Just purchased a server license (for life). Not only is this update jam packed full of nice features, but a lot of their updates are. I’ve been self-hosting it (on a VPS) for the past year and it’s about time I supported them

My website’s the one linked in this post: https://snee.la/

My email is at the contact page: https://snee.la/contact/

sneela [at] tugraz [dot] at

I’ll be sure to reach out if I find myself being unable to replicate it.

No worries, and good luck! My email can be found on my website if you want it :D

I wasn’t even talking about tikzplotlib. It’s just that pgf backend is now supported by matplotlib and you can produce pgf files with.

Ah… I’ve think I’ve heard of it, but I never really registered that. Thanks for the info :D

I could give you the tikz source of Fig 2 if you’d like. The patterns and colors of the plots took me almost a day to choose. I wanted to go for a color-blind friendly pallette and keep it looking still snazzy. (https://github.com/simon-pfahler/colorblind)

I’m familiar with matplotlib -> PGFplots (using the Python tikzplotlib library). Unfortunately, I’ve decided against using it for the paper as it produces quite unmanageable outputs. Especially if I rerun experiments + with new data, and later want to change patterns, colors… It was always more of a hassle. I used it for my Master’s thesis.

Instead, Python program -> show plot -> if okay, generate CSV.

In LaTeX, have PGFplot code which reads CSV file and generates the data that way. Much, much easier to maintain.

Thanks for your words!

Yes! We use TikZ for the diagrams, which can be a nightmare sometimes… but it gets better the more I use it.

Regarding the plots, we use PGFplots. I often use matplotlib for quick plots while running experiments, but the paper itself uses PGFplots with the data in a CSV for that sweet, sweet scaling when you zoom in.

Thanks for the question!

As long as caches have existed, very similar styles of side channels have been demonstrated since the late 90s. A lot of the terminology we use (flush+reload, flush+flush…) are attack techniques that have been already demonstrated on CPU caches, and these demonstrations are at least a decade old.

Flush+Reload: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom

Flush+Flush: https://gruss.cc/files/flushflush.pdf

Invalidate+Compare (GPU caches, 2024): https://www.usenix.org/conference/usenixsecurity24/presentation/zhang-zhenkai

My colleague, Hannes, found similar styles of attacks existed with the Linux DNS cache too: https://hannesweissteiner.com/pdfs/dmt.pdf (also published at NDSS 26!)

The one really big difference between the page-cache side channel and other side channels is the “monitor” primitive. There are methods that the OS provides which directly report the presence of a page in cache. These are syscalls like mincore (mitigated in 2019), preadv2 + rwf_nowait (unmitigated), and cachestat (mitigated in 2025).

With these syscalls, we don’t even have to rely on timing information (is page access fast -> cached; is it slow -> not cached). These syscalls really set the page-cache side channel apart because you can nondestructively figure out whether a page is in cache.

The page-cache side channel was first explored in 2019. It was explored on Linux but also on Windows by my advisor et al.: https://gruss.cc/files/pagecacheattacks.pdf

Hope this answers your question :D

Thanks for cross-posting and tagging me!

Also fuck off with this attitude man. I’m not attacking you, learn how to speak to people.

Sorry. I get quite triggered when people add pseudo-labels to distributions, mainly Debian being outdated. Looking back, I was quite harsh and I apologize.

However, you’re actively spreading the false narrative by saying Debian’s not good for “general computing” - this is what triggers me. A distribution is nothing but its package manager and some defaults. Some have different defaults and package managers.

Older packages can be difficult for new users who want a computer to “just work”.

The only place this makes a difference is with the latest hardware which OP does not have. I have more recent hardware than OP and Debian 13 + KDE Plasma 6 works out of the box.

It’s fine for general computing, but not great.

Again, I really hate this sentence. I will tone down the rudeness this time in explaining why. I have daily-driven Debian for years with AMD + Intel CPUs, Nvidia GPUs (1070, 3060) with use cases ranging wildly through the years. I cannot fathom what kind of general computing cannot work. If you say specialized computing, I would still disagree as there are always ways to make things work.

Just off the top of my head where things are iffy with Debian: bat cannot be installed via a package manager, but not on most distros anyway. There’s a deb package though which works. Similar with dust, although more distros have it in their package manager.

Debian, like you said, is rock-solid stable. In my many years of developing code, university courses, daily work (research), maintaining servers with wildly different usages, Debian’s “outdated” packages have only let me down once and that was with a LaTeX package which could be installed via ctan anyway.

Debian is rock-solid stable, but lacks newer packages. It’s great for a server, not so great for […] general computing.

What the fuck??? I’ve been daily driving Debian for years now on my personal laptops, desktop, mini PC, and mutliple servers. I’ve found and reported Linux kernel vulnerabilities on my trusty Debian systems.

What do you mean it’s not so great for general computing? What can’t you do with Debian computing-wise that you can do with other distros? The only issues I’ve ever had was with some LaTeX packages being older versions. You just get that from CTAN and install that manually.

This is such a ridiculous comment. What do you do on a server that’s not general computing? You’re doing a subset of general computing??? How does a fucking distro actively prevent you from doing general computing???

CCC just wrapped up two days ago. https://events.ccc.de/congress/2025/infos/startpage.html

This happens every year with CCC, Defcon, and Blackhat. There are always interesting talks and you get a slew of posts from interested people.

…and there you go:

https://ccs25files.zoolab.org/main/ccsfb/1REOCPAR/3719027.3765061.pdf

https://misc0110.net/files/exfilstate_ccs25.pdf

From https://www.sigsac.org/ccs/CCS2025/accepted-papers/ (#378)

Literally published less than a day ago:

ExfilState: Automated Discovery of Timer-Free Cache Side Channels on ARM CPUs

At the same conference (CCS) that the paper referred to by the ars technica article was accepted.

You can implement a counting-thread that’s even more precise than the CPU’s timer (TSC on x86) platforms. This was shown in attacks on Intel SGX, where the rdtsc instruction to access the time-stamp counter is unavailable.

https://link.springer.com/chapter/10.1007/978-3-319-60876-1_1

https://arxiv.org/pdf/1702.08719

If you remove access to the timer, attackers will simply build one.

If the reports are somewhat technical (written with Latex for example), check out sioyek: https://sioyek.info/. It’s a PDF reader mainly for academic use.

Sioyek has made reading and reviewing papers SO much easier and it’s really, really convenient… once you get the hang of it. It takes a bit of time to get used to all the things, but it’s worth it. I also review students’ theses with it. Highlighting colors and adding comments is super easy (select text, h+g (green highlight), type comment).

If you have want to export your notes and comments, you will need this script though: https://github.com/ahrm/sioyek/blob/main/scripts/embedded_annotations.py

I can’t believe I didn’t know about it! Thanks :D

May I know what plugin you use in KDE? Sounds like it’s something I’d like to check out.

Quick searches show me Bismuth and kwin-tiling, and bismuth seems to be archived.

Installed it on my desktop and the process was painful (my fault) because I ran out of space on my boot ssd (128Gigs) while doing the upgrades.

I don’t really have much on my boot ssd and all my important data is on my laptop, backed up to my servers, or on my desktop’s HDD. I did a fresh install with a kde live usb stick and that went smooth, until something with the nvidia drivers prevented the display server from launching.

Thankfully, I’ve been through this charade multiple times in the past, and I’m significantly more experienced in dealing with the kernel these days. Adding the nvidia-drm modeset kernel command line launch param worked, and my system is running deb 13. I’m so happy I have KDE plasma 6.

Overall, a one hour process. Could have been faster if I had free space on my system lol. I’m a bit more reluctant to upgrade my servers at the moment, but I may in the upcoming months.

One minor thing: they updated their apt sources (https://repolib.readthedocs.io/en/latest/deb822-format.html, https://unix.stackexchange.com/questions/498021/deb822-style-etc-apt-sources-list#583015). Idk why, but the installer didn’t create & populate the .sources file. After a quick check of the man page, I created the file and it worked.

I need a recognisable domain name website that google or duckduckgo has picked as the product.

This doesn’t always work. For example, I used to (and still do) see a lot of fake websites when I l type revanced (https://revanced.app/) on duckduckgo, and I’ve nearly fallen for two of the fake ones before (I think two of .com / .org / .to…?)

Thankfully ublock origin warns users of this:

Otherwise, I’d have 100% downloaded some malware-loaded crap.

Not exactly what you asked, but do you know about ufw-blocklist?

I’ve been using this on my multiple VPSes for some time now and the number of fail2ban failed/banned has gone down like crazy. Previously, I had 20k failed attempts after a few months and 30-50 currently-banned IPs at all times; now it’s less than 1k failed after a year and maybe 3-ish banned at any time.

There was also that paid service where users share their spammy IP address attempts with a centralized network, which does some dynamic intelligence monitoring. I forgot the name and search these days isn’t great. Something to do with “Sense”? It was paid, but well recommended as far as I remember.

Edit: seems like the keyword is " threat intelligence platform"

PR Videos to save you a click:

https://www.youtube.com/watch?v=mWKhSrsj3V0

https://www.youtube.com/watch?v=-v283Og5DLw

Someone asked the same question on a cross-post: https://lemmy.world/comment/14943883

Tl;Dr is the recent rust drama.

More info: https://www.phoronix.com/news/Asahi-Linux-Lead-No-Upstream