap they regularly post. But it's your choice. I can't tell you or anyone else what to do. But I *can* ask that you don't quote the trolls, so the rest of us who have them killfiled don't have to read their crap in your messages.

I assume you mean "that you do not respond to the trolls", instead of 'only' not quoting the trolls.

Yes, I mean do not respond, but my point was that if you respond and quote, I get to read what you quoted, and my killfiling the troll hasn't completely had the effect I wanted.

I have no experience with Thunderbird's filtering capabilities [1], but nospam has a tag in his MIDs, so perhaps TB can filter on direct responses to articles which have that tag in the last MID of their 'References:' header. My newsreader, tin, can do that (msgid_last=...). But of course if people respond to people who respond to nospam, you'll still see *their* posts.

If you want to kill all responses, direct and indirect ones, i.e. 'ignore sub-thread started by bozo', then apparently TB does have *that* functionality:

quote
From: Ralph Fox
Newsgroups: news.software.readers
Subject: Looking for another newsreader
Message-ID:
Date: Sat, 09 Jul 2011 15:46:24 +1200

...

In Thunderbird, if
(1) you killfilter Joh Bozo, setting the action to "Ignore Subthread", and
(2) you do not have a check-mark in the setting "View Threads Ignored Threads"
then you will see nothing of Joh Bozo and nothing of the subthreads that he starts.
/quote

HTH.

[1] I use Thunderbird, but only for e-mail, not for NetNews/Usenet.

I'm just the opposite. I use Thunderbird as my newsreader, but I don't use it for e-mail

OK, but you didn't say whether or not the above (Ralph Fox' post) solves your killfiling need/want or not.
#38
Core Isolation
On 2/24/2020 10:42 AM, Frank Slootweg wrote:
Ken Blake wrote: On 2/23/2020 1:01 PM, Frank Slootweg wrote: Ken Blake wrote: On 2/22/2020 3:58 PM, Ken Springer wrote: I don't killfile anyone, as every once in a while, they actually post something useful.

Although that's true, for everyone I killfile it happens seldom enough, that I'm way ahead if I killfile them and don't have to read the crap they regularly post. But it's your choice. I can't tell you or anyone else what to do. But I *can* ask that you don't quote the trolls, so the rest of us who have them killfiled don't have to read their crap in your messages.

I assume you mean "that you do not respond to the trolls", instead of 'only' not quoting the trolls.

Yes, I mean do not respond, but my point was that if you respond and quote, I get to read what you quoted, and my killfiling the troll hasn't completely had the effect I wanted.

I have no experience with Thunderbird's filtering capabilities [1], but nospam has a tag in his MIDs, so perhaps TB can filter on direct responses to articles which have that tag in the last MID of their 'References:' header. My newsreader, tin, can do that (msgid_last=...). But of course if people respond to people who respond to nospam, you'll still see *their* posts.

If you want to kill all responses, direct and indirect ones, i.e. 'ignore sub-thread started by bozo', then apparently TB does have *that* functionality:

quote
From: Ralph Fox
Newsgroups: news.software.readers
Subject: Looking for another newsreader
Message-ID:
Date: Sat, 09 Jul 2011 15:46:24 +1200

...

In Thunderbird, if
(1) you killfilter Joh Bozo, setting the action to "Ignore Subthread", and
(2) you do not have a check-mark in the setting "View Threads Ignored Threads"
then you will see nothing of Joh Bozo and nothing of the subthreads that he starts.
/quote

HTH.

[1] I use Thunderbird, but only for e-mail, not for NetNews/Usenet.

I'm just the opposite. I use Thunderbird as my newsreader, but I don't use it for e-mail

OK, but you didn't say whether or not the above (Ralph Fox' post) solves your killfiling need/want or not.

I missed it, sorry. But I'll try what he suggests. I just set one of my killfiles to "Ignore thread," and I'll see how it goes. I'll try to remember to report back in a couple of days

--
Ken
#39
Core Isolation
VanguardLH wrote:
While the hacks have been fixed in the TPM specifications, that doesn't change the hardware or emulator you are currently using. If software based, the BIOS could get flashed or software updated, but are there actually updates for you to get yet? Doing brain surgery on your mobo by updating its firmware always has risk, especially if the new code is flawed or incompletely copied resulting in a non-bootable mobo that bars burning back the old code (assuming you first made a copy before updating the mobo's firmware).

There's a fix for that actually. My motherboard has a built-in hardware flasher. You can pull the Intel CPU out of the socket, remove the sticks of RAM, just apply 24 pin power, and the motherboard can be re-flashed by plugging in a USB stick with the flash image on it. This is meant to imply... it can't be bricked. Whether it's true or not, it would be pretty hard to test. If the BIOS chip wears out, that would be one failure mechanism. But at least the random nature of flash upgrading is covered now. I only have one motherboard with that feature.

And as for TPM, it's possible an Intel chipset has that inside. All my motherboard got, was the TPM connector as evidence anyone thought about it. There's a pin header for one. And my computer store has TPM modules for sale. $17 in local currency. I'd buy one, but I doubt I'd notice the difference once it was plugged in. It would be even less useful than the Bluetooth dongle I bought.

Paul
#40
Core Isolation
Paul wrote:
VanguardLH wrote: While the hacks have been fixed in the TPM specifications, that doesn't change the hardware or emulator you are currently using. If software based, the BIOS could get flashed or software updated, but are there actually updates for you to get yet? Doing brain surgery on your mobo by updating its firmware always has risk, especially if the new code is flawed or incompletely copied resulting in a non-bootable mobo that bars burning back the old code (assuming you first made a copy before updating the mobo's firmware).

There's a fix for that actually. My motherboard has a built-in hardware flasher. You can pull the Intel CPU out of the socket, remove the sticks of RAM, just apply 24 pin power, and the motherboard can be re-flashed by plugging in a USB stick with the flash image on it. This is meant to imply... it can't be bricked. Whether it's true or not, it would be pretty hard to test. If the BIOS chip wears out, that would be one failure mechanism. But at least the random nature of flash upgrading is covered now. I only have one motherboard with that feature.

I've seen some mobos that have 2 EEPROM sets. One keeps a backup copy. One is the primary copy from which the CMOS copy comes from. If you flash and the primary EEPROM gets screwed up, you can copy from the backup EEPROM. Beats having to remove the EEPROMs to use an [E[E]]PROM burner to record the old ones before flashing in new code. At one place I worked, they had a reader/burner machine, so I could copy the code from the chips instead of relying on the flash program saving a copy. If something went wrong, I could swap the EEPROMs and be back to before.

The flash programs that I've before used allowed you to save the current BIOS firmware onto removable media (floppy, optical, or USB). Sometimes they didn't tell you how, so you had to research on its command-line arguments. The problem was that an incomplete flash (power failure, chip burn failure, or other interruption) could render the mobo unbootable, so you couldn't use the saved copy of the firmware to burn it back in to get back to where you started. That's why I remember seeing places that would sell you EEPROM chips with code already burned on them for your brand and model of mobo.

I suspect (but haven't been through this yet) that the mobo that I have which has a flash routine in its BIOS uses the Intel ME microcontroller inside the CPU. It can flash based on a file you point at. Or it can reach out via Internet to the mobo maker's web site to get the code, and burn that into the EEPROM. It completely bypasses using any OS to load a flash program. I wouldn't run one inside of Windows, anyway. The standalone bootable flasher still needs an OS or, at a minimum, written in instruction code with a loader program that copies the program into memory and passes control to it to run without an OS. Those are the type that I've used in the past. I have used the BIOS-supplied flash tool, and it works very well. The mobo must be able to boot into the boot config screens to use it, though.

And as for TPM, it's possible an Intel chipset has that inside. All my motherboard got, was the TPM connector as evidence anyone thought about it. There's a pin header for one.

Actually, I think the alternate TPM (not the standalone chip for which is either soldered onto the mobo or there is a header for it) is in the chipset, not inside the CPU. In addition, AMD and Intel have software TPMs that run entirely inside the ME microcontroller, so they run in a [more] trusted execution environment. Core Isolation requires a TPM along with a hypervisor. That means a software-based "virtual" TPM can run inside the hypervisor isolated environment.

And my computer store has TPM modules for sale. $17 in local currency. I'd buy one, but I doubt I'd notice the difference once it was plugged in.

Probably requires some BIOS settings, too, like Secure Boot. Mine (an Asrock) has the option to enable/disable Intel's PTT (Platform Trust Technology) that uses Intel's ME (Management Engine) microcontroller in Intel's CPU. If this option is enabled, the TPM is emulated in the mobo's firmware (BIOS, which I suspect you need UEFI, not MBR). If disabled, a discrete TPM chip can be used (there's a header for one). It could be a restriction in the firmware for my mobo, or something to do with the virtualized TPM feature of my mobo, but my recollection is that I had to disable CSM (Compatibility Support Module) in the BIOS if PTT were enabled (to use the ME microcontroller), and why I suspect you need a UEFI BIOS to use the virtual TPM feature (where "virtual" here means firmware code to do what a TPM chip does, so "emulated" would probably be a better term, but I've not seen a mobo call it that).

This needs that, but not something else, and so on, so getting it all set up can be a royal pain. And then you might find something doesn't work right with the OS or the software you use. Seems way too much a mess to bother with for a home PC, or even typical workplace workstations, and more like something to harden a server deployed for commercial use, or a portable computer where data on it is highly sensitive to a business' survival.
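As an added example, not written by any poster in this thread: a read-only PowerShell report of the pieces discussed above (firmware boot mode, TPM presence with its spec and firmware version, Secure Boot, and whether memory integrity is configured and running). The function name `Get-CoreIsolationReport` is made up for this example; it assumes an elevated Windows PowerShell 5.1 prompt on Windows 10.

```powershell
# Added example: read-only status report, changes nothing on the machine.
# Get-CoreIsolationReport is a hypothetical name chosen for this example.
# Run elevated: Get-Tpm, Win32_Tpm and Confirm-SecureBootUEFI need admin rights.

function Get-CoreIsolationReport {
    $report = [ordered]@{}

    # Firmware boot mode: 'Uefi' or 'Bios' (legacy/CSM boot).
    $report.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # TPM state. A discrete chip and a firmware TPM (e.g. Intel PTT) are
    # reported through the same interface.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $report.TpmPresent         = $tpm.TpmPresent
        $report.TpmReady           = $tpm.TpmReady
        $report.TpmVendor          = $tpm.ManufacturerIdTxt
        $report.TpmFirmwareVersion = $tpm.ManufacturerVersion

        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        $report.TpmSpecVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }
    } catch {
        $report.TpmPresent = "unknown: $($_.Exception.Message)"
    }

    # Secure Boot. The cmdlet throws on legacy-BIOS boots and when not elevated.
    try {
        $report.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $report.SecureBoot = "not available: $($_.Exception.Message)"
    }

    # Virtualization-based security and memory integrity (HVCI).
    # In Win32_DeviceGuard, service id 2 is hypervisor-enforced code integrity.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $vbsText = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }
        $report.VbsStatus                 = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        $report.MemoryIntegrityConfigured = $dg.SecurityServicesConfigured -contains 2
        $report.MemoryIntegrityRunning    = $dg.SecurityServicesRunning -contains 2
    } else {
        $report.VbsStatus = 'Win32_DeviceGuard class not available on this system'
    }

    [pscustomobject]$report
}

Get-CoreIsolationReport | Format-List
```

The TPM vendor and firmware version it prints are the values to compare against the manufacturer's advisory when checking whether a TPM firmware update for the issues linked earlier in the thread applies to a given machine.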