David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall@infosec.exchange

I am Director of System Architecture at SCI Semiconductor and a Visiting Researcher at the University of Cambridge Computer Laboratory. I remain actively involved in the #CHERI project, where I led the early language / compiler strand of the research, and am the maintainer of the #CHERIoT Platform.

I was on the FreeBSD Core Team for two terms, have been an LLVM developer since 2008, am the author of the GNUstep Objective-C runtime (libobjc2 and associated clang support), and am responsible for libcxxrt and the BSD-licensed device tree compiler.

Opinions expressed by me are not necessarily opinions. In all probability they are random ramblings and should be ignored. Failure to ignore may result in severe boredom and / or confusion. Shake well before opening. Keep refrigerated.

Warning: May contain greater than the recommended daily allowance of sarcasm.

No license, implied or explicit, is granted to use any of my posts for training AI models.

as usual, leave it to the FSF to have the most nonsense contrarian take, like "using a JS based tool to block LLMs is malware".

their slide into incoherence and irrelevance knows no bounds.

"America has been vaccinating people for fifty years. If vaccines caused autism, America would have trains, okay? We would have so many trains." - Jon Allen

Why did you write a new RTOS for CHERIoT? (Part 2)

Back in October last year, I wrote a bit about why we wrote a new RTOS for CHERIoT. Reading that again, I realise that it had a lot of high-level concepts but missed out on some detail. This time, I wanted to take a closer look at some CHERIoT RTOS features to show that being able to rely on CHERI lets us build them in fundamentally different ways to other systems.

#CHERIoT

still laughing at the xlibre guy not knowing that ^ is xor and c doesn't have a builtin exponentiation operator

this is the kind of thing we learned when we were, idk, 16?

My wife points out that, although I am a very sarcastic person, I am always serious when I use the word 'fabulous'.
I realised my previous post about why we wrote a new RTOS for #CHERIoT was light on details. The core reason is at the end of the new post: We don't want to build a system that is secure, where people can then layer insecure things on top, we want to build the core that enables you to build secure systems. And that requires rethinking a lot of core OS abstractions with usability and security as core requirements. We can't do that by retrofitting CHERI to an existing system.
Nice to see that my faculty has at last caught up with my little Royal Society stunt.
a blog post by my friend eevee which is, y’know, preaching to the choir about exactly what you think, but. yeah. https://eev.ee/blog/2025/07/03/the-rise-of-whatever/
The rise of Whatever

This was originally titled “I miss when computers were fun”. But in the course of writing it, I discovered that there is a reason computers became less fun, a dark thread woven through a number of events in recent history. Let me back up a bit.

Copy files between your host and jails with ease using bastille jcp. No need to
mount or exec—just push or pull directly.

Bastille 1.0 is tried, tested and available soon!

#BastilleBSD #FreeBSD

I need adult supervision because,-
Strong Password Policy 101
Edit: for bonus points it messes with your OCD. There's a method to the madness
@beyondmachines1
The "closing" strong is missing a /
Therefore, it can't be accepted 😜
@realn2s that's intentional 🤡
so hackers will try to close the strong and fail login!
@beyondmachines1
😂
Inconceivable!

@realn2s When you have three locks on your door and leave one unlocked.

When burglars tamper with the locks they unlock two and lock one.

@beyondmachines1 @realn2s I can just imagine trying to remember this...

"Let's see, did I intentionally not close the <strong> tag? Or was it the <body> tag? Or the <html> tag? Wait, did I include an <html> tag?"

@beyondmachines1 that certainly was a bold move.
@cjust i'm sure pun not intended
@beyondmachines1 I tend to post a lot of puns - with the intentions of making people laugh. Unfortunately, a friend of mine took a random sampling of 10 of my most recent ones, and sadly not one pun in ten did.
@beyondmachines1 @9x0rg Error: non-closed strong tag
@beyondmachines1 it's also cool that it allows for an italic password or maybe even a BLINK password!
@beyondmachines1 My eye twitches at the unclosed <strong>, but that makes it secure for exactly the same reason that misspellings in otherwise easy-to-remember words made passwords that kept us all safe in the 1990s.
@beyondmachines1 Password makes a body strong

@beyondmachines1,

the “strongness” is leaking 

@beyondmachines1 the HTML is improperly formatted. Embarrassing 😳
@beyondmachines1
don't forget to close the strong tag!
@beyondmachines1 Your <strong> is missing a closing tag. :P

@GrahamDowns @beyondmachines1 Oh, man. What rotten luck.

This kind of password should actually be pretty good, I think. It's long, it draws on a large character set, it's hard to guess, yet it's easy to remember.

Unless it includes a typo.

@GrahamDowns intentional. There's a method to the madness
@beyondmachines1 @GrahamDowns It's so strong that the strength leaks out into everything else!
@beyondmachines1 ngl if this wasn't posted as a meme online this wouldn't even be such a bad password. It is easy to remember and hard to brute force. Also (at least before it became a meme) very unlikely to be within anyone's dictionary either.

@agowa338 @beyondmachines1 The irony is probably nothing will take it because it doesn't have mixed case letters or any numbers.

You could create an almost infinite number of huge variations like this and all would be memorable while being super hard to actually guess -- and none would be accepted by most password policies.

https://xkcd.com/936/

Password Strength

xkcd

@beyondmachines1

Did it say it was strong? I do not see any numbers.

@beyondmachines1 @film_girl oh this is perfect, and yes it really does hit my OCD
@beyondmachines1 ERROR: password needs to contain a number.
@beyondmachines1 I’d forget that the second isn’t