Domain: blogspot.be
Stories and comments across the archive that link to blogspot.be.
Comments · 11
-
Re:He and Linus are Spot On
He's also dead right in that Intel has been mixing up the two issues, Meltdown and Spectre, deliberately, so they could tell everyone that it wasn't just Intel that was affected, and they also gave the impression that Spectre had been fixed when it was Meltdown that had been mitigated - with a patch that creates unacceptable performance problems, to a lesser or a greater extent.
This, in spades. While Theo De Raadt is not my favorite IT personality, the mixing together of the issues (actually 3 of them!) has made it exceedingly hard for someone who isn't familiar with the inner working of modern CPU architectures to get the story straight, and Mr. De Raadt gets kudos for calling them out on it.
The following is what I could infer from what I found online. I'm almost certain a good portion of it is WRONG, and I hope the more knowledgeable part of the
/. crowd will help me out by correcting it. (No, I'm not being lazy - just stretched to the limit of my understanding of the primary sources, yet desperate to gain some working understanding beyond the "it's hard to explain but you should apply patches" advice found everywhere on the internet.)- There are three separate but somewhat related issues:
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
- Variant 3 is a true bug by any definition. It was named "meltdown" and is an Intel exclusive - AMD and ARM are not affected. If an attacker succeeds to run a malicious binary on an affected system, they can read kernel memory, including juicy secrets like passwords and decription keys. To put this into perspective, this is very nearly as bad as a local privilege escalation. And to put that into perspective, local privilege escalations are so common that there's a mantra in security: if a sufficiently skilled adversary gains "arbitrary code execution", it's virtually "game over" and you can go scrub your HDD. Nevertheless, the aforementioned "sufficiently skilled" bar lies quite high and may not be met by a lot of common threats (especially the automated ones). So, from a defense-in-depth perspective, the only sane advise is "patch your system now". The big news is that patching will come with a performance impact that is proportional with how frequently a process calls the kernel. A process that simply allocates a big chunk of memory, loads data into it, and starts chewing on that (think stuff like compression, crypto mining, scientific computation,...) will not feel much impact, while databases generally will.
- Variant 1, IF I understand correctly, allows an attacker to feed a non-buggy process carefully crafted input that tricks it into leaking data into memory space that is owned by the process in question, but not in use by it. The bad news here is that all CPUs (including AMD and ARM) are vulnerable and there's no way to patch it system-wide. One could argue that this is not a huge deal in and by itself because if the process and the system have no other bugs, the data could never be retrieved. However, it is apparently possible on certain browsers to make JavaScript read data from the "not-in-use" memory locations (which would be a feature for a "system" language like C, but I would classify it as a bug for a high-level interpreted language such as JavaScript). Given that a browser handles sensitive data (passwords), this is potentially devastating. Fortunately, it is easily mitigated by the fact that the leaked data doesn't live long by virtue of it physically only residing in the CPU cache and not the actual memory. The attack therefore relies on precise timing, and by decreasing the precision of the timing mechanisms that are available in JavaScript, browser manufacturers can put a stopgap into th
- There are three separate but somewhat related issues:
-
Re:Predictable results
Here's a linky to the University of Massasuchetts' Climate Systems Research Dep't ongoing study: the most recent pic is from June 1, this year. Note the graph under the heading The value of a photograph, showing the decrease in surface depth of the glacier studied (about 0.8 meters over the period from June 2015 'till March 2017). And here's a pdf linky to the most recent (2014) easily accessible scientific publication about Mt Kilimanjaro's summit ice fields by the same group. Right in the introduction they mention why and how the earlier 2015 prediction was wrong; the summit is now predicted to be ice-free by 2040.
-
Re:Prepare to be
Nonsense. Name one of the basic natural laws that has been 'broken'.
And no, Newtons' theory of gravity wasn't broken by that of Einstein: http://soi.blogspot.be/2013/05...
I'm saying this in front, because it the typical thing people who are not to knowledgeable about the topic come up with. No, it's not been 'broken'. It is *incorporated* into GR as a special case, but within its domain and a given framework, it remains valid.
-
Re:LFTR
Some rebuttals are in order, because otherwise people might think it's actually all valid, while, in fact, most is not.
Rebuttals:
http://pche-sts.blogspot.be/20...
http://energyfromthorium.com/2...
Many of those counter-arguments you raise, have been brought up before, and equally as much has it been shown to be largely complete nonsense.
-
Re:Thorium is fools erand
Rebuttals:
http://pche-sts.blogspot.be/20...
http://energyfromthorium.com/2...
Many of those counter-arguments in that slasdot-post you link to, have been brought up before, and equally as much has it been shown to be largely complete nonsense.
-
Re:Acceptable Ads
Just read http://branddna.blogspot.be/20...
They poisoned the well just by existing.
-
Re:Sigh
"Is this the sort of thing that the EU could override?"
Yes, that's why the morons want out.
Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.
Or the right algorithms, the right computing power and encryption that is regulated to be limited to a certain level? I am sure Interpol or various intelligence agencies could push to have the right tools?
The problem with what the British government is asking is that it just takes one slip for the backdoor to be left wide open (see TSA security keys) and anyone who really cares about protecting their stuff and understands what they are doing probably will just encrypt their stuff with other encryption tools, that don't follow the rules. In the end what they are asking for only burns the general public.
The other thing is to compare decryption time to Moore's Law and thus estimating what sort of encryption level is needed for a given point in time (see here)
-
Re:close
.005% = 0.005/100 = 0.00005
Maybe Verizon is still hiring... -
Re:To America? Yes. To the GOP? No.
Posting a bunch of links of people doing things like fighting to keep raping men from being outlawed under the banner of "feminism" is a "massive MRA rant"? MRA's are now interchangeable with "channer trolls/opportunists/dupes"? Looks more like you've just decided to add "MRA" to a list of interchangeable cliches that you slap on anyone you disagree with to justify covering your eyes and rejecting whatever contradicts your worldview.
You posted "actually it's about ethics" with the intention of mocking that insistence. I posted "actually it's about equality" with a whole bunch of evidence of "feminists" doing things that are patently anti-equality (yknow, like trying to keep rape legal or harming domestic violence victims).
BTW Shadow, FWIW, the tactics of your fellow MRAs/channer trolls/opportunists/dupes lead me to actually sit down and watch Anita Sarkeesian's video series the other week. Well, I had to. And yes, it will impact some of my work in future, she makes some excellent points. Me, myself, probably won't make a difference to you, but I know plenty of others who have done the same. And by coming out into the open, you've also made it easier for us to see you, for me to, for example, warn my daughter (when she's old enough, I'm not going to scare the shit out of her right now) about the extremists in your group who write articles like "How to get away with rape" and "How to break a woman".
So thank you - to you and the people you defend and associate with - for making it easier to arm my daughter, and for ensuring I, and legions of other men who seriously had thought sexism against women was nothing like as serious as it is, open our eyes and start fighting for equality.
Seriously? "how to get away with rape"? You're just going to make shit up and try to pin it on me by associating me with some ridiculously hyperbolic villain cliche? What's next, moustache twirling and tying people to the train tracks?
You want to talk about "getting away with rape"? I just gave you a link to people literally fighting to stop rape from being outlawed. I just gave you a link to research publications discussing real harm done to real domestic violence victims, and real articles mocking domestic violence and victims. I gave you links to live videos of people committing felonies. If it's people talking about getting away with rape and breaking someone with abuse you want to talk about how about we talk about the mainstream people in your group that I've already supplied actual proof of.
Also you realise that you're rushing to defend as "[making] some excellent points" a whorephobic thief and plagiarist that's been caught repeatedly making patently untrue claims and generally passing off anti-feminist sexshaming nonsense as "feminist critique", right? You're talking about someone that shit all over Bayonetta, which is widely considered to be one of the single most positive feminist icons in gaming, and will plug a book she's got ties to before the bodies of dead kids are even cold?
-
Yet another?
I started mapping wifi networks with openwlanmap, which will likely be used by GNOME, a few weeks ago. Now it seems like Mozilla products will use their own database. Why cannot projects just work together, so we have 1 good database used by all FLOSS applications?
-
Re:Illusion of privacy
Google has been very adamant that the NSA does not have access to their servers.
No, Google did not choose to join a program that would give NSA access.
"we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. "
Source: http://googleblog.blogspot.be/2013/06/what.htmlWe know nothing about what Google did not choose to do, for all intents and purposes, because the NSA does have this goal i assume they have (or are going to) meet it. Likely in secret.
Furthermore as stated elsewhere encryption is irrelevant, with or without willing cooperation from Google Inc. the NSA is able to decrypt it.