Slashdot Mirror

Interesting thing is that PCID predates INVPCID. And you can get some of the effects of an INVPCID on a processor which only supports PCID.

I.e.

http://forum.osdev.org/viewtop...

MOV to CR3. The behavior of the instruction depends on the value of CR4.PCIDE:

If CR4.PCIDE = 0, the instruction invalidates all TLB entries associated with PCID 000H except those for global pages. It also invalidates all entries in all paging-structure caches associated with PCID 000H.

If CR4.PCIDE = 1 and bit 63 of the instructionâ(TM)s source operand is 0, the instruction invalidates all TLB entries associated with the PCID specified in bits 11:0 of the instructionâ(TM)s source operand except those for global pages. It also invalidates all entries in all paging-structure caches associated with that PCID. It is not required to invalidate entries in the TLBs and paging-structure caches that are associated with other PCIDs.

If CR4.PCIDE = 1 and bit 63 of the instructionâ(TM)s source operand is 1, the instruction is not required to invalidate any TLB entries or entries in paging-structure caches.

See
https://www.intel.com/content/... page 145

This chap tried it, and apparently it works

http://www.dumais.io/index.php...

I.e. with bit 63 and 0:11 set to PCID a write to CR3 works like INVPCID in processors which don't have INVPCID.

This actually makes a difference. My 2012 Macbook pro has a

machdep.cpu.brand_string: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz
machdep.cpu.features: FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR PGE MCA CMOV PAT PSE36 CLFSH DS ACPI MMX FXSR SSE SSE2 SS HTT TM PBE SSE3 PCLMULQDQ DTES64 MON DSCPL VMX EST TM2 SSSE3 CX16 TPR PDCM SSE4.1 SSE4.2 x2APIC POPCNT AES PCID XSAVE OSXSAVE TSCTMR AVX1.0 RDRAND F16C

I.e. assuming the patches know the bit 63 set in writes to cr3 trick, they should be able to do page table invalidation per PCID even on rather old chips.

It looks like KAISER on Linux supports/will support this

https://github.com/nathanchanc...

https://lkml.org/lkml/2017/11/... [currently down(!) but the title is "Subject [PATCH 4/6] x86/mm/kaiser: Support PCID without INVPCID"]

Interesting fact, let us introduce our service in Lombok Island. Info Sewa Mobil Lombok Yuk baca tips dan berbagai macam info rental mobil di Lombok dan info liburan yang akan membantu anda menambah wawasan Bisnis di era saat ini mengalami banyak disruptive. Hal tersebut bisa kita lihat dari sepinya pusat perbelanjaan di Glodok dan beberapa tempat di Jakarta. Tergesernya pemain taxi besar seperti Blue Bird oleh taxi online seperti Grab, Gocar dan Uber di... rental mobil avanza lombok selengkapnya Bicara soal jasa rental mobil, baik itu untuk wilayah Lombok, Bali, Makassar, Balikpapan ataupun Yogyakarta memiliki pola yang sama. Namun tetap dimungkinkan ada ke khasan sesuai dengan daerah masing-masing. Semisal untuk daerah Bali, usaha rental mobil tidak bisa berjalan saat... selengkapnya Apakah anda suka jalan-jalan? Bila iya, tentu anda tidak asing dengan pulau Lombok, bukan? Apabila anda diberikan kesempatan untuk berlibur ke Lombok, saya rasa tentu anda tidak akan menolaknya. Bagi para traveler atau wisatawan yang hendak berlibur ke Pulau Lombok,... selengkapnya Lombok merupakan tujuan wisata yang menyimpan banyak potensi wisata yang luar biasa. Salah satu keunggulan pulau Lombok adalah keindahan wisata alam yang dimilikinya. Tentu ini merupakan karunia dari Sang Pencipta yang perlu dijaga dai disyukuri oleh segenap warga Lombok dan... selengkapnya

just the text and a couple light text ads, if you must.

If you run uBlock Origin in medium mode you can get rid of almost anything but that by default

https://github.com/gorhill/uBl...

Google's solution of them hosting the content with means they can run their ads on it, not the ones that the original website wanted.

It will be a binary equivalent kernel. Different drivers and HALs would get loaded. Actually last time I looked at Windows kernel mode they were moving to a single HAL for all x86 systems.

If you look at the Linux code it's shared between AMD and Intel though it does check whether CPU features are present, so different code paths run.

https://github.com/torvalds/li...

Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode, use me_cleaner with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit.

Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode, use me_cleaner with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit.

Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode, Blackhat Dec 2017 presentation, Intel ME CVEs (CVSS Scored 9.0-10.0)

Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented mode (NSA High Assurance Platform mode)
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
CVE-2017-5705: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware
CVE-2017-5706: Multiple buffer overflows in kernel in Intel Server Platform Services Firmware

I draw your attention to JerryScript

Curious. Thanks for sharing! In any case, note that this is a C library able to deal with JavaScript code rather than a pure JavaScript autonomous alternative. Although they use C in all the code samples, I guess that there shouldn't be problems with any other C-library-compatible language; but you would have to support the corresponding language environment + the library. By bearing in mind that resource minimisation is a quite important aspect in embedded systems, doing all that doesn't seem like the most optimal alternative.

They're not, actually. Most decent languages are written in themselves. Occasionally, they throw in a C runtime for convenience, but even that is technically optional.

Thank you for noting that you're not 100% sure it's right, and for the excellent summary. There's a ton of misinformation going around, especially with 0100010001010011 dude on Slashdot repeatedly posting that Meltdown is INTEL ONLY, which is false, as some ARM products are affected. What is true is that Meltdown does not affect AMD and affects only a few of ARM's processors.

As you state, it's important to rely on the original sources. Here is each CPU vendor's response to the security issues:
https://www.amd.com/en/corpora...
https://www.intel.com/content/...
https://developer.arm.com/supp...

Here are two corrections to make:
1) Meltdown:
One of your bold statements "AMD and ARM are not affected" is untrue. See here, from ARM directly:
https://developer.arm.com/supp...

ARM has confirmed that A75 is vulnerable to Meltdown. In addition, A15, A57, and A72 are vulnerable to a variant of Meltdown (Variant 3a) which ARM has added. ARM has stated that they believe this variant is NOT exploitable, however, there is already userspace code out there that can do some limited exploits:
https://github.com/lgeek/spec_...

AMD is not affected by Meltdown, in any form. From AMD's press release:
https://www.amd.com/en/corpora...

2) Variant 1: While other vendors may require application changes to address this issue, AMD appears to be able to address this with an OS update, based on their post:
https://www.amd.com/en/corpora...


Summary:
Variant 1: Some manufacturers (ARM) appear to not be able to fix it and are recommending compiler changes, but AMD will fix this in OS updates. Unclear how Intel is addressing this vulnerability.
Variant 2: Correct, from what I can tell.
Variant 3 (Meltdown): Affects nearly all Intel (within the last 10 years) and ARM A75 chips. AMD not affected.
Variant 3a (Modified Meltdown): Affects a larger set of high performance ARM chips

Finally, Intel has done a terrible job (intentionally?) at conflating the two issues, which is unfair. These are 3 separate security issues, with their own priorities and impacts. If you read Intel's official press release for this issue, there's no differentiation between variants 1-3, like there is for AMD and ARM:
https://www.intel.com/content/...

Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode, Blackhat Dec 2017 presentation, Intel ME CVEs (CVSS Scored 9.0-10.0)

Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented mode (NSA High Assurance Platform mode)
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
CVE-2017-5705: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware
CVE-2017-5706: Multiple buffer overflows in kernel in Intel Server Platform Services Firmware

Or online. As I have no idea of the size of the IAIAO and he wants it to use for photo editing under Windows, I assume he needs something like http://www.dell.com/en-us/shop...
Otherwise he could just use GIMP and ImageMagick under any Linux machine. I use a HP Chromebook that runs https://github.com/dnschneid/c... so I have both Linux an Chrome.

Crouton apparently stands for for ChRomium Os Universal chrooT envirONment ...or something like that. Only two disadvantages I found: Not possible to ssh to it. Not possible to mount NFS.

Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode, Intel CPU CVE links (CVE-2017-5689 CVSS Score 10.0)

Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented mode (NSA High Assurance Platform mode)
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
CVE-2017-5705: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware
CVE-2017-5706: Multiple buffer overflows in kernel in Intel Server Platform Services Firmware

Change log:
2018/01/01 - Added 14 Useful Links, Intel CPU CVE links (CVE-2017-5689 CVSS Score 10.0), how to disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode.

Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP bit.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented mode (NSA High Assurance Platform mode)
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EEF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
CVE-2017-5705: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware
CVE-2017-5706: Multiple buffer overflows in kernel in Intel Server Platform Services Firmware

It is very shitty that these people are allowed to run rampant in open source projects but it is also quite delicious seeing the Codes of Conduct used against them. Unfortunately, as we have also witnessed, there is often selective enforcement of CoCs favoring SJWs, making the CoC effectively a tool for alienating all non-SJWs in the project. Look at this ridiculous comment on the report for example! He seriously doesn't think this public statement should constitute a code of conduct violation and inclusivity barrier: "never underestimate the wrath of a mildly inconvenienced white dude (and yes it is all dudes complaining)"

Toxic as fuck.

That's it? That's all you can respond to? I mean, I'm glad you have no valuable arguments to make against all the things I said and had to attack my anonymity. Kinda sucks for you that the messenger doesn't change the value of the message.

I'm calling those specific douches out because the messages they choose to carry into discussions are always supreme bullshit. There are rare occasions where I agree with them and what they say is a net positive but it is quite rare and if social justice can be dragged into the conversation in any way they ALWAYS end up spouting irrational SJW garbage.

Example in the comments on this Slashdot post: "If you stay on topic and don't be a wanker, you won't violate the code of conduct" while willfully ignoring that Codes of Conduct are exploited by identity politics-pushing SJWs to attempt to use the letter of the law without reference to the spirit, usually in order to gain an advantage within that environment. serviscope_minor knows good and damned well that this horseshit happens in any open source project that SJWs try to overtake.

The Code of Conduct shit is the foothold used to convert the project from a programming one to a political agenda enforcement one. The best move is to refuse to adopt a code of conduct at all since it legitimizes them and takes away the power to enforce the spirit of "don't be a dick" from the admins, but if one must be adopted, the Contribute In any Fucking Way You Want Code Of Conduct, the WTFPL of CoCs is definitely the best choice.

By the way, I'm logged in, asshole. I choose to post anonymously because there are very dangerous people in the SJW world who would be happy to harass and threaten me and attempt to destroy my completely unrelated livelihood for the cardinal sin of showing that they are a societal cancer in an irrefutable way.

That's it? That's all you can respond to? I mean, I'm glad you have no valuable arguments to make against all the things I said and had to attack my anonymity. Kinda sucks for you that the messenger doesn't change the value of the message.

I'm calling those specific douches out because the messages they choose to carry into discussions are always supreme bullshit. There are rare occasions where I agree with them and what they say is a net positive but it is quite rare and if social justice can be dragged into the conversation in any way they ALWAYS end up spouting irrational SJW garbage.

Example in the comments on this Slashdot post: "If you stay on topic and don't be a wanker, you won't violate the code of conduct" while willfully ignoring that Codes of Conduct are exploited by identity politics-pushing SJWs to attempt to use the letter of the law without reference to the spirit, usually in order to gain an advantage within that environment. serviscope_minor knows good and damned well that this horseshit happens in any open source project that SJWs try to overtake.

The Code of Conduct shit is the foothold used to convert the project from a programming one to a political agenda enforcement one. The best move is to refuse to adopt a code of conduct at all since it legitimizes them and takes away the power to enforce the spirit of "don't be a dick" from the admins, but if one must be adopted, the Contribute In any Fucking Way You Want Code Of Conduct, the WTFPL of CoCs is definitely the best choice.

By the way, I'm logged in, asshole. I choose to post anonymously because there are very dangerous people in the SJW world who would be happy to harass and threaten me and attempt to destroy my completely unrelated livelihood for the cardinal sin of showing that they are a societal cancer in an irrefutable way.

I recently tried to add an nvidia card to my workstation for a virtual machine, and it turned out that nvidia breaks the driver when they detect the card is in a virtual machine.

Specifically you get an unexplained "Code 43" error, and nvidia's excuse is that there is a bug which they will not fix. However if you spent some time to hide the VM, like removing hypervisor drivers, it would have magically worked. Unlucky as I am, it turns out nvidia also broke that workaround (at least it did not work for me).

There are 3rd party patchers for this thing: https://github.com/sk1080/nvid... which require a lot of involvement, and will probably break at the next update. Given so much effort by nvidia to make sure I would be unable to use the hardware I purchased, I gave up, and removed the nvidia card from the workstation.

Somewhat O/T but it turns out you can download the classic Computer Architecture : A Quantitative approach 5th edition, grey market PDF edition for free.

It would be cool to code your own special-purpose algorithm accelerators in VHDL or Verilog, etc.

Fancy that! Well, it's fun and games until there's enough demand for an ASIC implementation. https://github.com/teknohog/Op...

Obligatory:Intel CPU Backdoor Report (Jan 1 2018)

Change log:
2018 Jan - Added 14 Useful Links, Intel CPU CVE links (CVE-2017-5689 CVSS Score 10.0), how to disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode.

Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP bit.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented mode (NSA High Assurance Platform mode)
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EEF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
CVE-2017-5705: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware
CVE-2017-5706: Multiple buffer overflows in kernel in Intel Server Platform Se

Meanwhile, enjoying my Ryzen, largely unaffected by Meltdown or Spectre in spite of some well meaning or self-serving FUD to the the contrary. Yes, I got an early part with the segfault bug, but AMD RMAed without fuss when presented with appropriate https://github.com/suaefar/ryz...>test data to eliminate the possibility of bad motherboard, memory or overclocking. Quite different attitude compared to Intel! And the Ryzen is sweet - 16 high performing CPU threads, tiny power consumption at idle and respectable under full load. Integer performance, iow, compiling is stellar and floating point is not shabby. Basically, Ryzen out-cores Intel's competing i7 parts by a wide margin, acquits itself well in single-core too and draws so little power that the CPU fan is off or barely turning for most normal desktop usage. And when all 16 threads are going full blast, iow doing real work, total system power is around 120 watts, the system still runs nearly silent. Can't say enough good things about it.

If you do step up to Ryzen, be aware of two things: 1) Check the production week stamped on the CPU, it has the form 17xx where xx is the week... make sure this is higher than week 25, otherwise run kill-ryzen.sh to verify the segfault bug and get an RMA promptly from AMD's only support site, if you see it. Windows users need to boot Linux to do this, get a live iso on a usb stick to do this in maximum comfort, and preferably, just overwrite Windows when done :-) Most of that early production is sold out already, so the chance of getting a bad part is slim, but be aware. Windows users for the most part don't seem to see any issue even with the early parts. Good for them, but it goes along with significantly lower performance without the upgrade to LInux :-) 2) Be aware that Ryzen has no on-board GPU, in spite of the fact that your Ryzen motherboard has video connectors... these are for AMD's APUs, which use the same socket. Respectable chips in their own right especially in terms of value for money, but when you run Ryzen you need to run a discrete GPU too. This is what you want anyway, because what is the point of crippling your high end desktop processor with a mickey mouse embedded GPU? To be specific: AMD's fattest APU has eight compute units (512 stream processors) vs 64 in the current Vega part, plus uses processor memory instead of higher bandwidth dedicated graphics memory.

Of course, what I really want is a threadripper... that's next.

You are getting downvoted but you're absolutely correct. There is a serious plague of identity politics bullshit permeating large open source projects. Sarah Sharp and Matthew J. Garrett (mjg in particular is a really shitty person) being total cunts within the Linux kernel dev community made it loud and clear that "show me the code" has eroded in favor of "behave as I dictate" as the primary decision-making tool. Drupal ousted Larry Garfield for having an autistic roommate-slash-sex partner that doesn't talk to other people by choice, citing their bullshit Code of Conduct which was derived from tranny feminazi shitcunt Coraline Ada Ehmke's tainted codes of conduct (Contributor Covenant and TODO Group Code of Conduct, both of which were smeared around by Coraline's greasy fingers and SJW crybully policing).

Hell, Github almost adopted one of those Codes of Conduct WITH THIS LANGUAGE IN IT:

"Our open source community prioritizes marginalized people’s safety over privileged people’s comfort." and will not act on "reverse" racism, sexism, etc."

That Reddit thread has links to a bunch of other SJW toxicity issues in open source, particularly related to Github's highly unethical conduct towards certain developers based on those developers' political beliefs or lack of linguistic hypersensitivity.

To bring this full circle, from that same Reddit thread and dealing directly with Rust: "When someone says "your code sucks" it's obviously racism/misogyny and/or trans/homophobia. Because there's no chance in the world that the code actually does suck. Also remember back in the days when you had IDE drives and the HDD was the master and the CDROM was the slave? Yeah, that master/slave metaphor obviously is racist too: https://github.com/rust-lang/rust-buildbot/issues/2

Now, cue the logic-free virtue signaling responses to me by PopeRatzo, serviscope_minor, AmiMoJo, GameboyRMH, Rei, turkeyfish, et al. who will be sorely butthurt by this fresh hot dose of reality.

That a pretty harsh statement. There are always bad apples in every community

And in some, there are people who are full on mental. Master/Slave has been used in technical parlance for decades without anybody ever having a problem with it.

My mileage did vary.

Ctrl+Q in Firefox for Linux is mapped to "immediately close all open HTML documents." But it's adjacent to Ctrl+W (close one document) and Ctrl+Tab (switch to next open document in the same window). Some Slashdot users claim that Firefox on some platforms instead binds quit to Ctrl+Shift+Q, but this is still adjacent to Ctrl+Shift+Tab (switch to previous open document in the same window). "Restore Previous Session" restores which documents were open, but it doesn't always restore changes made by scripts to the DOM of those documents, nor data entered into unsubmitted forms in those documents, especially if the form was added to the document by a script. Slashdot D2 comment forms are one example of this, as are comment forms on Explosm.net (the home of the webcomic Cyanide & Happiness).

There used to be an extension called "Keybinder" to disable the Ctrl+Q shortcut for quit. But as described on the README of its GitHub repository, it didn't make the transition because WebExtensions don't support anything analogous to XUL keysets. This is bug 1325692, which was marked "wontfix" for Firefox 57.

I developed a set of BASH scripts to automate building a GNU/Linux distribution from scratch based on Linux From Scratch releases. After creating the package build definition files you can launch the build process by running a single master script. https://github.com/gdhorne/abs...

I know a guy that wrote a Puppet/Chef alternative in KSH. Complex stuff certainly can be done, but it is almost always more convoluted than using a better language for such tasks.

Already it's being exploited and wasting everyone's computing power to scrape up cryptopennies

By default uBlock Origin includes a block list to protect against resource abusing scripts, such as coin mining scripts. And, if you think the default block list is not enough, you can add additional block lists to uBlock Origin like the NoCoin list. So protect yourself with uBlock Origin and browse happy.

Ah yes, because proxies don't exist in 2017...

C++17 was mostly just an incremental improvement over C++14, which was an incremental improvement over C++11, and the most-anticipated feature -- Concepts -- didn't quite make it into 17. Still, the work of the committee is gradually evolving C++ into a much nicer language. Modern C++ code written according to the C++ core guidelines is simpler, clearer, safer, more maintainable -- and often more efficient.

Unfortunately, all of the old language features that are no longer recommended are still present, so the language as a whole is also becoming bigger and more complex... but if you can manage to purge all the old-style C++ from your codebase, the result is a language subset that's getting progressively easier to learn. Well, mostly. Template metaprogramming is becoming simpler and easier, but that's encouraging more and more of it, and there are still several non-obvious idioms needed to do common things. C++17 eliminates the need for a few of these, Concepts (which should, finally, land in C++20) will eliminate a lot more.

C++'s size and complexity mean that it must be used carefully. I often find myself asking people on my team to justify the clever metaprogramming constructs they create. Sure, it's cool to write a function that accepts an arbitrary number of arguments of any type, but if you only call it twice, and both times with the same number and type of args, why bother writing the complex templates that future programmers will have to laboriously parse? And if you call it many times with many different argument sets, you need to think about code bloat since the compiler has to generate another copy of the function for each argument set. So, a little discipline is essential.

But, assuming you can apply the necessary discipline, modern C++ is in a class by itself. It allows tremendously simple, expressive code that is also near-maximally efficient and obviously safe, with all memory accesses bounds-checked, and no possibility of either dangling pointers or memory leaks.

C++ is becoming awesome. I regularly spend time playing with competitors, such as Rust, and also often use dynamically-typed languages (e.g. Python, Java, C#). I've invested significant time into purely functional languages, notably Haskell. But for code that has to be efficient and precise, I keep coming back to C++ and it's getting better and better.

If the FreeBSD version is ever finished, they'll use jails.

You mean, when this is "ever finished"?

No, does not seem like jails are in use...

The article seems to contain a typo; I'm sure he meant cixl, not cx. Take it from Eric Raymond, this is the future of programming: cixl - a minimal, decently typed scripting language https://github.com/basic-gongf...

Already it's being exploited and wasting everyone's computing power to scrape up cryptopennies

By default uBlock Origin includes a block list to protect against resource abusing scripts, such as coin mining scripts. And, if you think the default block list is not enough, you can add additional block lists to uBlock Origin like the NoCoin list. So protect yourself with uBlock Origin and browse happy.

Sort of. Kodi isn't client/server it's just a client that streams content from a network source (NFS, CIFS, etc). Plex consists of a server component that performs transcoding to various clients (so is client/server), including a really great web client.

The Kodi web client, called Chorus2 technically supports web streaming, but because it just delivers the video to your browser without any transcoding, relies on your browser support for playing video. The web client also isn't anywhere nearly as robust or well laid out as the Plex interface. And I say this as someone who dropped Plex for Kodi a month or two ago. One big tradeoff in the switch was giving up the web client, it's useless to me. Overall I'm still happier and wouldn't switch back.

So, their page says their software is open-source, including the "collector" ( https://github.com/18F/analyti... ). Unfortunately, all that seems to be is some JavaScript to fetch and process Google Analytics data.

I thought the US government would be able to do an adequate job of collecting and processing "meta-data" without giving all of that information to Google ...

I switched recently from Plex which I had been using forever to Kodi. With the right skin Kodi looks fantastic. The problem is it's not a client/server model like Plex is. You just run Kodi on a client and point it at files somewhere. So you can't do transcoding from the server to the client. And with plex the client can also be a web browser. Chorus2, the kodi web client, is pretty poor and the browser streaming is barely functional and in my experience is dependent on the browser support and media type because there's no transcoding.

But the UI is nice, it's highly configurable and using the shared mysql/maria database you can share your watch status and library between devices (I'm using NVIDIA Shields).

Overall Plex offers a far simpler experience and supports transcoding which opens up some options (streaming to small/mobile devices via the internet) but Plex has gotten pretty shady requiring accounts, almost changing their policy until user backlash and it's not open source. So the whole thing just rubs me the wrong way. I'm willing to put in a little extra elbow grease to get Kodi working well to not support Plex because it works well enough for my use case, which is a couple front ends attached to TVs streaming content from a NAS.

The Smartwatch market essentially is as dead as the smartphone market. Everyone is building more or less exactly the same device. The mass market hates innovation because it means risks.

Meanwhile there's some actual innovation in the field of home made smart watches. For example Travid Goodspeed's "GoodWatch"
https://github.com/travisgoods...
It runs for years with a single battery and has way better functionality than any commercial smartwatch. You even have a keyboard.

But it still has to be able to detect that the code is even there.

It's just a block list. Specifically, this block list. You can make use of the NoCoin block list in, for example, uBlock Origin.

Opera isn't doing anything particularly special here and it's a shame that they don't give the block list author any credit in the blog post (though they do in the comment section and in opera://about/credits in Opera 50 beta itself).

You should read this discussion that somebody else linked to earlier.

Please, read it all. It gives an excellent snapshot into the sorry state of the Rust community.

Keep in mind that some of the participants of that discussion are very prominent members of the Rust community.

Steve Klabnik (steveklabnik), for example, is currently listed as part of the Core team, the Dev Tools Peers team, the Documentation team, and the Style team.

Manish Goregaokar (Manishearth) is currently listed as part of the Dev Tools Peers team.

Pascal Hertleif (killercup) is currently listed as part of the Dev Tools team.

Felix Klock (pnkfelix) is currently listed as part of the Language, the Compiler, and the Moderation teams.

Matt Brubeck (mbrubeck) is currently listed as part of the Moderation team.

Ben Striegel (bstrie) is currently listed as part of the Community team.

So these aren't just random "trolls" trying to make the Rust project look bad.

These are important Rust contributors seriously engaging in some of the most pathetic discussion I've ever seen within a software development context.

That's the general mentality of the Rust community. In my opinion it's a strange mixture of immaturity and autism, combined with an obsession for political "correctness".

I can't trust people like that to develop critical foundational software like a programming language.

Thank you! I haven't laughed that hard since I spent an evening skimming David Hasselhoff reviews on Amazon. To me, this explains both why the language looks the way it looks and why it's so successful in cultivating armies of drones lobbying for it. The whole thing reads like a pile of AI-assistants having a discussion. I'm done with freaking hipster languages; Rust may be the worst offender right now, but they're all similar. Go, Swift, Julia; I've done deep dives into all of them and their communities all have the same icky stench surrounding them to some extent. It's beginning to look like a recipe: 1) Produce an inferior language that creates more problems than it solves 2) Lip stick and market the shit out of it like there's no tomorrow 3) Create a cult with rigid rules and zero deviation to fuel armies of mindless drones to do propaganda and harass anyone who objects I'm writing my own language to counter the whole movement, and I suggest others do the same thing to make sure we don't get overrun by these morons: https://github.com/basic-gongf...

What I really don't get is why the Rust community, despite all of the focus it places on diversity and inclusion and tolerance and all of that, is mainly made up of white males in their 20s. There's nothing wrong with being white or being male or being in your 20s, of course. It's just odd to look through the list of contributors and see one profile picture after another showing a white male in his 20s.

I find it strange because all of the other programming language communities I've dealt with, especially ones that didn't put any focus at all on stuff like diversity/inclusion/tolerance, naturally had very diverse communities.

For example, for about the past 20 years I've worked primarily with Java, working with numerous large teams of other programmers. In these teams there were people with pretty much every skin color. There were men and women and people who today would be considered as having an "alternate" gender. There were people of many different religions. There were people of all ages, from college student interns up to well-aged graybeards who started their programming careers toggling switches. These teams exhibited real diversity.

Rust is one of the least-diverse and most-homogeneous programming language communities around. It's almost as if their intense focus on diversity/inclusion/tolerance has actually prevented the natural diversity that we've seen naturally develop in the Java, Python, C++ and C# communities, for example, where identity politics are ignored.

I'll just leave this here

making an app like that doesn't take super programming abilities, just some time and effort\

Sooo.... like most software?

But my main worry is why should I trust an App built by a guy who admitted stealing NSA data?

It's OSS. I guess you hope that not a few people will be pouring over the code looking for issues.
https://github.com/guardianpro...

I seriously doubt Snowden had much to do with this other than giving it his stamp of approval. The primary (only?) contributor is not Snowden (obviously).

I'm sure too. The source code is here: https://github.com/guardianpro...

im seeing a lot of suspicious attempts at character assassination in the comments and theyre fairly easy to debunk, so here goes.

Even worse, I believe he was a sharepoint admin...

check wikipedia or the guardian project to figure out what this man actually did and who he worked for. He was a BAH contractor. Just because your employer is too daft to assign you anything but a menial job shoveling the sharepoint shit, doesnt mean you're too stupid to do real work.

I'm sure that after requiring full access to all your phone's sensors, the app would never share that data with Russian hackers.

except that Haven is open source you tit. It has 5 developers and currently 1 asshole from slashdot trying to torpedo it
  https://github.com/guardianpro...

And how many micro ops or real world CPU cycles does that translate to?

It's pretty good

https://github.com/openssl/ope...

# Performance.
#
# Given aes(enc|dec) instructions' latency asymptotic performance for
# non-parallelizable modes such as CBC encrypt is 3.75 cycles per byte
# processed with 128-bit key. And given their throughput asymptotic
# performance for parallelizable modes is 1.25 cycles per byte. Being
# asymptotic limit it's not something you commonly achieve in reality,
# but how close does one get? Below are results collected for
# different modes and block sized. Pairs of numbers are for en-/
# decryption.
#
# 16-byte 64-byte 256-byte 1-KB 8-KB
# ECB 4.25/4.25 1.38/1.38 1.28/1.28 1.26/1.26 1.26/1.26
# CTR 5.42/5.42 1.92/1.92 1.44/1.44 1.28/1.28 1.26/1.26
# CBC 4.38/4.43 4.15/1.43 4.07/1.32 4.07/1.29 4.06/1.28
# CCM 5.66/9.42 4.42/5.41 4.16/4.40 4.09/4.15 4.06/4.07
# OFB 5.42/5.42 4.64/4.64 4.44/4.44 4.39/4.39 4.38/4.38
# CFB 5.73/5.85 5.56/5.62 5.48/5.56 5.47/5.55 5.47/5.55

Compared to the normal, non AES-NI x86-64 implementation which looks pretty good to me it's about 10x better

https://github.com/openssl/ope...

# Version 2.1.
#
# aes-*-cbc benchmarks are improved by >70% [compared to gcc 3.3.2 on
# Opteron 240 CPU] plus all the bells-n-whistles from 32-bit version
# [you'll notice a lot of resemblance], such as compressed S-boxes
# in little-endian byte order, prefetch of these tables in CBC mode,
# as well as avoiding L1 cache aliasing between stack frame and key
# schedule and already mentioned tables, compressed Td4...
#
# Performance in number of cycles per processed byte for 128-bit key:
#
# ECB encrypt ECB decrypt CBC large chunk
# AMD64 33 43 13.0
# EM64T 38 56 18.6(*)
# Core 2 30 42 14.5(*)
# Atom 65 86 32.1(*)
#
# (*) with hyper-threading off

It makes sense to hardware accelerate something like AES, after all people have being doing it in FPGAs for ages.

http://ece-research.unm.edu/ji...

On ARM and x86 people have built crypto coprocessors

https://en.wikipedia.org/wiki/...

And how many micro ops or real world CPU cycles does that translate to?

It's pretty good

https://github.com/openssl/ope...

# Performance.
#
# Given aes(enc|dec) instructions' latency asymptotic performance for
# non-parallelizable modes such as CBC encrypt is 3.75 cycles per byte
# processed with 128-bit key. And given their throughput asymptotic
# performance for parallelizable modes is 1.25 cycles per byte. Being
# asymptotic limit it's not something you commonly achieve in reality,
# but how close does one get? Below are results collected for
# different modes and block sized. Pairs of numbers are for en-/
# decryption.
#
# 16-byte 64-byte 256-byte 1-KB 8-KB
# ECB 4.25/4.25 1.38/1.38 1.28/1.28 1.26/1.26 1.26/1.26
# CTR 5.42/5.42 1.92/1.92 1.44/1.44 1.28/1.28 1.26/1.26
# CBC 4.38/4.43 4.15/1.43 4.07/1.32 4.07/1.29 4.06/1.28
# CCM 5.66/9.42 4.42/5.41 4.16/4.40 4.09/4.15 4.06/4.07
# OFB 5.42/5.42 4.64/4.64 4.44/4.44 4.39/4.39 4.38/4.38
# CFB 5.73/5.85 5.56/5.62 5.48/5.56 5.47/5.55 5.47/5.55

Compared to the normal, non AES-NI x86-64 implementation which looks pretty good to me it's about 10x better

https://github.com/openssl/ope...

# Version 2.1.
#
# aes-*-cbc benchmarks are improved by >70% [compared to gcc 3.3.2 on
# Opteron 240 CPU] plus all the bells-n-whistles from 32-bit version
# [you'll notice a lot of resemblance], such as compressed S-boxes
# in little-endian byte order, prefetch of these tables in CBC mode,
# as well as avoiding L1 cache aliasing between stack frame and key
# schedule and already mentioned tables, compressed Td4...
#
# Performance in number of cycles per processed byte for 128-bit key:
#
# ECB encrypt ECB decrypt CBC large chunk
# AMD64 33 43 13.0
# EM64T 38 56 18.6(*)
# Core 2 30 42 14.5(*)
# Atom 65 86 32.1(*)
#
# (*) with hyper-threading off

It makes sense to hardware accelerate something like AES, after all people have being doing it in FPGAs for ages.

http://ece-research.unm.edu/ji...

On ARM and x86 people have built crypto coprocessors

https://en.wikipedia.org/wiki/...

Well you can still serve web pages from your 486, just not with AES-NI.

Actually openssl seems like it has pretty performant AES encoding even on MMX and just regular x86. It's unlikely to be bottleneck.

https://github.com/openssl/ope...

What scripts were you running? I've been using dehydrated and it hasn't been fragile at all, plus it's a bash script and bash is widely supported on pretty much any flavor of Linux I've ever used. You don't even have to run it on the machine that will be using the certs (though I did have to write a custom script to do DNS updates; presumably there are other clients that have that built-in).

There's also built-in support for ACME in some webservers (e.g. Apache) if you really can't get an ACME client running on at least one system.

Here you go: https://github.com/RasPlex/Ope... Pre-compiled packages for Debian Jessie (x86 & x64), Ubuntu Trusty (x64), Ubuntu Xenial (x86 & x64) and Ubuntu Yakkety (x86 & x64), along with RasPlex for Raspberry Pi v1 and v2, embedded builds for several architectures, and installers for Windows and MacOS.

uBlock Origin does all the things uMatrix does now

https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode

https://www.wilderssecurity.com/threads/umatrix-help.388516/#post-2620652

That post is December 2013. The truth is that I am not using uMatrix anymore, I use uBO in medium mode. With 3rd-party cookies and all plugins blocked by default in browser, this is really what works for me.

Isn't it based off of this?
PowerShell/Win32-OpenSSH