Thanks. I didn't know if it was mixed with water after sale in commercial / large applications. You can tell I'm not a farmer.
You mention "the applicators are designed to". I use some stuff that is sprayed and then the droplets harden. I then end up sorting them by size. The spraying process produces mostly droplets in the size range it's designed to, and fewer that are much larger or much smaller. I'm also reminded of the sprayer on the end of my garden hose, which mostly produces a stream of very large drops, and also produces a mist around the sprayer which cools me off on a hot day. I wonder if the sprayer he used was similar - producing MOSTLY drops in the size range it's designed to favor.
Exactly. Apparently this guy was constantly working with 50 pound bags of the stuff every day or whatever. Breathing in the dust all the time, having it on his skin dissolved in sweat all the time, etc. That's very different from the tiny amount of residue a typical person might be exposed to.
Sunlight increases cancer risk (and has health benefits), the human body naturally produces formaldehyde, a carcinogen. All the other things make your exposure and my exposure to Roundup statistical noise, insignificant compared to other things. The plaintiff here had a million times as much exposure as average people do, it seems. That could very well make a difference.
> Oh please define broadband for us, tell us precisely what it means
In telecommunications, there are three major types of transmission:
Baseband: The signal is in a channel. A baseband signal on channel 3 doesn't significantly interfere with one on channel 4. 100 Mbps is a baseband signal.
Passband: The signal is centered on a channel, but spills over. You may know in wifi channel 1 will interfere with channels 2 and 3. You can, however, use channel 1 and channel 3 for separate signals. You just have some interference if the two stations are close together.
Broadband: The signal is distributed across several channels. Cable TV and internet is a good example. A cable TV channel is 8MHz wide (if there is a channel at 54MHz, the next channel is at 62MHz). That means it can carry up to 8MHz gross bandwidth without special tricks like quadrature encoding. In order to get more bandwidth, providers send your internet signal over several TV channels simultaneously. (And use other tricks). If your signal is on channels 100, 101, and 102 there can NOT be another person using channel 102 at exactly the same time. That's the difference between passband and broadband.
In the 1990s, ISDN providers started offering service over three or four channels (broadband) rather than the single-channel (baseband) transmission that was available before. Using four channels, broadband ISDN could provide four times the bandwidth - 256Kbs.
DSL was similar - around the same time it became possible to bond multiple voice channels into a broadband configuration for DSL. The public noticed that the new services were faster, and they were "broadband", whatever the heck that means. Typical consumers started associating the word "broadband" with "fast".
As I mentioned, 100 Mbps Ethernet is baseband (single-channel), not broadband (multi-channel). Fiber optic is typically baseband, not broadband (remember we're talking per-signal). USB3 is baseband, at 640 Mbps. SATA is baseband, at 6Gbs. Broadband does NOT mean "fast". In fact most of the fastest connections you use are baseband, not broadband. It's just that for a few years in the 1990s the fast connections readily available to consumers happened to be broadband at the time. Not knowing what ISDN even stands for, and not knowing what broadband, passband, and baseband are, many consumers associated the term broadband with fast.
It would actually be just as accurate to call any high speed internet "DSL". In the same time period in the 1990s, the fastest connections for checking consumers were DSL, and broadband, and 4 Mbps, and copper. Neither "DSL", nor "4 Mbps", nor "copper", nor "broadband" mean "fast". They all have specific meanings. If you want a term that means "high speed", the correct term is "high speed". :)
ILM (George Lucas), Pixar, and others have been using Gimp for decades. They created a fork specifically for movies called FilmGimp. It was later renamed CinePaint.
There are basically two things you can do with your money after you've bought groceries and paid the water and electric bills, the basic necessities. You can spend the rest, buying things like lattes and Air Jordans, or you can save / invest it. Spending means the money is basically gone, saving means you'll have it when you need it later. You won't be homeless when you get hurt, sick or old.
Most saving is also investing - the money is used to build something, such as a semiconductor fab or a ship, which produces useful things. The saver gets back their money as chips are sold, plus more money. A LOT more, if they save for retirement while they are young. Having things like semiconductor fabs, next-gen battery research labs, etc is good for a country. A country with no investment is a tribal society living in tents.
One very important example of the spend / invest decision is housing. I was renting an apartment, which meant I was spending over $1,000 / month, $12K per year was just going away from my bank account. Now I spend about the same amount to BUY a house, meaning I'll get most of the money back when I sell the house. Over time, I'll be $300,000 better off buying (investing in the house) than I would renting (spending).
(Getting a house three times as expensive as you need can be a bad idea, whether renting or buying - still renting is generally worse.)
Anyway saving and investing is really good, for the individual doing the investing and for the country. As Barack Obama said, "if you want people to do less of something, tax it". A high tax on investment tends to get people to invest less, which is bad for them and bad for the country. That's why most developed countries tax investment at a much lower rate than the US does. They WANT their people to save and invest, because it's good for them individually and good for the country overall.
You may say "that's not fair that people who save up do better than people who spend all their money as soon as they get it!" Waa. Reality is, not every course of action gets the same results. Your choices matter. Doing smart things, like saving, gets better results. That's why those things are called "smart".
Their major security bugs show a simple PROCESS issue, not an architectural issue.
You don't have to completely rewrite the architecture in order to test that NOT entering a password, leaving the password field empty, doesn't log you in. You just have to start testing not only "it does the good thing with good input", but also "it does the negative / error case with bad input".
Their famous "go-to fail" is another example. Their code was basically:
    if certificate is valid {
        trust the certificate
    }
    trust the certificate
That bug would have been prevented by testing their "validate certificate" code with an invalid cert. They probably tested that it correctly trusted a valid certificate, but clearly never tested it with an invalid certificate. That's kind of important for code that's supposed to tell the difference between the two.
Wow that had a lot of typos. Let's try that paragraph again:
In the famous "go-to fail" bug, a TLS certificate was accepted if it was valid - and accepted just the same if it was invalid. They probably tested that it worked - that it trusted a valid cert. But they didn't test that it did not trust an invalid cert.
There is no "architectural redesign" required to start testing the negatives, checking that NOT entering a password does NOT log you in.
> Two recent Apple bugs are perfect examples of this: "goto fail" and "passwordless root." Both are symptoms of either Apple not testing, or more likely, Apple only doing positive testing (this works with the values it's supposed to), but never any negative testing (this fails properly when given bad values).... > Both of those are process problems. Failing to do negative tests is a very common process flaw: it's very easy to write a "positive test" that ensures that a correct value produces a correct result.
Exactly. It is common. They tested that "it works" putting in the correct password gets you access. They totally forgot to test what happens when you DON'T put in the correct password - you still get access anyway.
In the famous "go-to fail" bug, a TLS certificate was accepted of it was valid - and accepted just the same of it was invalid. They probably tested that worked, that it trusted a valid cert. But they didn't test that it did not trust an invoice cert.
There is no "architectural redesign" required to start testing the negatives, checking that NOT entering a password does NOT log you in. It's just a policy change - all Pull Requests need at least two test logs attached - one showing that it does the new / positive thing when it should, one showing it does NOT do it when it shouldn't.
At my own company, on my team, we recently had the same problem. We added some code to handle the eccentricities of a certain CDN (proxy network) whose engineers have obviously never glanced at the RFC for how proxies are supposed to work. Our code was basically:
    if (looks_like_akamai) {
        do_weird_akamai_stuff;
    }
We tested that it did in fact invoke the special behavior for Akamai. We didn't test that it did NOT invoke the special behavior when it's NOT Akamai.
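The positive/negative test pair these comments describe, as an added illustration (not Apple's code and not the commenter's team's code): a simplified model of the "goto fail" control flow next to a corrected version, showing that only the negative test tells them apart. The struct, the check functions and the test helper are hypothetical names made up for this example.

```c
#include <stdio.h>

/* Constructed stand-in for a certificate: only what the checks look at. */
struct cert { const char *subject; int signature_ok; };

/* Hypothetical checks; 0 means success, nonzero is an error code. */
static int check_subject(const struct cert *c)
{
    return (c->subject && c->subject[0]) ? 0 : -1;
}

static int check_signature(const struct cert *c)
{
    return c->signature_ok ? 0 : -2;
}

/* Simplified model of the bug: a stray second "goto fail" jumps to the
 * exit while err is still 0, so the signature check never runs. */
static int verify_buggy(const struct cert *c)
{
    int err;
    if ((err = check_subject(c)) != 0)
        goto fail;
    goto fail;   /* the stray duplicate: not guarded by the if, always taken */
    if ((err = check_signature(c)) != 0)   /* never reached */
        goto fail;
fail:
    return err;  /* 0 => certificate trusted */
}

/* Corrected version: every check runs before the result is returned. */
static int verify_fixed(const struct cert *c)
{
    int err;
    if ((err = check_subject(c)) != 0)
        goto fail;
    if ((err = check_signature(c)) != 0)
        goto fail;
fail:
    return err;
}

typedef int (*verify_fn)(const struct cert *);

/* Returns 1 if the verifier trusts a constructed cert with the given
 * signature state, 0 if it rejects it. */
static int trusts(verify_fn verify, int signature_ok)
{
    const struct cert c = { "example.test", signature_ok };
    return verify(&c) == 0;
}

/* Runs the positive test, and optionally the negative one.
 * Returns the number of failed expectations. */
static int run_tests(verify_fn verify, int include_negative)
{
    int failures = 0;
    if (!trusts(verify, 1))                     /* positive: valid cert is trusted */
        failures++;
    if (include_negative && trusts(verify, 0))  /* negative: bad cert is rejected */
        failures++;
    return failures;
}

int main(void)
{
    printf("buggy, positive test only : %d failure(s)\n", run_tests(verify_buggy, 0));
    printf("buggy, with negative test : %d failure(s)\n", run_tests(verify_buggy, 1));
    printf("fixed, with negative test : %d failure(s)\n", run_tests(verify_fixed, 1));
    return 0;
}
```

The same shape applies to the `looks_like_akamai` case: one test where the condition holds and the special behavior must run, one where it does not hold and the special behavior must not run.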
> Tesla has had a much longer time with cars in production to think about this
What?!? Tesla is just now this year and last starting to mass produce cars, at the rate of about 100,000/year. That's the same rate of production that Ford had in 1913, when they produced 100,000 of the model A.
Mercedes and Freightliner have had various types of "autopilot" (driver assist) since 2000-2002, about the time Elon Musk was hired (and quickly fired) by PayPal.
Tesla is a new company, and a small company, led by someone with big dreams. Who has "a longer time to think about this" is very much to Tesla's disadvantage, since other companies had working systems on the road in production vehicles before Tesla even started thinking about trying to develop something.
The problem with the CEO's big dreams is he can't pick one - Tesla, SpaceX, the Hyperloop, Solar City, the Boring company - what does Elon Musk want to do when he grows up? He can't decide.
Well, they have logged over 5 million miles of fully autonomous driving on public roads. Oh wait, that's Waymo.
> the vast quantity of sensor data Tesla has around to process and try new systems against.
You're kidding about that last part, right? BMW, and several other auto companies, get more sensor data in a week than Tesla does in a year, simply because they've produced and sold millions of vehicles with driver assist. Tesla does have a few advantages, such as a very charismatic CEO. Their huge weakness is when you talk about a "vast quantity" of - anything. Just using BMW as one example, millions of BMW cars are on the road with systems including Active Lane Keeping Assistant, Frontal Collision Warning with City Collision Mitigation, and Active Cruise Control with Stop & Go. Being a small, boutique player has its advantages, but the only thing vast about Tesla is its CEO's imagination and ego.
Toyota has hundreds of security engineers and produces about 9 million cars per year. That's about 11% of total auto production.
Tesla produces about 100,000 vehicles, or 1% of what Toyota produces. It's going to be tough for a tiny boutique operation to even *influence* the standards used by the auto industry, much less *set* the standards. It's like me and my company trying to set the standard for HTTP authentication. Our comments were read by some of the significant players who have some actual say in what standards are adopted, but organizations such as Netscape, Microsoft, and Apache designed and selected the standards.
A more realistic goal for Tesla might be to have a voice so that standards adopted by the industry don't completely screw them. Since Tesla is 0.11% of the auto industry, statistical noise, the industry as a whole doesn't care what they do. VW, which produces a hundred times as many vehicles, actually affects the industry.
The current network based variant has an important limitation in regard to exfiltration rate. Based on past vulnerabilities and exploits, we can guesstimate that new developments might make it roughly 10X faster. That makes it even more interesting to use against chosen HTTPS sites to retrieve the private key.
The JavaScript based ones aren't currently the easiest way to build a botnet, but deploying such JavaScript on a site frequented by Lockheed Martin employees, or bank employees, could be really interesting.
Here's the code for the driver used with Intel network gigabit network cards. Hardly anyone ever uses that, right? Only people with Intel motherboards or Intel network cards, and other companies' network cards that use the Intel chip.
https://github.com/torvalds/li...
I see a couple hundred if statements in there. Maybe 20% of those will serve as a gadget. I bet you can find three or four bounds checks. In my other reply I showed you how to use a bounds check as a Spectre gadget.
Here are a couple of examples of Spectre gadgets. Suppose we have this code making sure the input doesn't try to access beyond the end of an array:
    if (x < array1_size)
        y = array2[array1[x] * 4096];
Or maybe this code you might find in a firewall such as iptables. It checks to make sure the protocol of the packet is either TCP, udp, icmp, or another valid protocol:
    if (packet.ethertype <= maxtype) {
        CurrentProt = EtherTypes[packet.ethertype];
    }
Can you spot the problem?
99.99999% of the time, a received packet will have a valid protocol type. The CPU "learns" that the condition is almost always true, so will speculatively set the value of CurrentProt, then undo that if the condition ends up being false. Suppose there are 100 valid protocols the code handles. The attacker sends a frame with the EtherType (protocol) set to 40,101. The CPU speculatively loads whatever data is 40,001 bytes past the EtherTypes variable. The attacker has loaded the contents of whatever memory address they choose.
How frequently do you see a gadget such as bounds checks? Well, almost ALL well-written code will include these patterns, and therefore be vulnerable.
Here's something that will annoy the heck out of a few people here - ALL code written in Rust which uses an array is guaranteed to have bounds checks, and therefore be vulnerable.
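For the defensive side of the bounds-check pattern in this comment, an added example (not from the comment, and not taken from any driver): the EtherTypes lookup in its plain checked form beside a hardened form that clamps the index with a branchless mask, the idea behind the Linux kernel's array_index_nospec(). The table contents, its size and the function names are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_TYPES 100u   /* constructed: 100 valid protocol slots, 0..99 */

static const size_t maxtype = NUM_TYPES - 1;
static uint8_t EtherTypes[NUM_TYPES];   /* constructed stand-in table */

/* Fill the table with nonzero values so 0 can mean "rejected".
 * Returns the number of entries written. */
static size_t init_table(void)
{
    size_t i;
    for (i = 0; i < NUM_TYPES; i++)
        EtherTypes[i] = (uint8_t)(i + 1);
    return i;
}

/* The pattern from the comment: architecturally correct, but the load can
 * execute speculatively with an out-of-range index before the comparison
 * resolves. */
static uint8_t lookup_checked(size_t ethertype)
{
    if (ethertype <= maxtype)
        return EtherTypes[ethertype];
    return 0;
}

/* All ones when index < size, zero otherwise, computed with arithmetic
 * instead of a branch. Assumes size is at most half the range of size_t.
 * If index >= size, either index or (size - 1 - index) has its top bit
 * set; inverting and shifting turns that into 0, otherwise into 1. */
static size_t index_mask(size_t index, size_t size)
{
    const unsigned top = (unsigned)(sizeof(size_t) * CHAR_BIT - 1);
    size_t in_bounds = (~(index | (size - 1 - index))) >> top;   /* 1 or 0 */
    return (size_t)0 - in_bounds;
}

/* Hardened form: the index is ANDed with the mask after the check. The
 * mask is a data dependency of the load, so even a mispredicted branch
 * can only read EtherTypes[0], never memory past the table.
 * Note: production code (the kernel, for instance) uses per-architecture
 * assembly for the mask so the compiler cannot turn it back into a
 * branch; plain C as written here illustrates the logic only. */
static uint8_t lookup_hardened(size_t ethertype)
{
    if (ethertype <= maxtype) {
        ethertype &= index_mask(ethertype, NUM_TYPES);
        return EtherTypes[ethertype];
    }
    return 0;
}

int main(void)
{
    init_table();
    printf("in range  : checked=%u hardened=%u\n",
           (unsigned)lookup_checked(6), (unsigned)lookup_hardened(6));
    printf("40101     : checked=%u hardened=%u\n",
           (unsigned)lookup_checked(40101), (unsigned)lookup_hardened(40101));
    printf("clamped index for 40101: %zu\n",
           (size_t)40101 & index_mask(40101, NUM_TYPES));
    return 0;
}
```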
> These are the same spanners that will drop rubbish a meter from a bin, throw a bottle out of the car window, spit gum out onto a footpath
I've seen that too. I've called people out on it. For smokers, I've pointed out that making a mess is a great way to get management to make the whole place non-smoking.
ALSO I've looked for trash cans and ash trays in places one would definitely expect them to be, and found none. Entrances to malls and other places that people spend over an hour, but they can't smoke inside, are places that people will smoke. Many people (such as yourself) will put the butt in the can, if there is a can available. Butts smell really bad for a couple hours, so carrying it around with you inside isn't a great option. Even throwing away inside will make the indoor area around an uncovered trash can stink for a while.
So it's a good idea to have a butt can / ashtray near entrances to places people can't smoke inside and they'll be there for a couple hours. Not everyone will use the butt can, just like not everyone will throw their empty cup in a trash can, but many people will.
The term "gadget", in this context, means vulnerable code, preferably OS code, and especially kernel code. That's pre-existing code, part of the OS, that's vulnerable.
For Netspectre, an interesting gadget is a network card driver that is vulnerable.
Gadget does NOT mean malware.
> As AC states, nobody cares HOW the data gets sent and arrives, only that it gets between point A and point B with the correct data at the other end.
Those who are responsible for making that happen care. The customers (you) care that it happens correctly. You even care about how much jitter there is on your VoIP flow, and how much latency there is on your games, and the packet loss rate on other applications. You all care about that even if you don't know what the words mean (and you don't care about jitter or latency on your Netflix stream).
> "did my data get to its destination at 100Mbps?" And that's all technological laymen like Nancy Pelosi care about.
People who are semi-literate in the most basic facts about networking think they know that the measurement of connection quality is bandwidth. They don't think about latency, jitter, or packet loss, so they are only considering 25% of the quality measurements - and thinking they know what they are talking about. In fact, bandwidth is the LEAST important measurement for real-time connections like VoIP, ssh, or even Google Docs and Slashdot.
Unfortunately, politicians like Nancy and bureaucratic politicians like Wheeler write the rules about how we have to route and queue traffic, without knowing what a queue IS. It's quite a mess.
Worse, people who read just the first four pages of Networks for Dummies lobby them to enact EXTREMELY stupid, stupid rules like "you have to treat every packet the same (as if it's 1974 and we're still using hubs as the main piece of network gear)".
I thought the same thing, more or less, based on my understanding of basically how the low-level attack works. As it turns out, I was wrong. They have figured out how to use a "no big deal" issue to build an important and powerful attack around it. I got lost in the details and "couldn't see the forest for the trees", so to speak.
Others have pointed out "maleware running" could be JavaScript. Not even that is necessary, though - even sending specially crafted TCP packets to the target can do the trick! Google Netspectre for details.
It's NOT just "hope something useful is in the cache" as I'd thought. The attacker can read chosen memory addresses, in some cases before ASR is applied.
This is a much bigger issue than I thought, and bigger than you thought, because of what people have been able to build on top of the essential vulnerability.
I read it a couple of times and still saw trained cows. When I got to the mention of "birds" I backed to see if they said it was bovines and avians.
Of course, I just woke up from a nap so my eyes and brain are foggy.
> Insecticide sprayers use very high pressure and tiny nozzles, because they need the mist to reach the underside of the leaves, where bugs are more likely to be.
Interesting. Makes sense. I read that the mosquitoes are probably hanging out on the bottom of the leaves in my hedges, but I wasn't sure how to get a good spray there. A high-pressure mist makes sense.
Right, fiber standards include 100Base-FX and 1000Base-SX.
Those are 100Mbps Baseband over multimode fiber and 100bps Baseband over single mode fiber.
The "base" in the name 100Base-FX tells you it's Baseband, not broadband.
WiFi is passband - the signal spills over onto other channels.
192 Kbps ISDN is broadband - it uses three 64Kbs channels in parallel.
The Ethernet standards are called 10BaseT, 100BaseT, etc because it is baseband signaling at those speeds. 100 Mbps Baseband over Twisted pair: 100BaseT.
100Base-SX is 100Mbps Baseband over Multimode fiber.
1000BASE-SX is 1000Mbps Baseband over Multimode.
It's not called 100BroadT, because it's not a broadband signal; it's a baseband signal. That's why it's called 100BASE-whatever.
> meaning of words changes over time.
The ignorance of politicians or bureaucrats doesn't change the fact that you can't plug an NBase-x device into any kind of broadband device and expect it to work.
You CAN plug a 10Base-T device into a 100Base-T device and they can communicate. They use the same plugs and the same signaling.
Baseband and broadband use different kinds of plugs because they are completely incompatible AND THAT HAS NOT CHANGED. Try plugging your Docsis coax into a 100Base-T port and see. It still doesn't work, and never will - whether or not Nancy Pelosi understands that.
Broadband vs baseband doesn't have anything to do with the width of the channel. Baseband, such as 10BaseT and 100BaseT, sends one symbol at a time over one channel. Broadband sends multiple symbols over multiple channels, simultaneously.
It's like a four-lane road with four cars traveling alongside each other vs a single-lane road, cars in single file. One lane doesn't become four by making it wider.
You may be familiar with the difference between serial communication and parallel. Serial has one wire and sends one symbol (typically one bit) at a time down the wire. Parallel typically has 8 wires, each simultaneously carrying a bit, so an entire byte is flowing simultaneously across the 8 separate wires. Broadband uses multiple SEPARATE channels to send multiple symbols (bits) simultaneously, in parallel.
Maybe in your mind when you see advertising broadband means "fast", whatever "fast" means to you today. (Recall the actual broadband consumer connections that started the marketing were 192Kbps and 256Kbps).
For people who actually work with the connections, it's very much like a serial port vs a parallel port. In the 1980s you may have learned that "the parallel port is the fast one", but it won't work to connect a parallel printer to an RS-485 serial port. My RS-485 port is as fast as a Centronics parallel port, but it's the wrong kind of signal.
Serial means it sends the bits one at a time over one wire. Parallel means it sends the signal over several wires at once, as many bits at a time as there are wires. Broadband similarly sends several bits at a time, over several channels on the same wire. It won't work to plug a broadband device into a baseband port, any more than it'll work to plug a serial device into a parallel port. That's true even if you think that parallel means fast.
Thanks. I didn't know if it was mixed with water after sale in commercial / large applications. You can tell I'm not a farmer.
You mention "the applicators are designed to". I use some stuff that is sprayed and then the droplets harden. I then end up sorting them by size. The spraying process produces mostly droplets in the size range it's designed to, and fewer that are much larger or much smaller. I'm also reminded of the sprayer on the end of my garden hose, which mostly produces a stream of very large drops, and also produces a mist around the sprayer which cools me off on a hot day. I wonder if the sprayer he used was similar - producing MOSTLY drops in the size range it's designed to favor.
Exactly. Apparently this guy was constantly working with 50 pound bags of the stuff every day or whatever. Breathing in the dust all the time, having it on his skin dissolved in sweat all the time, etc. That's very different from the tiny amount of residue a typical person might be exposed to.
Sunlight increases cancer risk (and has health benefits); the human body naturally produces formaldehyde, a carcinogen. All the other things make your exposure and my exposure to Roundup statistical noise, insignificant compared to other things. The plaintiff here had a million times as much exposure as average people do, it seems. That could very well make a difference.
> Oh please define broadband for us, tell us precisely what it means
In telecommunications, there are three major types of transmission:
Baseband: The signal is in a channel. A baseband signal on channel 3 doesn't significantly interfere with one on channel 4. 100 Mbps is a baseband signal.
Passband: The signal is centered on a channel, but spills over. You may know in wifi channel 1 will interfere with channels 2 and 3. You can, however, use channel 1 and channel 3 for separate signals. You just have some interference if the two stations are close together.
Broadband: The signal is distributed across several channels. Cable TV and internet is a good example. A cable TV channel is 8MHz wide (if there is a channel at 54MHz, the next channel is at 62MHz). That means it can carry up to 8MHz gross bandwidth without special tricks like quadrature encoding. In order to get more bandwidth, providers send your internet signal over several TV channels simultaneously. (And use other tricks). If your signal is on channels 100, 101, and 102 there can NOT be another person using channel 102 at exactly the same time. That's the difference between passband and broadband.
In the 1990s, ISDN providers started offering service over three or four channels (broadband) rather than the single-channel (baseband) transmission that was available before. Using four channels, broadband ISDN could provide four times the bandwidth - 256Kbs.
DSL was similar - around the same time it became possible to bond multiple voice channels into a broadband configuration for DSL. The public noticed that the new services were faster, and they were "broadband", whatever the heck that means. Typical consumers started associating the word "broadband" with "fast".
As I mentioned, 100 Mbps Ethernet is baseband (single-channel), not broadband (multi-channel). Fiber optic is typically baseband, not broadband (remember we're talking per-signal). USB3 is baseband, at 640 Mbps. SATA is baseband, at 6Gbs. Broadband does NOT mean "fast". In fact most of the fastest connections you use are baseband, not broadband. It's just that for a few years in the 1990s the fast connections readily available to consumers happened to be broadband at the time. Not knowing what ISDN even stands for, and not knowing what broadband, passband, and baseband are, many consumers associated the term broadband with fast.
It would actually be just as accurate to call any high speed internet "DSL". In the same time period in the 1990s, the fastest connections for checking consumers were DSL, and broadband, and 4 Mbps, and copper. Neither "DSL", nor "4 Mbps", nor "copper", nor "broadband" mean "fast". They all have specific meanings. If you want a term that means "high speed", the correct term is "high speed". :)
ILM (George Lucas), Pixar, and others have been using Gimp for decades. They created a fork specifically for movies called FilmGimp. It was later renamed CinePaint.
There are basically two things you can do with your money after you've bought groceries and paid the water and electric bills, the basic necessities. You can spend the rest, buying things like lattes and Air Jordans, or you can save / invest it. Spending means the money is basically gone, saving means you'll have it when you need it later. You won't be homeless when you get hurt, sick or old.
Most saving is also investing - the money is used to build something, such as a semiconductor fab or a ship, which produces useful things. The saver gets back their money as chips are sold, plus more money. A LOT more, if they save for retirement while they are young. Having things like semiconductor fabs, next-gen battery research labs, etc is good for a country. A country with no investment is a tribal society living in tents.
One very important example of the spend / invest decision is housing. I was renting an apartment, which meant I was spending over $1,000 / month, $12K per year was just going away from my bank account. Now I spend about the same amount to BUY a house, meaning I'll get most of the money back when I sell the house. Over time, I'll be $300,000 better off buying (investing in the house) than I would renting (spending).
(Getting a house three times as expensive as you need can be a bad idea, whether renting or buying - still renting is generally worse.)
Anyway saving and investing is really good, for the individual doing the investing and for the country. As Barack Obama said, "if you want people to do less of something, tax it". A high tax on investment tends to get people to invest less, which is bad for them and bad for the country. That's why most developed countries tax investment at a much lower rate than the US does. They WANT their people to save and invest, because it's good for them individually and good for the country overall.
You may say "that's not fair that people who save up do better than people who spend all their money as soon as they get it!" Waa. Reality is, not every course of action gets the same results. Your choices matter. Doing smart things, like saving, gets better results. That's why those things are called "smart".
> A boat is a small to medium size vessel that stops being a boat and becomes a ship
A boat becomes a ship, like a puppy becomes a dog and a kitten becomes a cat? That's really cool; I didn't know that.
Their major security bugs show a simple PROCESS issue, not an architectural issue.
You don't have to completely rewrite the architecture in order to test that NOT entering a password, leaving the password field empty, doesn't log you in. You just have to start testing not only "it does the good thing with good input", but also "it does the negative / error case with bad input".
Their famous "go-to fail" is another example. Their code was basically:
    if certificate is valid {
        trust the certificate
    }
    trust the certificate
That bug would have been prevented by testing their "validate certificate" code with an invalid cert. They probably tested that it correctly trusted a valid certificate, but clearly never tested it with an invalid certificate. That's kind of important for code that's supposed to tell the difference between the two.
See also this post and its parent:
https://slashdot.org/comments....
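The bug shape sketched in the comment above, run against a positive-only test and then against negative tests, as an added example that is not part of the original comment and is not Apple's code. The `cert` struct, the function names, the fixed clock and the test cases are all constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a certificate; fields are hypothetical. */
struct cert {
    const char *host;   /* name the certificate was issued for */
    long not_after;     /* expiry, seconds since epoch */
    int sig_ok;         /* 1 if the issuer signature verified */
};

#define NOW 1700000000L /* fixed clock so the example is deterministic */

static int cert_is_valid(const struct cert *c, const char *want_host) {
    return c->sig_ok && c->not_after > NOW && strcmp(c->host, want_host) == 0;
}

/* Shape described in the comment: trust inside the check, and again after it. */
int trust_buggy(const struct cert *c, const char *host) {
    int trusted = 0;
    if (cert_is_valid(c, host)) {
        trusted = 1;
    }
    trusted = 1;        /* stray statement: runs for invalid certs too */
    return trusted;
}

int trust_fixed(const struct cert *c, const char *host) {
    return cert_is_valid(c, host);
}

struct test_case { struct cert c; int expect; };

/* Constructed cases: the first is the positive test, the rest are negative. */
static const struct test_case CASES[] = {
    { { "example.test", NOW + 3600, 1 }, 1 },  /* valid */
    { { "example.test", NOW + 3600, 0 }, 0 },  /* bad signature */
    { { "example.test", NOW - 1,    1 }, 0 },  /* expired */
    { { "other.test",   NOW + 3600, 1 }, 0 },  /* wrong host */
};

typedef int (*trust_fn)(const struct cert *, const char *);

/* Run the first n cases against fn; return how many gave the wrong answer. */
int count_failures(trust_fn fn, size_t n) {
    int failures = 0;
    for (size_t i = 0; i < n; i++)
        if (fn(&CASES[i].c, "example.test") != CASES[i].expect)
            failures++;
    return failures;
}
```

With only the first case, `trust_buggy` reports zero failures; the three negative cases are what expose it.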
Wow that had a lot of typos. Let's try that paragraph again:
In the famous "go-to fail" bug, a TLS certificate was accepted if it was valid - and accepted just the same if it was invalid. They probably tested that it worked - that it trusted a valid cert. But they didn't test that it did not trust an invalid cert.
There is no "architectural redesign" required to start testing the negatives, checking that NOT entering a password does NOT log you in.
> Two recent Apple bugs are perfect examples of this: "goto fail" and "passwordless root." Both are symptoms of either Apple not testing, or more likely, Apple only doing positive testing (this works with the values it's supposed to), but never any negative testing (this fails properly when given bad values). ...
> Both of those are process problems. Failing to do negative tests is a very common process flaw: it's very easy to write a "positive test" that ensures that a correct value produces a correct result.
Exactly. It is common. They tested that "it works": putting in the correct password gets you access. They totally forgot to test what happens when you DON'T put in the correct password - you still get access anyway.
In the famous "go-to fail" bug, a TLS certificate was accepted if it was valid - and accepted just the same if it was invalid. They probably tested that it worked, that it trusted a valid cert. But they didn't test that it did not trust an invalid cert.
There is no "architectural redesign" required to start testing the negatives, checking that NOT entering a password does NOT log you in. It's just a policy change - all Pull Requests need at least two test logs attached - one showing that it does the new / positive thing when it should, one showing it does NOT do it when it shouldn't.
At my own company, on my team, we recently had the same problem. We added some code to handle the eccentricities of a certain CDN (proxy network) whose engineers have obviously never glanced at the RFC for how proxies are supposed to work. Our code was basically:
    if (looks_like_akamai) {
        do_weird_akamai_stuff;
    }
We tested that it did in fact invoke the special behavior for Akamai. We didn't test that it did NOT invoke the special behavior when it's NOT Akamai.