I guess I wasn't clear, but I was saying apps can have two stacks, one stack for return addresses and one for parameters. Even if you clobber the parameter stack, you won't clobber the return address stack without the CPU detecting it automatically.
Why I said one stack for program counters: In loose terms, for a subroutine call the cpu pushes the value of the program counter onto the stack, and then changes the program counter to the new address. The return command just pops the program counter off the stack, and execution continues from there.
Visual studio and GCC have stuff like canaries, BUT they slow things down. I'm saying that with hardware support they shouldn't slow things down, or at least not much for most circumstances.
And it wouldn't be a drastic change - only new code needs to use the new features. Old code can still behave the same way and be vulnerable. It's just like SSE, SSE2 and so on - e.g. you need to use the new pop and push commands to get the hardware assisted checksumming behaviour. No SSE2? Fallback to x87 style calculations.
Reference parameters should be much better - since you'd have fewer bytes to check than if you had to checksum 1 kilobyte of parameters to see if they had been tampered with.
A possible advantage of keeping the stacks separate is if the CPU can assume that the stack only contains return addresses it could make it easier for the CPU speculative stuff to predict where the code path is going to be and issue the fetches etc.
Maybe one could even do something like Perl's taint mode but in hardware. So the CPU might _never_ execute anything that's tainted - you'd have to explicitly untaint it. Not sure if that really could be done though;).
Sure some attacks will still be possible, there'll always be attacks, but the current situation is a lot worse than it could be.
Sure, there'll always be a place for unsafe languages but most programmers shouldn't be using C++ (or C) - there's plenty of evidence that they obviously don't know how to write safe C++. Just look at Bugtraq every day.
As for the raw bytes, fine for my code to get turned into instructions, but not fine for an attacker's arbitrary _data_ to somehow being treated as raw instructions.
Why is it _still_ so common for function parameters/data to be pushed onto stacks that are also used for program counters (return addresses)? It's a stupid idea for modern computers - bad hygiene (poorly controlled mixing of code and data).
For better security such "local parameters and data" should be placed on a separate stack. When you call a sub with parameters, you push the parameters to the parameter stack and then push your return address to the normal stack and call as normal, the called sub can then pop the parameters from the parameter stack.
Even if a programmer screws up, you just get wrong data going to the wrong function BUT you are lot less likely to get arbitrary data being executed (return to "data" etc).
Sure sometimes you pass an address of a function to another function for performance/flexibility reasons (instead of an index/handle to a list of allowed functions) but really that shouldn't be the norm and so could be made a lot more difficult to exploit.
If Intel and AMD were interested in making things more secure they could create separate parameter/data stack registers and instructions for such a purpose.
Perhaps they should also allow quick tamper checks of function parameters. A function expecting parameters A and B of length X and Y could do a "startpop <some number>" and then "pop+sum" parameters off the parameter stack and then pop the checksum and halt if things don't match up.
After all their transistors aren't getting much faster, just more plentiful. They are running out of ways to use transistors meaningfully - they've added MMX, SSE2, AMD64/EMT64 etc, so why not make the easy exploits harder?
Uh if that happens then the language used is obviously unsafe.
Next you'll be telling me it's not the fault of a computer system (O/S + hardware) if user A's processes can change the memory contents of user B's processes, and it's actually a problem in the application... Who wants to do cooperative multitasking and memory management nowadays?
Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit? Sure there should be an error and things could go wrong (e.g. program dies with exception and stack trace). But to do it the C/C++ way should be considered _unacceptable_ nowadays.
I said plain html - make it easier for search engines to index meaningfully AND for people to use. Most companies shouldn't be having all those silly flash + javascript pages - they aren't in the entertainment or ad industry and shouldn't pretend they are. Craigslist seems to be doing ok for all that "ugliness".
But if you want to generate static html pages from a DB hey that's not that bad an idea. Might actually work quite well if you can store the "Last Modified" times of the files/data in the db and restore them correctly. Lots of webservers are very good at serving up static files. Could keep multiple copies around and use a symlink to point to the version you want.
After all, as I mentioned - it's not as if many companies (even the big ones) get their own site search engines right. So they might as well just embed a google search form and use it as their site search.
Uh what makes you think OpenOffice isn't as bug ridden if not more so? AFAIK it crashes often enough that I _know_ it is bug ridden AND _will_ also have exploitable bugs.
In fact, people say some of those demo docs crash OpenOffice too.
Uh, a dangerous file is still a dangerous file whether it comes from a stranger or someone you know. It's not like you can only catch diseases from strangers;).
Macs are not more secure by design, so if everyone bought a mac, their computers would be worm infested spam spreading zombies in no time. If you are a Mac user and you want to be safe, stay a minority.
A safe way to open a suspicious file is to use a different pristine machine and reimage that machine after that. Virtual machines might be ok but there is still a chance of "breaking out" if there's a bug in the virtualization system.
Whoopee OpenOffice is getting more and more compatible with MS Office by the day...;)
But as long as people write most of their complex stuff in C or C++ this will keep happening.
People should switch to programming languages and frameworks that just won't run "arbitrary code of an attacker's choice" when something exceptional occurs.
After all these decades aren't there any easy to learn, safe and fast programming languages?
And maybe some (not all) blogs should be ranked higher because more people find what they say about those businesses more interesting and useful than what those businesses say about themselves.
If I want to find contact information and other objective information (menus, product/price lists) for the business then I'll try their website first, but if I'm wondering whether to do business with them, frankly their website is secondary.
Even if I'm looking for docs on a particular product I don't bother with starting from their website, I start with google - most corporate website search engines are crap - for example you get lots of useless PR releases bullshit instead of actual tech specs or drivers. They should just put all their pages in plain HTML where search engines can index them. But I guess someone has to waste lots of company money on paying expensive "web designers" to charge megabucks just to create all that crap and slap on a useless search engine.
I mean who cares what "Divinci's Pizza" says about their pizza? Who even cares about Divinci's pictures of their pizza? A blogger's recent opinion and pictures of their pizzas, restaurant etc would be far more interesting for someone trying to figure out whether Divinci is worth a try.
If Google starts to rank businesses higher just because businesses pay them AND[1] Google's searches become less useful to me, I'll just switch search engines. Same goes if it's bloggers or whoever else instead.
[1] If McDonald's wants to pay 10 million USD to Google a year just to be top ranked for "McDonald's Corporation" go ahead - I don't think it will make my search results less useful.
I wish there were even half that amount of competition and innovation in the furniture sector.
It's been bugging me for years that you can't get a good chair for a reasonable price (compared to the progress in the high tech sector). One with an adjustable back to seat angle, adjustable overall tilt angle and adjustable height from floor. With decent padding and shape so you don't get pressure sores, and it actually feels comfortable sitting in it.
I mean it takes how long before you get people to figure out that sitting up straight isn't that good for your back? Sitting up straight, or in those common but crappy chairs sure didn't feel good to me. And it's not even the furniture industry that was interested to find out:
Seems lots of people don't know the difference between "Serving and Worshipping Money" and having Money serve them.
Maybe many of the 24 or so craiglist bunch know the difference.
There are people who end up super rich because what they like is making yet more money. But there are also people who end up super rich just by doing what they like even if it's not about making more money.
If you like to make people happy and they give you lots of money in return, and most other people don't mind and won't mind, except Fanatic Worshippers and High Priests of the Money God, it's hard to see what you are doing wrong.
People say WoW addicts have no life, how about those who worship and serve Money?
"I agree. This is a big problem for larger companies that want maximum performance, but don't have that much data. They stripe 8, 16, 32 drives, and it's a pain in the wrist to find someone that can sell small enough drives so that you don't massively overshoot the space requirements."
Huh? That's silly. Why can't they use 32 large capacity drives? Should work better than striping 32 low capacity ones. They using crappy hardware?
The seek times will go down esp if the drives are so large that the data ends up only on one track/cylinder on each drive;).
If you want some limits and predictability you can always make small partitions on each drive. If you have crappy hardware or O/S, many cheap high capacity drives can be made to appear like 32GB drives with a jumper setting.
If those companies really have that much money they can use drives based on nonvolatile RAM.
An organism has an advantage if can create a model of its environment, predict outcomes and make a good choice.
And that's where brains/minds come in. I suggest that brains are not so much neural networks that do fancy pattern matching etc, but more of systems that model stuff.
When brains start needing to model brains including themselves that's where things get interesting. If brains start to try to model a Creator that could get even more interesting;).
There seem to be many ways where quantum physics/computing could help make better modelling systems, but whether they are used at all is a good question.
Seems like people have neurons for all sorts of stuff - someone could have a single neuron that fires wildly when thinking of a very specific thing - but why and how does it realize it is time to fire? It's like you have 100 billion neurons playing Bingo or checking their lottery tickets, and the winners spit out numbers which are then sent to the "big screen" for everyone to check - and the whole cycle repeats.
Now if you could do many of these "contests" in parallel via quantum computing one can see how that would be an advantage, but is this what happens?
"Irschick et al. (1996) showed that two front feet of a tokay gecko (Gekko gecko) produced 20.1 N of force parallel to the surface with 227 mm2 of pad area".
So a pad area of 15mm x 15mm can hold about 2kg. So a pad area of 10cm x 10cm ( 4" x 4") should be able to hold about 90 to 100kg (200-220 pounds). Attaching four pads each of that area to a human doesn't seem like a big problem, and should provide a fair safety margin.
That's of course assuming the synthetic gecko pad performs as well as the tokay's.
As for surfaces not being able to hold your weight, that's what the brain is for;).
Note: Geckos have much better terminal velocity to "splat" velocity ratios than humans. That part of the scaling is more of a concern:p.
Nowadays you can make do with a decent PC and perhaps a midi keyboard or two. Decent mikes, A/D recorders, other equipment (mixer) and more instruments could be better of course.
But if you are a Mozart or Beethoven, you'd just need a PC, some software and nothing much else.
1) I'm sure humans are adaptable and can figure things out- you don't have to fasten the sticky bits to the feet and hands y'know. Especially when humans are likely to want to have their hands and fingers free to manipulate stuff - opening/fixing stuff or answering the phone and checking email 100 metres up in the air;).
Also if the sticky bits are at the knee/shins and not the feet, you could hang by the forearm pads and then peel off+use the feet to jump at the same time. Harder to do that if the sticky bits were at the feet (you could have sticky bits at the feet just not as sticky).
2) There are quite a number of people with accidentally shortened legs, might be good fun for them:).
It doesn't scale? I've pulled geckos off walls and stuff (even when they die of old age/etc they still stay stuck), and they sure stick pretty well, so given the surface area of a fair number of gecko feet, I'm not sure why that wouldn't hold up a human - at least a not too obese one (an obese tummy might get in the way of wall crawling too;) ).
I use KDE, not everything is restored, and it's not always restored in the right order too - I prefer to have stuff in the same place on the taskbar.
Which is why I find KDE's method of ordering tasks on the taskbar quite annoying (I submitted a bug but the KDE devs don't seem to care):
[1] If you have a double height taskbar, the tasks are ordered vertically then horizontally. The problem with that is if you remove or insert a task, ALL tasks AFTER that task will change vertical position.
Windows orders tasks horizontally then vertically, which is much better since only the rightmost and leftmost tasks change position.
I can keep track of 20+ tasks as long as KDE doesn't keep moving them around (if you click on the calendar all the tasks get repositioned yet again).
OK looks like they changed stuff - it now sends my browser to an html-only version. It never used to do that when I first used gmail which was two years ago, so I pretty much gave up on it.
I guess I wasn't clear, but I was saying apps can have two stacks, one stack for return addresses and one for parameters. Even if you clobber the parameter stack, you won't clobber the return address stack without the CPU detecting it automatically.
;).
Why I said one stack for program counters: In loose terms, for a subroutine call the cpu pushes the value of the program counter onto the stack, and then changes the program counter to the new address. The return command just pops the program counter off the stack, and execution continues from there.
Visual studio and GCC have stuff like canaries, BUT they slow things down. I'm saying that with hardware support they shouldn't slow things down, or at least not much for most circumstances.
And it wouldn't be a drastic change - only new code needs to use the new features. Old code can still behave the same way and be vulnerable. It's just like SSE, SSE2 and so on - e.g. you need to use the new pop and push commands to get the hardware assisted checksumming behaviour. No SSE2? Fallback to x87 style calculations.
Reference parameters should be much better - since you'd have fewer bytes to check than if you had to checksum 1 kilobyte of parameters to see if they had been tampered with.
A possible advantage of keeping the stacks separate is if the CPU can assume that the stack only contains return addresses it could make it easier for the CPU speculative stuff to predict where the code path is going to be and issue the fetches etc.
Maybe one could even do something like Perl's taint mode but in hardware. So the CPU might _never_ execute anything that's tainted - you'd have to explicitly untaint it. Not sure if that really could be done though
Sure some attacks will still be possible, there'll always be attacks, but the current situation is a lot worse than it could be.
Sure, there'll always be a place for unsafe languages but most programmers shouldn't be using C++ (or C) - there's plenty of evidence that they obviously don't know how to write safe C++. Just look at Bugtraq every day.
As for the raw bytes, fine for my code to get turned into instructions, but not fine for an attacker's arbitrary _data_ to somehow being treated as raw instructions.
Why is it _still_ so common for function parameters/data to be pushed onto stacks that are also used for program counters (return addresses)? It's a stupid idea for modern computers - bad hygiene (poorly controlled mixing of code and data).
For better security such "local parameters and data" should be placed on a separate stack. When you call a sub with parameters, you push the parameters to the parameter stack and then push your return address to the normal stack and call as normal, the called sub can then pop the parameters from the parameter stack.
Even if a programmer screws up, you just get wrong data going to the wrong function BUT you are lot less likely to get arbitrary data being executed (return to "data" etc).
Sure sometimes you pass an address of a function to another function for performance/flexibility reasons (instead of an index/handle to a list of allowed functions) but really that shouldn't be the norm and so could be made a lot more difficult to exploit.
If Intel and AMD were interested in making things more secure they could create separate parameter/data stack registers and instructions for such a purpose.
Perhaps they should also allow quick tamper checks of function parameters. A function expecting parameters A and B of length X and Y could do a "startpop <some number>" and then "pop+sum" parameters off the parameter stack and then pop the checksum and halt if things don't match up.
After all their transistors aren't getting much faster, just more plentiful. They are running out of ways to use transistors meaningfully -
they've added MMX, SSE2, AMD64/EMT64 etc, so why not make the easy exploits harder?
Uh if that happens then the language used is obviously unsafe.
Next you'll be telling me it's not the fault of a computer system (O/S + hardware) if user A's processes can change the memory contents of user B's processes, and it's actually a problem in the application... Who wants to do cooperative multitasking and memory management nowadays?
Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit? Sure there should be an error and things could go wrong (e.g. program dies with exception and stack trace). But to do it the C/C++ way should be considered _unacceptable_ nowadays.
I said plain html - make it easier for search engines to index meaningfully AND for people to use. Most companies shouldn't be having all those silly flash + javascript pages - they aren't in the entertainment or ad industry and shouldn't pretend they are. Craigslist seems to be doing ok for all that "ugliness".
But if you want to generate static html pages from a DB hey that's not that bad an idea. Might actually work quite well if you can store the "Last Modified" times of the files/data in the db and restore them correctly. Lots of webservers are very good at serving up static files. Could keep multiple copies around and use a symlink to point to the version you want.
After all, as I mentioned - it's not as if many companies (even the big ones) get their own site search engines right. So they might as well just embed a google search form and use it as their site search.
Uh what makes you think OpenOffice isn't as bug ridden if not more so? AFAIK it crashes often enough that I _know_ it is bug ridden AND _will_ also have exploitable bugs.
In fact, people say some of those demo docs crash OpenOffice too.
Uh, a dangerous file is still a dangerous file whether it comes from a stranger or someone you know. It's not like you can only catch diseases from strangers ;).
Macs are not more secure by design, so if everyone bought a mac, their computers would be worm infested spam spreading zombies in no time. If you are a Mac user and you want to be safe, stay a minority.
A safe way to open a suspicious file is to use a different pristine machine and reimage that machine after that. Virtual machines might be ok but there is still a chance of "breaking out" if there's a bug in the virtualization system.
Whoopee OpenOffice is getting more and more compatible with MS Office by the day... ;)
But as long as people write most of their complex stuff in C or C++ this will keep happening.
People should switch to programming languages and frameworks that just won't run "arbitrary code of an attacker's choice" when something exceptional occurs.
After all these decades aren't there any easy to learn, safe and fast programming languages?
So it's not the sig, but what you put in the url field? In your case: http://www.pineight.com/lj/
It'll be interesting to see how dynamic it can be - e.g. when you change it to something else, after making lots of posts.
And maybe some (not all) blogs should be ranked higher because more people find what they say about those businesses more interesting and useful than what those businesses say about themselves.
If I want to find contact information and other objective information (menus, product/price lists) for the business then I'll try their website first, but if I'm wondering whether to do business with them, frankly their website is secondary.
Even if I'm looking for docs on a particular product I don't bother with starting from their website, I start with google - most corporate website search engines are crap - for example you get lots of useless PR releases bullshit instead of actual tech specs or drivers. They should just put all their pages in plain HTML where search engines can index them. But I guess someone has to waste lots of company money on paying expensive "web designers" to charge megabucks just to create all that crap and slap on a useless search engine.
I mean who cares what "Divinci's Pizza" says about their pizza? Who even cares about Divinci's pictures of their pizza? A blogger's recent opinion and pictures of their pizzas, restaurant etc would be far more interesting for someone trying to figure out whether Divinci is worth a try.
If Google starts to rank businesses higher just because businesses pay them AND[1] Google's searches become less useful to me, I'll just switch search engines. Same goes if it's bloggers or whoever else instead.
[1] If McDonald's wants to pay 10 million USD to Google a year just to be top ranked for "McDonald's Corporation" go ahead - I don't think it will make my search results less useful.
The game showed promise, but the engine was crap it was really sluggish for the low quality graphics it produced.
PvP had some problems because with some video drivers the marines could still see Predators even when they where cloaked and standing still.
Was not too bad in the end I guess, but could have been a lot better. Hope they do another one that's much better.
"as much competition as other high-tech sectors"
7 /sit-posture.htmls +chair+back&ie=UTF-8&oe=UTF-8&sa=N&tab=wn
;).
I wish there were even half that amount of competition and innovation in the furniture sector.
It's been bugging me for years that you can't get a good chair for a reasonable price (compared to the progress in the high tech sector). One with an adjustable back to seat angle, adjustable overall tilt angle and adjustable height from floor. With decent padding and shape so you don't get pressure sores, and it actually feels comfortable sitting in it.
I mean it takes how long before you get people to figure out that sitting up straight isn't that good for your back? Sitting up straight, or in those common but crappy chairs sure didn't feel good to me. And it's not even the furniture industry that was interested to find out:
http://www.cbc.ca/canada/edmonton/story/2006/11/2
http://news.google.com.my/news?hl=en&q=135+degree
I guess someone in the USA may now start to sue the furniture makers for damaging them, just like the tobacco industry
Seems lots of people don't know the difference between "Serving and Worshipping Money" and having Money serve them.
Maybe many of the 24 or so craiglist bunch know the difference.
There are people who end up super rich because what they like is making yet more money.
But there are also people who end up super rich just by doing what they like even if it's not about making more money.
If you like to make people happy and they give you lots of money in return, and most other people don't mind and won't mind, except Fanatic Worshippers and High Priests of the Money God, it's hard to see what you are doing wrong.
People say WoW addicts have no life, how about those who worship and serve Money?
"I agree. This is a big problem for larger companies that want maximum performance, but don't have that much data. They stripe 8, 16, 32 drives, and it's a pain in the wrist to find someone that can sell small enough drives so that you don't massively overshoot the space requirements."
;).
Huh? That's silly. Why can't they use 32 large capacity drives? Should work better than striping 32 low capacity ones. They using crappy hardware?
The seek times will go down esp if the drives are so large that the data ends up only on one track/cylinder on each drive
If you want some limits and predictability you can always make small partitions on each drive. If you have crappy hardware or O/S, many cheap high capacity drives can be made to appear like 32GB drives with a jumper setting.
If those companies really have that much money they can use drives based on nonvolatile RAM.
That drive can't transfer at 300MB/sec. Should be more like 60-70MB/sec.
You want faster you have to go 15000rpm SCSI or RAID.
Current flash drives are quite slow though, not sure why.
An organism has an advantage if can create a model of its environment, predict outcomes and make a good choice.
;).
And that's where brains/minds come in. I suggest that brains are not so much neural networks that do fancy pattern matching etc, but more of systems that model stuff.
When brains start needing to model brains including themselves that's where things get interesting. If brains start to try to model a Creator that could get even more interesting
There seem to be many ways where quantum physics/computing could help make better modelling systems, but whether they are used at all is a good question.
Seems like people have neurons for all sorts of stuff - someone could have a single neuron that fires wildly when thinking of a very specific thing - but why and how does it realize it is time to fire? It's like you have 100 billion neurons playing Bingo or checking their lottery tickets, and the winners spit out numbers which are then sent to the "big screen" for everyone to check - and the whole cycle repeats.
Now if you could do many of these "contests" in parallel via quantum computing one can see how that would be an advantage, but is this what happens?
Well that applied to the Sony rootkit thing too. So what happened?
In contrast that silly UK guy is going to get deported to the US because he was looking for UFOs by getting into US Gov machines without permission.
"Irschick et al. (1996) showed that two front feet of a tokay gecko (Gekko gecko) produced 20.1 N of force parallel to the surface with 227 mm2 of pad area".
;).
:p.
So a pad area of 15mm x 15mm can hold about 2kg. So a pad area of 10cm x 10cm ( 4" x 4") should be able to hold about 90 to 100kg (200-220 pounds). Attaching four pads each of that area to a human doesn't seem like a big problem, and should provide a fair safety margin.
That's of course assuming the synthetic gecko pad performs as well as the tokay's.
As for surfaces not being able to hold your weight, that's what the brain is for
Note: Geckos have much better terminal velocity to "splat" velocity ratios than humans. That part of the scaling is more of a concern
But then you'd have to change the unit test module and the relevant docs and support guides.
Plus I heard requests from sales and marketing that the next version should be multilingual.
Second coming of Christ? I think that would be more in line with trying to install Vista on a 10 year old Compaq and/or waiting for it to boot up.
Nowadays you can make do with a decent PC and perhaps a midi keyboard or two.
Decent mikes, A/D recorders, other equipment (mixer) and more instruments could be better of course.
But if you are a Mozart or Beethoven, you'd just need a PC, some software and nothing much else.
1) I'm sure humans are adaptable and can figure things out- you don't have to fasten the sticky bits to the feet and hands y'know. Especially when humans are likely to want to have their hands and fingers free to manipulate stuff - opening/fixing stuff or answering the phone and checking email 100 metres up in the air ;).
:).
Also if the sticky bits are at the knee/shins and not the feet, you could hang by the forearm pads and then peel off+use the feet to jump at the same time. Harder to do that if the sticky bits were at the feet (you could have sticky bits at the feet just not as sticky).
2) There are quite a number of people with accidentally shortened legs, might be good fun for them
It doesn't scale? I've pulled geckos off walls and stuff (even when they die of old age/etc they still stay stuck), and they sure stick pretty well, so given the surface area of a fair number of gecko feet, I'm not sure why that wouldn't hold up a human - at least a not too obese one (an obese tummy might get in the way of wall crawling too ;) ).
I use KDE, not everything is restored, and it's not always restored in the right order too - I prefer to have stuff in the same place on the taskbar.
Which is why I find KDE's method of ordering tasks on the taskbar quite annoying (I submitted a bug but the KDE devs don't seem to care):
[1] If you have a double height taskbar, the tasks are ordered vertically then horizontally. The problem with that is if you remove or insert a task, ALL tasks AFTER that task will change vertical position.
Windows orders tasks horizontally then vertically, which is much better since only the rightmost and leftmost tasks change position.
I can keep track of 20+ tasks as long as KDE doesn't keep moving them around (if you click on the calendar all the tasks get repositioned yet again).
http://www.google.com.my/search?num=100&hl=en&safe =off&q=site%3Amicrosoft.com+windows+hibernate+prob lem&meta=
;).
The funny one is having >=1 GB of memory makes it fail with windows
But if your notebook has crap drivers/hardware that cause bsods, Microsoft/Linux distro XYZ can't do much about those.
Apple has more control over what goes into an ibook so it's no surprise hibernate works better.
OK looks like they changed stuff - it now sends my browser to an html-only version. It never used to do that when I first used gmail which was two years ago, so I pretty much gave up on it.
:).
Well maybe I'll start using it now