"Methane doesn't last long in the atmosphere - it eventually degrades into carbon dioxide, which does hang around."
FSVO 'not lasting long' - the forcing effect of Methane is 20 times higher than CO2 over a one century timescale. On a decade scale or less it's about 100 times higher.
This means that 1-5GT of methane burping out of the Arctic ocean around the Leptav sea continental shelf would not make for happy fun times, vs 1-5GT of CO2, which would merely be a bad day on planet Earth. (I pick those locations for a reason, look them up and then 'anoxic event' for a something more worrying than mere sea level rises)
Water vapour is a greenhouse gas, but the quantities are largely related to existing temperatures (warmer = moister) and the practical effect (increased clouds cover) means an increased planetary albedo (reflectivity) which reduces primary heat input so for the most part it's self cancelling.
"There is a cottage industry of open source guys that chase down and punish the slimeballs"
There isn't. The copyright trolling activities have been curtailed and Harald Welte, etc never made a career out of it. They only ever settled for covering costs and getting things opened up.
The problem is that in order to be effective a case will need to be brought in China and the hypernationalism that's pervading the politics means that "plucky Chinese company vs big bad foreigner" will result in chinese courts ruling against the plaintiff every time.
Blocking exports to EU/USA/Australasia may not achieve much, as
1: these companies make 90% of their sales inside China. 2: The devices are imported to the EU/US/Australiasia under a huge range of names and by a lot of resellers, making blcoking them difficult.
Apparently there's a chinese saying which more or less translates as "If you can cheat and get away with it, then cheat" - which may explain a lot about the chinese way of doing business at times.
You'd hope so, but government-level MiTM (eg, china and vietnam) proxies are attempting to silently do this without relying on root certificates installed on the client (or they're intercepting and regenerating the signature too)
Company firewalls are the least of your worries. Governments worldwide are a much larger threat, thanks to state paranoia. (The worst a company can do is fire you)
"there are no machines capable of driving on arbitrary roads at arbitrary times/climates/scenarios."
That's exactly what the DARPA challenge has been about for the last 20 years and I'll wager that most humans would fail that same test you've posited - else we wouldn't see so many "russian dashcam" and "american dashcam" crash videos.
In the current models, if a machine can't drive a particular road or conditions, it will stop and ask for assistance, or take it very slowly until the route has been learned.
I regularly encounter vehicles on narrow roads driven by people who think they can't possibly pass when the road is 3 times the width of the vehicle. The skill level of the average human driver is amazingly poor - and this is in a country with quite stringent driver testing.
Indeed, assuming the sensitive sites are standalone.
SSL has allowed mutiple hostnames per IP for several years. If you can avoid the DNS lookups (or encrypt them - and you _can_ encrypt them) from being visible then putting the sensitive site on a multihomed webserver makes sense to protect the people accessing it.
"The right thing for intel to do IS to recall all CPUs for users that request it."
Are you kidding?
This is the same Intel who released Atom chips which _will_ drop dead at ~2 years of runtime and will only exchange them if they do so within the warranty period.
"at the time, this kind of timing attack was not a thing."
It's a classic race condition.
Any time there's a possibility of a race condition, sooner or later it will bite you in the ass. The only way to win is to ensure there's never a race to be won.
""You", if you are Intel, or pretty much any supplier... do care about what "neckbeards"... because we write the code that allows your future products to differentiate"
This is a point that a lot of chinese embedded Linux sellers and developers miss.
Huawei HiSilicon, I'm looking at you! - Kirin SDKs are opensource, but a lot of other embedded chipset SDKs are not - eg HI35xx DVR/NVR/camera chipsets, mostly using shitty code supplied by XiongMai.
I'm talking about completely unpackable linux distros containing locally modified busybox, initrd, mtd and netfilters, but also containing stripped, obfuscated monolithic packages clearly containing GPL code acting as a webserver and DVR.
The uc-httpd package from Xiongmai is the single largest vulnerability in networked DVRs and they haven't bothered fixing the traversal or "remote hacker can get root shell" holes 2 years after Mirai should have provided a wakeup call.
At some point the Linux dev community is going to have to take a collective stand against this IP piracy, because it's getting worse, not better.
At least Intel have 'fessed up and fixes are incoming. There are millions of embedded linux systems with gaping holes that will never be fixed because the suppliers refuse to release their sources.
" It it took me 2 weeks to pound it through some thick skulls that we didn't want or going to pay the microsoft tax."
Historically, the windows tax was only about $30-50 on a Dell or other system.
More recently with Win10 that's bumped up to more like $140 - which means that a lot more people are sitting up and taking notice. As a result Windows "sales by default" are falling away rapidly in enterprise environments.
When Itanium showed up the prime factors against using it weren't "It's not x86"
They were that it was far more expensive than the x86, ran slower for most workloads, generated a LOT more heat and were primarily targetted as server CPUs (no desktop/laptop CPUs) - meaning you had to run multiple architectures across your fleet, which most managers don't like doing.
If you want to sell a new architecture, then making it hard/expensive for developers to actually have test systems, etc is not a good way to go about it.
Intel discovered very quickly that they couldn't leverage their near-monopoly on x86 supply into market dominance in another processor type based on the manufacturer name alone. Even IBM stopped being able to sell simply on the strength of their name decades ago.
At which point, if whoever did it can be identified, he'll be sent off and possibly banned from the game. "Overenthusiastic rucking" has been banned for a long time due to the injuries inflicted.
yes you get thuggish behaviour on the field, but thugs don't usually last long in teams who care about their position in rankings.
If a rugby player tackled an opponent the way american footballers do, he'd be banned for life.
As with boxing gloves, the padding players wear doesn't protect _from_ impacts, it allows them to inflict much harder impacts.
Head trauma is taken extremely seriously in rugby. head high tackles and "blocks" seen in American football are completely banned.
I know (and tell) the standard jokes about rugby players but having grown up in a rugby-crazy country (I don't like the sport myself) I can tell you that the brain-damaged behaviour usually starts long before they start playing the game - and conversely, that the top players (even the forwards) are skillful and intelligent. (Basically, the ability to be thuggish on the field attracts thugs, but thugs seldom if ever move out of the bottom rung sports teams. Paradoxically a lot of top cricketers are thugs when off the field.)
I'd hope that he's facing federal murder charges out of this (interstate activities), along with the 2 CoD players (one for inciting the murder and the other as an accessory)
The sooner this kind of thing gets stomped on _hard_, the better off everyone is.
Transparent proxies at the mobile company's gateways make little-to-no difference. The bottleneck is INSIDE the mobile network (specifically at the last hop to the cellular site and the link from base station to mobile) and it doesn't matter if what's being moved is cached data or fresh off 't web.
What you're stating is an argument for caching on the device. Running proxies at every single edge station is a nightmarish scenario which would provide very limited benefit.
" Can't remember the last time my ISP actually cached a website. "
In my ISP days, we were only getting a 20% hit rate in the 1990s and eventually gave it up as not worthwhile. Ditto when operating corp transparent proxies. The costs of operation were higher than the savings
ISPs which continued doing it tended to do so specifically so they COULD act as MiTM
" there is little benefit to https for many sites, which simply present publicly available information. "
The benefit is for users, not sites.
Snoopers can still collect metedata about what connections you're making (and what DNS queries you made. HINT!), but they can't see the content of what you're accessing.
One of the lessons about crypto is that if you only encrypt the sensitive stuff then anything encrypted is a big red "kick me" flag for a snooper and the're likely to keep the raw packets around until they can decode it. If you encrypt everything including your shoppings lists, then they may spend a long time cracking your shopping list.
In other words, encrypting everything is a little like stegenography, The sensitive stuff is just as visible as the non-sensitive stuff, but you have to know how to look at either, else it just looks like a gif of Claudia Schiffer (and for those who don't get the reference, take a closer look at the 1990s usenet postings of Ms Schiffer's pictures)
Slashdot Mirror
They may be illegal, but concussion is one of the most common American football injuries.
It simply doesn't happen in Rugby.
"Methane doesn't last long in the atmosphere - it eventually degrades into carbon dioxide, which does hang around."
FSVO 'not lasting long' - the forcing effect of Methane is 20 times higher than CO2 over a one century timescale. On a decade scale or less it's about 100 times higher.
This means that 1-5GT of methane burping out of the Arctic ocean around the Leptav sea continental shelf would not make for happy fun times, vs 1-5GT of CO2, which would merely be a bad day on planet Earth. (I pick those locations for a reason, look them up and then 'anoxic event' for a something more worrying than mere sea level rises)
Water vapour is a greenhouse gas, but the quantities are largely related to existing temperatures (warmer = moister) and the practical effect (increased clouds cover) means an increased planetary albedo (reflectivity) which reduces primary heat input so for the most part it's self cancelling.
"Nobody expects perfection. Just some quality control for the amount paid. "
And support after sale, rather than abandoning the product when it gets "too hard" to handle problems.
| Not it isn't, it's a statistical timing thing.
What do you think a race condition is?
"There is a cottage industry of open source guys that chase down and punish the slimeballs"
There isn't. The copyright trolling activities have been curtailed and Harald Welte, etc never made a career out of it. They only ever settled for covering costs and getting things opened up.
The problem is that in order to be effective a case will need to be brought in China and the hypernationalism that's pervading the politics means that "plucky Chinese company vs big bad foreigner" will result in chinese courts ruling against the plaintiff every time.
Blocking exports to EU/USA/Australasia may not achieve much, as
1: these companies make 90% of their sales inside China.
2: The devices are imported to the EU/US/Australiasia under a huge range of names and by a lot of resellers, making blcoking them difficult.
Apparently there's a chinese saying which more or less translates as "If you can cheat and get away with it, then cheat" - which may explain a lot about the chinese way of doing business at times.
I'm very familiar with the Alpha thanks - and still have a couple of ancient DS20s that are on life support.
Itanium was no Alpha.
You'd hope so, but government-level MiTM (eg, china and vietnam) proxies are attempting to silently do this without relying on root certificates installed on the client (or they're intercepting and regenerating the signature too)
Company firewalls are the least of your worries. Governments worldwide are a much larger threat, thanks to state paranoia. (The worst a company can do is fire you)
"there are no machines capable of driving on arbitrary roads at arbitrary times/climates/scenarios."
That's exactly what the DARPA challenge has been about for the last 20 years and I'll wager that most humans would fail that same test you've posited - else we wouldn't see so many "russian dashcam" and "american dashcam" crash videos.
In the current models, if a machine can't drive a particular road or conditions, it will stop and ask for assistance, or take it very slowly until the route has been learned.
I regularly encounter vehicles on narrow roads driven by people who think they can't possibly pass when the road is 3 times the width of the vehicle. The skill level of the average human driver is amazingly poor - and this is in a country with quite stringent driver testing.
Goat.se would be better for this task, just make sure the image is tweaked every day,
Indeed, assuming the sensitive sites are standalone.
SSL has allowed mutiple hostnames per IP for several years. If you can avoid the DNS lookups (or encrypt them - and you _can_ encrypt them) from being visible then putting the sensitive site on a multihomed webserver makes sense to protect the people accessing it.
Cross border murder incitement.
With the CoD idiots as accessories.
"The right thing for intel to do IS to recall all CPUs for users that request it."
Are you kidding?
This is the same Intel who released Atom chips which _will_ drop dead at ~2 years of runtime and will only exchange them if they do so within the warranty period.
"at the time, this kind of timing attack was not a thing."
It's a classic race condition.
Any time there's a possibility of a race condition, sooner or later it will bite you in the ass. The only way to win is to ensure there's never a race to be won.
""You", if you are Intel, or pretty much any supplier ... do care about what "neckbeards" ... because we write the code that allows your future products to differentiate"
This is a point that a lot of chinese embedded Linux sellers and developers miss.
Huawei HiSilicon, I'm looking at you! - Kirin SDKs are opensource, but a lot of other embedded chipset SDKs are not - eg HI35xx DVR/NVR/camera chipsets, mostly using shitty code supplied by XiongMai.
I'm talking about completely unpackable linux distros containing locally modified busybox, initrd, mtd and netfilters, but also containing stripped, obfuscated monolithic packages clearly containing GPL code acting as a webserver and DVR.
The uc-httpd package from Xiongmai is the single largest vulnerability in networked DVRs and they haven't bothered fixing the traversal or "remote hacker can get root shell" holes 2 years after Mirai should have provided a wakeup call.
At some point the Linux dev community is going to have to take a collective stand against this IP piracy, because it's getting worse, not better.
At least Intel have 'fessed up and fixes are incoming. There are millions of embedded linux systems with gaping holes that will never be fixed because the suppliers refuse to release their sources.
" It it took me 2 weeks to pound it through some thick skulls that we didn't want or going to pay the microsoft tax."
Historically, the windows tax was only about $30-50 on a Dell or other system.
More recently with Win10 that's bumped up to more like $140 - which means that a lot more people are sitting up and taking notice. As a result Windows "sales by default" are falling away rapidly in enterprise environments.
"It's a better chip with a better future."
When Itanium showed up the prime factors against using it weren't "It's not x86"
They were that it was far more expensive than the x86, ran slower for most workloads, generated a LOT more heat and were primarily targetted as server CPUs (no desktop/laptop CPUs) - meaning you had to run multiple architectures across your fleet, which most managers don't like doing.
If you want to sell a new architecture, then making it hard/expensive for developers to actually have test systems, etc is not a good way to go about it.
Intel discovered very quickly that they couldn't leverage their near-monopoly on x86 supply into market dominance in another processor type based on the manufacturer name alone. Even IBM stopped being able to sell simply on the strength of their name decades ago.
"No, you just get cleats to the face."
At which point, if whoever did it can be identified, he'll be sent off and possibly banned from the game. "Overenthusiastic rucking" has been banned for a long time due to the injuries inflicted.
yes you get thuggish behaviour on the field, but thugs don't usually last long in teams who care about their position in rankings.
If a rugby player tackled an opponent the way american footballers do, he'd be banned for life.
As with boxing gloves, the padding players wear doesn't protect _from_ impacts, it allows them to inflict much harder impacts.
Head trauma is taken extremely seriously in rugby. head high tackles and "blocks" seen in American football are completely banned.
I know (and tell) the standard jokes about rugby players but having grown up in a rugby-crazy country (I don't like the sport myself) I can tell you that the brain-damaged behaviour usually starts long before they start playing the game - and conversely, that the top players (even the forwards) are skillful and intelligent. (Basically, the ability to be thuggish on the field attracts thugs, but thugs seldom if ever move out of the bottom rung sports teams. Paradoxically a lot of top cricketers are thugs when off the field.)
I'd hope that he's facing federal murder charges out of this (interstate activities), along with the 2 CoD players (one for inciting the murder and the other as an accessory)
The sooner this kind of thing gets stomped on _hard_, the better off everyone is.
"Of more value is ensuring that all your traffic goes over a VPN."
This adds latency and attracts extra attention if you're being watched (as does using Tor)
if you're at this level of paranoia then you want some kind of fuzzing system which is going out and querying thousands of random URLs.
"On mobile devices the effect is componded"
Transparent proxies at the mobile company's gateways make little-to-no difference. The bottleneck is INSIDE the mobile network (specifically at the last hop to the cellular site and the link from base station to mobile) and it doesn't matter if what's being moved is cached data or fresh off 't web.
What you're stating is an argument for caching on the device. Running proxies at every single edge station is a nightmarish scenario which would provide very limited benefit.
" Can't remember the last time my ISP actually cached a website. "
In my ISP days, we were only getting a 20% hit rate in the 1990s and eventually gave it up as not worthwhile. Ditto when operating corp transparent proxies. The costs of operation were higher than the savings
ISPs which continued doing it tended to do so specifically so they COULD act as MiTM
" there is little benefit to https for many sites, which simply present publicly available information. "
The benefit is for users, not sites.
Snoopers can still collect metedata about what connections you're making (and what DNS queries you made. HINT!), but they can't see the content of what you're accessing.
One of the lessons about crypto is that if you only encrypt the sensitive stuff then anything encrypted is a big red "kick me" flag for a snooper and the're likely to keep the raw packets around until they can decode it. If you encrypt everything including your shoppings lists, then they may spend a long time cracking your shopping list.
In other words, encrypting everything is a little like stegenography, The sensitive stuff is just as visible as the non-sensitive stuff, but you have to know how to look at either, else it just looks like a gif of Claudia Schiffer (and for those who don't get the reference, take a closer look at the 1990s usenet postings of Ms Schiffer's pictures)
If they _want_ the printer or videos, they'll do it.
If not, too bad, they clearly didn't want it enough.
Null cypher means the man in the middle can decrypt, tweak the http and then re-encrypt the web page.
Think it doesn't happen? Think again (company firewall systems, the Great Firewall of China, various other ones)