I suspect that the direction of impact could be rather surprising to some of those who believe in scarcity driven theories of economics.
Nothing in Bitcoin's pricing is set by scarcity driven economics. It's all based on speculation and so far every time a major country has made any kind of announcement on bitcoin the price has spiked (in either direction) without any change in scarcity.
I did. A security vulnerability on such a low layer is not serious unless I have very serious failures on every other layer. This bug isn't wormable, MITMable, and requires someone to have a serious grudge directly against a person to do something useful. This is NSA out to get you level of bug and that makes it far less severe than script kiddies bugs, or bugs that rely on monetary extortion.
Whatever you think of my grammar the fact is that a calculator that miscalculates and then makes decisions on its result is bad. A security vulnerability that requires executing code on the target combined with detailed knowledge of the target system in order to do achieve anything malicious is quite low in the grand scheme of security vulnerabilities. It is not wormable, it is not automatable, and it can be defended against through layered security.
The FDIV bug was far worse, thinking otherwise is extremely shortsighted.
Ever wonder why military or even automotive grade chips are running so much slower and cooler? It's because they are rated for much longer lifetime than consumer grade devices - they are limited so they last the required number of years.
No you haven't worked in the industry for a decade. With a line like that I will wager that you haven't worked in the industry for even a day. There are very big differences between the automotive / military grade chips and they go miles beyond life expectancy (something that is usually handled through derrating).
In any case it's quite telling that Apple seem to feel a need to derate their 2 year old phones. (Posted from a non-derated 4 year old phone that has suffered dearly at my hands).
Funny how no other phone makers have problems with their phones shutting down. Apple gimped their device to cover up their fucked up power system design. Nothing more nothing less.
There's a difference between getting slower due to bogged down bloated software, and getting slower due to limiting CPU speed. While I agree with the sentiment the updates have over time added features too which basically makes it a trade-off.
Phones are only now getting to the Windows 7 era of computing, a point where they are baseline enough that there's little to add in the core OS to bloat it down. I expect the trend of getting slower not to continue (by accident, I'm sure there are nefarious reasons for it too).
I am willing to bet a marsbar that you weren't "told to ignore risk" but rather that the risk assessment process was handled by a different department or at a different paygrade.
Humans are horrible judges of risk which is why it *should* never be left up to individual people (especially people within a single field) to determine.
You know, he's not wrong. This is, in impact, way bigger than Intel's FDIV fiasco and that ended up in recalls.
No it's not. It is more wide spread but it certainly isn't bigger.
- The FDIV scenario could cause a wrong result from a processor. This can merely cause a security breach. - Security can be layered and worked around. A calculator that produces the wrong answer checked by a calculator with the same fault can not work around itself. - This fiasco relies on a targeted attack on a specific user. The FDIV bug is something a user would hit at random (and according to a citation needed quote on Wikipedia would do so every 24 months)
In its impact the FDIV bug was far more serious than meltdown or spectre.
To answer AC's question a few moths later: "What's the big advantage with RISC over ARM or x86?"
Before discussing the advantage you need to discuss the difference. What's the difference between RISC over ARM or x86? Nothing.
a) ARM is RISC b) x86 is CISC only in the instruction set. The processors themselves have had far more in common with RISC processors since the days of the Pentium Pro.
The cause of the volatility is obvious. Fear Of Missing Out [wikipedia.org] combined with greed which is what drives most asset bubbles.
No, that is only the cause of the most recently spike in price. The cause of volatility is incredibly low trading volumes against items with pegged value which means that even small transactions can have a real impact on value.
If I convert 50m BTC into USD it would register enough to influence the price. If I convert 50m EUR into USD no one would notice.
In a usable stable currency, FOMO would not cause a change in value.
You largely validated his posting with this one sentence. This is exactly what he's complaining about.
And if you don't take that sentence out of context you'll have seen the point. What happened to OpenBSD and Theo is the fault of precisely one person: Theo.
Hell when we discussed this on Slashdot there were a lot of posters saying that Theo's actions at the time would hurt the OpenBSD community as people would not disclose the vulnerabilities to them. Looks like they were right too.
I agree the OpenBSD community is in a bad place. I also agree with Theo, but only in that his actions have spoken louder than his words.
It also wasn't helped that there was no real coordination in releases.
There was, the problem is exactly what they were trying to avoid. It was under non-disclosure back in November. The actual full disclosure date wasn't supposed to be until tomorrow (9th Jan) so coordinated releases could take place. Unfortunately someone jumped the gun and we're left with the clusterfuck that this has become (Microsoft patches released, Apple patches released, UEFI patches not ready yet, Linux patches scheduled for original date).
This one of the very few downsides of Opensource. It's difficult to release bug information under NDA as efforts to patch the bugs result in the bug being revealed. That and Theo shat the bed with his past irresponsible patching of a bug early that was covered under a coordinated release schedule.
Secrets are only kept when few people know about them.
Isn't he? Firstly clearly the distribution was too wide as it was given there was a moratorium on disclosure scheduled for tomorrow to allow all patching to be in place in advance.
Secondly he has in the past jumped the gun on responsible disclosure, parroting OpenBSD as the secure alternative patting himself on the back for being the first.
Thirdly there are multiple groups now that refuse to work with him for this very reason. The OpenSSL team also disclosed to others before OpenBSD for the same reason.
He shat in his bed, and now is complaining that he has to sleep in it.
Systemd is probably the cause of the slow boot time.
So to be clear, systemd whose single useless feature people advertise as faster boot time is the result of the slow boot time despite the fact that Gentoo doesn't even use systemd?
What next? Systemd kicked your dog and slept with your wife while you were debugging a sysvinit script?
Lots of people. TPM has found its niche in corporate computers, as well as laptops and modern devices with advanced security features. It is also a required component for Windows 10 certification for system builders. Of the 5 computers in my house (excluding embedded ones) the only one which doesn't have a TPM chip is my server.
Not only will many modern devices ship with TPM hardware installed but many will default to using it for things like Bitlocker and other encryption keys.
Maybe that is a good thing - you probably wouldn't want to be working with such a stupid thinking lot?
Depends on who is doing the stupid thinking. Quite often there are plenty of wonderful places to work at with some of the dumbest mouth breathing droolers in existence working in the HR front line. I personally have had fights with our HR department about how they have handled positions opened in my team and how they cut their candidate pool. In one case a former acquaintance who was an absolute genius / guru was disqualified by some automatic form because they system didn't understand that not every degree in the world is equivalent.
You only say that because you don't understand what you are actually doing with modern software.
Ain't no such thing as an orderly exit from a bubble.
Depends on the investment impact of the bubble. Bitcoin for better (not for worse) doesn't have that much physical investment.
I suspect that the direction of impact could be rather surprising to some of those who believe in scarcity driven theories of economics.
Nothing in Bitcoin's pricing is set by scarcity driven economics. It's all based on speculation and so far every time a major country has made any kind of announcement on bitcoin the price has spiked (in either direction) without any change in scarcity.
Meltdown is INTEL ONLY. But nice spin!
No, the specific example used worked on Intel only and the original researchers postulated as to how it could also work on AMD and ARM.
Gauge their seriousness as you wish.
I did. A security vulnerability on such a low layer is not serious unless I have very serious failures on every other layer. This bug isn't wormable, MITMable, and requires someone to have a serious grudge directly against a person to do something useful. This is NSA out to get you level of bug and that makes it far less severe than script kiddies bugs, or bugs that rely on monetary extortion.
Whatever you think of my grammar the fact is that a calculator that miscalculates and then makes decisions on its result is bad.
A security vulnerability that requires executing code on the target combined with detailed knowledge of the target system in order to do achieve anything malicious is quite low in the grand scheme of security vulnerabilities. It is not wormable, it is not automatable, and it can be defended against through layered security.
The FDIV bug was far worse, thinking otherwise is extremely shortsighted.
Ever wonder why military or even automotive grade chips are running so much slower and cooler? It's because they are rated for much longer lifetime than consumer grade devices - they are limited so they last the required number of years.
No you haven't worked in the industry for a decade. With a line like that I will wager that you haven't worked in the industry for even a day. There are very big differences between the automotive / military grade chips and they go miles beyond life expectancy (something that is usually handled through derrating).
In any case it's quite telling that Apple seem to feel a need to derate their 2 year old phones. (Posted from a non-derated 4 year old phone that has suffered dearly at my hands).
Funny how no other phone makers have problems with their phones shutting down. Apple gimped their device to cover up their fucked up power system design. Nothing more nothing less.
There's a difference between getting slower due to bogged down bloated software, and getting slower due to limiting CPU speed. While I agree with the sentiment the updates have over time added features too which basically makes it a trade-off.
Phones are only now getting to the Windows 7 era of computing, a point where they are baseline enough that there's little to add in the core OS to bloat it down. I expect the trend of getting slower not to continue (by accident, I'm sure there are nefarious reasons for it too).
Very nice, are you ready to pay for a smartphone like you pay for a durable product like a car?
At just a little shy of $1000 I already pay for it like a car. Hell I pay for it more than most laptops. Why do most laptops seem to last longer?
I am willing to bet a marsbar that you weren't "told to ignore risk" but rather that the risk assessment process was handled by a different department or at a different paygrade.
Humans are horrible judges of risk which is why it *should* never be left up to individual people (especially people within a single field) to determine.
You do realise that OpenBSD and FreeBSD are two different entities, right?
You do realise there's more in common between them than what sets them apart, including a lot of sharing between developers.
You know, he's not wrong. This is, in impact, way bigger than Intel's FDIV fiasco and that ended up in recalls.
No it's not. It is more wide spread but it certainly isn't bigger.
- The FDIV scenario could cause a wrong result from a processor. This can merely cause a security breach.
- Security can be layered and worked around. A calculator that produces the wrong answer checked by a calculator with the same fault can not work around itself.
- This fiasco relies on a targeted attack on a specific user. The FDIV bug is something a user would hit at random (and according to a citation needed quote on Wikipedia would do so every 24 months)
In its impact the FDIV bug was far more serious than meltdown or spectre.
To answer AC's question a few moths later: "What's the big advantage with RISC over ARM or x86?"
Before discussing the advantage you need to discuss the difference. What's the difference between RISC over ARM or x86? Nothing.
a) ARM is RISC
b) x86 is CISC only in the instruction set. The processors themselves have had far more in common with RISC processors since the days of the Pentium Pro.
CISC CPUs don't really exist in modern computing.
The cause of the volatility is obvious. Fear Of Missing Out [wikipedia.org] combined with greed which is what drives most asset bubbles.
No, that is only the cause of the most recently spike in price. The cause of volatility is incredibly low trading volumes against items with pegged value which means that even small transactions can have a real impact on value.
If I convert 50m BTC into USD it would register enough to influence the price.
If I convert 50m EUR into USD no one would notice.
In a usable stable currency, FOMO would not cause a change in value.
I think we sometimes fail to realize most of humanity never engaged in any critical thinking beyond headlines and sound bites to begin with.
And I will continue to call them out for doing so as an attempt to not aim for mediocrity.
You largely validated his posting with this one sentence. This is exactly what he's complaining about.
And if you don't take that sentence out of context you'll have seen the point. What happened to OpenBSD and Theo is the fault of precisely one person: Theo.
Hell when we discussed this on Slashdot there were a lot of posters saying that Theo's actions at the time would hurt the OpenBSD community as people would not disclose the vulnerabilities to them. Looks like they were right too.
I agree the OpenBSD community is in a bad place. I also agree with Theo, but only in that his actions have spoken louder than his words.
We don't like return on investment says two major investors.
It also wasn't helped that there was no real coordination in releases.
There was, the problem is exactly what they were trying to avoid. It was under non-disclosure back in November. The actual full disclosure date wasn't supposed to be until tomorrow (9th Jan) so coordinated releases could take place. Unfortunately someone jumped the gun and we're left with the clusterfuck that this has become (Microsoft patches released, Apple patches released, UEFI patches not ready yet, Linux patches scheduled for original date).
This one of the very few downsides of Opensource. It's difficult to release bug information under NDA as efforts to patch the bugs result in the bug being revealed. That and Theo shat the bed with his past irresponsible patching of a bug early that was covered under a coordinated release schedule.
Secrets are only kept when few people know about them.
Isn't he? Firstly clearly the distribution was too wide as it was given there was a moratorium on disclosure scheduled for tomorrow to allow all patching to be in place in advance.
Secondly he has in the past jumped the gun on responsible disclosure, parroting OpenBSD as the secure alternative patting himself on the back for being the first.
Thirdly there are multiple groups now that refuse to work with him for this very reason. The OpenSSL team also disclosed to others before OpenBSD for the same reason.
He shat in his bed, and now is complaining that he has to sleep in it.
As of this weekend
That phrase no longer means what you think it does.
Systemd is probably the cause of the slow boot time.
So to be clear, systemd whose single useless feature people advertise as faster boot time is the result of the slow boot time despite the fact that Gentoo doesn't even use systemd?
What next? Systemd kicked your dog and slept with your wife while you were debugging a sysvinit script?
Who is using TPM?
Lots of people. TPM has found its niche in corporate computers, as well as laptops and modern devices with advanced security features. It is also a required component for Windows 10 certification for system builders. Of the 5 computers in my house (excluding embedded ones) the only one which doesn't have a TPM chip is my server.
Not only will many modern devices ship with TPM hardware installed but many will default to using it for things like Bitlocker and other encryption keys.
I don't have the same "might be spying on me" concerns about Apple's products.
Then you are just another headline and soundbite grabbing unthinking idiot.
Maybe that is a good thing - you probably wouldn't want to be working with such a stupid thinking lot?
Depends on who is doing the stupid thinking. Quite often there are plenty of wonderful places to work at with some of the dumbest mouth breathing droolers in existence working in the HR front line. I personally have had fights with our HR department about how they have handled positions opened in my team and how they cut their candidate pool. In one case a former acquaintance who was an absolute genius / guru was disqualified by some automatic form because they system didn't understand that not every degree in the world is equivalent.