I read their paper instead.
Experiments were performed on multiple x86 processor architectures, including Intel Ivy Bridge (i7-3630QM), Intel Haswell (i7-4650U), Intel Skylake (unspecified Xeon on Google Cloud), and AMD Ryzen. The Spectre vulnerability was observed on all of these CPUs.
Guess again. Spectre paper confirms that any webpage can read browser process memory from JavaScript. On AMD CPUs too.
That article describes a completely different and well-documented issue of high-pressure fire suppression systems destroying hard disks due to a massive pressure spike when the gas is released. Modern data center fire suppression systems are designed to ramp up the gas pressure more slowly, to prevent this issue, and given the size of these systems, it's not really an attack you can take on the road with you, unlike the research described in TFA, which looks like it can be performed with little more than a phone and perhaps a Bluetooth speaker... but which also does not cause permanent damage to the harddrive.
https://godbolt.org/g/bTeB37
Merry Christmas.
You do realize that you're linking to someone's blog, not an established news source? And that the author literally cites scientists that "poisoning from scavenging carcasses tainted by lead ammunition is likely responsible for many of the [bird] deaths", before wondering why "nobody" is concerned about windmills.
Well, here's the reason: As has been established repeatedly, the number of birds killed by windmills (on the order of half a million a year in the entire US) is completely dwarfed by, say, the number of birds killed by windows (on the order of one billion), not to mention cars and cats.
That's not to say that people are not concerned with birds killed by wind mills, too. (And bats, porpoises and other animals.) The problem is fortunately entirely manageable by choosing appropriate locations for wind farms and other precautions. In particular, the construction (like all big construction) is a much bigger environmental issue than the actual operation of the windmills. E.g. here's Siemens Wind Power describing a solution to minimize noise pollution for endangered porpoise populations and other marine life during construction of off-shore wind farms.
(Then there's that other growing threat to birds: Climate change. Which is why the Massachusetts Audubon Society supported the Cape Wind project.)
If the app was communicating with the site, why require the user to enter anything at all? Just have them click a confirm button on the device. (This, incidentally, is how Google's 2FA works on some newer Android phones.)
A major design criterion for TOTP is that code generation is an entirely offline process. Your phone can be completely offline, and it can still produce codes for you.
SMS is, contrary to TFA's claims, no longer considered safe, as hijacking of phone numbers is feasible for a skilled and determined attacker. No state actors required.
(SMS is also an unreliable protocol, and if you allow users to fallback to offline TOTP if SMS service is flaky, an attacker can just do the same, so any security benefit of SMS is void.)
To this day, most movies are only mastered in 2K, meaning that with "4K" you'll just be paying for digitally upscaled video without any added detail.
E.g. look at the IMDb box-office top 10 (as a proxy for new, popular movies), then check the Technical Specs for each movie. For the vast majority of movies, you'll see:
Cinematographic Process Digital Intermediate (2K) (master format)
Only two movies on the current top 10 were mastered in 4K: The Hitman's Bodyguard and Logan Lucky. Even Spider-Man: Homecoming, which Apple used when announcing the 4K movie initiative, is only mastered in 2K! This is ridiculous.
Sure, with the 4K movies you'll probably also get higher bandwidth, which directly translates to higher quality... but that property is completely separate from resolution, and upscaling to 4K will actually give slightly worse fidelity than if the same bandwidth was used to compress the original 2K video.
you can program storage leaks in Ada through the normal mechanisms. It's not 100% foolproof. Some competence by the developer is required.
People say the same thing about C++. (Just remember to use RAII, smart pointers, etc.)
Ada is a safeR language than C, sure. But Rust is, plainly, a memory safe language. There's no comparison.
Nobody designs software to have race conditions. The software was just plain buggy already on those earlier models, and only the redundant hardware safety mechanism stopped people from being killed.
Nope, that's not an excuse.
The earlier models had two, redundant, safety mechanisms in place to prevent killing patients, one in software and one in hardware. Yes, it was an unforgivable management decision to deliberately compromise that redundancy by removing the hardware safety mechanism in Therac-25, but that does not excuse the bug in the software safety mechanism.
The software was responsible (not solely responsible, before Therac-25, but still responsible) for preventing fatal radiation doses, and it did not do its job.
Horrible summary... Punycode is an encoding, not a vulnerability. The vulnerability is a variant of the well-known homograph attack.
The original source explains it better: https://www.xudongz.com/blog/2...
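The distinction drawn above (Punycode is only an encoding; the problem is lookalike characters), as an added example that is not from the comment or the linked post: the U-label to A-label conversion via Python's idna codec, beside a simplified display policy of the kind browsers adopted, which reveals the xn-- form when a label mixes scripts or consists entirely of Cyrillic letters that resemble Latin ones. The lookalike table and the "аррӏе.com" sample are constructed for the example; browsers use the full Unicode confusables data.

```python
import unicodedata

# Constructed subset of Cyrillic lowercase letters that render near-identically
# to Latin letters in common fonts (Cyrillic -> the Latin letter it resembles).
CYRILLIC_LOOKALIKES = {
    "а": "a", "с": "c", "е": "e", "о": "o", "р": "p", "х": "x", "у": "y",
    "ѕ": "s", "і": "i", "ј": "j", "ԁ": "d", "һ": "h", "ӏ": "l", "ԛ": "q", "ԝ": "w",
}


def to_ascii(hostname: str) -> str:
    """Punycode is just an encoding: Unicode label -> 'xn--' A-label.
    Nothing is validated here; that is the point the comment makes."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Heuristic script lookup from the character name, e.g. 'CYRILLIC SMALL
    LETTER A' -> 'CYRILLIC'. Good enough for letters in this example."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_is_suspicious(label: str) -> bool:
    """Assumed display policy: a non-ASCII label is suspicious if it mixes
    scripts, or if every letter is a Cyrillic lookalike of a Latin letter
    (the whole-script confusable case the linked post demonstrates)."""
    if label.isascii():
        return False
    letters = [c for c in label if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    whole_script_confusable = bool(letters) and all(
        c in CYRILLIC_LOOKALIKES for c in letters)
    return len(scripts) > 1 or whole_script_confusable


def display_form(hostname: str) -> str:
    """What a defender-side UI would show: the raw Unicode for ordinary IDNs
    such as bücher.de, the encoded form for lookalike labels."""
    return ".".join(
        to_ascii(label) if label_is_suspicious(label) else label
        for label in hostname.split("."))


if __name__ == "__main__":
    sample = "аррӏе.com"  # constructed: all-Cyrillic lookalike of a Latin word
    print(to_ascii(sample), display_form(sample), display_form("bücher.de"))
```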
I may be wrong, but isn't it that systemd also depends on things like dbus?
Systemd uses the D-Bus protocol for communication (e.g. between the systemctl client and the PID 1 daemon), but a minimal systemd install does not require the D-Bus daemon. That said, you'll be hard pressed to find a Linux desktop system or server without the D-Bus daemon (no matter what init system is in use), but it'd certainly be possible to build an embedded Linux system with systemd init, and no D-Bus daemon.
Even though it might be possible to run systemd in a sane way, distributions now package it with all sorts of crap.
Really? Ubuntu now ships with systemd service management and the journal (and, yes, udev and the D-Bus daemon, though those have been included for a decade or so). AFAIK, Ubuntu also uses systemd-logind (though it used that even before it switched to systemd init), and doesn't use systemd-networkd (but sticks to NetworkManager), nor does it use systemd's DHCP or NTP services.
The scalper is providing a ticket to someone who otherwise would have been unable to obtain a ticket he desires
Huh? Without the scalper, that someone could have bought the ticket directly from the supplier, at a lower price.
Anyway, I'm not sure what's described in the story qualifies as scalping... The Pixel is not in limited supply (at least not for people with a little patience), and it's not clear at all that the prices were marked up – instead, the resellers seem to have undercut Google's prices by exploiting a tax loophole.
Google's ban on commercial resale is of course absurd, and I honestly thought that US law had firmly established (e.g. through the first sale doctrine) that (barring the occasional anti-scalping laws mentioned elsewhere) once you sell a physical good to someone, they can do whatever the hell they want with it, including reselling it. (But then, US law has also repeatedly established that you can void just about any legal right simply by clicking "I agree" beneath an impenetrable EULA, so maybe Google is in the clear...)
How is "scalping" self-evidently wrong? If I own a ticket to a concert or sports event, why is it "wrong" for me to sell it at a market price?
Because you're abusing a market failure, and in fact helping to create it in the first place. You're inserting yourself in the distribution chain, but not adding anything of value.
Indeed. The attacker is running the app, and thus controls the list of trusted CA roots.
The bug is in the third-party backend, which trusts the app to do authentication.
You can be the victim of this attack even if you don't own a smart phone. The attacker uses an app to attack the service... and the attack still works, even if the victim only uses the desktop version of the vulnerable service.
Almost everyone turned to oauth as the bastion of mobile security. You want a list of almost every mobile app that connects to a server?
This is not a protocol bug, but a common implementation bug in mobile apps relying on OAuth for authentication. So no, not "almost every mobile app that connects to a server" will be vulnerable... only all the poorly coded ones.
The problem is that the third-party app goes through OAuth, and the third-party backend server then trusts the app when the app says "yup, I checked with Google/Facebook/whatever, and this is user so-and-so", even though the app is running in an untrusted context. There are various ways of solving this using OAuth, and OpenID Connect even adds the JWT mechanism, which is designed for this use case... but apparently many apps don't take advantage of this.
The same problem can easily happen on the desktop, if the third-party server trusts client-side JavaScript to do the OAuth process... and at least Google's developer docs specifically warn against that attack.
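The backend-side bug described above, as an added example that is not code from the comment, from any real app, or from any identity provider: a login handler that believes the identity the client claims, beside one that verifies the OpenID Connect ID token (signature, issuer, audience, expiry) itself. The issuer, client id and signing key are constructed; HS256 with a shared key stands in for the RSA/EC signatures real providers publish via JWKS so that the example runs offline, and the verification steps are the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-ins for the identity provider and for our own client id.
IDP_SIGNING_KEY = b"constructed-example-key"
IDP_ISSUER = "https://idp.example"
OUR_CLIENT_ID = "our-backend-client-id"   # the aud value our backend expects


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_id_token(subject: str, audience: str, now: int) -> str:
    """Simulated IdP: mints a signed ID token after the user really logged in.
    `aud` binds the token to one relying party; `exp` bounds its lifetime."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + 300}
    signing_input = f"{_b64url(json.dumps(header).encode())}." \
                    f"{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def vulnerable_login(request: dict) -> Optional[str]:
    """The bug in the thread: the backend logs in whoever the app says it
    checked. The app runs on the attacker's device, so `user_id` is attacker
    input and any account can be impersonated."""
    return request.get("user_id")


def hardened_login(request: dict, now: int) -> Optional[str]:
    """The backend verifies the ID token itself instead of trusting the client.
    Returns the verified subject, or None on any failure."""
    token = request.get("id_token")
    if not isinstance(token, str) or token.count(".") != 2:
        return None
    h, p, s = token.split(".")
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # never honour alg=none or a swapped alg
        return None
    expected = hmac.new(IDP_SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                            # tampered claims or forged token
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != OUR_CLIENT_ID:
        return None                            # token minted for another app
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None                            # expired or missing lifetime
    return claims.get("sub")


if __name__ == "__main__":
    now = 1_700_000_000                        # constructed clock value
    token = idp_issue_id_token("alice", OUR_CLIENT_ID, now)
    print(vulnerable_login({"user_id": "victim"}), hardened_login({"id_token": token}, now))
```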
Don't be daft and lie to yourself that Trump won because America is overwhelmingly populated by misogynists, homophobes, racists, and xenophobes.
He won because he spoke up on behalf of the workers who lost their jobs to outsourcing (...)
That is definitely a big part of it, yes.
There's also the fact that the Democrats are still supporting Planned Parenthood even though they've been caught multiple times illegally selling baby carcases to maximize their profits and not reporting ongoing sexual abuse.
... The fact that many people will believe anything they read on Facebook is also a big part of the explanation, yes.
Sorry, no.
As much as I like platform diversity, and as much as I primarily game on non-Windows OS'es, it simply does not make financial sense to develop for Linux first.
The only fiscally responsible thing is to develop primarily for the platform where the most paying customers are... and for desktop games, that's Windows. Because even with engines like Unreal and Unity simplifying cross-platform development, it's never free to support additional platforms. You need developers with platform experience, you need testers on the platform. For Linux, you have to worry about distribution fragmentation, and for OS X, about Apple breaking backwards compatibility. And while I laud companies that launch on Windows, OS X and Linux simultaneously, that's definitely a gamble. If your game tanks on Windows, the OS X and Linux sales are likely also gonna tank, and will not cover the costs of supporting those additional platforms. (Though obviously, this risk has to be weighed against the risks of staggered platform releases...)
Disclosure: I am a Unity employee (but not working in an area related to the Facebook announcement).
You mean the Lenovo that intentionally shipped the SuperFish malware preinstalled on its computers? (Which of course is why you always do a clean OS install on a new computer...)
You know, the Lenovo that, after profusely apologizing for the SuperFish incident, moved on to intentionally shipping the OneKey Optimizer malware, along with a BIOS rootkit? (Meaning that a clean OS install would not get rid of the Lenovo-provided malware?)
Just out of curiosity, how would an air cushion work in a vacuum tube?
All the Hyperloop designs are of course not vacuum, just low pressure, so an air cushion is physically possible.
However, it's a good question, and Hyperloop One answered it thusly:
It does get pretty tricky to find enough air in a vacuum tube to use for air bearings. We ultimately went the maglev route for a variety of reasons but this was a big one.
Hyperloop Transportation Technologies also went maglev instead of air cushion.
Unity, Flash and Shockwave need to be killed off for good.
Well, good news on one front: Unity Webplayer is officially end-of-life as of last year, and webplayer authoring is not supported at all in the recent 5.4 release of Unity. When it comes to browser gaming, Unity is focused 100% on cross-platform, open standard HTML 5/WebGL, and is working closely with Mozilla on bringing those technologies up to par with native.
(Outside browsers, Linux is a first-class Unity target platform, and the Linux version of the Unity editor is coming along nicely, although it's still considered experimental.)
Full disclosure: I work for Unity Technologies.
Without knowing anything about the particulars of this solution, a likely approach nowadays would be to take an existing emulator written in C/C++ and compile it to JavaScript using Emscripten.
Emscripten produces JavaScript compliant with the asm.js profile, which is a subset of JavaScript that is easily optimized by the browser JS engine, allowing in-browser performance on the order of half of native speed. Given the age of the emulated hardware, this slowdown is not a problem.
You still have to emulate actual I/O devices in plain HTML+JavaScript, which for these presumably amounts to mapping JavaScript input events to a virtual keyboard, and using an HTML Canvas element to emulate the display. Even joysticks and gamepads can be supported in bleeding edge browsers.
TL;DR: By standing on the shoulders of giants, and adding a bunch of glue code. :-)
Reminds me of watching Tom Cruise climb Burj Khalifa in Mission Impossible, and thinking, "enh, the CGI is not really believable".
It may be caused by jump cuts and other bad directing choices, but somehow, CGI is managing to ruin real stunts now.
You can't hold people responsible for the sins of their ancestors.
Sure you can. Not guilty in a criminal law kind of way, but definitely in a civil law kind of way. Many people who are alive today have inherited massive profits from the crimes of their ancestors, and it is at least theoretically possible to put a number on that profit, and award that to the people who inherited the corresponding losses from their disadvantaged ancestors.