Slashback: Letters, Time, Revision
Pardon me, do you have the time? Several months ago, we featured a short piece about investigations into clockless computing. Reader xenophrak writes with an update: "Sun Microsystems announces new technology that lets processors run various components of their internals in an asynchronous fashion. The 'FLEETzero' (warning, PDF) chips do not abide by a global clock pulse, and see lower power requirements and heat due to this new feature.
From the web page: 'At the ASYNC 2001 conference, Sun Microsystems Laboratories described FLEETzero, a prototype chip with raw speed roughly twice that of today's chips. Where today's chips use 'synchronous' circuits with a global clock to manage activity, the new, faster FLEETzero chip uses radical new circuits with low-power, asynchronous logic elements that produce timing signals only where and when needed.'
This could have some good impacts on embedded devices, and total processor throughput."
As usual, not so simple. On Saturday you read about Brian K. West, an ISP employee who claimed to be facing unfair threats of prosecution from the FBI for doing nothing more than accidentally discovering a security hole in a local newspaper. A followup posting at Politech indicates that the story isn't quite that simple. Specifically, the FBI's interest in West seems to stem more from alleged attempts at cracking into the violated site than from a simple "found a problem" report. If what the FBI says is true, it changes the story quite a bit.
Time to get a yardstick near the refrigerator ... f97hs writes "Yepps. Delayed almost a week due to regression bugs, the awaited bug-fix release is finally here. Unfortunately, it seems it still can't compile the KDE ARTS-lib (due to, I think, problems with virtual base classes). Worth noting is that in order to speed the compiler up, the default for -finline-limit has been lowered. This sometimes leads to considerably slower resulting code, so use -finline-limit=5000 if you compile something you want to be FAST. The mirrors are here and the official release letter from Mark Mitchell might also be worth a read."
No compiler can make up for poor programming...
The amount of needless string copying is mind boggling (extrapolating from the bugs in kdelibs-2.2/kdoctools)...
--
"If the cows start flying, there is nothing for me to do in space" -- Captain Zelenyj (Green) from "The Mystery of the Third Planet".
In Soviet Washington the swamp drains you.
Of course there is always more to the story than the Defendant claims. I think most of the posts WRT that story were suspicious of his claims.
Carl G. Jung
--
"With one breath, with one flow, You will know Synchronicity" -La Policia
Security gurus are fond of likening this kind of crime to analogous physical crimes, such as trespassing or breaking and entering. That bears closer examination.
Consider the situation where somebody forgets to lock their front door. Negligent, but not an excuse for entering the house in their absence. On the other hand, trying a door to see if your neighbor remembered to lock it is not considered a hostile act -- as long as you don't enter.
Pushing the simile a little further: suppose you notice that somebody's smashed open your neighbor's front door with a sledge hammer. I suppose it's still technically trespassing, but who would fault you for entering the house to make sure nobody needs help?
So consider the actions of Brian West, and other people like him, as analogous to the above. When is it like just trying the door, and when is it like entering the house uninvited? I don't think the analogies are obvious, though people seem to find it convenient to assume they are.
overclocking these chips is out of the question.
"..don't you eat that yellow snow."
he says in the letter
"- Fixes for some embedded targets that worked in GCC 2.95.3, but
not in GCC 3.0."
so I have to ask: what targets?
I hope it's MIPS and ARM targets (they cover 90% of volume shipments, so I guess it's those)
and is ARM-standalone back or not?
oh well, anyone know anything?
regards
john jones
this has been done at Manchester for a long time by the armulator, led by the guy that helped create it
jeez, it all gets invented in Manchester, then the Yanks claim they had it first
what's that you say?
BABY
regards
john jones
Obviously the compiler still needs to produce really fast code when I tell it to, though.
I often use these analogies myself when trying to determine if a computer crime is really a criminal act or not, as everybody has their own opinion about what is okay on the Internet....
So I definitely agree with your line of thinking. Plus, it's a public webserver, for crying out loud: You were already invited to tour most of the premises!
True, West may have poked and prodded more than necessary, but why does the company think it's more important to jail a nosy Samaritan than it is to actually fix their own unsecured property?
-- TheOrangeSquid
Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
Thank god you added this last bit.
Otherwise it would have sounded like you worked for a certain very big software company.
It actually sounds like something they would do, y'know.
;-)
- - -
radiofreenation.com
is a news site based on Slash Code
"If You have a Story, We have a Soap Box"
- - -
"It is a greater offense to steal men's labor, than their clothes"
GCC can definitely be considered the success story of the Free Software movement. In terms of C++ standards compliance GCC is believed to be the first compiler to achieve full ISO compliance. No other compiler (commercial or otherwise) can make the same claim. And despite constant complaints about how much GCC sucks on platform X or Y, it's still the most portable compiler out there. How many platforms has MIPSpro been ported to? Or Sun Workshop C++? Or Visual C++? Or Borland C++? GCC is one of the killer apps of the whole community. Something we should cherish and be thankful for.
Your pizza just the way you ought to have it.
From what I understood, a major component of KDE's speed issues is C++ linking, which is an ld.so problem. ld is part of the whole GNU compiler collection system, by the way.
Waldo Bastian wrote an excellent paper on the subject of KDE's speed a couple of months ago.
A lot of KDE's speed issues have been hacked at in the new 2.2 release, but the ld issues are still being worked on.
So before you go blaming all of KDE's problems on the current bug reports in one small portion of a big big project, please read the literature at hand.
"I may not have morals, but I have standards."
Nah, if I got it right (note that I didn't read the article, it's 5am here and I'm too tired to download that PDF), different parts of the chip do their job at their own speed, somehow synchronizing between themselves when needed. So, effectively, there's no external clock, but your statement that 'everything is clocked' isn't wrong either.
-- B.
This sig does in fact not have the property it claims not to have.
Where did the guy speaking up for the FBI see the FBI's affidavit? I am assuming that if it is available for the public to see the rest of us should be able to look it over.
A, "hey, I noticed your door's unlocked," from any Joe Schmoe I can appreciate, but what doesn't deserve my thanks is a, "hey, for the past few hours I tried breaking & entering into your place and finally discovered that your backdoor is vulnerable to the XYZZY-lockpick exploit -- you're most welcome...Oh, and btw, nice porn collection you've got there under your bed. Might I suggest a safe?"
Maybe Brian considers himself a kind of Neighborhood Watchman... whose only crime is making damn sure your doors are properly locked, and that a midget thief can't squeeze in through your doggy-door. ;-)
Power to the Peaceful
Good analogy, and it has a little merit, except for the small fact that if you were found on the premises by said neighbour without permission you are in fact guilty of trespass - the police would maybe charge you - certainly your neighbour would not be happy.
The adage of trying the door is another one I find interesting - point - your neighbour is not home, so you go and check if the door is locked just to see? What do you do if the door is open? Walk in?
That's analogous to saying if you leave your door unlocked I'm justified in stealing everything you own (which would not stand up in a court of law - your insurance company would not pay out, but as the thief you would still be charged with theft).
The difficulty comes in trying to apply these standards to computer crime - did he hack it or not? Well, from reading all of the linked info the answer looks to be yes he did - including the alleged use of stolen passwords. So he's not the white hat he says he is - if he found a hole and reported it that would be fine - but finding the hole and removing data left him open to charges of hacking or theft of company data - he may have only been doing this in what he saw as a misguided attempt to say "look, I got this stuff, so your system is compromised, you need to fix it" - but isn't that asking for trouble? The company no doubt already feels foolish at having the flaw pointed out, so if they find you possess data taken from them they are going to get pissed and try and cover their asses by accusing the user of hacking their systems - the onus of proof then reverts back to him.
Finding the flaw - good thing
Taking files - dumb thing
Does this guy have anything else in his background that would interest the DOJ in him? Before we simply condemn the company and govt maybe we need to find out if he has a history of cracking systems? And why was he trying that door? (Just postulating, BUT) was it that he was looking for a hole for other reasons - found it and maybe got worried he might be caught later, so he announced the hole to the company to try and make himself look good?
I don't know - personally I'm an IT manager and spend money to keep people out of my systems; that means I don't like the 'just trying to find if you have any holes in your system' excuse - I pay consultants for that and I would consider anyone looking for an open door to be up to no good - this company wasn't a high profile target, and if I was the law and the IS manager at the other company I would be asking what one of my competitors was doing trying to see if I had any holes in my system - I would immediately suspect corporate espionage (it happens, don't laugh) and call in the cops as well.
I think he may have done a silly thing for whatever reasons - but I also wonder if he is being completely honest?
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Read this
http://www.bkw.org/pdf/stigler-news-hack.pdf
This issue is more than the newspaper - he is accused (and it looks like he admitted it) of hacking into a bank and looking at client account balances etc. - the guy's screwed, sorry.
Also he hacked into the newspaper's site on a rival web hosting company - he was trying to get the newspaper's business and no doubt thought he could poke holes in the other company's security, thus making them look incompetent and getting him the business - this is a stupid move and guaranteed to fail - instead he got jammed, and I would not be surprised if he finds his company on the receiving end of a civil lawsuit for his actions - which can only be determined as undermining the business of the other company.
Also, when he gets caught he then places his story on websites in a way which is designed to garner the voluble support of the free source and white hat community - it looks (IMHO) like a simple attempt to cover himself with support (a la Dimitri) of the voluble community, who he expected, I think, to defend him.
A bit of research proves this guy is in trouble because he deserves it - once you start hacking into banks you guarantee deep shit if you get caught (and the bank he hacked appears to have Federal Deposit Insurance, thus he committed a federal crime). You cannot hack into banks just to check their security or look around.
Maybe this is a lesson to all the would-be white hats out there - just because you can doesn't mean you should.
Now I don't want to look like I'm trolling - I would defend the guy if he was in the right - so please understand me when I say that this person deserves no support from our community.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
It still doesn't support the export keyword.
This is no big slight on GCC, because to the best of my knowledge, no other compiler implements export either. Still, it's wrong to claim GCC is ISO C++ compliant. It's not.
Yes, but if you look at the affidavit
1) He tries hundreds (that's with an 's' there) of times to break into their web app
2) After the hundreds of attempts he finally gets a combination to give him a password file
3) Instead of stopping at the point he *knew* that he had broken their security, he continues on and goes back and logs in as one of the employees
It's a gray area, but there has to be a limit, it sure seems that attempting hundreds (again with an 'S') of attacks against a site, finally getting a password list, and still not stopping? Please, there has to be a sane limit here.
I've purposely ignored the bank portion of this because the above sure looks like illegal activity (curiosity is one thing but to spend hours is another). If you throw the bank stuff into it, it screams of a classic shake down. Walks into the office, I've got a floppy disk with advertisement I want you to put on your site... oh, I "accidentally" got into your site, and in the past I "accidentally" got into the 1st National Bank's website, I also talked to them about their security didn't act very nice to me, so I then talked to the Sr. VP.... It almost has a feel of the mobster saying "Hey, we wouldn't want nothing to happen to your nice establishment. Nasty accidents can happen and we don't want that to happen to you, we'll be your *insurance* to make sure that no "accidents" occur. Capish?"
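The pattern this comment describes, one source making hundreds of failed attempts against a web application and then getting in, is exactly what a web server's access log makes visible, and it is what an affidavit like the one being discussed would have been built from. As an added example (not from the page, the affidavit, or anyone quoted here), the scanner below groups Apache combined-format log lines by client address, finds the peak number of failed (4xx) requests inside a sliding window, and notes whether a successful response followed the last failure. The log lines are constructed; the addresses, paths, timestamps and the 100-in-an-hour threshold are made-up assumptions, and the requests are generic probes, not the actual attack.

```python
"""Added example, not from the page or the affidavit it discusses: a small
access-log scanner for 'hundreds of failed attempts, then a success' from
one source address. All log lines below are constructed for the example."""
import re
from datetime import datetime, timedelta, timezone

# Apache/NCSA combined log format: client, identd, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, time, request, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), t, m.group("request"), int(m.group("status"))


def max_in_window(times, window):
    """Largest number of events (sorted datetimes) falling inside any span of length `window`."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bursts(lines, threshold=100, window=timedelta(hours=1)):
    """Flag sources with at least `threshold` failed requests (4xx) inside `window`,
    and record whether a success (2xx/3xx) from the same source followed the last
    failure. Returns {ip: {"failed": peak_count, "followed_by_success": bool}}."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip.setdefault(rec[0], []).append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        failures = [r[1] for r in recs if 400 <= r[3] < 500]
        peak = max_in_window(failures, window) if failures else 0
        if peak < threshold:
            continue
        last_fail = failures[-1]
        success_after = any(r[1] > last_fail and 200 <= r[3] < 400 for r in recs)
        alerts[ip] = {"failed": peak, "followed_by_success": success_after}
    return alerts


def fmt(ip, t, request, status, size):
    """Render one constructed combined-format log line."""
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{request}" {status} {size}'


def constructed_log():
    """Made-up traffic: a few normal page views, then one source sending 250
    failed probes in under 40 minutes and finally receiving a 200."""
    base = datetime(2001, 8, 1, 22, 0, tzinfo=timezone.utc)
    lines = [fmt("198.51.100.5", base + timedelta(minutes=7 * k),
                 "GET /news/today.html HTTP/1.0", 200, 5120) for k in range(5)]
    for k in range(250):
        lines.append(fmt("203.0.113.7", base + timedelta(seconds=9 * k),
                         f"GET /admin/probe{k} HTTP/1.0", 403, 312))
    lines.append(fmt("203.0.113.7", base + timedelta(seconds=9 * 250 + 30),
                     "GET /admin/ HTTP/1.0", 200, 2048))
    return lines


if __name__ == "__main__":
    for ip, info in find_bursts(constructed_log()).items():
        print(ip, info)
```

The threshold and window are tuning knobs, not magic numbers: a single reader hitting a broken link a few times never reaches them, while a source that keeps trying until something answers 200 does. The "followed_by_success" flag is the part worth keeping an eye on in practice, because it separates a noisy scan from a scan that was followed by a login.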
It sounds like they're talking about an asynchronous design.
There are two major styles of logic design: synchronous and asynchronous.
In a synchronous design you have a large number of edge-triggered D-type flip-flops driven by a common clock. This may be all the flip-flops on the chip, or the chip may be divided into several "clock domains", each with all the flip-flops driven by a common clock.
Only edge-triggered D flip-flops are used.
The flip-flops' C inputs are only driven by the domain's clock - never by combinatorial logic (except for combinatorial logic responsible for enabling/disabling a domain's clock.)
D inputs are driven by combinatorial logic from their own and other flip-flops' Q and not-Q outputs and from input pads.
Set and reset inputs are unused, except perhaps for system reset.
Combinatorial logic may not contain loops (which would oscillate if they contain an odd number of inversions, or be bistable {implied R/S flip-flops} with an even number of inversions).
Propagation of a signal through the slowest path in combinatorial logic from one flop's output to another's input is enough less than one clock period that the flop's input will be "set up" properly by the next clock edge after the one which changed the driving output.
Synchronous designs tend to be organized into pipelines - alternate layers of flops and combinatorial logic. Timing is tightly controlled and special care is taken at clock domain boundaries. Clock speed is limited by the "critical path" - the slowest path in the slowest pipeline stage.
Asynchronous logic is essentially any logic that violates one or more of the above rules. For example:
A flip-flop's C input may be driven from another flip-flop's Q or not-Q output or from combinatorial logic. (Canonical example: a ripple counter.)
R/S or J/K flip-flops or D latches may be used.
Set or reset inputs may be used for significant functionality during normal operation.
Propagation time of a signal through combinatorial logic may be semantically significant. "Races" may be deliberately created to produce desired effects, including oscillating timing loops.
Asynchronous designs are characterized by waves of state-change propagating through the logic at the logic's maximum speed, and lack of state-change when nothing interesting is happening. Asynchronous includes a hybrid approach, with large waterfalls of asynchronous circuitry occasionally hitting a register and resynchronizing with a clock, a la the layer of D flops at the end of a synchronous pipeline stage.
Most large digital chips and systems today are designed using the easier synchronous style. It allows the use of a number of powerful tools to automate the design process and to automatically generate programs for the machines that test each chip as it comes off the fab. (In a synchronous design it's easy to add a multiplexer to tie some or all of the flops into a set of shift-register "scan chains". These let the tester stop the chip, shift out all the state, shift in a new state, and restart the chip.)
But asynchronous designs, though harder to do properly, have a couple major advantages:
In a synchronous design several of the gates in each flop are switching all the time. CMOS logic mostly consumes power when it switches, so power consumption is mostly proportional to clock speed. In a good asynchronous design the state only changes when information is being processed, and only as necessary. Power consumption is mostly proportional to work done, and can easily be a factor of ten lower than an equivalent synchronous design.
Synchronous designs run as fast as their component logic is capable of running.
Automated fabrication testing of asynchronous designs is harder, though there is (or once was) a method to do this: the "Cross Check Array" and the associated test automation tools (which can also deal with synchronous designs at less overhead than full scan). But Cross Check's technology never caught on in the US. They merged into another company some years ago and I don't know if their technology is available to anybody but Sony - who invested early in return for an unlimited license and was using it throughout their chips as of the PlayStation 1 generation.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
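The comment above makes two claims worth seeing in numbers: a clocked design is limited by its critical path (the clock period must cover the slowest path, on every cycle, whatever the data), while a self-timed design's state-change waves move at the logic's own speed and stop when there is nothing to do. The toy model below, added here as an example and not taken from the post or from Sun's FLEETzero paper, uses a ripple-carry adder as the datapath: a clocked adder is charged one worst-case period per add, and a self-timed adder with completion detection is charged only the time its own carries take to settle. The 16-bit width, the unit gate delay and the operand sets are assumptions chosen for the toy.

```python
"""Added example (not from the post above nor from Sun's FLEETzero paper):
why a self-timed circuit can finish early on most inputs, shown on a
ripple-carry adder. Width, unit delay and operands are assumptions."""
import random

WIDTH = 16          # assumed adder width in bits
GATE_DELAY = 1      # assumed delay of one full-adder stage, arbitrary units
MASK = (1 << WIDTH) - 1

# Clocked design: the period must cover the worst-case ripple, in which a
# carry entering bit 0 passes through every stage before the top bit is known.
SYNC_PERIOD = WIDTH * GATE_DELAY


def ripple_add(a, b, width=WIDTH):
    """Simulate a ripple-carry add of two `width`-bit values.

    Returns (sum, settle_time). settle_time is the number of gate delays until
    every sum bit and carry is known: a stage whose inputs are equal (generate
    1+1 or kill 0+0) knows its carry-out one delay after the operands arrive,
    whereas a propagate stage (inputs differ) knows its carry-out only one
    delay after its carry-in arrives, so a run of propagate stages adds up."""
    carry, carry_time = 0, 0        # carry into bit 0 is known at time 0
    total, settle = 0, 0
    for i in range(width):
        x, y = (a >> i) & 1, (b >> i) & 1
        cin_time = carry_time       # when the carry into this bit is known
        total |= (x ^ y ^ carry) << i
        settle = max(settle, cin_time + GATE_DELAY)  # sum bit i settles
        if x ^ y:                   # propagate: must wait for the carry-in
            carry_time = cin_time + GATE_DELAY
        else:                       # generate or kill: known without waiting
            carry_time = GATE_DELAY
        carry = (x & y) | (carry & (x ^ y))
    return total, settle


def compare(pairs):
    """Total time to finish every add in `pairs` under the two disciplines.

    The clocked adder is charged one full period per add; the self-timed adder
    is charged what each add actually needs. Both produce the same sums."""
    sync_total = len(pairs) * SYNC_PERIOD
    async_total = 0
    for a, b in pairs:
        s, t = ripple_add(a, b)
        assert s == (a + b) & MASK, "simulated adder disagrees with +"
        async_total += t
    return sync_total, async_total


def sample_operands(n, seed=2001):
    """Constructed operand pairs (seeded, so deterministic) for the comparison."""
    rng = random.Random(seed)
    return [(rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)) for _ in range(n)]


if __name__ == "__main__":
    print("worst case :", ripple_add(0xFFFF, 0x0001))   # (0, 16): full ripple
    print("best case  :", ripple_add(0x0000, 0x0000))   # (0, 2): no ripple
    sync_t, async_t = compare(sample_operands(1000))
    print(f"clocked: {sync_t} units, self-timed: {async_t} units, "
          f"speedup x{sync_t / async_t:.2f}")
```

The gain is the average-case versus worst-case gap the comment describes: the clocked adder pays for the full 16-stage ripple on every operation, the self-timed one pays for the longest carry chain that actually occurred. The flip side matters for security work: a self-timed datapath's completion time depends on its operands (here, on their carry structure), which for a cryptographic unit is a timing side channel that a clocked, constant-period design does not expose in the same way.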
Funny you should bring that up... Just this morning I stumbled across a computer on Bryan's Rice-Boy Page that has a racing stripe, has a clock display that's higher than the processor, and even has a VTEC sticker.
Nyah, who needs karma anyway? It's funny, dammit. Laugh.
The truth about Scientology, Xenu, and you: Operation Clambake
Asynchronous CPUs have been around for several years. There are async ARMs available, IIRC. The advantages are usually less in speed and more in reduced power consumption (from the large clock line) and reduced radio interference, which can be important on mixed digital-analog devices like mobile phones.
Really, twice the speed of current devices isn't that impressive; Intel already has p4's operating that fast in their labs.
Even Slashdot wants to hide some things
I don't like to be seen to be attacking anyone, but the facts (and I have read all the stuff on him I can find) seem to be
Yes, but if you look at the affidavit
1. He contacts a customer of another (rival) company's services and tries to convince them to use him
2. He seems to decide to get this customer to use him by breaking into the rival company's system - as if aiming to impress them
3. This isn't so easy to do - he needs several hundred attacks to enter the competitor's system and then he does it by stealing a password file or hacking one (this is by definition unauthorised access). Instead of stopping when he was sure that he had broken security, he goes on and goes back and logs in using an unauthorised account and stolen password
4. He then steals files off the system, no doubt trying to prove he was there
5. He boasts about it to the prospective customer at the same time he tells the company they have a hole in their system (one he had to work hard to find)
6. He then brags that he broke into a bank and looked at their systems - the bank says they don't have a link to the web - someone is lying here and I think I know who - I suspect he made the claim to establish his bona fides as a l33t haxor but it backfired and that claim is now in court records.
Either that or as another poster said he was making threats that he could do some serious damage here.
You said:
After all, to truly verify any suspected security hole, one must gain access to at least some information that seems as if it should be protected. Which is in itself a violation of applicable law.
"The term 'exceeds authorized access' under 18 USC § 1030(e)(6) means to access a computer without authorization and to use such access to obtain information in the computer that the accessor is not entitled to obtain." That is so broad, it could apply to looking over your bank teller's shoulder at her computer screen.
I say:
That's the point: it is broad, and if the company in question had not hired you to find breaches then you have no right to be attempting to gain access to what is deemed a private system (the fact it has publicly accessible web pages is irrelevant) - YOU HAVE NO RIGHT TO REMOVE OR COPY DATA FROM ANY SYSTEM WITHOUT PERMISSION. That's the fact - the thing that pisses me off is the way in which people think that if you say you're working to fix a problem then it's OK to hack into a system - it's considered illegal and if you get caught (or brag about it) then you will get in trouble. The white hat argument is used so often it is becoming redundant, and this guy is not a white hat.
Anyway, he could have copied 1 file - maybe an old memo or something - please, he took hundreds of files including passwords (check it out - it's mentioned as being in the court transcript) - this blows away the small amounts of data routine.
I would like to ask a few questions about Mr West so I don't look to be seen as attacking him
1. What age is he? (speaks to maturity of action)
2. Has he had any prior offences?
3. How long has he been in business?
These are simple things.
The FBI have charged him based on a complaint from the owners of the system he broke into - that's the law and their right - the problem is all the 'white hat' and Hotmail exploit type hackers and Code Red designers have turned this subject into a hot potato and they are cracking down hard on hackers - this is apparent and has been for a while - you play where you should not, there are consequences.
That's the thing that gets me - you need to know that in life there are consequences for every action - these guys think that they can do what they like, and then cry out when caught contrary to the law (and you might think the law sucks but it's there and if broken it has penalties).
The fact is this guy is going to be hung by his own mouth as much as anything.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Then he is old enough to know better IMHO
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Several people on the GCC list have tried to optimize -finline-limit, and they have come to very different conclusions. It totally depends on the application. Setting it to 5000 may very well slow the resulting code a lot compared to the default. Try for yourself.
Basically, the inline code has been rewritten in 3.0 (to work on trees instead of rtl), which gives a lot more opportunities for inlining and for further optimizations. However, the old heuristics for inlining have not been adapted to the new code, which means way too much code is inlined in 3.0, which again means much slower compile times, fatter binaries, and even slower binaries because of more cache misses.
In 3.0.1 the inline limit was set down to cure the worst symptoms. However, what is really needed is new heuristics, which will be in 3.1.
I have one source file which takes almost a day to compile with 3.0 at -O3. It isn't particularly long (2k lines) or advanced. The rest of the project (~150 files) takes maybe 6 hours to compile. I don't know why that file is hit so hard.
In any case, I switched back to 2.95. Sure, I compile without optimization most of the time, but I like at least to test the program with optimization once or twice a week, to catch any bugs that are only triggered by the optimizer.
Obviously, a day (or even 6 hours) is not acceptable in those circumstances.
There are three issues
1. Speed of compiler.
2. Size of generated code.
3. Speed of generated code.
When comparing gcc 2.95 and gcc 3.0 with regard to inlining alone, the gcc 3.0 inliner is worse on all three counts. They changed the inliner to apply earlier (at the tree level instead of at the rtl level), which gives it far more opportunities for inlining. This results (for C++ that uses STL) in order of magnitude slower compiles, several times larger binaries, and, because of cache misses and pipelining issues, significantly slower executables.
The problem is that the old inlining heuristics don't work with the new (and potentially much better) inliner. As a band-aid, they decreased one of the old parameters in 3.0.1, the inline limit. This avoids the huge compile times and binaries, but also sometimes misses important inlines. Exactly when you get the important inlines, but without the ridiculous inlines, depends on the application. Sometimes you can't.
For 3.1 the GCC developers will install all new inlining heuristics, which will hopefully be consistently better than 2.95. The potential is there with the new tree-based inliner.
In hindsight, it was probably a mistake to release gcc 3.0 without the new inline heuristics; however, 3.0 was already delayed, and is much better for most code.
The statements about him breaking into the bank, is in section 17, document page number 7 (my Adobe lists it as page 8, due to the coverpage)
It states that he told the site he hacked that he had gotten into the 1st National Bank in McAlester, was able to look at checking, savings & funds transfer; then goes to tell that he informed a bank officer, who also acted in a hostile manner; so he then accessed the bank 2 additional times, and then told a senior VP of an Oklahoma City branch.
Perhaps I should have made my point clearer. But nowhere do I mention what specific electronic transactions are analogous to trespass and which ones are not. My point was that the analogy is not as simple as people like to think it is. This is true of people on boths sides of the debate.