Slashdot Mirror
Linus Responds To RdRand Petition With Scorn
hypnosec writes "Linus Torvalds, in response to a petition on Change.org to remove RdRand from /dev/random, has lambasted the petitioner by called him ignorant for not understanding the code in the Linux Kernel. Kyle Condon from the UK raised a petition on Change.org to get Linus to remove RdRand from /dev/random in a bid 'to improve the overall security of the linux kernel.' In his response, Torvalds asked Condon and the supporters of the petition to gain an understanding of Linux drivers and cryptography, and then 'come back here and admit to the world that you were wrong.' Torvalds stressed that kernel maintainers knew what they were doing and the petitioner didn't. Torvalds, in a similar outburst just yesterday, hoped that 'ARM SoC hardware designers all die in some incredibly painful accident.' This came in response to a message from Kevin Hilman when he noted that there were quite a few conflicts in the ARM SoC pull request for Linux 3.12 which were a result of the platform changes conflicting with driver changes going in to the V4L tree."
You have the source code, remove rdrand from the kernel yourself.
try We The People website.
The Truth Will Out!
You have none
~^\-/^|-|^\-/^~ May the force be with me!
This douche bag just wishes painful death on people who disagree with him. That is so much better. The guy may be brilliant and he may have created a wonderful thing for the world. But he is every bit the douche bag that Jobs and Ballmer have ever been.
The TFA makes it look like Linus went on full rampage mode and tore a insightful request down by being mean.
Actually reading his responses, Linus is pretty level headed and just says no, you can't have this.
Guess submitter got his feelings hurt?
World domination.. duh
~^\-/^|-|^\-/^~ May the force be with me!
"I hope that ARM SoC hardware designers all die in some incredibly painful accident"
Did Linus Torvalds just put out a hit on ARM SoC hardware designers? We report, you decide.
'"ARM SoC hardware designers all die in some incredibly painful accident."
I mean, maybe Linus hasn't had the experience of losing someone in an incredibly painful accident. Of course it's hyperbole I know that but - these events actually really take place everywere, every day.
Someone who has no social skills but uses his persona to stay at the head of the ship.
In any other company, even if the owner, he would have been taken out to the parking lot and given a good hiding by every other employee.
Linux is a fantastic OS and has spawned a generation of users, programmers and eco system based on open source mentallity, it is just a shame such a social retard is allow to rant as he is.
Then he wonders why Linux adoption rate on the desktop is nearly zero.
Any soccer mom reading this will think Linux is an OS developed by some 12-year-old dumbass, and will obviously refuse to use it..
Sounds like he's under a lot of stress. I wonder if there's something *outside* the realm of kernel development that's causing him to lose it.
If telephones are outlawed, then only outlaws will have telephones.
Why is this guy such a dick? It's like all his dependencies are broken and he can't link the nice part of his brain to the people around him...
"So if you see any, send them my love, and possibly puncture the
brake-lines on their car and put a little surprise in their coffee,
ok?"
I like the surprise in the coffee it. However the root cause of things like this coming up from time to time is the kernal design itself. It is an aspect of having a monolithic kernal, with all kinds of drivers inside it.
I have not met him, and since I am not a hacker I don't know if this is standard behaviour or not.
The only thing I would say, being an admirer and supporter of Linux and of him personally, is a Mexican saying: "lo cortes no quita lo valiente" (that loosely translated is "be brave, but be courteous").
IANAL but write like a drunk one.
Shouldn't we be welcoming RdRand with open arms? It's a mathematically proven high-quality random number generator that lets chips like Ivy Bridge & Haswell produce large amounts of true random data (not a simple PRNG data) at multi-gigabit speeds.
There are some excellent slides describing RdRand here: http://software.intel.com/en-us/tags/20757
I would strongly recommend using it wherever feasible as it is a great boon to security in Linux.
So is some AMD/ARM fanboy saying that it's not fair that AMD/ARM haven't bothered to implement RdRand yet so therefore nobody should be allowed to use it? How about we extend that logic to other pieces of hardware? Say, when AMD comes out with an improved GPU, let's say that Linux shouldn't support it because Intel doesn't have the same hardware.. fair is fair right?
AntiFA: An abbreviation for Anti First Amendment.
There was an incident a few years ago (that led to at least one subsystem maintainer resigning) where RdRand was used as the EXCLUSIVE entropy source for some items if it were present. http://cryptome.org/2013/07/intel-bed-nsa.htm - Matt Mackall resigned over it.
This is BAD.
If it is now merely feeding the pool as one of multiple sources, then it's OK. If anything is directly exposed to raw rdrand output, something is very wrong.
retrorocket.o not found, launch anyway?
torvold is becoming another Theo de Raadt. Such self-righteous attitude has no place when one is providing a public service, and it should not be supported. Does the society owes him that he can come out and blast anyone like that..
I call for a linux fork. We should start building a truly secure distribution and don't care too much about the whistles and bells. Is it feasible?
I didn't think God played dice.
why is a UK person using an American petition system, designed to allow American citizens an easy way to petition their government, to influence an internationally created, autonomous software project?
508 resource limit reached, so I can't read the petition. closed as wontfix sounds exactly right.
ARM SoC hardware designers world wide smile into their hand.
I am very small, utmostly microscopic.
So now Linus is advocating a closed source approach? Interesting turn of events. It would not surprise me if NSA has forced Linus to cooperate.
I have to admit I didn't know much about the controversy so I went and found some articles.
Here is an article showing some weaknesses in Linux's random generation: Analysis of the Linux Random Number Generator
As reported by Bruce Schneier for this Wired article: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
If you believe there's something broken in the kernel (or other open source project), you don't create a petition, you create and submit a patch. If you don't know enough or don't have the skills to create a patch, you're probably not qualified to criticize the implementation.
"Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge." -- Isaac Asimov
Can You Say Linux? I Knew That You Could.
Maintaining your own kernel tree over time is most certainly non-trivial by most peoples standards
Some people just had to complain about every-single-thing, even if it's downright inane.
Open source is just that, you can read the source of the programs, and with the source, you have the options to do the following :
1. Determine if the program has any backdoor / malware embedded
2. Change/alter the source to your own liking
3. Learn from the code and perhaps in a latter day you might be able to apply what you have learned in your own program (and I am not talking about cut and paste)
If all the above are STILL not good enough for you, the offerings from Apple and Microsoft are always available.
Muchas Gracias, Señor Edward Snowden !
I would first like to point out that if you really read this particular response, he was not as flaming as is being reported. Sounds like someone is exaggerating over a grudge. However...
Of all modern figures, Linus Torvalds is close to the top of my list of people who I respect and admire the most. His work has truly changed the world for the better. Can you imagine what things would be like if Linux had never happened? I shudder at the very notion. Regardless of this, Linus has in fact shown over the years that he can have an unreasonably short fuse. He is not RMS, but he's not far and when he does take a hard-line bad attitude stance, I sometimes fear that it is at the detriment of potential progress. Important, high profile maintainers have quit over the years due to his attitude, and it would be nice if he could be more diplomatic in those situations where he unnecessarily goes off like a stick of dynamite. I think there is a degree where his power has gone to his head. But as long as Linux keeps marching forward, I am happy enough with that.
Brought to you by Carl's Junior.
I'd like to think that, aside from emotion and arrogance, Linus wouldn't compromise the linux kernel in the ways that are being accused. They're suggesting that after 20 years of work, he'd allow questionably secure code for closed hardware into the kernel for increased random data creation? I understand the usefullness of increased entropy with what it has to offer, however I can't see him compromising principles for a seemingly small benefit, on a somewhat limited cpu set.
Granted we're dealing w/ basic cpu instruction here, but if we were seeing security concerns beyond the basic tenent of it being available and in kernel, I'd like to think the community would have spotted those by now. Am I wrong in that assessment?
That's some mighty fine editing there, Lou. FWIW, if that was copy/pasted from the original article, they've fixed it over there. Otherwise... wow.
Program Intellivision!
Linus Torvald referred to this file, before complaining about rdrand. 1. (Disclaimer) Going solely by the comments, he's very right. Used in conjunction with other entropy sources and a cryptographically secure hashing function, RdRand can only help with randomness. It's just another entropy source. The worst it can do is just not help. 2. This may be the coffee talking, but /drivers/char/random.c is a beautiful piece of code.
ARM chip designers view hardware as disposable. Why worry about software security updates when you are just going to replace the phone every 18 months?
Cursing about it on LKML is useless though. Linus should start a change.org petition to address this issue.
I'm wondering how clever it is for Linus to make statements like "So if you see any, send them my love, and possibly puncture the brake-lines on their car and put a little surprise in their coffee, ok?"
With stories of kids getting arrested and sent to jail for saying things like "I'm going to kill someone. Nah just kidding." he may be setting himself up for this. I can imagine U.S gov wanting to take that opportunity, with him being so prominent and open source operating systems possibly proving to be the only guaranteed escape from NSA eavesdropping.
Signature intentionally left blank.
While I respect your technical prowess and make great use of your work, every time you go off like this, you move a little further down the "crackpot" scale. You know, the one anchored firmly by RMS...
Instead of blowing a gasket, why not nicely suggest that a read of the source code will show that rdrand is just one of the entropy sources used, and it is used in such a way that it cannot compromise the end result. Vitriol is no way to go through life, son.
I'd read TMZ.
Man, I can't wait until the /. submitters discover Theo de Raadt.
If you were me, you'd be good lookin'. - six string samurai
Well the summary was apparently written with the authors testicles. It hurts my brain.
Law of News and Headlines #480261:
For any headline or teaser line in the form of a Yes/No question, the appropriate answer is ALWAYS "No"
There are other ways to generate random numbers if you need to do something secure. If you were say, getting a random number for a video game, I don't see any reason why you would care if intel subverted that in some way. I'm not a kernel developer, but it is my understanding that /dev/random does not rely entirely on rdrand. But I would imagine using rdrand is more efficient since it is built into the chip.
neorush
when steve jobs did it he was a monster beating up innocent geeks
I can understand both sides in the discussions, but... the following shifted my point of view entirely:
>> Ok. I still really despise the absolute incredible sh*t that is
>> non-discoverable buses, and I hope that ARM SoC hardware designers all
>> die in some incredibly painful accident. DT only does so much.
>>
>> So if you see any, send them my love, and possibly puncture the
>> brake-lines on their car and put a little surprise in their coffee,
>> ok?
Those paragraphs in Linus Trovald's response makes me think about the possibility of a needed psychological evaluation for him as he might be in a cognitive bias and can be also a candidate for an anger management program.
I believe one of the issues with this instruction as a source of random numbers is that the instruction whitens the output with no access to the raw entropy data. Any physical process that acts as an entropy source will have some (possibly small) biases - it won't necessarily appear to be completely random in particular ways.
This can be audited to see that the output conforms to the physical processes which are described.
If the instruction whitens the output through some algorithmic transform (e.g. hashing) to give apparently random numbers as output, there is no way to distinguish that from say encrypting a counter with a secret key - whose output will also appear to be random - but is trivially crackable if you know the secret key.
So it becomes an exercise in trust in Intel, rather than something which an be independently verified. There was a good comment on the cryptography mailing list about this - that it would be better to have hardware entropy sources, leaving the final steps of random number generation to software.
The NSA has apparently compromised random number hardware and software packages throughout the industry.
Could this be fixed by using an entropy server?
Suppose some group hosted a random number server. A verified source of true randomness which can be trusted by the reputation of the people involved, in the same way that we trust the people who make Tor, Mozilla, and linux.
It would be a single point of failure, but also a single point of defense. We could put all the best practices and best ideas of security into one place, by means of technology, software and legalities. It could be hosted in a privacy-friendly country, it could be monitored and defended by the EFF using legal means, it could use the best technology for generating randomness and have open and easily-inspected software and procedures.
To use the system, a client would:
This is slightly weak because the NSA could record the conversation and "simulate" the client computer to recover the generated keys, but doing this is much harder than cracking weak keys. In the server model the weak key is used once, instead of being used all the time. Also, simulating a computer (including nuances of software version and hardware quirks) is much harder than finding weak keys.
(To find weak keys, gather all the keys you can find and calculate GCD on pairs of keys. In practice, about 1 percent of all keys on the net have common factors. Most of these come from systems with low entropy - headless systems (routers, firewalls, servers) with no user interaction for randomness.)
In one action we could fix the security of much of the software used in the internet.
Any volunteers?
(I'd love to, but it has to be outside the US. I'll donate $1000 towards costs if the idea is viable.)
The first bit regarding RdRand was inappropriate/rude, but the second half regarding ARM SoC developers most was beyond inappropriate without a doubt. He suggests twice that they're worthy of death, suggests specific methods of murdering them. Here's the bit the submitter didn't include:
"So if you see any, send them my love, and possibly puncture the brake-lines on their car and put a little surprise in their coffee, ok?"
Linus went out of his way to be nasty and insulting; it is not necessary nor acceptable to treat others in such a way. This kind of behavior has come up before here on Slashdot, and it is still immature, abusive, and mean-spirited.
Linus is exploiting his social status to bully others and I'm tired of people making excuses for it, particularly because he's in a leadership position and serves as a role model to many. The Linux dev community needs to stand up to language and behavior like this, or otherwise the message to young/new programmers they can/should act this way if they're successful enough, and if they're the target of such nastiness, the community will accept and condone it.
In general, I'm tired of excuses being made for bullies simply because they're valuable. Linus is no different from the varsity football star who goes around slamming people into lockers; a gorilla beating his chest. Were you ever bullied as a kid in school? Do you have a child in school being bullied? Remember how it made you feel? Yeah.
Please help metamoderate.
Just the ones who put in non discoverable busses. So he got that one about right,
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Hey Linus,
Do us a favour and don't ever run for any public position.
P.S. You're an obnoxious asshole
It's not a "cop out" at all. The party that manages the code doesn't want to remove a feature that there's no logical reason to remove. The petition was one sentence, linked to no debate, made no points and didn't even attempt to negotiate. It could have said, "Do it, because we say so." and it would have been just as informative. I think you need to look up the definition of "cop out", because the petition creators could have actually done something useful, and didn't.
Okay then, lets fix this.
The NSA has compromised products and devices in the design phase - both software and hardware. We don't know which products are compromised or how, but we do know that some are.
Random number generators cannot be verified - it's a computationally infeasible problem. If the NSA has subtly tampered with a product, there's no way to tell from the outside looking in. You *might* be able to tell by looking at the generator source. (Note that the linux random number generator has at least one undocumented source of entropy.)
There is no reasonable way to look at the source code/microcode of the rdrand instruction.
Additionally, there is no way to verify the underlying source of randomness of the rdrand instruction. There could be vulnerabilities on the silicon die.
The whole point of open source is that people can peek at the software and see what's going on.
Since there is no way to inspect the random number generator and no way to verify it's operation, it should not be used by default.
It's a security risk, plain and simple, and risk management should be up to the user. However small the risk is, forcing everyone to take it multiplies the chance that someone will get burned by it.
Here's your logical argument. If Linus wants to debate this, let him address these issues. Linus needs to show the premises wrong, or that the conclusion doesn't follow from the premises.
If he can't, then he should abide by the recommendation.
The difference: God doesn't believe he's a kernel programmer.
Like Hans Reiser's Wife, eh?
I don't know anything about how RDRand works so this may be a stupid question, but would it be possible for someone to write a drop-in replacement for it?
Linus is the word for God on the lips and hearts of Linux users.
Seriously, guy gets adulated, now believes he's God.
What's new?
For hire.
he sounds like a fucking ass hat. Something beyond being reasonable must make up for him being a social disorder, does he send cute boxes of flowers to those committees he is pleased with? Is it all negative, unnecessary crap being spewed? If so, is there a dark retarded side to his followers, programmers taking pride in not being chastised by Linus?
"Linux Torvalds says something AGAIN that would get him fired from VIRTUALLY ANY COMPANY ON EARTH, and Slashdot fanbois rush to SUCK HIS DICK so hard it breaks".
Look... Linus is a super-genius that has accomplished more in half a lifetime than most of us will accomplish in our ENTIRE lifetime (and this is coming from someone who has 7 published tech books and an 8th on the way- an accomplishment that itself dwarves most other peoples', yet is almost nothing next to what Linus has done)... he is virtually always right when he says something technical and he deserves to be listened to on any technical topic he chooses to speak. His name will echo through the halls of technology history for decades to come, and rightly so. He deserves every accolade he gets.
Yet, with all of that being true, he's a socially-inept bully, plain and simple. If only he could solve that problem with clever algorithms and architectural knowledge, he'd probably be up for sainthood already. Instead, he embarrasses himself every time he opens his mouth in this way, and so do you if you defend him. Belittling people, even when they are completely, amazingly, HOPELESSLY wrong about something, is simply not acceptable.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
Let me traumatize you further by calling you a FUCKING IDIOT.
This should not even be a topic, if you don't like rdrand then remove it, or make it a module. If that's too much, then find a distro that does not use it. The dev's that are complaining about it perhaps should not be dev's, and maybe should look at becoming used car salesmen instead.
Aside from codename coincidence is there objective evidence RdRand is compromised?
Some degree of paranoia is healthy, certainly Eugen's stand against RdRand bypass of the entire entropy pool is sensible if for nothing else than to protect systems against any innocent defects which may exist in RdRand.
It is however difficult in the absence of supporting evidence to see how unbounded paranoia can be useful.
For all I know removing RdRand outright out of unsubstantiated fears is what the NSA is banking on.
Maybe you should seek professional help. That might be more useful than venting your frustrations here.
Or we have a strong indication that some Intel engineers thought it gives good entropy stream without overhead of /dev/random and available right from CPU power on.
Seriously now, may be we shall start McCarthy-like courts and excommunicate anyone we suspect of being NSA agent based on "well, he did some changes for reasons I don't know - must be malicious"? May be that's what they want, in fact - make everyone suspect and every change require a commision and a background check for the patch submitter until the system collapses in on itself and people come back to MS fold.
Not all of us are as excited as you about the politically correct world we increasingly find ourselves surrounded by.
There was a time when being mean-spirited towards people based on their religion, their language, or their skin color was deemed socially acceptable. Those days are long gone.
Now we're approaching an era when being mean-spirited towards people based on their incompetence or their ignorance is socially unacceptable. Pretty soon, it won't be acceptable to be mean-spirited towards anyone. Not idiots, not rapists, not murderers.
Some of us dread that day. Some of us see the argument that you set forth and want nothing more than to say "Fuck you, Nancy. Fuck you very much."
I'm tired of society bending those of us who are thick skinned and can handle hearing critical messages to the will of the weak. If you can't grow a pair and brush off offensive language, that's your problem. It's rather inconsiderate for you to burden the rest of us with your weakness.
Chuuch. Preach. Tabernacle.
Yes, RDRAND could do evil things. It could go play Towers of Hanoi when you execute it. It could Halt and Catch Fire. It could email your MAC address to the KGB. So could any other instruction, if Intel wanted to be malicious, just when you thought it was safe to go back in the register pool.
If the NSA has convinced Intel to do evil things with RDRAND, the most likely one would be to hand out low-quality entropy when claiming that it's high-quality. It's still useful, and like any entropy source, it shouldn't be the only entropy source you use, and you shouldn't use it without hashing it together with a bunch of other hopefully-not-broken entropy. But it's still useful, and as somebody said, the NSA isn't your only enemy.
Especially when you're starting up a machine (physical or virtual), you really need good entropy and you don't have a lot of sources available yet. If you don't trust RDRAND, or even if you do, hash it together with some secret password and the clock and whatever else you've got.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
When dealing with computers, spell things right. When dealing with people, don't insult them unless there's an unusual reason. When dealing with people who are wrong, all that you need to say is "You're wrong".
Let me spell this out for you. I'll use small words.
There is a style of humor where one says ridiculous things, with the understanding that these things are so patently ridiculous that the audience can understand that the things are not meant literally. Often, practitioners of this style of humor will go really over-the-top, mostly because this makes the joke funnier but also to make it crystal-clear that it's a joke.
This is one such example. If I genuinely thought Linus was setting up a murder on the ARM SOC designers, I would be concerned and upset. If I even thought there was a culture of fear and bullying, causing the ARM SOC designers to be unhappy, I'd be concerned. As it is, I was amused.
I suppose you were also upset over his trash-talking of CVS and Subversion in his Git lecture? "The problem with 'CVS done right' is that it leaves you nowhere to go... it's impossible to do CVS right." I think I laughed out loud at that one, but Nervous Nellies on /. were wringing their hands over this horrible hatefulness.
Let me predict your response. "Oh sure, the brake-cutting thing is a joke, but it's a mean, hurtful, hateful joke that will make people feel bad." I have to disagree. It's so wildly disproportionate that it's impossible for anyone to take it seriously, and I can't believe the ARM SOC designers are going to really worry about it.
Also, even with over-the-top dark humor, there are lines one doesn't cross; and Linus hasn't crossed those. It is not funny to joke about murdering or raping someone's family, for example; it's not funny to make jokes that remind people of horrible real-world atrocities; it's not funny to use offensive epithets related to race, etc. Linus didn't go there.
Also, if one or more of the ARM SOC designers were to trash-talk Linus back, he wouldn't get all bent out of shape about it; he'd be amused. (The Linux kernel is nontrivial, therefore it has some dark corners that are ugly. Someone could poke fun at Linus over those.)
Now if you will pardon me, I need to get back to work. Some of these bugs are so bad I'm going to hunt down the coders and remove their livers with a rusty spoon.
Were you ever bullied as a kid in school? Do you have a child in school being bullied? Remember how it made you feel? Yeah.
I was bullied sometimes. Mostly it was words but it got physical at times. Not a fond memory.
This is not remotely similar.
Check out the code names.
Kind of hard to believe Intel could be coerced into including a sneaky key into their hardware.
Either trust it - or use something else.
All your ghosts are just false positives.
...there's bigger issues at[sic] foot with things like microcode.
RDRAND is the bigger issue because trying to validate RNG output is essentially impossible. OTOH, most other types of CPU output are easily verifiable and any accidental triggering (easy to do in a general-purpose part put into thousands of different configurations and applications) of surreptitious behavior in some CPUs would eventually happen under the watch of people who know how to detect and single-out discrepencies (i.e. there's too high a risk that other types of tampering would show, especially when most environments are bound to have significant numbers of both compromised and non-compromised CPUs).
AES belongs in the verifiable category: Give different AES implementations the same (random-seeded) input, and you should get identical output. Its nothing like random number harvesting in that regard.
I agree with Linus' take that XOR'ing RDRAND with the rest doesn't compromise the kernel's random output--it can only push it toward more randomness, not less-- though relying on one reasonable assumption: That the chipset is not rigged somehow to reduce the randomness of the timings of data flows. I believe there is very little room for tampering here (after all, it would not do to cause large delays or even screw-up data in the process) and the difference in the raw data's quality should be detectable.
If it is now merely feeding the pool as one of multiple sources, then it's OK. If anything is directly exposed to raw rdrand output, something is very wrong.
That's exactly right. Even if the hardware RdRand has a "work reduction factor" built in, i.e. it's not as random as it seems to be, there's some randomness there, and it can be fed into the entropy pool along with other sources of randomness.
Randomness sources inside deterministic computers are scarce. Disk timing, clock jitter, network arrival times, etc. are useful, but generate random bits at a low rate. Thus, "/dev/random" will block if not enough random bits are currently available. This usually isn't a problem, but if every TCP connection you open is SSL and you need random bits for key generation, the supply could run out. If, say, you wanted to fill a DVD with random bits for a one-time key system, /dev/random would probably be a bottleneck. Is Torvalds making that argument?
There's another application of randomness. The only known theoretically unbreakable cryptosystem is a one-time key system where 1) the keys are truly random and 2) are used only once, 3) then destroyed. One time key systems have been broken in practice due to violations of each of those rules. Venona violated rule 1 and 2, and there have been spy cases where the spy hadn't destroyed their keying material when captured.
A reasonable cryptosystem is to make two identical DVDs of random bits. Each party has a DVD, and they can communicate as many bits as they have random bits in common. This is a pain, but it works. Such systems are used by the US for embassy-to-capital links. In the paper-tape era, this was a huge pain, but a DVD can store enough data for a thousand hours of phone calls.
Any reduction in randomness in a one-time key system makes it very vulnerable. It doesn't take much to provide an entry into the cypher.
You need to spend more time with a dictionary.
1. Random numbers exist in theory not reality. 2. Given #1 We settle for "sufficiently" random. 3. Our tools for #2 are predictable, given the method and parameters at time of generation, we only need to corrupt or derive the seed. 4. Given #3 we either use the tool that creates #2 or we create one that is as "good" as #2. 5. Some idiot who believes #2 or #4 is an infallable solution needs to relearn statistics and probablity and rethink #1. (The answer is 42) All "random" generation systems can be corrupted into predictability. The fact that a CPU instruction can be subverted through design or microcode does not negate "good enough".
Just the ones who put in non discoverable busses. So he got that one about right,
If you follow the thread a bit you'll find some reasonable explanation why we have non-discoverable buses. The vast majority of sensors and devices use stuff like I2C and SPI, which simply does not support discovery and never will. It has nothing to do with ARM SoC.
The whole point of a SoC is to as cheaply as possible make a system that does one particular thing and make it as small and power-stingy as possible. Every system is by definition a custom one-off. It will have random I2C devices on random pins, and a bunch of magic arbitrary GPIOs that control stuff.
So.. some comments say that we can't know for sure if RdRand is flawed because NSA could tell Intel to do it etc... but can't we really? There are standard methods for checking if RNG is working OK or not.. the most simple one is to run a huge number of tests and see if the result is uniformly distributed. Surely it would be hard to see the actual implementation on hardware level but we don't need to see it.. we only need to know if it is statistically random. What am I missing? See also http://en.wikipedia.org/wiki/Randomness_test, http://en.wikipedia.org/wiki/Diehard_tests
Now we're approaching an era when being mean-spirited towards people based on their incompetence or their ignorance is socially unacceptable.
I think we've been in an era for a long time where it is inappropriate to wish others dead simply because they design computer hardware in a way that you don't like. Designing embedded computers in a way that is appropriate for embedded computers but not desktop systems is neither ignorant nor incompetent, per se. To paraphrase so many of the posters here regarding RdRand, "if you don't like that hardware, don't use it."
Your desire to classify this as simply "being mean spirited" is the era we do not want to approach. Refraining from wishing others dead "in painful ways" is hardly political correctness, especially when the reason you want them dead is a disagreement over a CPU design. It's called basic human decency, and it will, I hope, never disappear no matter how much you'd like it to.
People who "dread that day" are probably just mean spirited bullies themselves. There is absolutely no reason to be "mean spirited" to any person at any time. Conflicts should always be handled in a professional manner. Once you start dehumanizing people, even in return for horrific dehumanization of others, you chip away at your own humanity. Dehumanizing someone for simply having a difference of opinion on how to design computer hardware is a sign of a frightening decline into sociopathy.
Being concise, efficient and most especially professional in the face of those who are not does not mean suffering fools and it's quite disingenuous to clam otherwise. It simply means not being a petty, insulting git. I hope the day never comes when your attitude becomes dominant because it means we will have lost a great deal as a civilization.
Maintaining your own kernel tree over time is most certainly non-trivial by most peoples standards
Some people just had to complain about every-single-thing, even if it's downright inane.
Open source is just that, you can read the source of the programs, and with the source, you have the options to do the following :
1. Determine if the program has any backdoor / malware embedded
2. Change/alter the source to your own liking
3. Learn from the code and perhaps in a latter day you might be able to apply what you have learned in your own program (and I am not talking about cut and paste)
If all the above are STILL not good enough for you, the offerings from Apple and Microsoft are always available.
So every user should have the knowledge and ability to edit and recompile their own copy of their OS? So much for 2013/14 being the Year of *nix on the desktop
When I came out of my mother's womb I didn't know how to code, and I believe the vast majority of those who have contributed to the Linux kernel didn't know how to code when they came out of their respective mother's wombs, either.
But unlike the FREELOADERS who assume that OTHERS MUST DO EVERYTHING FOR THEM FOR FREE, those Linux Kernel developers, along with many others who have contributed to other FOSS projects, decide that the life of freeloading ain't that satisfying, and they invested part of their valuable lifetimes to learn how to code.
If you feel like others must serve your wish, Sir, so that you can get to enjoy EVERYTHING for no charge, please get a good look at yourself at the mirror.
Instead of being freeloaders, get the fuck up from that comfy lazyboy of yours and start doing something useful, for a change !
That Linus is a bully is a well documented.
Also, even with over-the-top dark humor, there are lines one doesn't cross; and Linus hasn't crossed those. It is not funny to joke about murdering or raping someone's family, for example; it's not funny to make jokes that remind people of horrible real-world atrocities; it's not funny to use offensive epithets related to race, etc. Linus didn't go there.
Also, you are a hypocrite. You have some sort of totally subjective "line" where you will suddenly be offended, but that other people may have different lines is totally lost on you. You're like those people who claim to find a comedian incredibly funny all the time until they have a joke that hits their own pet weakness then all of a sudden that comedian isn't funny anymore. Yep. Hypocrite. Your opinion is invalid until you can reconcile that and get back to us with an apology and an explanation of how you have altered your opinion to no longer be a hypocrite.
But attacking ARM SoC makers wasn't an attack on ignorance or stupidity. He's just annoyed because their design isn't the design he'd prefer to have. He wants these ARM boards to be like PCs with a big system style rather than the chaotic world of embedded systems and SoCs. The outburst is more of a sign that Linus is over stressed and needs a long vacation (or retirement) rather than someone doing something stupid that needed to be pointed out.
It also means that many people who would otherwise want to port Linux and contribute to it might head off to platforms like NetBSD instead. A willingness to endure abuse may be a requirement as a side show act but it shouldn't be necessary to participate in open source development.
Troll or astroturfer?
The first couple of times this post appeared, I was willing to give the poster the benefit of the doubt. (Disagreeing with me isn't proof of anything, except, occasionally, common sense.) But essentially the same post has now repeated several times.
I'm beginning to tilt towards astroturfer.
I think we've pushed this "anyone can grow up to be president" thing too far.
Perhaps some BSD derivative might be more appropriate. The impression I got (admittedly, I'm full of ignorance on the subject) is that Linus though the ARM SoC designers were intentionally designing systems to be incompatible. Perhaps I'm wrong?
OTOH, various past experiences have prepared me to believe that LOTS of companies want to set up a walled garden, and want someone else to provide the software to make it work. I have scant sympathy for any misfortune that happens to someone like that.
I think we've pushed this "anyone can grow up to be president" thing too far.
Dear Linus,
Go fucking die in a fire you arrogant piece of shit.
PS - Thx for linux!
Most embedded systems are not designed to be compatible with each other, that's true. But that's also normal. They're not being built as general purpose computers. Not that they're intentionally incompatible but because there's no need to be compatible.
I have used Linux personally and professionally since 1996. I have immense respect for Linus and his amazing operating system.
Because I have a lot of experience with the innards of operating systems, last year I began a personal project to [re]develop a small part of TCP/IP that has been excluded from the network stack, with the idea of convincing the Linux folks to merge this bit of code back into the stack.
However, after seeing numerous reports of Linus' behavior, I ditched the project and decided to go into ham radio instead. I don't need anyone screaming at me, irrespective of the quality of the code produced.
The ham radio community is generous with their time and knowledge and I haven't met the first screamer.
Circle the wagons and fire inward. Entropy increases without bounds.
Nice guy.
Some people contribute to the world in ways other than Linux kernel development.
Stop being a coder snob.
Just because it CAN be done, doesn't mean it should!
Not to mention that Linux runs on more types of hardware than any other O/S kernel.
Linux also dominates the embedded, mobile, & server markets.
If you count actual instances of Linux installed across all devices, then Linux is more more mainstream than all the other O/S's put together!
So how is Linux _NOT_ mainstream?
It simply means not being a petty, insulting git.
Linus named his source control program "git", was it in "honor" of himself?
Just because it CAN be done, doesn't mean it should!
But this means it needs a custom kernel so adds complexity to an open source kernel like Linux when it has to work on a million different ARM based chips with undiscoverable busses.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Yes, it was:
Quoting Linus: "I'm an egotistical bastard, and I name all my projects after myself. First 'Linux', now 'Git'".
Chuuch. Preach. Tabernacle.
I think we've been in an era for a long time where it is inappropriate to wish others dead simply because they design computer hardware in a way that you don't like.
Die in a fire.
Chuuch. Preach. Tabernacle.
There is absolutely no reason to be "mean spirited" to any person at any time.
Die in a fire.
Chuuch. Preach. Tabernacle.
I agree with all of your points regarding the ARM SoC issue, but regarding the RdRand issue Linus was spot on.
However, my point wasn't so much about Linus being justified in his actions or not. It was about society becoming emasculated.
The other two replies to my comment really highlight this fact; overly sensitive people whining about how something is "inappropriate" or appealing to "basic human decency" or calling out "mean spirited bullies" or fretting about "dehumanizing people". Our ever-more-comfortable society has led us to become so far removed from natural existence that talk like this has become commonplace. People feel butthurt about Linus calling people names as though it's some crime against humanity, forgetting about the existence of things like sex slavery, wars, or genocide.
All I'm saying is (and this isn't directed towards you, Darinbob): if Linus's rants hurt your feelings, I hope you never have to feel real pain. It would crush you.
Chuuch. Preach. Tabernacle.
California (and probably many other states as well) allow the [i]public[/i] to create and present to the voters, laws which the legislature never considers. Many such laws have been passed. The end result is a few good laws get passed, tens of millions of dollars get spent on elections, and many laws get passed, overturned by courts, and otherwise just don't work.
While Linus may or may not be arbitrary, may or may not be obnoxious, may or may not be overbearing, he almost certainly knows more about the subject and it's viability than people who come across and sign a petition on change.org withoout taking the time to fully understand it.
Randomness is a resource, you have to obtain it from somewhere. CPUs are explicitly designed to -Not- be random, in operation. To use a CPU to generate a number, is not something that should be depended upon to be random.
A real random number generally requires separate hardware, such as noise from a stressed diode.
That said, if a program wants to use a documented instruction it should be able to. If you want good crypto just don't use that instruction. It is not the job of an OS to prevent programs from running.