Sorry, but that's the worst description of speculative execution I have ever heard😭.
This, and the WebKit-based Firefox.... 👀
@i9169345 No, it's right: iOS Firefox is WebKit, all iOS browsers are.
@i9169345 I don't know much about CPUs, so I can't say much about his description of speculative execution, but I CAN say that he is right about all browsers on iOS and iPadOS being based on WebKit. Apple forces ALL browsers that wish to be on its mobile App Stores to use WebKit; they're not allowed to use their own browser engine. This is not the case on Mac, though, so on Mac only Safari is affected.
I came in the comments to say this!
Worst description of "branch prediction speculation attack" given. Basically, if and when a new security breach is discovered at processor level, more precisely in the "speculative execution" that all processors nowadays have, it's game over. You either ignore it, or move to a newer one to evade the breach. Fixing it comes with a performance hit, or opens ways for new ones because the fix didn't fix it properly...
I have things to say about Apple products... but I let people buy them, because there is money to be made on their back. :)
Actually, Firefox DOES run on WebKit on iPhone and iPad. Apple requires it if a browser wants to be on the App Store; all iOS browsers are just reskinned WebKit.
Regarding DeepSeek, it's important to note the news is about the official app, not the AI itself; the AI variants of it can be downloaded and run locally (specifics depend on your hardware) without privacy concerns. Don't get any executable from them, only stuff that's meant to be loaded on trusted open-source third-party apps (not enough space in a YT comment to get into all the details; not really that complicated, just too many alternatives and the need to make sure I'm saying things in ways that won't confuse people that don't already know what they're doing). Watch videos about running local LLMs and such, get to know how things work, what alternatives are available etc., and once you're comfortable enough try it out.
edit: Gah, came back to read the reply and found tons of typos in my comment. I hope I caught everything now and I hope people still made sense of what I had written initially despite the mistakes.... I need sleep -___-
Digital Spaceport & NetworkChuck YT channels have good tutorials. As I suspect Low Level will at some point.
lol minus internet connection completely
I self-hosted the 30B or 33B model and it sucks. Didn't see any improvement over others I've hosted.
Funny that guy doesn't know that Apple is forced in the EU to let developers use non-WebKit engines in browsers.
Microsoft, out of all companies, trying to warn us about "breaches of privacy", like Windows 10 doesn't have a keylogger.
Those ears have huge security holes.
"There's always free cheddar in the mousetrap, baby!"
~Tom Waits
3:10 It's not "attacking" anything at the side; it just exploits vulnerabilities in, or gains information from, the side.
Web just needs to move away from javascript
What does JavaScript have to do with any of this? This would all be feasible in any language since they're all human errors in the programs, including the chip issues which stem from naive design by Apple's relatively novice chip designers.
The extension issue in Chrome fundamentally stems from the C++ code that Chrome itself runs on, not JavaScript.
@SXZ-dev Jim Keller, Apple's principal chip designer, is one of the most famous and longest-serving chip designers in the industry. 35+ years in industry. Your point is invalid.
@d1namis You didn't even address his point.
Nope, Nathan is having fun! And thank you for still keeping the show going in his absence! Excited to see him return.
They should have called it SneakPeek!!
ChatGPT stores your info in the US, but it's the same info (most likely).
Is the specex attack on macOS kinda old, or is it a different one that was newly found?
I don't generally comment on videos, but I want to make an exception for this channel. Both of you have done a wonderful job of covering topics I would never hear about in my day-to-day or that have missed my news feed. I appreciate some more of the helpful insights and smaller commentaries on these things. I have picked up many good tips and practices from you guys. Thank you!
I think the SPECTRE/Meltdown pair was the first instance that came with a PoC in the wild and was exploited by non-researchers.
Remember being in security conferences a few years earlier and seeing some of the groundwork, with MFENCE covert channel signaling etc., and almost no one at that time understood the potential impact.
Wikipedia etc. has some prior art, but it was completely out of the public consciousness as SPECTRE/Meltdown was being worked on. No one asked "couldn't this be used for..." at a conference, no one blogged about it etc. So sure, there were a few early NSA papers and other prior art if people do archeological studies, but they do not reflect the public awareness at the time.
Am I having déjà vu? I may have heard about the Apple silicon issue a while ago.
Why do you talk so fast?
"Be careful which websites you visit" is a terrible fix. 😅
I can't always audit the content of all 100 open tabs.
Back to the drawing board. Good ol' DX 486 redesign?? Perhaps. Or maybe Apple should bring back PowerPC CPUs?
Fix your ears.
Using AI models through a website is a strange use case anyway. I would want to have the models locally; then no information has to be sent at all. DeepSeek is more open than Facebook's Llama or the (not open) AI by OpenAI.
The most apple user looking apple user ever.
For a very generalized explanation of branch prediction... it's not bad, but it's far simpler than that. If we have a fork in the road, one side says 2+2=4 and the other says 2+2=Fish, the CPU will pick one or the other route, then continue down that branch until it's told otherwise. When it gets the information that Mr. Crocker turned 2+2 into fish, and gravity into gravy, it will forgo all the logic it just computed and go down that branch instead.
Speculative and theoretical.
How many attacks actually happened with Spectre and Meltdown that actually had impact? And those were on the hardware that 90% of the world uses.
A controlled environment of a researcher is not the same as the real world.
I wish Signal hadn't changed their logo from blue to purple. It looks so ugly now!
Bro and all bros sincerely take the Dale Carnegie courses or whatever similar version is the new hot take on sounding educated and intelligent when you speak.
I personally think MANDATORY multi-factor authentication is the worst.
I can't count the number of times I have been locked out of an account I own simply because I didn't have my phone on me or its battery was dead.
Portability across any internet-enabled device is one of the BIG selling points of web-based applications & services, and mandatory multi-auth breaks this.
Turn it on by default so people have to explicitly opt out if they don't want it, but don't force it when some of your userbase perceives it more as a nag than a feature.
Give me the option to decide for myself if the added inconvenience this adds is worth the additional security, based on my own threat model for that particular service.
nice earrings 🤣
I thought the same thing 👂
Wow I'm impressed with the speed and clear delivery of so much information
1st comment
@kaspeck congratulations
Yaaaayy