Core Isolatioin

  #31  
Old February 23rd 20, 04:09 AM posted to alt.comp.os.windows-10
Water Mellon
external usenet poster
 
Posts: 1
Default Core Isolatioin

On 23/02/2020 00:56, VanguardLH wrote:
Ken Springer wrote:

And, I'm going to be up on a ladder with the ice dams I just mentioned!

Attic insulation at my place is poor: very old, has settled, and
probably the old fire-retardant paper pebbles. It's on my to-do list
for home repairs to vacuum out the old crap and blow in new insulation.
Crappy insulation is why I have ice dams: too much heat getting into the
attic during the winter. Last summer I was going to put up the
ice-melting cord that zigzags on the roof over the eaves, but it kept
raining here almost every day. Wettest year on record here. So, for
this winter, I used a snow rake on the roof to minimize the ice dams.
Any sun that hits the exposed shingles melts remaining snow and the much
thinner ice dams. Gotta be careful with a snow rake, though. Just let
it drag down, and don't yank on any snags, especially at the edge of the
roof. It'll still remove some of the stone chips in the shingles, so I
really need to redo the attic insulation and add the de-icing cables.
Might have to also add better drip molding as the shingles don't seem to
extend enough over the fascia board. I can slide the gutters under the
drop molding, or bend out the molding so it's 1/2-inch away from fascia.


Do you know how to use paragraphs when writing? Your style is unique to
lump everything in one block.

  #32  
Old February 23rd 20, 08:40 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Core Isolatioin

Water Mellon wrote:
On 23/02/2020 00:56, VanguardLH wrote:
Ken Springer wrote:

And, I'm going to be up on a ladder with the ice dams I just mentioned!

Attic insulation at my place is poor: very old, has settled, and
probably the old fire-retardant paper pebbles. It's on my to-do list
for home repairs to vacuum out the old crap and blow in new insulation.
Crappy insulation is why I have ice dams: too much heat getting into the
attic during the winter. Last summer I was going to put up the
ice-melting cord that zigzags on the roof over the eaves, but it kept
raining here almost every day. Wettest year on record here. So, for
this winter, I used a snow rake on the roof to minimize the ice dams.
Any sun that hits the exposed shingles melts remaining snow and the much
thinner ice dams. Gotta be careful with a snow rake, though. Just let
it drag down, and don't yank on any snags, especially at the edge of the
roof. It'll still remove some of the stone chips in the shingles, so I
really need to redo the attic insulation and add the de-icing cables.
Might have to also add better drip molding as the shingles don't seem to
extend enough over the fascia board. I can slide the gutters under the
drop molding, or bend out the molding so it's 1/2-inch away from fascia.


Do you know how to use paragraphs when writing? Your style is unique to
lump everything in one block.


Given the multivariate nature of roofing problems, I think
that particular rendering is a good measure of the mental
turmoil involved :-)

You have to be a little careful, about what is insulating the roof.
It could be vermiculite (only bad if contaminated with asbestos).

https://www.epa.gov/sites/production...rmiculite2.jpg

There is a blown-in insulation process that uses paper, but I thought
it was for cavities, and the guy uses a stick to pack the paper into
place. It's intended to stop air penetration, as well as insulate,
but this only works until the paper settles. The paper is soaked in
borax, to inhibit the work of insects.

Paul
  #33  
Old February 23rd 20, 08:01 PM posted to alt.comp.os.windows-10
Frank Slootweg
external usenet poster
 
Posts: 1,226
Default Core Isolatioin

Ken Blake wrote:
On 2/22/2020 3:58 PM, Ken Springer wrote:

I don't killfile anyone, as every once in a while, they actually post
something useful.


Although that's true, for everyone I killfile it happens seldom enough,
that I'm way ahead if I killfile them and don't have to read the crap
they regularly post.

But it's your choice. I can't tell you or anyone else what to do. But I
*can* ask that you don't quote the trolls, so the rest of us who have
them killfiled don't have to read their crap in your messages.


I assume you mean "that you do not respond to the trolls", instead of
'only' not quoting the trolls.

I have no experience with Thunderbird's filtering capabilities [1],
but nospam has a tag in his MIDs, so perhaps TB can filter on direct
responses to articles which have that tag in the last MID of their
'References:' header. My newsreader, tin, can do that (msgid_last=...).

But of course if people respond to people who respond to nospam,
you'll still see *their* posts.

If you want to kill all responses, direct and indirect ones, i.e.
'ignore sub-thread started by bozo', then apparently TB does have *that*
functionality:

quote

From: Ralph Fox
Newsgroups: news.software.readers
Subject: Looking for another newsreader
Message-ID:
Date: Sat, 09 Jul 2011 15:46:24 +1200
....
In Thunderbird, if
(1) you killfilter Joh Bozo, setting the action to "Ignore Subthread",
and
(2) you do not have a check-mark in the setting "View Threads
Ignored Threads"
then you will see nothing of Joh Bozo and nothing of the subthreads
that he starts.

/quote

HTH.

[1] I use Thunderbird, but only for e-mail, not for NetNews/Usenet.
  #34  
Old February 24th 20, 05:18 AM posted to alt.comp.os.windows-10
Zaghadka
external usenet poster
 
Posts: 315
Default Core Isolatioin

On Thu, 20 Feb 2020 19:51:14 -0700, in alt.comp.os.windows-10, Ken
Springer wrote:

Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?


Depends on how you feel about TPMs. It'll let you try to turn it on, but
without a TPM 2.0 plugged in, it'll fail.

--
Zag

No one ever said on their deathbed, 'Gee, I wish I had
spent more time alone with my computer.' ~Dan(i) Bunten
  #35  
Old February 24th 20, 03:23 PM posted to alt.comp.os.windows-10
Ken Blake[_7_]
external usenet poster
 
Posts: 569
Default Core Isolatioin

On 2/23/2020 1:01 PM, Frank Slootweg wrote:
Ken Blake wrote:
On 2/22/2020 3:58 PM, Ken Springer wrote:

I don't killfile anyone, as every once in a while, they actually post
something useful.


Although that's true, for everyone I killfile it happens seldom enough,
that I'm way ahead if I killfile them and don't have to read the crap
they regularly post.

But it's your choice. I can't tell you or anyone else what to do. But I
*can* ask that you don't quote the trolls, so the rest of us who have
them killfiled don't have to read their crap in your messages.


I assume you mean "that you do not respond to the trolls", instead of
'only' not quoting the trolls.




Yes, I mean do not respond, but my point was that if you respond and
quote, I get to read what you quoted, and my killfiling the troll hasn't
completely had the effect I wanted.


I have no experience with Thunderbird's filtering capabilities [1],
but nospam has a tag in his MIDs, so perhaps TB can filter on direct
responses to articles which have that tag in the last MID of their
'References:' header. My newsreader, tin, can do that (msgid_last=...).

But of course if people respond to people who respond to nospam,
you'll still see *their* posts.

If you want to kill all responses, direct and indirect ones, i.e.
'ignore sub-thread started by bozo', then apparently TB does have *that*
functionality:

quote

From: Ralph Fox
Newsgroups: news.software.readers
Subject: Looking for another newsreader
Message-ID:
Date: Sat, 09 Jul 2011 15:46:24 +1200
...
In Thunderbird, if
(1) you killfilter Joh Bozo, setting the action to "Ignore Subthread",
and
(2) you do not have a check-mark in the setting "View Threads
Ignored Threads"
then you will see nothing of Joh Bozo and nothing of the subthreads
that he starts.

/quote

HTH.

[1] I use Thunderbird, but only for e-mail, not for NetNews/Usenet.



I'm just the opposite. I use Thunderbird as my newsreader, but I don't
use it for e-mail.


--
Ken
  #36  
Old February 24th 20, 03:27 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Core Isolatioin

Zaghadka wrote:

Ken Springer wrote:

Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?


Depends on how you feel about TPMs. It'll let you try to turn it on,
but without a TPM 2.0 plugged in, it'll fail.


I mentioned the TPM requirement (although, I think, you don't need a
chip but the BIOS firmware can emulate one). Found this info:

https://en.wikipedia.org/wiki/Truste...mplementations

I already mentioned vulnerability of Intel's ME (Management Engine), a
microcontroller in their CPU, used as part of the isolated environment
for the system processes. A hack could allow remote code execution, even
when your computer is powered off. TPMs are vulnerable, too.

https://www.bleepingcomputer.com/new...-on-tpm-chips/
(Aug 2018)
https://www.zdnet.com/article/tpm-fa...ptops-servers/
(dated Nov 2019)

While the hacks have been fixed in the TPM specifications, that doesn't
change the hardware or emulator you are currently using. If software
based, the BIOS could get flashed or software updated, but are there
actually updates for you to get yet? Doing brain surgery on your mobo
by updating its firmware always has risk, especially if the new code is
flawed or incompletely copied resulting in a non-bootable mobo that bars
burning back the old code (assuming you first made a copy before
updating the mobo's firmware).

https://support.microsoft.com/en-us/...r-tpm-firmware
But there's always a lag between vulnerability discovery to correction
leaving a window of opportunity for compromise. That assumes a fix for
your hardware/software setup ever emerges, and the update doesn't itself
cause problems.

It's not that the extra security is infallible. Never is. It hopefully
raises the bar against malicious or unauthorized access. Alas, some
security measures do not compound onto other security measures to raise
the bar. Instead a vulnerability in one nullifies the other security
measures; i.e., one attack vector is sufficient. So, it's more like a
hurdle race where the runner (hacker) figures out how to get outside the
lane to eliminate having to jump over the remaining hurdles. The
problem with more security is that stability is too often compromised.
Who wants a more secure machine that keeps crashing or exhibits unwanted
and corruptive side effects? I gave up long ago on overclocking my
hardware and decided to pay more for faster hardware rather than
sacrifice stability. Oops, it crashed, but it's more secure. How can a
crashed computer be considered to be secure at all? It isn't running!
No one wants their computer to simulate Mission Impossible (TV series)
with self-destructing message tapes.

In another thread, T was asking about Veracrypt. Ken here wanted to
know what might be the consequences of using Core Isolation. According
to the above wiki article, TrueCrypt hence Veracrypt are not compatible
with TPMs, but that's only for whole-disk (well, whole-partition)
encryption, not when creating encrypted container files (that get
mounted as drives). So, there is yet another incompatibility between
Core Isolation and some more software. Bitlocker, in contrast, requires
a TPM (real or emulated) to work, but Bitlocker is only a whole-disk
encryption scheme, not where you create encrypted container files that
you can mount anywhere and anytime as drives. Bitlocker isn't portable.
Veracrypt is in one mode, and incompatible with TPMs in another.

https://www.veracrypt.fr/en/FAQ.html
"Some encryption programs use TPM to prevent attacks. Will VeraCrypt use
it too?"
No. ...
  #37  
Old February 24th 20, 05:42 PM posted to alt.comp.os.windows-10
Frank Slootweg
external usenet poster
 
Posts: 1,226
Default Core Isolatioin

Ken Blake wrote:
On 2/23/2020 1:01 PM, Frank Slootweg wrote:
Ken Blake wrote:
On 2/22/2020 3:58 PM, Ken Springer wrote:

I don't killfile anyone, as every once in a while, they actually post
something useful.

Although that's true, for everyone I killfile it happens seldom enough,
that I'm way ahead if I killfile them and don't have to read the crap
they regularly post.

But it's your choice. I can't tell you or anyone else what to do. But I
*can* ask that you don't quote the trolls, so the rest of us who have
them killfiled don't have to read their crap in your messages.


I assume you mean "that you do not respond to the trolls", instead of
'only' not quoting the trolls.


Yes, I mean do not respond, but my point was that if you respond and
quote, I get to read what you quoted, and my killfiling the troll hasn't
completely had the effect I wanted.

I have no experience with Thunderbird's filtering capabilities [1],
but nospam has a tag in his MIDs, so perhaps TB can filter on direct
responses to articles which have that tag in the last MID of their
'References:' header. My newsreader, tin, can do that (msgid_last=...).

But of course if people respond to people who respond to nospam,
you'll still see *their* posts.

If you want to kill all responses, direct and indirect ones, i.e.
'ignore sub-thread started by bozo', then apparently TB does have *that*
functionality:

quote

From: Ralph Fox
Newsgroups: news.software.readers
Subject: Looking for another newsreader
Message-ID:
Date: Sat, 09 Jul 2011 15:46:24 +1200
...
In Thunderbird, if
(1) you killfilter Joh Bozo, setting the action to "Ignore Subthread",
and
(2) you do not have a check-mark in the setting "View Threads
Ignored Threads"
then you will see nothing of Joh Bozo and nothing of the subthreads
that he starts.

/quote

HTH.

[1] I use Thunderbird, but only for e-mail, not for NetNews/Usenet.


I'm just the opposite. I use Thunderbird as my newsreader, but I don't
use it for e-mail.


OK, but you didn't say whether or not the above (Ralph Fox' post)
solves your killfiling need/want or not.
  #38  
Old February 24th 20, 06:39 PM posted to alt.comp.os.windows-10
Ken Blake[_7_]
external usenet poster
 
Posts: 569
Default Core Isolatioin

On 2/24/2020 10:42 AM, Frank Slootweg wrote:
Ken Blake wrote:
On 2/23/2020 1:01 PM, Frank Slootweg wrote:
Ken Blake wrote:
On 2/22/2020 3:58 PM, Ken Springer wrote:

I don't killfile anyone, as every once in a while, they actually post
something useful.

Although that's true, for everyone I killfile it happens seldom enough,
that I'm way ahead if I killfile them and don't have to read the crap
they regularly post.

But it's your choice. I can't tell you or anyone else what to do. But I
*can* ask that you don't quote the trolls, so the rest of us who have
them killfiled don't have to read their crap in your messages.

I assume you mean "that you do not respond to the trolls", instead of
'only' not quoting the trolls.


Yes, I mean do not respond, but my point was that if you respond and
quote, I get to read what you quoted, and my killfiling the troll hasn't
completely had the effect I wanted.

I have no experience with Thunderbird's filtering capabilities [1],
but nospam has a tag in his MIDs, so perhaps TB can filter on direct
responses to articles which have that tag in the last MID of their
'References:' header. My newsreader, tin, can do that (msgid_last=...).

But of course if people respond to people who respond to nospam,
you'll still see *their* posts.

If you want to kill all responses, direct and indirect ones, i.e.
'ignore sub-thread started by bozo', then apparently TB does have *that*
functionality:

quote

From: Ralph Fox
Newsgroups: news.software.readers
Subject: Looking for another newsreader
Message-ID:
Date: Sat, 09 Jul 2011 15:46:24 +1200
...
In Thunderbird, if
(1) you killfilter Joh Bozo, setting the action to "Ignore Subthread",
and
(2) you do not have a check-mark in the setting "View Threads
Ignored Threads"
then you will see nothing of Joh Bozo and nothing of the subthreads
that he starts.

/quote

HTH.

[1] I use Thunderbird, but only for e-mail, not for NetNews/Usenet.


I'm just the opposite. I use Thunderbird as my newsreader, but I don't
use it for e-mail.


OK, but you didn't say whether or not the above (Ralph Fox' post)
solves your killfiling need/want or not.



I missed it, sorry.

But I'll try what he suggests. I just set one of my killfiles to
"Ignore thread," and I'll see how it goes. I'll try to remember to
report back in a couple of days.


--
Ken
  #39  
Old February 24th 20, 07:03 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Core Isolatioin

VanguardLH wrote:

While the hacks have been fixed in the TPM specifications, that doesn't
change the hardware or emulator you are currently using. If software
based, the BIOS could get flashed or software updated, but are there
actually updates for you to get yet? Doing brain surgery on your mobo
by updating its firmware always has risk, especially if the new code is
flawed or incompletely copied resulting in a non-bootable mobo that bars
burning back the old code (assuming you first made a copy before
updating the mobo's firmware).


There's a fix for that actually.

My motherboard has a built-in hardware flasher. You can pull the Intel
CPU out of the socket, remove the sticks of RAM, just apply 24 pin power,
and the motherboard can be re-flashed by plugging in a USB stick with
the flash image on it. This is meant to imply... it can't be bricked.
Whether it's true or not, it would be pretty hard to test. If the BIOS
chip wears out, that would be one failure mechanism. But at least the
random nature of flash upgrading is covered now.

I only have one motherboard with that feature.

And as for TPM, it's possible an Intel chipset has that inside.
All my motherboard got, was the TPM connector as evidence anyone
thought about it. There's a pin header for one.

And my computer store has TPM modules for sale. $17 in local currency.
I'd buy one, but I doubt I'd notice the difference once it was
plugged in. It would be even less useful than the Bluetooth
dongle I bought.

Paul
  #40  
Old February 24th 20, 08:33 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Core Isolatioin

Paul wrote:

VanguardLH wrote:

While the hacks have been fixed in the TPM specifications, that doesn't
change the hardware or emulator you are currently using. If software
based, the BIOS could get flashed or software updated, but are there
actually updates for you to get yet? Doing brain surgery on your mobo
by updating its firmware always has risk, especially if the new code is
flawed or incompletely copied resulting in a non-bootable mobo that bars
burning back the old code (assuming you first made a copy before
updating the mobo's firmware).


There's a fix for that actually.

My motherboard has a built-in hardware flasher. You can pull the Intel
CPU out of the socket, remove the sticks of RAM, just apply 24 pin power,
and the motherboard can be re-flashed by plugging in a USB stick with
the flash image on it. This is meant to imply... it can't be bricked.
Whether it's true or not, it would be pretty hard to test. If the BIOS
chip wears out, that would be one failure mechanism. But at least the
random nature of flash upgrading is covered now.

I only have one motherboard with that feature.


I've seen some mobos that have 2 EEPROM sets. One keeps a backup copy.
One is the primary copy from which the CMOS copy comes. If you
flash and the primary EEPROM gets screwed up, you can copy from the
backup EEPROM. Beats having to remove the EEPROMs to use an [E[E]]PROM
burner to record the old ones before flashing in new code. At one place
I worked, they had a reader/burner machine, so I could copy the code
from the chips instead of relying on the flash program saving a copy.
If something went wrong, I could swap the EEPROMs and be back to before.

The flash programs that I've used before allowed you to save the current
BIOS firmware onto removable media (floppy, optical, or USB). Sometimes
they didn't tell you how, so you had to research on its command-line
arguments. The problem was that an incomplete flash (power failure,
chip burn failure, or other interruption) could render the mobo
unbootable, so you couldn't use the saved copy of the firmware to burn
it back in to get back to where you started. That's why I remember
seeing places that would sell you EEPROM chips with code already burned
on them for your brand and model of mobo.

I suspect (but haven't been through this yet) that the mobo that I have
which has a flash routine in its BIOS uses the Intel ME microcontroller
inside the CPU. It can flash based on a file you point at. Or it can
reach out via Internet to the mobo maker's web site to get the code, and
burn that into the EEPROM. It completely bypasses using any OS to load
a flash program. I wouldn't run one inside of Windows, anyway. The
standalone bootable flasher still needs an OS or, at a minimum, must be written
in instruction code with a loader program that copies the program into
memory and passes control to it to run without an OS. Those are the
type that I've used in the past. I have used the BIOS-supplied flash
tool, and it works very well. The mobo must be able to boot into the
boot config screens to use it, though.

And as for TPM, it's possible an Intel chipset has that inside.
All my motherboard got, was the TPM connector as evidence anyone
thought about it. There's a pin header for one.


Actually, I think the alternate TPM (not the standalone chip, which is
either soldered onto the mobo or there is a header for it) is in the
chipset, not inside the CPU. In addition, AMD and Intel have software
TPMs that run entirely inside the ME microcontroller, so they run in a
[more] trusted execution environment.

Core Isolation requires a TPM along with a hypervisor. That means a
software-based "virtual" TPM can run inside the hypervisor isolated
environment.

And my computer store has TPM modules for sale. $17 in local currency.
I'd buy one, but I doubt I'd notice the difference once it was
plugged in.


Probably requires some BIOS settings, too, like Secure Boot. Mine (an
Asrock) has the option to enable/disable Intel's PTT (Platform Trust
Technology) that uses Intel's ME (Management Engine) microcontroller in
Intel's CPU. If this option is enabled, the TPM is emulated in the
mobo's firmware (BIOS, which I suspect you need UEFI, not MBR). If
disabled, a discrete TPM chip can be used (there's a header for one). It
could be a restriction in the firmware for my mobo, or something to do
with the virtualized TPM feature of my mobo, but my recollection is that
I had to disable CSM (Compatibility Support Module) in the BIOS if PTT
were enabled (to use the ME microcontroller), and why I suspect you need
a UEFI BIOS to use the virtual TPM feature (where "virtual" here means
firmware code to do what a TPM chip does, so "emulated" would probably
be a better term, but I've not seen a mobo call it that). This needs
that, but not something else, and so on, so getting it all set up can be
a royal pain. And then you might find something doesn't work right with
the OS or the software you use. Seems way too much a mess to bother
with for a home PC, or even typical workplace workstations, and more
like something to harden a server deployed for commercial use, or a
portable computer where data on it is highly sensitive to a business'
survival.
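The post above lists the pieces that have to line up for Core Isolation's "Memory integrity" switch to actually take effect: a TPM (discrete, or firmware-emulated via Intel PTT), UEFI rather than CSM boot with Secure Boot, a hypervisor, and the VBS service itself. The following script is an added example written for this thread, not code from the thread's participants or from Microsoft. It is a read-only inventory of exactly those pieces so you can see what a machine reports before (or after) flipping the toggle. The cmdlets and WMI classes it calls (Get-Tpm, Confirm-SecureBootUEFI, Win32_Tpm, Win32_ComputerSystem, Win32_DeviceGuard) are standard Windows components; the decoded status codes follow Microsoft's documentation of the Win32_DeviceGuard class. The function name and the field names in the output object are my own choices. Run it from an elevated PowerShell prompt on Windows 10; without elevation the Secure Boot query fails and would be reported as a legacy-BIOS boot.

```powershell
# Added example (not from the thread): read-only inventory of the TPM / Secure
# Boot / hypervisor / VBS state that Core Isolation's "Memory integrity" depends
# on. Run elevated on Windows 10. Changes nothing on the machine.

function Get-CoreIsolationReadiness {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # --- TPM (discrete chip, or firmware TPM such as Intel PTT / AMD fTPM) ---
    # Get-Tpm ships in the TrustedPlatformModule module; treat a missing module
    # or an error as "no usable TPM" instead of aborting the whole inventory.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r['TpmPresent'] = [bool]$tpm.TpmPresent
        $r['TpmReady']   = [bool]$tpm.TpmReady
    } catch {
        $r['TpmPresent'] = $false
        $r['TpmReady']   = $false
    }
    # Win32_Tpm.SpecVersion (e.g. "2.0, 0, 1.38") tells a 2.0 part from a 1.2
    # part; the class is absent when the OS sees no TPM at all.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r['TpmSpecVersion'] = if ($wmiTpm) { $wmiTpm.SpecVersion } else { $null }
    $r['TpmIs20']        = [bool]($wmiTpm -and $wmiTpm.SpecVersion -like '2.0*')

    # --- Firmware mode and Secure Boot ---
    # Confirm-SecureBootUEFI throws on a legacy-BIOS / CSM boot (and when not
    # elevated); that is the UEFI-versus-CSM situation the post describes.
    try {
        $r['SecureBoot'] = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        $r['SecureBoot'] = 'LegacyBIOSOrNotElevated'
    }

    # --- Hypervisor ---
    # True once the Hyper-V hypervisor is loaded (VBS itself loads it), so this
    # reflects the running state, not whether VT-x/AMD-V is enabled in firmware.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r['HypervisorPresent'] = [bool]$cs.HypervisorPresent

    # --- VBS / HVCI as reported by the Device Guard WMI provider ---
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not
    # running, 2 = enabled and running. SecurityServicesRunning contains 2 when
    # HVCI ("Memory integrity") is live, and 1 for Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $r['VbsStatus']      = @('Disabled', 'EnabledNotRunning', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        $r['HvciConfigured'] = [bool]($dg.SecurityServicesConfigured -contains 2)
        $r['HvciRunning']    = [bool]($dg.SecurityServicesRunning -contains 2)
        # Platform properties VBS found (documented codes): 1 base VBS,
        # 2 Secure Boot, 3 DMA protection, 4 secure memory overwrite,
        # 5 UEFI code read-only, 6 SMM mitigations, 7 mode-based execution control
        $r['AvailableSecurityProperties'] = ($dg.AvailableSecurityProperties -join ',')
    } else {
        $r['VbsStatus']      = 'ProviderMissing'
        $r['HvciConfigured'] = $false
        $r['HvciRunning']    = $false
        $r['AvailableSecurityProperties'] = ''
    }

    # The "Memory integrity" toggle in Windows Security writes this DWORD. The
    # toggle being set while HVCI is not running is the "it lets you turn it on
    # but it fails" case from the thread.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $enabled = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $r['HvciToggleInRegistry']   = [bool]$enabled
    $r['ToggleSetButNotRunning'] = [bool]($enabled -and -not $r['HvciRunning'])

    [pscustomobject]$r
}

Get-CoreIsolationReadiness | Format-List
```

The two fields worth reading together are `HvciToggleInRegistry` and `HvciRunning`: the first says what the user asked for, the second what the platform actually delivered after the reboot. When they disagree, `SecureBoot`, `TpmIs20` and `AvailableSecurityProperties` usually show which prerequisite the firmware is not providing.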
 



