Bin Laden had been kicked out of Saudi Arabia nine years earlier, precisely for anti-US, anti-Western rhetoric. He was forced to leave in 1992 and officially stripped of Saudi citizenship in 1994. So no, he wasn't a Saudi in 2011.
Bin Laden had helped kick the Soviet Union out of Afghanistan, ending in 1989. That made him a hero to many Arabs.
A few years later, Iraq invaded Kuwait. Saudi Arabia borders Iraq and Kuwait, so with Iraq invading its neighbors, Saudi Arabia was a next logical target for invasion. Bin Laden offered to mass a defensive army on the border to protect Saudi Arabia from invasion by Iraq. The Saudis turned him down, instead requesting help from the United States in this role. Note, this is the Saudis choosing the US over bin Laden a decade before 9-11.
Based on his experience in Soviet-occupied Afghanistan, bin Laden very much did not like the idea of non-Muslim military forces in Saudi Arabia. He spoke up about the Saudi royal family getting help from the outsiders (the US), saying some rather nasty things about the "infidels", and that got him kicked out of the country.
Had bin Laden been allowed to bring in the cavalry to save the day in Saudi Arabia, he would be even more of a hero, he probably thought. He probably saw it as the US stealing his glory. On top of that, the royal family publicly chose the US over him, which would have been insulting. See why he was pretty pissed at the US?
Osama wanted revenge on the US partly because the Saudis rejected him, choosing to partner with the US instead.
To understand the relationship between the United States and Saudi Arabia, one must understand there are two governments in Saudi Arabia. There's the House of Saud, which is the royal family. They are responsible for international relations and members of the family hold many posts in government.
There is also the Ulama, the Islamic religious establishment. The Ulama runs a lot of the internal government, including schools. All royal proclamations (laws) have to be approved by the Ulama to take effect. The royal family nominates a new king, subject to the approval of the Ulama.
So overall the royal family *exercises* power, does things, but always subject to the authority of the Islamic religious authorities. The House of Saud is focused on day-to-day administration, the Ulama on the big picture. The official constitution of the country is the Qur'an.
Throughout the Middle East, including in Saudi Arabia, some of the Islamic leadership does things that the US doesn't like, including how they treat Christians and Jews. Within that context of a region unfriendly to US values, the royal families of Saudi Arabia and Jordan have been relatively friendly to the United States and Western Europe.
So in short, the US tends to be friendly with part of the Saudi government - the royal family, while being very displeased by the actions of a separate part, the Ulama.
The article says that the vendor asked "we'd really like to own this information... what will it take to make that happen?" The people who discovered the vulnerabilities then replied with the $60,000 figure.
It probably would have been better for them to not quote a price or even mention money, especially since the FBI was on the call. Instead they could ask "what do you have in mind?" The vendor brought up "own the information", let THEM make a cash offer if they choose to go that direction.
Quoting a security professional from the article:
-- "When you're performing Coordinating Disclosure - calling the vendor for the first time - for me it's super important to really stress, 'Look I'm not trying to sell you anything. I'm not trying to extort you. I'm not trying to set this up as a future sales call for all of my wonderful products,'" said Rapid7's Beardsley. "I am very cognizant of that for a couple reasons. One, I don't want to go to jail. And two, it's an emotional thing for most people, especially people who've never had to deal with [disclosure] before." --
Federal law says extortion is "a communication requesting money or other valuable thing... threatening to damage... the reputation of the addressee". Requesting $60,000 was probably a mistake.
If you want to possibly accept an offer of an NDA for money, maybe the best way to do that would be something like:
I'm not demanding anything. You mentioned an NDA. I'm sorry, I can't negotiate that with you; if you choose to make a specific offer I can only accept or decline.
I probably wouldn't do an NDA at all. I would be willing to do some consulting for them to help them understand and fix the problem before information is made public. Obviously, if I know they did a good job of fixing it, that would require that any disclosure I make acknowledge that they fixed it. If they choose not to get the information needed to fix it, full honest disclosure might need to include that fact. Either way I'm going to make an honest disclosure. They can affect what I disclose by changing the facts - either fixing it or not fixing it, and letting me see that it is fixed properly, or not communicating with me. Those are facts that could be part of an honest disclosure.
I wouldn't want to go to "if you pay me I won't disclose" - any way you do that, whether or not it's a federal crime will be up to the opinion of a judge or jury.
Did you get a better understanding after you read the statute I quoted, because it sounds like you're now saying something very different?
Your original comment:
>> Threatening to release it unless they pay you is extortion, a felony.
>> At the federal level it carries a prison sentence of up to three years.
> No, no it fucking isn't.
So you said that threatening to release embarrassing information unless someone pays isn't extortion. "No, no it fucking isn't", you said.
Now we know federal law defining extortion is almost exactly the words I used, the words you said "fucking isn't". Extortion is asking for money with "any threat to injure the property or reputation".
Do you still think the federal statute isn't law, so threatening to release embarrassing information unless you're paid "fucking isn't" extortion?
To say "A threat would be we'll steal all your money. Releasing publicly is the responsible behavior for security researchers". We know federal law defines extortion as "a threat to... damage the reputation". Are you claiming federal law isn't law? Or are you saying "I wish that wasn't law"?
One more thing about "Releasing publicly is the responsible behavior for security researchers" - Are you still unclear about warning customers, by releasing information, versus "I'll release embarrassing information *unless you pay me*"? That "unless you pay me" part is what changes it from a public service to a felony, extortion.
And yes, putting the public in danger by keeping quiet about a dangerous bridge *because you got paid off by extorting money from the construction company* would also be quite unlawful.
> This is more like an engineer knowing a bridge is defective and telling people not to use it.
If you said "I'll tell people the bridge is defective unless you pay up", that would be extortion.
That's why I pointed out you'd either a) release the information regardless of whether they pay or b) don't mention anything about releasing the information.
Here's the federal statute, 18 U.S. Code § 875 (d) -- ... any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to injure the property or reputation of the addressee --
The "interstate commerce" part is there to give the feds jurisdiction. Email counts as communication via interstate commerce.
Threatening to release it unless they pay you is extortion, a felony. At the federal level it carries a prison sentence of up to three years.
Colloquially, it's called blackmail, though in federal law blackmail is only if you threaten to tell about a crime they committed.
To not commit the crime of extortion, one would need to be clear you WILL release a warning to customers so that customers can protect themselves - whether or not the company pays. The company would be paying for details of the problem, not paying to prevent information from being released. Alternatively, don't mention releasing the information at all. You don't want to give the impression that you'll release it unless you're paid, because that's extortion.
If the company comes back offering payment in exchange for an NDA, that would be an interesting legal situation. Is it extortion if the "victim" proposes it? Probably not at the federal level. At least if the communication accepting the NDA offer is kept short - "I accept your offer". You wouldn't want to restate the offer "if you pay me I won't release it", because that could be considered a threatening communication (extortion).
I haven't read the text of the law in every state. It could still violate state law if you accept an NDA in exchange for payment after you've already mentioned releasing it.
I keep getting called about joining their team responsible for security of in-vehicle computers. I've met some of the people on that team. THAT team seems to be pretty good, well-staffed.
Apparently somebody on another team screwed up, though.
TI and others make units designed for automotive use which are spec'd for those kinds of temperatures. They are expected to work under the hood of a car, in Texas.
Just Google automotive micros or SoCs as needed, or call any manufacturer.
Milspec parts are similar temperatures plus a higher reliability rating.
Or, submitter could ask Zach, who works in signaling, which would then text Ray. :)
It takes several seconds to load a web page. With only 35 million seconds in a year, that means a company can show a web page no more than 10 million times in a year.
So for example let's take Facebook, where a single user might load a page 1,000 times in a year. 10 million total page loads (based on seconds per year) divided by 1,000 page loads per user in a year. Facebook can have no more than 100,000 users. That's what you proved.
Unless of course a web site can serve pages to two people at once.* Or a phone spam company can set their computer to call more than one person at a time.
* That's not a crazy limitation. I have a web server that maxes out at two simultaneous clients. It's an ESP32, a $13 computer. So we can reason that the spam callers will need to spend more than $13 on equipment if they want to call billions of people.
Okay, Mr. Kernel, does the driver kbdray handle a Microsoft Natural keyboard? By the way, that driver is newer than the kernel.
Go ahead and take your time answering, I'll wait. . . . . . . . . . . . . .
How can a kernel (from last year) figure out what hardware is supported by a driver (which was written last week)? Where is the code that knows which hardware is supported by that driver?
The driver knows which hardware it supports! The kernel figures out which driver goes to which hardware by asking the driver. On Linux, for example, udev does the poll. It actually has two methods for asking drivers what hardware they support. The simplest method is udev can call a function within the driver, passing the type and vendor IDs to the driver. The driver then responds yes or no. The other mechanism is the driver can call driver_register, passing its device_driver structure which includes a list of which hardware it supports.
I highly recommend before you tell me any more about how we write drivers, you try actually writing one. If you're on Mac, there's one we need. What it needs to do is claim a particular memory segment for itself, then use that memory to - do nothing. That segment has a few bad bits, and should not be used. Very handy on MacBooks with soldered-on RAM.
If you DO decide to write a simple driver as a learning exercise, here's a little tip:
> Each individual driver needs access to and control of one piece of hardware.
Somebody might have TWO audio cards. Or FOUR disks. Maybe even zero SCSI cards. In your code, remember basically everything needs to be a linked list, because you may be handling one, two, twenty, or zero pieces of hardware. Also other drivers may claim the same hardware, so be ready for that.
> Two women doing a space walk together is history. On reflection, wouldn't you agree that it is news for nerds?
How, precisely, are their genitals relevant to the job?
Obviously their genitalia isn't involved in any way.
Beethoven composing his greatest works after he became deaf is interesting because you might think a deaf person couldn't compose great music. Women doing spacewalks is interesting only if you're thinking "even women can do it". It's patronizing sexism, and it's infuriating to me because my four year old daughter picks up on that. She hears that it's special when a woman manages to do something, and understands your implicit reason you think it's special when a woman accomplishes something - because in general women can't accomplish anything. That's the unspoken assumption.
Can a device driver access your hard drive? Yes, that's what the sd and ahci drivers are FOR. If the sd driver couldn't access your block devices, how would anything access them? If the ahci couldn't access your SATA controller, you couldn't use your SATA controller.
Can device drivers access your network card? Pretty tough to use a network card if drivers can't read it, write it, and otherwise control it.
So the hardware drivers must, at minimum, have access to and control of your hardware - and therefore all your data.
Yes if you design a system where (really slow) device drivers run as separate processes, you could use the MMU to limit which *memory* it has access to, but still drivers have control of hardware.
Here I say "hardware drivers" not to be redundant, but because you CAN have a userspace driver which adds certain *functionality* to be accessed *through* a piece of hardware, which in turn has a hardware driver. A classic example is a modem attached to a serial port. At least from the perspective of the kernel, the hardware is the serial port. That hardware must be controlled by a hardware driver which has full control of the hardware. The hardware driver can accept requests from the userland modem driver. I've written drivers like that before. The userland modem driver doesn't need direct control of hardware, it can go through the serial port driver and any security gates we decide to put in.
So you're the guy who fell for it and downloaded the "driver" for the thumb drive you bought?
USB devices present themselves to the OS as one of 21 classes, such as:
01 Audio - Speaker, microphone, sound card, MIDI
02 Communications - Modem, Serial, Ethernet
03 Human interface device (HID) - Keyboard, mouse
05 Physical Interface Device (PID) - Force feedback joystick
06 Image (PTP/MTP) - Webcam, scanner
08 Mass storage (MSC or UMS) - USB flash drive, memory card reader, digital audio player
Note "storage device" doesn't distinguish between a flash drive and a spinning disk. The OS tells the USB device "store these bytes" or "play this sound". The OS has no idea how the hardware actually does that. Firmware within the device knows about the memory chips or whatever hardware is involved.
If you look up which chips devices can use to implement USB, you'll notice all the USB interface chips have flash memory included in the chip. Wonder what that's for? :) That's for storing your hardware driver, within the device.
The other option for implementing a "USB device" is to use an FT232RL USB to serial converter or similar in your device, then build a serial device. In that case the actual USB device is the USB to serial port, which then has a serial device attached.
Malice, negligence or just "shit happens", low-level hardware drivers are a problem. The protection is pretty much the same no matter how the vulnerability got there.
Hardware drivers and the kernel require powerful capabilities - and are responsible for ENFORCING security policy. Since they control security, they can't be controlled by it.
At one point people developed the idea of the microkernel as a theoretical way of reducing the attack surface. In practice, that evolved into virtualization - the hardware drivers being separate from the application software, to the extent of being two separate operating systems. Virtualization gives a good layer of security (though nothing is perfect).
Another good solution is exemplified by USB 2.0, where the hardware driver is stored within the hardware itself, as firmware, and totally separate from the operating system. The OS trusted driver needs only be a generic driver that can talk to that class of hardware via a standard interface protocol.
Thunderbolt goes the opposite way, exposing your PCI-E bus to externally connected devices, giving them the same level of trust as internal parts.
True, Juanita Broaddrick is straight up rape. There's not sufficient evidence to prove it beyond a reasonable doubt, but the evidence suggests he very likely did rape her.
We may be arguing about an intermediate thing, while we could agree on the conclusion. Perhaps I'm even misunderstanding your point, getting hung up on how you get there.
We can agree, I think that the end of the Mueller investigation isn't necessarily the end of potential trouble for people associated with Trump. If that's your point, agreed.
Thanks for the Rosenstein quote.
I may be splitting hairs on something that doesn't much matter. You mentioned "other stuff, like Cohen's financial chicanery and the campaign finance crimes and whatever else were handed off to other authorities." According to Mueller, he investigated that to a certain point, then farmed out the prosecution to other parts of DOJ. So it wouldn't be accurate to say "Mueller wasn't allowed to look at campaign finance", for example.
Btw if that's the case, you might want to educate some Stanford law professors and former federal prosecutors who have been writing about the investigation.
David Alan Sklansky, a former federal prosecutor, is the Stanley Morrison Professor of Law at Stanford Law School. He is also a faculty co-director of the Stanford Criminal Justice Center (SCJC). In his article "Mueller Charges Trump Campaign Officials", Sklansky writes:
"The two men were charged with tax evasion, money laundering, false statements, and conspiracy.... All of these charges stem from the ongoing investigation led by special counsel Robert Mueller".
I don't suppose by chance you get all of your information from CNN? If so, is that intentional, you want to hear a fairy tale, or accidental?
My point was that Clinton tried to deny it. Even after the tapes were played on national television. Over and over, for decades, various women accused him of sexual assault, sexual harassment, and other similar behavior, and Bill always put on that smile and tried to play completely innocent.
Trump doesn't hide that he's - what's the word? A bit of a perv? He and Bill Clinton would get along together well, especially in the company of some Colombian prostitutes. Clinton got busted for lying about it, Trump got some heat for bragging about it.
On a slightly more serious note, #nevertrump is traditional pachyderms.
Trump is the opposite of family values, of slow steady wins the race, making careful, incremental changes, etc. He mobilized a different group of voters, neither red nor blue - including, for example, many members of large unions. Those were traditionally solid Democrat. The largest unions are now officially on record decrying AOC's policy proposals.
You're claiming Mueller didn't investigate Cohen and dig evidence related to the crimes for which he was charged, and hand that evidence over to prosecutors like any investigator does? Mueller would be very surprised to hear that! Mueller would also be guilty of perjury if that were so, since he submitted a sentencing recommendation for Cohen to the court, and in it made statements to the court about him investigating the crimes Cohen was charged with.
What part of "screw the independent bookstores" is unclear?
He put at least $25 million into Udacity - that's where his mouth is.
You're not wrong.
At the same time, people who make dumb decisions might be the perfect audience for certain advertisers. Perfect place for a payday loan ad. (Grumble)
Thanks for getting this back on topic.
From everything you just said it would seem you think call centers don't exist?
That's all this is - a call center, with no minimum wage employees required because it's a recording.
> how many of these calls do you seriously think they could make at once
2,000, per unit.
2,000 simultaneous calls is typical for an autodialer running on commodity PC hardware.
NOW do the math.
Okay, Mr. Kernel, does the driver kbdray handle a Microsoft Natural keyboard? By the way, that driver is newwer than the kernel.
Go ahead and take your time answering, I'll wait.
.
.
.
.
.
.
.
.
.
.
.
.
.
How can a kernel (from last year) figure out what hardware is supported by a driver (which was written last week)? Where is the code that knows which hardware is supported by that driver?
The driver knows which hardware it supports! The kernel figures out which driver goes to which hardware by asking the driver. On Linux, for example, udev does the poll. It actually has two methods for asking drivers what hardware they support. The simplest method is udev can call a function within the driver, passing the type and vendor IDs to the driver. The driver then responds yes or no. The other mechanism is the driver can call driver_register, passing it's device_driver structure which includes a list of which hardware it supports.
I highly recommend before you tell me any more about how we write drivers, you try actually writing one. If you're on Mac, there's one we need. What it needs to do is claim a particular memory segment for itself, then use that memory to - do nothing. That segment has a few bad bits, and should not be used. Very handy on MacBooks with soldered-on RAM.
If you DO decide to write a simple driver as a learning exercise, here's a little tip:
> Each individual driver needs access to and control of one piece of hardware.
Somebody might have TWO audio cards. Or FOUR disks. Maybe even zero SCSI cards. In your code, remember basically everything needs to be a linked list, because you may be handling one, two, twenty, or zero pieces of hardware. Also other drivers may claim the same hardware, so be ready for that.
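The matching idea from the comment above, as an added user-space sketch in C (not code from the post and not the Linux kernel's own API): each driver carries its own table of supported hardware, registered drivers sit on a linked list, and a device may be claimed by zero, one or several candidate drivers. The struct layout, function names and vendor/product IDs are assumptions made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

struct hw_id { uint16_t vendor, product; };   /* one supported-hardware row */

struct driver {                 /* hypothetical driver record */
    const char *name;
    const struct hw_id *ids;    /* table owned by the driver, ends with {0,0} */
    int bound;                  /* devices claimed: may be 0, 1 or many */
    struct driver *next;        /* registered drivers form a linked list */
};

static struct driver *drivers;  /* head of the registration list */

/* Registration hands the core the driver's own list of supported hardware. */
void register_driver(struct driver *d)
{
    d->bound = 0;
    d->next = drivers;
    drivers = d;
}

/* Does this driver's table cover the vendor/product pair? */
int driver_matches(const struct driver *d, uint16_t vendor, uint16_t product)
{
    for (const struct hw_id *id = d->ids; id->vendor || id->product; id++)
        if (id->vendor == vendor && id->product == product)
            return 1;
    return 0;
}

/* Offer a device to every driver; the first match binds it, else NULL. */
struct driver *bind_device(uint16_t vendor, uint16_t product)
{
    for (struct driver *d = drivers; d; d = d->next)
        if (driver_matches(d, vendor, product)) {
            d->bound++;
            return d;
        }
    return NULL;                /* nobody claims it: device stays unbound */
}

/* Constructed sample tables; the IDs are made up for the example. */
static const struct hw_id kbd_ids[] = { {0x1234, 1}, {0x1234, 2}, {0, 0} };
static const struct hw_id snd_ids[] = { {0x5678, 16}, {0x1234, 2}, {0, 0} };
struct driver kbd_drv = { "kbd_example", kbd_ids, 0, NULL };
struct driver snd_drv = { "snd_example", snd_ids, 0, NULL };
```

Because the core only walks tables the drivers supply, a driver written after the core was built is matched with no change to the core itself.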
> Two women doing a space walk together is history. On reflection, wouldn't you agree that it is news for nerds?
How, precisely, are their genitals relevant to the job?
Obviously their genitalia isn't involved in any way.
Beethoven composing his greatest works after he became deaf is interesting because you might think a deaf person couldn't compose great music. Women doing spacewalks is interesting only if you're thinking "even women can do it". It's patronizing sexism, and it's infuriating to me because my four year old daughter picks up on that. She hears that it's special when a woman manages to do something, and understands your implicit reason you think it's special when a woman accomplishes something - because in general women can't accomplish anything. That's the unspoken assumption.
Can a device driver access your hard drive? Yes, that's what the sd and ahci drivers are FOR. If the sd driver couldn't access your block devices, how would anything access them? If the ahci couldn't access your SATA controller, you couldn't use your SATA controller.
Can device drivers access your network card? Pretty tough to use a network card if drivers can't read it, write it, and otherwise control it.
So the hardware drivers must, at minimum, have access to and control of your hardware - and therefore all your data.
Yes if you design a system where (really slow) device drivers run as separate processes, you could use the MMU to limit which *memory* it has access to, but still drivers have control of hardware.
Here I say "hardware drivers" not to be redundant, but because you CAN have a userspace driver which adds certain *functionality* to be accessed *through* a piece of hardware, which in turn has a hardware driver. A classic example is a modem attached to a serial port. At least from the perspective of the kernel, the hardware is the serial port. That hardware must be controlled by a hardware driver which has full control of the hardware. The hardware driver can accept requests from the userland modem driver. I've written drivers like that before. The userland modem driver doesn't need direct control of hardware, it can go through the serial port driver and any security gates we decide to put in.
So you're the guy who fell for it and downloaded the "driver" for the thumb drive you bought?
USB devices present themselves to the OS as one of 21 classes, such as:
01 Audio: Speaker, microphone, sound card, MIDI
02 Communications: Modem, Serial, Ethernet
03 Human interface device (HID): Keyboard, mouse
05 Physical Interface Device (PID): Force feedback joystick
06 Image (PTP/MTP): Webcam, scanner
08 Mass storage (MSC or UMS): USB flash drive, memory card reader, digital audio player
Note "storage device" doesn't distinguish between a flash drive and a spinning disk. The OS tells the USB device "store these bytes" or "play this sound". The OS has no idea how the hardware actually does that. Firmware within the device knows about the memory chips or whatever hardware is involved.
If you look up which chips devices can use to implement USB, you'll notice all the USB interface chips have flash memory included in the chip. Wonder what that's for? :) That's for storing your hardware driver, within the device.
The other option for implementing a "USB device" is to use a ft232rl USB to serial converter or similar in your device, then build a serial device. In that case the actual USB device is the USB to serial port, which then has a serial device attached.
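How a host can read the class a device declares, as an added C example (not code from the post): it walks a configuration descriptor and collects the bInterfaceClass byte of each interface descriptor, rejecting truncated or zero-length entries. The function names and the sample descriptor bytes are constructed for the illustration; the name table covers only the class codes listed above.

```c
#include <stddef.h>
#include <stdint.h>

/* Names for the class codes listed in the post (the USB-IF assigns more). */
const char *usb_class_name(uint8_t cls)
{
    switch (cls) {
    case 0x01: return "Audio";
    case 0x02: return "Communications";
    case 0x03: return "HID";
    case 0x05: return "Physical Interface Device";
    case 0x06: return "Image";
    case 0x08: return "Mass storage";
    default:   return "other";
    }
}

/* Walk a configuration descriptor blob and collect bInterfaceClass from each
 * interface descriptor (bDescriptorType 0x04, class byte at offset 5).
 * Returns the number of interfaces found, or -1 if the blob is malformed. */
int usb_interface_classes(const uint8_t *buf, size_t len, uint8_t *out, size_t max)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 2) return -1;                 /* header cut short */
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2 || blen > len - off) return -1;  /* zero or overlong length */
        if (btype == 0x04) {
            if (blen < 9) return -1;                  /* interface descriptor is 9 bytes */
            if ((size_t)n < max) out[n] = buf[off + 5];
            n++;
        }
        off += blen;
    }
    return n;
}

/* Constructed sample: one configuration, one mass-storage interface, two endpoints. */
const uint8_t sample_cfg[] = {
    9, 0x02, 32, 0, 1, 1, 0, 0x80, 50,        /* configuration, wTotalLength 32 */
    9, 0x04, 0, 0, 2, 0x08, 0x06, 0x50, 0,    /* interface: class 08, SCSI, bulk-only */
    7, 0x05, 0x81, 0x02, 0x00, 0x02, 0,       /* endpoint IN, bulk, 512 bytes */
    7, 0x05, 0x02, 0x02, 0x00, 0x02, 0,       /* endpoint OUT, bulk, 512 bytes */
};
```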
Malice, negligence or just "shit happens", low-level hardware drivers are a problem. The protection is pretty much the same no matter how the vulnerability got there.
Hardware drivers and the kernel require powerful capabilities - and are responsible for ENFORCING security policy. Since they control security, they can't be controlled by it.
At one point people developed the idea of the microkernel as a theoretical way of reducing the attack surface. In practice, that evolved into virtualization - the hardware drivers being separate from the application software, to the extent of being two separate operating systems. Virtualization gives a good layer of security (though nothing is perfect).
Another good solution is exemplified by USB 2.0, where the hardware driver is stored within the hardware itself, as firmware, and totally separate from the operating system. The OS trusted driver needs only be a generic driver that can talk to that class of hardware via a standard interface protocol.
Thunderbolt goes the opposite way, exposing your PCI-E bus to externally connected devices, giving them the same level of trust as internal parts.
True, Juanita Broaddrick is straight up rape.
There's not sufficient evidence to prove it beyond a reasonable doubt, but the evidence suggests he very likely did rape her.
We may be arguing about an intermediate thing, while we could agree on the conclusion. Perhaps I'm even misunderstanding your point, getting hung up on how you get there.
We can agree, I think that the end of the Mueller investigation isn't necessarily the end of potential trouble for people associated with Trump. If that's your point, agreed.
Thanks for the Rosenstein quote.
I may be splitting hairs on something that doesn't much matter. You mentioned "other stuff, like Cohen's financial chicanery and the campaign finance crimes and whatever else were handed off to other authorities." According to Mueller, he investigated that to a certain point, then farmed out the prosecution to other parts of DOJ. So it wouldn't be accurate to say "Mueller wasn't allowed to look at campaign finance", for example.
Btw if that's the case, you might want to educate some Stanford law professors and former federal prosecutors who have been writing about the investigation.
David Alan Sklansky, a former federal prosecutor, is the Stanley Morrison Professor of Law at Stanford Law School. He is also a faculty co-director of the Stanford Criminal Justice Center (SCJC). In his article "Mueller Charges Trump Campaign Officials", Sklansky writes:
"The two men were charged with tax evasion, money laundering, false statements, and conspiracy. ... All of these charges stem from the ongoing investigation led by special counsel Robert Mueller".
I don't suppose by chance you get all of your information from CNN? If so, is that intentional, you want to hear a fairy tale, or accidental?
That's true, Flowers came forward on her own.
My point was that Clinton tried to deny it. Even after the tapes were played on national television. Over and over, for decades, various women accused him of sexual assault, sexual harassment, and other similar behavior, and Bill always put on that smile and tried to play completely innocent.
Trump doesn't hide that he's - what's the word? A bit of a perv? He and Bill Clinton would get along together well, especially in the company of some Colombian prostitutes. Clinton got busted for lying about it, Trump got some heat for bragging about it.
That was funny!
On a slightly more serious note, #nevertrump is traditional pachyderms.
Trump is the opposite of family values, of slow steady wins the race, making careful, incremental changes, etc. He mobilized a different group of voters, neither red nor blue - including, for example, many members of large unions. Those were traditionally solid Democrat. The largest unions are now officially on record decrying AOC's policy proposals.
Yes, he did hand over some evidence to other parts of Justice, bringing the total number of investigators into the hundreds.
Mueller's appointment is only about a dozen sentences, so you can read it for yourself, but I'll point out items ii and iv.
Mueller is authorized to investigate:
"ii. Any matters which arise during the investigation, or may arise"
And to prosecute:
"iv. any federal crime"
Nobody limited Mueller's scope, other than whatever Mueller himself decided to offload to others, at the time Mueller chose to do it.
You're claiming Mueller didn't investigate Cohen and dig evidence related to the crimes for which he was charged, and hand that evidence over to prosecutors like any investigator does? Mueller would be very surprised to hear that! Mueller would also be guilty of perjury if that were so, since he submitted a sentencing recommendation for Cohen to the court, and in it made statements to the court about him investigating the crimes Cohen was charged with.
Here's the government's sentencing recommendation for Cohen. Notice who signed it as the author:
https://www.documentcloud.org/...