Hacker News: brobinson's comments

Didn't all the major browsers alter their timing APIs to make this impossible/difficult?


I'm not an expert, but I think you can only make this harder by intentionally making timers less precise (even adding some random fuzz). Someone may correct me if I'm wrong, but I think statistically, a less precise timer means you will just need a longer runtime.

Suppose you want to measure the distribution of the delay between recurring events (which is basically what's at the heart of those vulnerabilities). Suppose the delays are all sub-millisecond, and that your timer, to pick something ridiculous, only has a 2 second granularity.

You may at first think that you cannot measure the sub-millisecond distribution with such a coarse timer. But consider that events and timers are not synchronized to each other, so with enough patience, you will still catch some events barely on the left or on the right side of your 2 second timer tick. Do this over a long enough time, and you can reconstruct the original distribution. Even adding some randomness to the timer tick just means you need more samples to suss the statistic out.

Again, I am not an expert, and I don't know if this actually works, but that's what I came up with intuitively, and it matches with what I heard from some trustworthy people on the subject, namely that non-precision timers are not a panacea.
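The sampling argument above, as an added simulation that is not code from any commenter or from the paper cited later in the thread. It models a timer with 2-second ticks whose tick boundaries are additionally shifted by a random per-tick offset (the jitter model, the class and method names, and the sub-millisecond event length are all assumptions of this example). Because each measurement starts at an unsynchronised phase, the fraction of measurements in which the coarse reading changes across the event is delay / resolution, and the law of large numbers recovers the delay from that fraction.

```ruby
# Added simulation: recovering a sub-tick event duration from a coarse,
# randomly jittered timer by exploiting the fact that events are not
# phase-aligned with the timer's ticks.
#
# Model (an assumption of this example): true time is continuous; the timer
# exposes only the count of tick boundaries at or before time t. Boundary k
# sits at k * resolution plus a per-tick random offset in [-jitter/2, jitter/2).
class CoarseTimer
  attr_reader :resolution

  def initialize(resolution:, jitter: 0.0, seed: 0)
    raise ArgumentError, "jitter must be smaller than resolution" unless jitter < resolution

    @resolution = resolution
    @jitter = jitter
    @seed = seed
    @offsets = {} # per-tick offsets are drawn once and then kept fixed
  end

  # True-time position of tick boundary k.
  def boundary(k)
    @offsets[k] ||= (Random.new(@seed + k).rand - 0.5) * @jitter
    k * @resolution + @offsets[k]
  end

  # The timer's reading at true time t (t >= 0): how many boundaries are <= t.
  # With jitter < resolution, every boundary below k0 is already <= t and every
  # boundary above k0 + 1 is > t, so only two boundaries need to be checked.
  def read(t)
    k0 = (t / @resolution).floor
    k0 + (boundary(k0) <= t ? 1 : 0) + (boundary(k0 + 1) <= t ? 1 : 0)
  end
end

# Repeatedly time an event of unknown length `delay`, each run starting at a
# random (unsynchronised) phase, and record how often the reading changes
# across it. For delay <= resolution - jitter at most one boundary can fall
# inside the event, and a random phase hits one with probability
# delay / resolution, so crossings / samples * resolution estimates the delay.
def estimate_delay(timer, delay, samples, seed: 1, window_ticks: 1_000)
  rng = Random.new(seed)
  crossings = 0
  samples.times do
    start = rng.rand * timer.resolution * window_ticks
    crossings += 1 if timer.read(start + delay) != timer.read(start)
  end
  crossings.fdiv(samples) * timer.resolution
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario from the comment: 2-second ticks, 0.8 ms event.
  timer = CoarseTimer.new(resolution: 2.0, jitter: 0.5)
  [1_000, 10_000, 200_000].each do |n|
    est = estimate_delay(timer, 0.0008, n)
    puts format("%7d samples -> estimated delay %.2e s (true 8.00e-04 s)", n, est)
  end
end
```

With a 0.8 ms event and 2 s ticks the crossing probability is 4e-4, so a thousand measurements usually see no crossing at all and a few hundred thousand are needed for a usable estimate; that sample count is exactly the cost the coarse timer imposes. In this per-tick-offset model the crossing rate stays delay / resolution regardless of the jitter, so randomising the tick positions does not even raise that cost. Jitter added independently to every read is a different mitigation and is not modelled here.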


> Even adding some randomness to the timer tick just means you need more samples to suss the statistic out.

If each timer draws from the same random distribution then sure, you could work out the real tick with greater accuracy, but I don’t know if that is practical.

If the timers draw from different distributions then it is going to be much harder.

I imagine there is an upper limit of how much processing can be done per tick before any attack becomes implausible.


> If the timers draw from different distributions then it is going to be much harder.

Again, I'm an amateur, but I think you just need to know that distribution, which I guess you usually do (open source vs. closed source barely matters there), law of large numbers and all.

Anyway, looking through literature, this article presents some actual ways to circumvent timers being made coarse-grained: https://attacking.systems/web/files/timers.pdf

In that article, the "Clock interpolation" sounds vaguely related to what I was describing on a quick read, or maybe it's something else entirely... Later, the article mentions alternative timing sources altogether.

Either way, the conclusion of the article is that the mitigation approach as a whole is indeed ineffective: "[...] browser vendors decided to reduce the timer resolution. In this article, we showed that this attempt to close these vulnerabilities was merely a quick-fix and did not address the underlying issue. [...]"


I believe your understanding of the literature is correct (I too am an amateur when it comes to side channel attacks). My memory is vague here, but I believe that while it still lets you exploit side channels, it requires extra time to do so, which lowers the throughput you get out of the gadget.


They are not a panacea (in some cases, e.g. the way Cloudflare Workers does them, it does more effectively limit attacks vs. how browsers have to work), but slowing down an attack is valuable: it can make the attack infeasible, because your ability to retrieve anything damaging is bounded by how long you visit that website.


Fair. Better than nothing.


They temporarily disabled high resolution timing APIs until they rearchitected how JS got executed in the wake of Spectre/Meltdown. They sandboxed JS into separate processes by domain (site isolation) & created the concept of cross-origin isolation. The combination of the two lets you gain back sub-millisecond timers and SharedArrayBuffer, which are two gadgets that were particularly useful for the Spectre paper.


It would block requests to OCSP responders, for one.


The 4chanx extension (userscript, run it in violentmonkey or equivalent) lets you nest comments in a chain to make following threads easy while maintaining the overall chronological state of the threads. You can also hide a reply, and it will automatically hide the entire chain of replies to that reply.


I _think_ iMazing can do what you want: https://imazing.com/configurator

Disclaimer: I've never used this feature. I only use it for backups and copying files to my iPhone.


Never even thought to check if iMazing had any of this functionality. Disclaimer noted, great tip regardless. Thank you.


Note that Ruby also has \z which is what you generally want instead of \Z.

(\Z allows a trailing newline, \z does not)


You want \Z in Python, and \z in most other languages, to match on end of string. But in some languages $ really does match end of string. As always, you must check your docs.
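The difference the two comments above describe, as an added Ruby example (not code from either commenter): the three end anchors side by side, plus a hypothetical username check that shows why the choice matters for input validation. The method names and the username pattern are assumptions of this example.

```ruby
# Added example: $, \Z and \z in Ruby, and the trailing-newline bypass that
# a \Z (or $) anchored validation lets through.

# Does /abc<anchor>/ match `str` for each end anchor?
def anchor_matches(str)
  {
    dollar:  /abc$/.match?(str),   # $  : end of any line in Ruby
    upper_z: /abc\Z/.match?(str),  # \Z : end of string, or just before a final "\n"
    lower_z: /abc\z/.match?(str),  # \z : absolute end of string
  }
end

# Hypothetical username check anchored with ^ and $: in Ruby these are line
# anchors, so anything after a newline is ignored entirely.
def line_anchored_username?(name)
  name.match?(/^[a-z0-9_]{3,16}$/)
end

# Anchored with \A and \Z: one trailing newline still slips through.
def loose_username?(name)
  name.match?(/\A[a-z0-9_]{3,16}\Z/)
end

# Anchored with \A and \z: the whole string must match.
def strict_username?(name)
  name.match?(/\A[a-z0-9_]{3,16}\z/)
end

if __FILE__ == $PROGRAM_NAME
  ["abc", "abc\n", "abc\nxyz"].each do |s|
    puts "#{s.inspect}: #{anchor_matches(s)}"
  end
  ["admin", "admin\n", "admin\nrm -rf /"].each do |name|
    puts format("%-20s ^$ %-5s \\A\\Z %-5s \\A\\z %-5s", name.inspect,
                line_anchored_username?(name), loose_username?(name), strict_username?(name))
  end
end
```

The practical rule for Ruby is the one the comments give: validate with \A and \z. A value that passed the looser checks can still carry a newline into a log line, a header, or a shell command built further down.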


K-Lite Mega Codec Pack!


I remember always installing that. GOM Player was also a thing.


That and Media Player Classic


Or ffdshow


Hah, I saw this:

    Steve was not a big fan of authority, so he also liked the idea of a site without editors.
and remembered him getting prod database access to censor comments criticizing him. I guess it's true what they say about power corrupting you.


Sometimes, those who are most vocal against authority are projecting their own potential misuse of authority onto others, unable to see someone wielding power differently.


Imagine you did all of that, received and accepted an offer, and then they made you work on snap. Grim.


Magnesium glycinate!


Same here. "Learnings" sounds ESL to me.

