<awygle>
azonenberg_work: especially since both 10baseT and 1.1 have been done in FPGAs without additional support circuitry
<qu1j0t3>
gruetzkopf: nice!
<gruetzkopf>
i'd go 100baseT
<awygle>
i feel like any truly universal bus would have to look a lot like "pcie but external" just because of its ubiquity
<awygle>
we need a pcie 0.5 standard :p
<azonenberg_work>
gruetzkopf: 100baseT would require... a couple of resistors
<azonenberg_work>
:p
<gruetzkopf>
i know
<gruetzkopf>
awygle: PCIe works just fine over a RS232 transport
<rqou>
azonenberg_work: iirc you need at least usb full speed 12 mbps
<rqou>
i guess you _can_ bitbang that
<whitequark>
rqou: there are low speed usb2 devices
<whitequark>
for example, this cursed chip
<gruetzkopf>
using pcie for everything would require proper iommu support
<rqou>
i believe bulk endpoints aren't allowed on low speed?
<gruetzkopf>
nothing cares
<rqou>
unless you want to shuffle everything over a control transfer or something
<rqou>
i thought some devices would get upset if you tried it?
<awygle>
could you have a PCIe 1.1 hub thing which coalesces TLPs from a bunch of PCIe-over-UART type links? That would be cool
<gruetzkopf>
sure
<gruetzkopf>
i've also seen an implementation of rapidIO over uart
<awygle>
then you wouldn't even need to do much hacking of things, the higher level never needs to know
<gruetzkopf>
there's a standard for pcie-over-ethernet
<gruetzkopf>
don't have the specs yet, but i've likely seen enough to implement it
Miyu has quit [Ping timeout: 240 seconds]
<rqou>
so now we can run Ethernet over pcie over Ethernet
<rqou>
over OpenVPN, over IP, over Thunderbolt
<rqou>
:P
<azonenberg_work>
Don't forget adding jtag over jtag over IP in there somewhere
<rqou>
also MPLS and SONET?
<rqou>
also needs a T/E carrier i guess
<rqou>
also some wireless
<gruetzkopf>
pcie over wifi sounds great
<gruetzkopf>
is LATENTYELLOW a thing yet?
<q3k>
BGP multiprotocol support for PCIe routing when
<azonenberg_work>
gruetzkopf: LATENTYELLOW will probably be a border router/firewall
<azonenberg_work>
But the name hasnt been assigned to a project yet afaik
<whitequark>
ok, I have this part configured to present itself as a Dell dock
<whitequark>
and it does in fact discover this partner altmode
<whitequark>
interestingly, it prefers Thunderbolt altmode over that
<whitequark>
and doesn't enter either
<whitequark>
nope, doesn't seem to make any difference whatsoever
<whitequark>
ugh I give up
<TD-Linux>
you guys would really enjoy broadcast standards
<TD-Linux>
SDI-over-"IP" where each RTP packet has to be timed to microsecond accuracy
<rqou>
wtf
<rqou>
but yeah I've noticed that all "professional A/V" standards are terrible
<azonenberg_work>
rqou, TD-Linux: i've heard some horror stories about that from MatthiasM in ##fpga among others
<TD-Linux>
they might be working with kierank who does this in software
<azonenberg_work>
I dont understand why you need 1588 and all that stuff for A/V purposes
<azonenberg_work>
if a few packets get there too soon, you just buffer them
<azonenberg_work>
i mean all of A/V is awful, things like h/v sync and blanking intervals are vestiges from CRTs
<rqou>
i can maybe understand 1588 for synchronizing recording
<azonenberg_work>
rqou: these gizmos are things like muxes and mixers etc
<rqou>
although I'd probably go all out and run synchronous Ethernet
<TD-Linux>
they designed this in 1990 when RAM was 1000 dollars per kilobyte and you couldn't afford any buffering
<azonenberg_work>
i *think* the idea is to synchronize the blanking intervals so frames on all sources start at the same time
<azonenberg_work>
but i'm not quite sure why this is a problem
<azonenberg_work>
The bigger issue would be if you were trying to mix sources that had clock drift so one was 60 fps and the other was 59.998 or something
<azonenberg_work>
but you can fix that by just having a "leap frame" where every hour or so, that source drops / replicates a single video frame
<azonenberg_work>
or even interpolating so there's not a noticeable glitch
<rqou>
uh you don't want that
<TD-Linux>
most of this is legacy from analog ntsc broadcast where you'd genlock sources together and do analog effects
<azonenberg_work>
TD-Linux: yeah thats what i'm thinking
<TD-Linux>
and then they... kind of just did the same with digital
<azonenberg_work>
it looks like in a pure digital environment there is no reason to do this
<azonenberg_work>
except "everything else expects it to be done this way"
<rqou>
every ethernet company ever already has to explain why connecting two test sets gives 9.9998 gbps rather than 10
<rqou>
complete with "that spreadsheet where you input clock error and it outputs effective bandwidth"
<azonenberg_work>
lol
<rqou>
as in, BRCM had one, my father wrote one, etc.
<azonenberg_work>
But in most cases, losing 1 Kbps on a 10G link isn't much of a problem
<azonenberg_work>
you rarely will be saturating the link to that extreme
<rqou>
customer bitches at you :P
<azonenberg_work>
so it just means the link is 95% vs 94.9% utilized
<azonenberg_work>
rqou: this is also why i'd never succeed in "business"
<rqou>
also, if there's a telco involved, then there's Billing(TM)
<azonenberg_work>
rqou: see, if i ran an ISP
<sorear>
A/V hell in one number: 29.97 Hz
<azonenberg_work>
sorear: don't forget 24 Hz too
<azonenberg_work>
movies are so jerky
<azonenberg_work>
Once all of the baby boomers age out of hollywood executive positions and gamers take their place, maybe we'll finally get 60fps in theaters
<rqou>
oh yeah 29.97/59.94 are also hilarious hacks
<azonenberg_work>
rqou: anyway if i ran an ISP, I'd give everyone an uncapped single-mode 1/10Gbase-R link
<rqou>
there's a fucked up version of 24fps too iirc?
<rqou>
azonenberg_work: then your customers will complain that they only got 998 mbps
<azonenberg_work>
dedicated point to point duplex fiber from their border router to a block-level aggregation switch
<azonenberg_work>
Then probably 40Gbase-LR from there on up to the network core
<azonenberg_work>
QoS at the edge switches as well as higher up
<sorear>
i'm of the opinion that motion interpolation and deinterlacing make very little sense and synchronizing sources is less awful than the alternatives (which is not a comment on the merits of any particular implementation)
<azonenberg_work>
Everyone gets a minimum amount, say 25 Mbps full duplex, guaranteed with no oversubscription
<azonenberg_work>
Burstable to full line rate on a best-effort basis (in case of contention, everyone has equal access to the available b/w beyond their guaranteed baseline)
<azonenberg_work>
Then billed at 95th percentile bandwidth used
<rqou>
azonenberg_work: but you _still_ have issues with clocks not being in sync occasionally causing a packet to be dropped
<azonenberg_work>
rqou: yes, then you either have a momentary glitch or you retransmit
<sorear>
SONET TTH
<azonenberg_work>
In a studio environment honestly i'd use TCP and retransmit
<rqou>
but that's not acceptable to Telcos(TM)
<rqou>
hence the use of SDH, yes
<azonenberg_work>
rqou: let's see, a 4K video frame at RGB24 (none of that stupid 4:2:2 etc)
<azonenberg_work>
is 199065600 bits or 189.8 Mbits
<sorear>
gamma is at least as stupid as 4:2:2 and if you don't do that you need 10-12 bits per component to match human sensitivity
<azonenberg_work>
Which takes 4.7 ms at 40 Gbps
<azonenberg_work>
Or ~1/200 sec
<TD-Linux>
4:2:2 is stupid only because there is no horizontal bias in eyes and 4:2:0 is superior. and gamma isn't dumb at all :)
<azonenberg_work>
So uncompressed RGB24 4Kp60 video can comfortably fit in a 40GbE stream using only about ~1/3 of the bandwidth
<azonenberg_work>
This means that if you send one frame, wait about 1/60 sec, then another
<q3k>
azonenberg_work | Then probably 40Gbase-LR from there on up to the network core
<azonenberg_work>
you have PLENTY of time for TCP retransmits before the frame needs to be displayed to the end user
<TD-Linux>
also if retransmits are expensive there are also FEC schemes you can use
<q3k>
from what, a 48x 1GbE distribution switch to customers?
<azonenberg_work>
Assuming a studio environment with round trip latency << 10 ms
<azonenberg_work>
q3k: i was thinking more like 48x 10GbE but sure, start with 1G
<rqou>
azonenberg_work: now do it again for RGB30 4k 144fps :P
<azonenberg_work>
rqou: sure, you might need some minimal compression
<azonenberg_work>
But then the fields are smaller
<sorear>
FEC is great
<azonenberg_work>
and you have even more time to retransmit
<azonenberg_work>
Or FEC, yes
<azonenberg_work>
But you still don't need clock sync is my point
<azonenberg_work>
You can just do digital composition one frame at a time
<q3k>
azonenberg_work: in a residential setting this does still sound like a waste
<azonenberg_work>
q3k: i still want it :p
<implr>
especially the duplex fiber
<q3k>
azonenberg_work: in a non-residential setting you'd rarely need this many ports
<implr>
why, if you don't intend to exceed 10g, you can do bidirectional over single fiber
<azonenberg_work>
implr: you can do more than that actually
<implr>
the modules are a bit more expensive, but probably still cheaper than running more fiber
<TD-Linux>
azonenberg_work, note also that if you end up resyncing to a clock through many devices, then each one will insert/drop frames and it does add up
<azonenberg_work>
pretty sure there are CWDM based 10G/40G optics for that
<rqou>
yes, you can buy them on fs.com
<TD-Linux>
then again, in digital you shouldn't need to chain devices anyway, one computer should be able to do it all in software generally
<TD-Linux>
but broadcast loves hw boxes
<azonenberg_work>
TD-Linux: Also 60 FPS is a very slow framerate
<azonenberg_work>
compared to CPU / FPGA clock speeds
<implr>
yeah, I mentioned 10G because those are very popular, above that they get rarer, at least from what I've seen
<azonenberg_work>
there is no reason you need crazy PTP sync to microseconds for that
<azonenberg_work>
sync to +/- a few ms is plenty if you have some buffering
<implr>
anyway, (10)GPON isn't _that_ far from what you're proposing and has the benefit of being widely deployed today, for quite cheap
<implr>
well maybe except the asymmetry, that sucks
<azonenberg_work>
implr: the big thing i find missing is the QoS and asymmetry
<sorear>
that's less useful if you have a live feed
<azonenberg_work>
I want a link that can burst to 1/10G symmetric on a best effort basis
<azonenberg_work>
with at least 25/25 Mbps symmetric guaranteed up to tier 1
<azonenberg_work>
i.e. I should always be able to push 25 Mbps directly to Cogent or Level3 no matter what else is happening on my ISP's network
<sorear>
if the feed is going for 24+ hours you need either frame skip/duplication (jarring), motion resampling (kinda dodgy), large buffers (oops latency), or synchronization
<implr>
you can have qos over gpon, that's a different layer imo
<azonenberg_work>
sorear: one frame skip an hour is that bad?
<azonenberg_work>
how far off do you expect these clocks to be?
<q3k>
azonenberg_work: that's more or less what I get here
<azonenberg_work>
q3k: o_O
<implr>
ooor you could probably do that on L2 - the timeslots are entirely allocated and controlled by the OLT, so if you hack that you can do whatever you want
<q3k>
azonenberg_work: i don't think I ever had my connection drop under 25Mbps
<azonenberg_work>
implr: right now here i have (well, will have once i get my cable modem plugged in etc)
<azonenberg_work>
75 Mbps down / 15 up
<q3k>
azonenberg_work: netflix times like now it dips to 80Mbps
<azonenberg_work>
over DOCSIS
<q3k>
azonenberg_work: usually i get 250Mbps
<azonenberg_work>
i can get up to gig down if i want to pay
<azonenberg_work>
But that's gig down by like 25 Mbps up or something obscenely asymmetric
<rqou>
what's weird about A/V is that they complain about latency and then use a bajillion separate boxes that each do only one thing
<azonenberg_work>
lol
<implr>
the gpon I have from the local shitty countrywide giant isp is 1:10 asymmetric, so 300/30
<sorear>
if they did more than one thing each, they'd cost more than one arm and one leg each
<azonenberg_work>
No gpon available here
<azonenberg_work>
just comcast :p
<rqou>
lol that too why does a/v stuff always cost so goddamn much?
<q3k>
rqou: capitalism
<rqou>
it just seems like a really strange, insular world over there
<q3k>
i suppose it's all mostly because you're paying extra for reliability
<q3k>
same as when you're buying big iron network equipment
<sorear>
all of these niche markets seem to have similar problems
<sorear>
*cough* fpga toolchains
<awygle>
which means the problems are economic
<awygle>
rather than technical
<awygle>
which is pretty obvious regardless
ym has joined ##openfpga
X-Scale has quit [Ping timeout: 252 seconds]
mumptai_ has joined ##openfpga
mumptai has quit [Ping timeout: 240 seconds]
ym has quit [Quit: Leaving]
azonenberg_work has quit [Ping timeout: 245 seconds]
azonenberg_work has joined ##openfpga
_whitelogger has joined ##openfpga
X-Scale has joined ##openfpga
Bike has quit [Quit: Lost terminal]
<cyrozap>
rqou: Also A/V has DRM, so that adds a lot of cost and raises the barrier to entry into the market.
<cyrozap>
Also DRM (usually) adds latency.
_whitelogger has joined ##openfpga
<azonenberg_work>
cyrozap: yeah things like that need to go bye-bye :p
<azonenberg_work>
I want displays that just take RGB data and splat it out on the display
<azonenberg_work>
with, at most, some adjustments to calibrate it to sRGB after panel nonlinearities
<cyrozap>
Reposting the message _whitelogger missed: "Also the boxes don't just do one thing each: consumer TVs like to do things like "overscan" and "color-correction" and "dynamic contrast" and "picture-in-picture" and "frame interpolation that makes every movie and <30fps video look like a soap opera"."
<cyrozap>
azonenberg_work: You can kind of get that with commercial displays, but those usually cost $$$$ to $$$$$.
<awygle>
so uh, why would it be that every wall panel in my apartment has a small but noticeable breeze coming from its holes/screws?
<awygle>
Are building walls typically under positive pressure?
Miyu has joined ##openfpga
<azonenberg_work>
awygle: you mean electrical boxes?
<cyrozap>
azonenberg_work: I was thinking of buying this (https://www.amazon.com/dp/B01LXN1NBI/) a few years ago, but at that time it was $800 and a TCL 4K "smart" TV of the same size was only $500, so I went with the TCL.
<azonenberg_work>
cyrozap: i went out of my way to get a "dumb" tv with no wifi capabilities, etc when $wife's parents insisted on getting a tv
<azonenberg_work>
when they visited
<azonenberg_work>
it took a while and cost a bit more
<azonenberg_work>
awygle: So, couple of reasons
<azonenberg_work>
what kind of building construction is it?
<azonenberg_work>
Single family wood frame? Steel trusses with steel studs?
<azonenberg_work>
What are the exterior walls made of?
<awygle>
Based on the wifi/Bluetooth strength it is made of cardboard
<azonenberg_work>
Lol :p
<azonenberg_work>
Can you give me some basics on the building? Based on observable characteristics
Miyu has quit [Ping timeout: 245 seconds]
<azonenberg_work>
What's the exterior look like - all glass skyscraper? masonry? siding of some sort?
<awygle>
I know none of these things but it's an apartment building, brand new, 6 stories. The exterior looks like, idk, stucco lol
<cyrozap>
azonenberg_work: I have to *REBOOT MY TV* every few days because the 4K display is treated as two panels internally and the panel controllers get out of sync sometimes. And unfortunately, none of the firmware updates have fixed it.
<azonenberg_work>
cyrozap: loool
<azonenberg_work>
meanwhile, my 4K computer monitor has a boot-time issue where it flickers a few times when resuming from suspend but thats it
<awygle>
It also has weird fake metal or ceramic panels
<awygle>
My 4k TV also needs reboots because the wifi adapter hard locks up
<awygle>
Haven't tried with wires yet, which is actually achievable in this place, so I should.
* azonenberg_work
is glad his monitor has no wifi capability to lock up :p
<cyrozap>
awygle: You connect your TV to the internet?
<azonenberg_work>
awygle: ok so, i'm going to guess it's probably a steel frame, concrete floors, and wood framing for interior non-bearing walls
<awygle>
cyrozap: smart TV, yes
<azonenberg_work>
are the boxes you notice this issue with on exterior walls, interior, or both?
<awygle>
azonenberg_work: interior
<azonenberg_work>
Only interior?
<awygle>
uh sec
<rqou>
brb pwning awygle's tv using shodan :p
<awygle>
No, both
<azonenberg_work>
Huh... at least now (not sure for how long) WA energy code requires that openings into boxes on exterior walls, or any boxes that penetrate into an un-insulated space like an attic, be sealed
<cyrozap>
awygle: I mean you trust it enough to put it on your home network?
<azonenberg_work>
So we put foil tape over screw holes that we didn't use for mounting, and then caulked around the wire penetrations
<azonenberg_work>
I would expect those to leak air less
<rqou>
at least smart TVs seem slightly more robust than "if you nmap this subnet a giant metal crane will decapitate someone"
<azonenberg_work>
Interior walls, it makes a bit more sense to have airflow through them if there are pressure gradients
<awygle>
cyrozap: I basically do not care about that kind of thing at all. I am open to being convinced I should, I suppose, but I currently don't.
<cyrozap>
awygle: Also your TV is probably reporting on what you're watching, even if it were perfectly secure.
<awygle>
of course. welcome to the 21st century
<awygle>
anyone who can pay knows everything about me
<awygle>
probably down to gross anatomical measurements
<rqou>
awygle: but what if someone who doesn't speak English as their first language manages to insert a virus into the operating system of the TV and captured a picture of your defiling and wants you to pay bitcoins for them to delete it? :P :P
* azonenberg_work
idly wonders if adwords lets you target advertising to "people more than 6 feet tall"
<azonenberg_work>
etc
<rqou>
(did i get this right?)
<azonenberg_work>
rqou: lol you've got that spam too? it seems like a recent campaign
<rqou>
i didn't
<awygle>
I literally could not watch TV without an internet connection anyway, not sure what the alternative is
<rqou>
i know whitequark did
<azonenberg_work>
the cool part to me, from a tradecraft perspective, is that they included one of my old passwords in the subject line
<rqou>
ooh that's new
<azonenberg_work>
Pretty sure it's the one that got pwned when linkedin got breached back in... whenever that was
<awygle>
other than manually mapping the ports or similar software very-secure-door-next-to-easily-broken-window approaches
<azonenberg_work>
But i also used it on a bunch of other IDGAF forums and stuff, it was kinda my "i need a password but don't really care about protecting this account" password at the time
<azonenberg_work>
So i can't prove it came from LI
<cyrozap>
awygle: What do you mean? Do you not have OTA broadcasts where you are?
<awygle>
cyrozap: well they exist but I don't watch them
<awygle>
and don't have an antenna
<azonenberg_work>
These days most of my passwords are unique per site, so if one gets pwned i'll have full traceability to how they got it
<awygle>
they don't yet OTA Crunchyroll :-P
* azonenberg_work
wishes he could crunch on delicious rolls
<awygle>
I feel like I've accidentally blundered into a massive value conflict lol
<azonenberg_work>
But until my mouth doesn't have a giant bleeding hole in it, that seems like a bad idea :p
<rqou>
btw re: ad targeting
<awygle>
It must be as incomprehensible to you that I don't care about security as it is to me that you do
<cyrozap>
awygle: You can OTA anything if you have an SDR :)
<awygle>
cyrozap: lol not a bad idea for an air gap I guess
<azonenberg_work>
cyrozap: see i'd just nix the TV and have a "media computer"
<azonenberg_work>
an rpi or similar in the DMZ with a display attached
<rqou>
about a year ago multiple people i know who were "vaguely weebs" got targeted by an ad campaign for some random shitty chinese clothing seller
<azonenberg_work>
that you can hook to youtube or whatever
<awygle>
I did that for a while but it was hard to justify. In order to get acceptable performance it ended up being a lot of capital tied up in a mostly useless box.
<rqou>
somehow they managed to be selling an item that seems like it might match the weeb aesthetic
<awygle>
Since you still need the fancy TV
<rqou>
but it seems like the people buying the ad campaign got lucky completely by accident
<rqou>
because i kept seeing these ads for some time after that
<rqou>
and all of the other items were just random shit
<rqou>
from the same seller though
<azonenberg_work>
awygle: no you need a cheap <$100 monitor :p
<awygle>
I never ever click on any ad ever
<rqou>
so somehow they picked some targeting that was well correlated with weebs
<azonenberg_work>
awygle: same here
<awygle>
azonenberg_work: my TV is 55 inches
<rqou>
oh no we never clicked it
<rqou>
just multiple people i know saw it
<azonenberg_work>
When i see an ad, i go out of my way to ensure i never see it again
<azonenberg_work>
creating new filter rules, tweaking noscript lists, etc
<awygle>
because I want to be comfy on my couch and not hunched over a monitor like I am all day
<azonenberg_work>
My reaction isn't "w/e" or "ooh shiny clicky clicky"
<azonenberg_work>
it's "kill it with fire"
<awygle>
anyway I'm going back to discussing OSS licensing on Twitter :-P
<cyrozap>
azonenberg_work: That's what my setup is. Mini PC running Kodi (LibreELEC) with some apps for YouTube, Twitch, etc. Then I use the OTA antenna for things like "watching election results" and "in case some disaster is happening and my internet goes out but my power doesn't".
<rqou>
the shared craptop that a bunch of people in a "hackerspace-like environment" all used would also get really nice ads
<rqou>
basically you only ever see digikey/TI ads on that machine :P
<azonenberg_work>
cyrozap: in case of a disaster i'd fall back to broadcast FM
<awygle>
cyrozap: I'd considered trying to hack kodi onto the TV. I think it works with rokus? And it's a roku TV.
<azonenberg_work>
Which is a lot easier to keep running than internet
<azonenberg_work>
That, or ham radio :p
<cyrozap>
azonenberg_work: Yeah, I really should get an emergency radio
<azonenberg_work>
i have a ham HT that can tune to broadcast FM channels
<azonenberg_work>
unsure if it goes down to the broadcast AM range, havent tried
<rqou>
probably not
<azonenberg_work>
it's primarily VHF/UHF but can tune in RX mode out to ~800 MHz or so
<rqou>
those need rather large antennas
<rqou>
those "big coils on a rod" antennas
<cyrozap>
awygle: Roku is super locked down. Encrypted updates + signature verification. That's why I use a $50 ODROID-C2 (quad core aarch64) for Kodi.
<rqou>
no pwnage yet?
<azonenberg_work>
Realistically, i don't see there being a disaster that magically takes out my power, internet, and all FM stations
<azonenberg_work>
but leaves AM online :p
<cyrozap>
rqou: I'm not sure if anyone has even tried yet.
<rqou>
any of them happen to be Tegras? :P
<awygle>
cyrozap: huh, then maybe I should trust it after all :-P
<azonenberg_work>
cyrozap: I have a couple of those that i wanted to set up for when i needed "a computer" but didnt care about performance
<rqou>
odroid?
<azonenberg_work>
never had time to DO it
<awygle>
I have AM/FM receivers but nothing worth a damn for transmit, should probably get one
<azonenberg_work>
rqou: yeah, the C2 specifically
<azonenberg_work>
i want to set one of them up in the SAR room just running some kind of inventory system for my gear
<rqou>
idk about the C2 but somebody dropped an "exploit" a while back pointing out that (at least for some of the parts) odroid can help bypass exynos secure boot :P
<azonenberg_work>
right now its a giant libreoffice spreadsheet
<cyrozap>
awygle: No, you still shouldn't, because someone could still find something like the Broadcom WiFi chip exploit and get root code exec through the kernel driver, as just one example.
<rqou>
because the exynos bootrom requires a signed second-stage bootloader
<rqou>
the normal android one does sig checks
<rqou>
this particular odroid one didn't :P
<rqou>
but it was generic enough to boot on phones
<azonenberg_work>
rqou: odroid is exynos based? i didnt check to see what the particular chipset was
<awygle>
cyrozap: legitimately curious, to what end? DDOS some company?
<rqou>
some odroids were exynos based
<rqou>
ok not the c2
<cyrozap>
azonenberg_work, rqou: Yeah, that was the X-something. The C2 is an Amlogic S905.
<awygle>
I just don't understand the threat model that has me terrified of my TV, but my laptop is fine.
<rqou>
anyways this "exploit" was just offhand mentioned during the 34c3 mmc talk
<cyrozap>
awygle: Join thousands of TVs to a botnet to DDoS the internet?
<azonenberg_work>
awygle: your TV is running somebody else's firmware that exists to serve their financial goals
<azonenberg_work>
Not yours
<azonenberg_work>
That's the bigger issue to me
<awygle>
so is my laptop, on several levels
<cyrozap>
awygle: It could also nmap your internal network and exploit other systems, adding them to the botnet.
<cyrozap>
Until your whole home network is hosting CP and you get a friendly visit from the FBI.
rohitksingh has quit [Ping timeout: 252 seconds]
<azonenberg_work>
awygle: at least on the laptop only the bios and low level firmware are black boxes
<azonenberg_work>
instead of the whole OS image
<awygle>
azonenberg_work: it's a windows laptop :-P
<azonenberg_work>
i am a lot more likely to trust that phoenixbios isn't exfiltrating my confidential client files to some cloud service without my knowledge
<azonenberg_work>
than some random android distro that a cheap chinese tv manufacturer decided to throw together from who knows where
<rqou>
oh btw azonenberg_work the intel me jtag/rce PoC got released about a week ago
<azonenberg_work>
oh?
<rqou>
in case you haven't seen
<awygle>
arright well this has been fun but I'm gonna go to bed now
<cyrozap>
azonenberg_work: +1 to that, I like to have control of the computers I own. If I don't they don't get to connect to my home network.
<rqou>
azonenberg_work: it was even posted in this channel; lurk moar
<azonenberg_work>
cyrozap: yeah i have a bunch of el cheapo chinese IP cams that i use as security cameras
<azonenberg_work>
But those things are on an isolated vlan that doesnt route anywhere :p
<azonenberg_work>
in OR out
<rqou>
azonenberg_work: you should spend some time in $WORK's network :P
<rqou>
although they've done massive cleanups
<azonenberg_work>
rqou: this is the nice thing about being the only person on the network other than $wife
<azonenberg_work>
I control everything and i can sandbox things up the wazoo
<azonenberg_work>
And have rules like "if it's got wifi on it, it goes in a semi-DMZ isolated from the internal R&D network"
<rqou>
i hope you never have a child and have to play the computer childproofing game
<azonenberg_work>
rqou: lol well if i give them a 64-bit linux VM, they will have a hard time breaking it too badly
<cyrozap>
azonenberg_work: My eventual goal is to have all the systems on my network talking to each other over WireGuard and block/isolate all clear-net traffic, so even if a rogue device cracks my WiFi/is inadvertently joined, it wouldn't be able to talk to anything.
<rqou>
what if your hypothetical child really wants to watch minecraft videos? :P
<azonenberg_work>
cyrozap: I have a bunch of stuff that isn't TLS capable, like test equipment
<rqou>
or pr0n? :P
<azonenberg_work>
so i have to rely on network segmentation
<azonenberg_work>
rqou: youtube and pr0n work just fine on linux
<azonenberg_work>
Just not the malware that comes with the latter :p
<rqou>
i meant for the "must discipline child" part :P
<azonenberg_work>
and if it did get infected with something, being a VM means a quick revert
<rqou>
or is that a job for $wife? :P :P :P
<azonenberg_work>
rqou: well having everything locked down with mac address security at the switch layer will mean when i kick them offline, they're off :p
<azonenberg_work>
It's entirely possible i will have all of the non-lab ports 802.1x'd
<rqou>
uh, that can be bypassed
<azonenberg_work>
(i can't do that in the lab, too much legacy gear)
<rqou>
802.1x is pretty weak authentication
<azonenberg_work>
rqou: it's a lot better than "wide open"
<rqou>
basically you can MITM actively and just forward the 802.1x packets only
<azonenberg_work>
Yes, you can MITM
<azonenberg_work>
this.... will get noticed on a network this small
<cyrozap>
azonenberg_work: Yeah, that's the problem with proprietary firmware--can't upgrade the protocols it uses. My plan for that is to put mini-PCs in between my network and the test equipment/printers/etc., using them as encryption/decryption hardware.
<azonenberg_work>
Also the MITM would need to be physical in nature
<azonenberg_work>
unplug cable and insert something else
<azonenberg_work>
Because my stuff is all on a different vlan from anything any other family member would have access to
<azonenberg_work>
My desktop will also be connected by a SFP+ interface and the potential kid computer would be copper
<azonenberg_work>
So plugging their computer into my wall port physically will not work
<rqou>
inb4 potential kid figures out how to use media converters :P
<azonenberg_work>
if i catch them with a 10G media converter in their room and a secret run of multimode down to the office
<rqou>
which will already make them ahead of some network techs :P :P :P
<azonenberg_work>
i'll be pretty impressed
<azonenberg_work>
But yeah, i'm not saying any of this cannot be bypassed by someone with physical access
<azonenberg_work>
but it will take *serious* effort
<azonenberg_work>
By the time the kid is 10 or so (the youngest i would reasonably expect a very smart kid to have any chance of figuring out stuff like that) i'd have a good handle on their technical abilities and could make sure to stay one step ahead
<rqou>
inb4 mitm by just bending your fiber too much :P
<azonenberg_work>
If my kid pulls off IVY BELLS in my network without me noticing
<azonenberg_work>
he can keep whatever access he gets :p
<rqou>
i guess at that point you can probably just explain to them how pr0n works :P
<azonenberg_work>
The main reason for segmentation would be to keep their inevitably-pwned system from moving laterally to the pristine lab network
<azonenberg_work>
Not to keep them from going to places they shouldn't
<azonenberg_work>
Putting the "kid computer" in a visible part of the living room is a much more effective means of keeping them honest
<azonenberg_work>
than trying to do IP/DNS based firewalling, especially with the modern trend of most stuff being TLS
<azonenberg_work>
you can't even whitelist wikipedia, there's plenty of dicks on there
<rqou>
lol
<rqou>
somehow our k12 institutions still seemed to believe they could do it
<rqou>
there was somebody on birbsite that was getting RTd by somebody i follow that was expressing immense displeasure at spyware for kids
<azonenberg_work>
But yeah right now the "family/guest wifi network" aka vlan 2 isn't locked down at all from the internet outbound
<azonenberg_work>
It's just completely isolated from vlan "everything but 2"
rohitksingh has joined ##openfpga
<azonenberg_work>
Basically i assume i'm the only one in the house who knows how to lock down a computer, assume everything that isn't mine is full of malware
<awygle>
Or just sex ed...
<azonenberg_work>
and design the network around that premise
<rqou>
awygle: but would anyone think of the children? /s
<azonenberg_work>
awygle: like i said this isn't a pr0n-proofed network, it's a "keep the virus the pr0n was attached to out of my lab" network
<awygle>
How *do* you lock down a computer?
<azonenberg_work>
awygle: for starters, anything that opens a socket to the internet lives in a VM with minimal capabilities
<rqou>
don't you know, children don't need to know anything until they turn 18 at which point they would have magically acquired all relevant knowledge of sex ed from god /s
<azonenberg_work>
and its not all the same one
<azonenberg_work>
my facebook/twitter VM doesn't do anything else
<azonenberg_work>
a full root compromise gives you zero access to my online banking credentials or my IRC
<azonenberg_work>
Other than that, patch frequently, run noscript and adblock
<rqou>
interestingly, i place very little emphasis on securing online banking
<azonenberg_work>
don't run random binaries or open invoice.pdf.exe
<azonenberg_work>
its not rocket surgery, clients are actually fairly hard to pwn without social engineering or user stupidity
<rqou>
i've basically given up trying to get banking in the US to be "secure" by current (somewhat paranoid) standards
<azonenberg_work>
rqou: i compartmentalize that too
<rqou>
i always have to lament "my RuneScape account is more secure than my bank"
<azonenberg_work>
i have a savings account that i never give out the info for
<azonenberg_work>
a checking account that i use for general purpose stuff
<azonenberg_work>
another checking account that is literally a clearing house for SWIFT transfers
<azonenberg_work>
none of the checking accounts ever hold significant funds for any length of time
<awygle>
I feel like I'm missing stuff because the general security attitude seems massively split brain to me (not to mention exhausting)
<azonenberg_work>
Thus, if compromised, the max an attacker can get away with is the content of that account
<azonenberg_work>
Which isnt all that much (one of them has like $200 in it right now)
<rqou>
i don't bother with any of this because US banking seems obsessed with keeping humans (both for pwning and fixing things) in the loop
<rqou>
and US consumer protection laws are really good
<azonenberg_work>
rqou: yes but my goal isnt to *eventually* get the money back
<rqou>
and US banking cybersecurity is laughable
<azonenberg_work>
The goal is to avoid a situation where i need to spend money right now on (say) groceries
<azonenberg_work>
and my CC is unusable because it just got shut down for a fraud alert
<azonenberg_work>
etc
<azonenberg_work>
Maintaining availability is the big issue
<awygle>
I have accounts at four separate banks
<awygle>
With different credentials obviously
<azonenberg_work>
thats one of the reasons i compartmentalize, if my CC at bank X is pwned at least i can use my debit card at bank Y for a few emergency purchases
<azonenberg_work>
And i never give that account info out anywhere
<azonenberg_work>
i never buy anything on it
<azonenberg_work>
Specifically so i can keep it clean and uncontaminated if i need it
<azonenberg_work>
i didn't even do this consciously by choice, i needed an account at a local bank to get a safety deposit box
<awygle>
Cash is better for that lol
<azonenberg_work>
awygle: yes, there is a reason i keep some cash reserves too
<azonenberg_work>
but its pretty hard to pay (say) your comcast bill in cash
<azonenberg_work>
you have to bring it to the post office, buy a money order, snail mail it in
<rqou>
in general i have a totally different way of securing things
<azonenberg_work>
Having a clean credit/debit card that you only use as a backup is much better
<rqou>
i use TOTP 2FA for anything that supports it and store all the keys in a YubiKey
<awygle>
not really. and that's hardly an emergency. you can be months late on that before shut off
<rqou>
i then have a random password that syncs across _all_ my devices that i only consider nominally secure
<azonenberg_work>
My cash reserves are more intended for "there's some kind of disaster and the stores won't take credit cards"
<azonenberg_work>
(mass power outage or something)
<rqou>
so i essentially consider 2FA to only be 1FA, but with a physical token rather than a password
<awygle>
right
<rqou>
and then i just run a reasonably-up-to-date client endpoint
<azonenberg_work>
awygle: And realistically given the amount of stuff we have in the freezer plus the SAR closet
<azonenberg_work>
we'd need a pretty extended situation for me to consider dipping into emergency cash vs just opening that can of soup we forgot about
<azonenberg_work>
I will say, it was a giant pain in the butt when my primary CC got hit by a gas station skimmer
<azonenberg_work>
changing all of the accounts that i had on autopay
<awygle>
I most recently used cash because my phone died halfway to a friend's house and I had to buy a car charger from a cash only convenience store (at an exorbitant price)
<azonenberg_work>
no financial loss, but the lost time was significant
<azonenberg_work>
I might actually get a second CC and have one just for relatively trusted things like amazon and utility bills
<azonenberg_work>
that i want to keep working if the CC i use at brick-and-mortar stores is pwnd
<awygle>
I have three CCs
<awygle>
that is one reason why
<azonenberg_work>
yeah its a sane compartmentalization strategy
<azonenberg_work>
initially i falsely assumed that pwned websites would be the way my card would get stolen
<azonenberg_work>
So i relied on things like paypal etc rather than giving sites the number directly as much as possible
<azonenberg_work>
so it was exposed in less places
<azonenberg_work>
but these days, physical card readers are a bigger threat especially for legacy non-EMV readers like the gas station had
<rqou>
don't worry, the liability shift is coming any day now :P
<azonenberg_work>
I never confirmed it was the gas station but ~a month after the incident i went back there and noticed they now had chip readers on all the pumps :p
<rqou>
wait really?
<rqou>
i've literally never seen EMV readers on a gas pump
<azonenberg_work>
Yes, they actually hold the card in place with a little latch while authorizing the transaction
<azonenberg_work>
then release
<azonenberg_work>
i suspect there's no rush to roll them out
<azonenberg_work>
but when a pump gets skimmed, they deploy the new reader as part of the remediation
<azonenberg_work>
i.e. this is a high-fraud-risk area, so let's harden it
<azonenberg_work>
Now if only EMV were designed sanely and did online challenge-response signature authentication on the purchase...
<azonenberg_work>
we've known how to do this for decades
<azonenberg_work>
but nobody does it
<rqou>
wait it doesn't?
<rqou>
i just know the spec is a clusterfuck with "euro" and "american" styles of implementing it
<rqou>
also most american readers until very recently were slow as shit
<azonenberg_work>
my understanding is that the emv card basically sends out a signed blob saying "yes, you typed the pin correctly"
<azonenberg_work>
but the account number etc is sent in the clear alongside
<azonenberg_work>
which can be burned to a magstripe and used in a non-emv reader
<azonenberg_work>
or for online purchases, etc
<rqou>
wait no it can't?
<azonenberg_work>
and american readers now still are
<rqou>
you don't have the verification value?
<azonenberg_work>
a lot of sites dont ask for the CVV2, at least as of a while ago
<azonenberg_work>
Magstripe readers do not require it because the CVV2 is (by design) not burned to the magstripe
<rqou>
there's also a verification value on the magstripe
<rqou>
that's different from both the CVV2
<azonenberg_work>
i dont remember the specifics
<rqou>
and different from what the EMV chip will send
<azonenberg_work>
i just remember reading some papers showing that EMV basically doesnt provide much security
<rqou>
i've definitely noticed some american readers get faster recently
<rqou>
surprisingly, google pay (when it's supported) is really really fast
<azonenberg_work>
". If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards,
<azonenberg_work>
and defective cards."
<azonenberg_work>
(i note that most american EMV cards are chip-and-signature, not chip-and-PIN, so the card doesnt actually authenticate the user in any way)
wolfspraul has joined ##openfpga
<rqou>
the more i mess with it the more i find that smartcards aren't actually all that useful
<rqou>
since they have very limited ways of interacting with the user
<azonenberg_work>
yeah
rohitksingh has quit [Ping timeout: 246 seconds]
_whitelogger has joined ##openfpga
rohitksingh has joined ##openfpga
_whitelogger has joined ##openfpga
<gruetzkopf>
euro-emv is (was) somewhat sane
<gruetzkopf>
but now our banks insist that small purchases should not need pin nor signature
<rqou>
that has always been the case in the US
<rqou>
leading to hilarity such as trying to buy 2 tickets from a kiosk (in europe with a US card) failing while buying 1 ticket twice works
<gruetzkopf>
my bank silently enabled that for me when they replaced a broken card
<gruetzkopf>
guess how happy i was
<gruetzkopf>
(as someone who regularly changes the 12-digit pin on the card)
<rqou>
oh you mean not 1111/1234/4321/9999/8888? :P
<feuerrot>
gruetzkopf: 12 digits is the upper limit?
<gruetzkopf>
yep
<azonenberg_work>
i dont know if most us banks even allow >4 digit pins
<rqou>
shitibank has 6
GuzTech has joined ##openfpga
futarisIRCcloud has joined ##openfpga
rohitksingh has quit [Quit: Leaving.]
<whitequark>
rqou: poke
<gruetzkopf>
PEEK("rqou"): NULL
* whitequark
had a long and bizarrely obscene dream about platform firmware today
<whitequark>
I'm not even going to quote details it's too embarrassing
<gruetzkopf>
:(
<whitequark>
ok it involved making out with an anthropomorphic version of XPS13 ACPI
<whitequark>
don't ask
mumptai_ has quit [Quit: Verlassend]
GuzTech has quit [Ping timeout: 244 seconds]
rohitksingh has joined ##openfpga
rohitksingh has quit [Client Quit]
rohitksingh has joined ##openfpga
<cr1901_modern>
I can't wait for rule 34 of ACPI-tan
<whitequark>
cr1901_modern: that wasn't even the weirdest part of it
<whitequark>
there was only a single physical body but it contained multiple (dozens) of personalities
<whitequark>
one of which was my own
futarisIRCcloud has quit [Quit: Connection closed for inactivity]
<cr1901_modern>
Sounds like a fascinating cute short story or VN could be spun out of your dream.
<cr1901_modern>
>it contained multiple (dozens) of personalities
<cr1901_modern>
There's some anime this reminds me of that I can't pin down (prob more than one). Sharon Apple comes to mind.
<cr1901_modern>
err Macross Plus*
<whitequark>
cr1901_modern: "My Little Firmware Can't Be This Cute" "tags: EFI ACPI Thunderbolt selfcest"
<cr1901_modern>
bahahaha XD
<whitequark>
absolutely cursed
<cr1901_modern>
It's so awful, I love it!
<whitequark>
though "little" is stretching it
<whitequark>
there's a 64 MB flash for UEFI, a 1 MB flash with the TPS65982 firmware, and another 1 MB flash with Alpine Ridge firmware
<cr1901_modern>
This probably isn't true but I want to believe: I remember reading once that Intel's reference impl for UEFI has more lines than the Linux kernel.
<whitequark>
this is definitely not true
<whitequark>
however, there's a version of UEFI that's essentially based on Linux
<whitequark>
so you can boot Linux with Linux
<cr1901_modern>
And then you can boot userspace Linux, so you can boot Linux with Linux using Linux :)
* cr1901_modern
is spending the morning watching part of a playthru of a VN's main route to see if he wants to pay $12 to obtain the other 20 endings not on YT.
sensille has left ##openfpga [##openfpga]
<gruetzkopf>
64 MiB ?!
<gruetzkopf>
this slightly older dell has like 12MiB EFI+ME, 1MiB ethernet (BRCM)
<whitequark>
gruetzkopf: oh sorry 32
rohitksingh has quit [Ping timeout: 252 seconds]
<gruetzkopf>
the scary FSK-at-24-MHz-center-over Vbus is a thing because USB PD is older than typec
<gruetzkopf>
i've never seen it implemented
<whitequark>
azonenberg_work: ping
s_frit has quit [Remote host closed the connection]
s_frit has joined ##openfpga
Miyu has joined ##openfpga
Bike has joined ##openfpga
unixb0y has joined ##openfpga
GuzTech has joined ##openfpga
<zkms>
gruetzkopf: ah, so it was meant to be used on connectors without the CC wires and so they had to transmit data over the DC bus?
<gruetzkopf>
yes
<awygle>
why not use the data lines, is PD without data supported?
rohitksingh has joined ##openfpga
<whitequark>
awygle: then you need to implement an USB EP
<whitequark>
if you're routing the data lines e.g. to a smartphone, what do you do if it's completely discharged?
<whitequark>
it needs to negotiate PD to turn on
<awygle>
couldn't it just draw a trickle? Non PD is like 100mA or something, right?
<awygle>
Power the PD controller, negotiate more, start charging
<whitequark>
awygle: yeah but that requires you to not like, slap shit together with linux
<whitequark>
wait
<whitequark>
that requires you to have a PD controller that can insert itself into data path
<awygle>
well, yes. it's certainly a different design
<awygle>
ah well whatever, many things are designed differently than I'd have designed them. the world is a rich tapestry and all that crap
<whitequark>
this also means chargers now have to be USB hosts
<whitequark>
do you really wanna go there
<whitequark>
"USB condoms" would stop working
<awygle>
what is a usb condom
<jn__>
a USB interposer that lacks the data wires, usually
<jn__>
a power-only cable is one variant
<awygle>
ah
Bike has quit [Quit: Lost terminal]
rohitksingh has quit [Quit: Leaving.]
s_frit has quit [Remote host closed the connection]
azonenberg_work has quit [Ping timeout: 246 seconds]
rohitksingh has quit [Quit: Leaving.]
rohitksingh1 has joined ##openfpga
azonenberg_work has joined ##openfpga
_whitelogger has joined ##openfpga
rohitksingh1 has quit [Quit: Leaving.]
<whitequark>
rqou: poke
<whitequark>
azonenberg_work: poke
<azonenberg_work>
ack
<azonenberg_work>
whitequark:
<whitequark>
azonenberg_work: I can't for the life of me figure out this SWD shit
<whitequark>
the device responds to me with an ACK of 101
<whitequark>
consistently and repeatably
<whitequark>
and it's the same with the Thunderbolt adapter and a bog standard STM32F103CB
<balrog>
whitequark: btw remind me what are you working on?
<azonenberg_work>
whitequark: I'm going to be doing some hands-on testing monday
<azonenberg_work>
going in to $dayjob to try with a LA
<azonenberg_work>
and see whats actually going on
<whitequark>
azonenberg_work: I can give you SSH like right now
<azonenberg_work>
I wanted to bring up my FTDI implementation too
<whitequark>
balrog: I'm trying to get an Apple Thunderbolt 3 to 2 adapter to work with my Thunderbolt 3 laptop
<azonenberg_work>
And i'll PM you a SSH key but wont have time to test for a few hours
<whitequark>
I can wait a few hours sure
<balrog>
whitequark: and your laptop isn't Apple?
<whitequark>
balrog: no
<balrog>
and it doesn't work out of the box?
<azonenberg_work>
whitequark: so you confirmed that the thunderbolt adapter acts the same as the stm32 does?
<azonenberg_work>
i.e. you are confident it is indeed real swd?
<whitequark>
balrog: no
<whitequark>
azonenberg_work: yes
<azonenberg_work>
OK
<whitequark>
I found that it wasn't responding before because there is a "disable SWD" strap
<azonenberg_work>
So, if you can hook it up to the stm32 and PM me the login info i'll check it out later today
<azonenberg_work>
(that would make sense)
<whitequark>
I reflashed it with my own firmware and SWD appeared
<balrog>
"The Apple Thunderbolt 3 to Thunderbolt adapter (Product ID: MMEL2AM/A) has been found to be incompatible with certain Windows systems in our internal testing. As a result, we do not recommend this adapter for Windows Thunderbolt systems. "
<whitequark>
balrog: see the thing is
<balrog>
"with certain windows systems"
<whitequark>
I reverse-engineered it and sniffed the USB PD comms
<whitequark>
the adapter appears perfectly compliant
<whitequark>
it's the laptop
<azonenberg_work>
lol
<balrog>
uhhhh
<whitequark>
but I have no idea what's wrong with it
<balrog>
is there a thunderbolt firmware update available for the laptop?
<whitequark>
unless you install my firmware, anyway
<whitequark>
lol
<balrog>
lol
<balrog>
some people report different results depending on which port on the laptop is used
<whitequark>
i actually found it way easier to make it work with displayport
<whitequark>
i have only one usb c port
<whitequark>
but yes
<whitequark>
this is a thing
<whitequark>
not all usb c ports have thunderbolt capability
uovo has joined ##openfpga
zjoel has quit [Quit: Leaving]
<feuerrot>
gruetzkopf: I still have to ask someone, if I can also get the 'Interface Specifications for the SECCOS ICC - EMV Commands and SECCOS EMV Applications' - afaik they should specify which Commands I have to send to the card to change the pin