Hacker News | mlosapio's comments

This is bad advice. You should use a PIN on your TPM and not a password protecting the drive header.


I don't think this is true, a decent password is as secure if not even more secure.


Sort of. The better analogy would be spinning up compute localized to the s3 object; which would be pretty interesting.

This feature they did release deserves little fanfare.


Ummm. Linux’s NFS client includes a kernel page cache.

You can just mmap or read the file without doing anything else. That is zero or one memcpy overhead.

S3 clients have to copy the data over the network, assemble the tcp packets, decrypt and checksum for ssl, and then memcpy the result. That’s at a minimum. They may be doing other work, like verifying the s3 checksum, or allocating memory to store the object.

They have to do that once per lambda process, again, at a minimum. They might do it once per lambda invocation.

I wonder how amazon bills DRAM if multiple lambdas mmap the same thing read only.


Ummm, I'm pretty sure that before data from a remote NFS server makes it into the kernel cache, it too has to be copied over the network, assembled from TCP packets, possibly decrypted (k5p) and verified (k5i) with NFS over Kerberos (otherwise you would have no confidentiality/integrity), and moved into newly allocated memory. Sure, once it is in the kernel cache and the data is not modified there may be just "Is this handle still up to date?" remote calls, but you could achieve a similar cache with object storage.


Yes.


Is the dm-crypt decryption key stored on the NitroKey with a pin/passphrase to access the key to mount the decrypted disk?


From what I understand the key is verifying that the BIOS and the unencrypted part of the disk are unaltered. It is not verifying that any of the encrypted part of the hard drive has been tampered with. As such, it is not storing the hard drive decryption key on the USB stick.


So this is much like UEFI secure-boot then?


Measured boot allows verifying the integrity of the installed firmware (which itself verifies the integrity of the Linux boot partition) by a separate Nitrokey. The idea is that you have your Nitrokey nearby and therefore safe against compromise, other than the laptop which may be left unattended.


iOS Walkie Talkie has been down since Wednesday


This is a fantastic piece! I’ve been advocating for “complexity points” for years now. MBSA (make boring sexy again!)


Awesome feature that will likely unlock a bunch of services or service providers like Iceberg, Snort and Suricata to be able to capture and inspect traffic inside the cloud.



Thank you to the project maintainers; while Red Hat does release the source code, anyone who’s actually compiled from source knows that it’s never push-button easy.


Volunteer Firefighter and SRE here.

ICS is crucial in any and all of our incidents and should be the model on how any disaster is handled.


Thank you Caroll Spinney for helping teach generations how to be compassionate, patient and respectful of your neighbors. You brought to life costumes and characters that will forever define Americana.

