Too bad they were all Chinese, while the Capitalists raped the American middle class, totally destroying our manufacturing industry, forcing vast swathes of communities to be pushed towards poverty here in America. Yay, Capitalism!!
...that at least 90% of the people do not even understand what "Socialism" is, but they also realize that "Capitalism" has been taken over by "Crony Capitalism", I'm only surprised that the percentage isn't higher.
"And these children that you spit on, as they try to change their world...They're immune to your consultations - they're quite aware of what they're going through..."
I was going to post this EXACTLY, but you beat me to it. Anyone who buys the malarkey about Apple doing this "for the developers" likely also believes that Trump is "draining the swamp". Nope....
"Mitigation is cheaper on AMD, because they at least tried to do the right thing. And they only tend to be a problem for 64-bit ARM. The biggest failures here are Intel and IBM."
OK, so everyone replace all of your Intel, 32-bit ARM and IBM CPUs immediately, because...
"There's no proof that those are real-world scenarios?"
Nope, none outside of lab conditions. Show me otherwise....I'm waiting....
"Javascript is on your system. Malware hidden in applications is real, and on people's systems."
Wait a minute! The fact that Javascript exists on your system means you're fucked?!? And, OMG!!, *malware is real*?? Say it ain't so!!! WTF have I been saying about general, widespread malware while you're obsessing about the most-fucking-difficult-exploit-known-to-man???
"...they're totally rational and you couldn't find any good arguments against them, either, so you just gave up. Noted."
As just noted, not rational at all, but thanks for playing!
"For Netspectre, an interesting gadget is a network card driver that is vulnerable."
OK, show me one. Or, to be more exact (and I have written device drivers, BTW) show me a vulnerability worth its name that relies on ONE specific flaw in ONE specific NIC device driver, given the wide range of NIC drivers.
Sheesh! The lengths you guys will go to to defend the indefensible. (Indefensible, in this case, that the whole realm of SM panic is manifested by this weakest of arguments....)
Well, when google is your technical authority, it's understandable that you'd be dead wrong...."even sending specially crafted TCP packets to the target can do the trick! Google Netspectre for details."
IF you actually READ TFA, you'll see that it REQUIRES a "gadget" (read: malware code) running on your fucking machine!! (I swear, the tech level on /. has descended to fucking Alex Jones level of paranoia - facts be damned!!) FFS!!
"Intel apologists are equally irrational to YHWH apologists."
Considering that these vulnerabilities also (largely) apply to AMD and ARM, your cheap-shot snark is duly noted and ignored for the shit it is.
"Javascript. Malware hidden in software. Virtualization. These are all real-world scenarios which affect basically everyone."
Lots of word salad with no proof. Yawn...
"You're already vulnerable to shooting, so why worry about stabbing?"
That's a really stupid analogy, but let's pursue it for the fuck of it. I can much more easily defend against a stabbing, because they need to be at very close range. (i.e. On your fucking system) whereas a bullet can travel over a mile and kill you. (Equifax vulnerability)
The rest of your statements are equally delusional and devoid of rationality, so....
IMNSHO, the whole realm of Spectre/Meltdown vulnerabilities - while an interesting lab experiment - are complete horseshit. Consider:
1) In order for ANY of these vulnerabilities to be useful, you MUST be running malware on your system. If so, you are already hosed.
2) Given the enormous realms of malware extant that can much more quickly and easily grab your data (Hello, Equifax!), any true hacker would laugh at trying to use these vulnerabilities, because...
3) The idea that malware can tickle the cache millions of times to grab data (presuming it has not already been flushed), interpret said data and then pray that it is something useful, like passwords, when cache is normally filled with instructions more than data...Yes. Complete, organic, 100% Dolphin-free horseshit.
Any of you who are now delaying purchases, etc. while you twist your hanky are doing the rest of us a favor by forcing prices down, so - Keep It Up!!
I normally don't respond to ACs, but you ask a pretty good question.
Basically, you don't know, and that's the rub. Let's take as an example the latest set of Spectre/Meltdown patches. These are known to affect I/O performance (heavily-syscall-dependent) to a degree anywhere from 5-30%. Given that this is ONE patch, the same basic rules apply in, essentially, what are semi-real-time systems. That is, for each and every patch, you must apply the entire set of QA tests, which takes a lot of time and money. Performing this level of testing for patches that arise sometimes more-than-weekly is a non-starter. Just throwing a patch out there and waiting for customer support calls is NOT an option.
Again, remember that these systems are designed to be used in a closed, controlled environment. In this case, lax procedures allowed a virus inside and....wellll.
I agree. However, again having worked in the industry, I can tell you that - especially until the last 5-7 years - the overwhelming pressure: from developers who started in DOS and just fell into the Windows world by default, especially during the silly-ass "UNIX wars"; marketers who thought that Windows would dominate the world and - why not?; MS themselves who - to their credit - created a pretty amazing set of developer tools *AND* a single, unified target market.
When I was working at a SCO UNIX shop, I started our transition to Linux. At least once a day, one of the sales dudes would drop by my office to tell me how much easier their lives would be if I just "flipped a switch" and put us on Windows. The first several times, I patiently explained how our entire infrastructure of development, testing and support was much more than just "flipping a switch". Finally, I just wrote a long email to the entire sales force and management, laid things out and told them that I would not accept any meeting to even discuss it.
It appears that the affected machines were those running process control systems. Because of their VERY finicky nature (and usually being designed to be used on a closed intranet), they almost NEVER apply post-production patches.
I once worked on a medical device where each and every build installed MUST be a bit-perfect replication of the original. Any new release went through horrific levels of qualification and then IT had to be bit-perfect until the next release.
The typical "patch Tuesday" crap just cannot work in these environments.
That depends. If you're a worker-bee, then yeah. OTOH, if you're a super hot-shot type, wwweeellll, the rules can be bent, right? Duh!
OK, serious question - how exactly are you managing the ever-shifting versions and their environments from XP-specific apps to ever-migrating methods of app data exchange?
I'm serious - bad as Linux is, at least you have some modicum of control over your destiny vs just blindly following MS, n'est-ce pas?
....today, ANY corporation or government agency that is not very actively doing everything they can to eliminate any dependency on Windows of any version is guilty of IT Malpractice.
Yes, yes, there are (way too) many "Windows-only" apps extant, but it is fundamentally up to the purchasing community to drive the change necessary.
Painful, time-consuming...yeah! Ultimately rewarding? Fuck yeah!
...."all your IT belong to us."
Seriously, that is just the type of new-speak jargon for "we don't care about you, only your sweet, sweet dollars now that we've gotten you locked in, heh, heh, heh...".
ANYONE still using Windows 10 is getting exactly what they deserve.
...just where is the real Ajit Pai and what have you done with him?
I have one smartphone for some occasional development (Ugh!), but overall I'm really happy to see Motorola hanging in there. They may never achieve the scale of Samsung, Apple, etc., but....hang in there, Motorola!!!
Not to mention FORCING you to migrate to their latest shiny, new, "mobile" interface, while said upgrades break and change things willy-nilly. Oh! Let's not forget that the most trivial "update" requires at least one - if not more - reboots which always occur at the most inopportune times. LOTS of reasons to ditch Windows.
And that is just another reason that I am *SO* glad that I switched to Linux years ago.
Anyone whining about Windows today has only themselves to blame.
Just howdafuck is 15 bits per hour of cache data from a heavily used server going to give ANY valid data?!? I am STILL waiting for ANY reasonable explanation and - so far - have heard nothing but a bunch of paranoid "could" shit. SHOW ME!!
OK, now you're falling into the paranoia level - from ANY kind of realistic standpoint!
Please explain - without ignoring my earlier request, i.e. just howdafuck do you either know and/or be able to manipulate any cache-level data gleaned by the most inefficient process known to mankind - you can do ANYTHING by arbitrarily sniffing what is most likely stale and/or recently replaced cache memory?!?
OK, I get that, but if I know of a stack buffer overrun on a particular Windows machine, don't I still have to execute *some* code to gather anything? Also, again, how exactly does one gather anything useful from what is essentially a small slice of unknown cache data?
But still, must not the attacker need to gain access - by actually running on the target machine - to gain control of the call stack?
Once you read the pdf describing this, anyone who knows anything can come to the same conclusion. Let's look at the facts:
1) This or any of the other Spectre/Meltdown "vulnerabilities" (and I use that term loosely, it's really more of a theoretical/lab setup) require you to be running malware on your system. This latest "Net/S/M" calls them "gadgets", but they are fucking malware!
2) Referencing the basic principles of S/M, basically malware runs a specific set of instructions in a specific sequence to - essentially - tickle the cache by that set/series of instructions to leak some cache data that can then be read by said malware. OK, groovy enough, but how in da hell can you A) know that the cache data you read has not then subsequently been over-written by a cache flush on that cache line? and then B) make any reasonable sense out of said data captured? Depending on the size of data gathered, and from what I've read it's pretty tiny, trying to steal "crypto keys" (the big bugbear over at Ars) in this way has to be the most idiotic ever!
Bottom line: use basic security to keep malware off your system and what does leak through will be much more efficient than S/M, so - worry about the REAL shit, please!
Are you saying that med devices CAN'T work under linux or that the med device manufacturers are too lazy/stupid to move off of DOS/XP?