..it's not the uninitialized buffers that are the issue. It's that the call to use info from the system entropy pool was *also* commented out, accidentally, in the process.
Here's the basic flow as it was, with *EVERYTHING* else snipped out:
Original:
----------
Add the following to Our_Randomness:
Lots of highly random info using system algorithms designed for the sheer purpose of being random
Some rather random information from some rather random location in memory, causing a warning to issue forth from some compilation utilities
A tiny amount of randomness from the kind-of-random process ID
Generate Key, using Our_Randomness.
----------
Debian seems to have intended to change this to:
----------
Add the following to Our_Randomness:
Lots of highly random info using system algorithms designed for the sheer purpose of being random
A tiny amount of randomness from the kind-of-random process ID.
Generate Key, using Our_Randomness.
----------
That would have been fine.
But instead, it was accidentally changed to:
----------
Add the following to Our_Randomness:
A tiny amount of randomness from the kind-of-random process ID.
Generate Key, using Our_Randomness.
----------
Notice the missing usage of "Lots of highly random info using system algorithms designed for the sheer purpose of being random".
It's shortened approximately from the age of the known universe to a bit over 10 minutes. See http://taint.org/2008/05/16/165301a.html, which has some useful info.
Surely you can't actually think that this was their only source of entropy, by design..?
OpenSSL, anywho, are not the creators of the problem, but the debian maintainers[*]. ..and OpenSSH merely uses OpenSSL, but I figure that was a typo.
Anyway, they didn't design it to depend on uninitialized data as their "only source of entropy". If they did, there would indeed be issues (even though on separate runs of the program, the system would probably give them some new location in memory for that buffer). However, it seems you're misunderstanding what kind of mistake was made -- not one of faulty conceptualization or design, but one of careless modification.
There were two basically identical lines of code that copied randomness from different sources. Considering that the things between /* and */ are comments, and not a part of the code, these two lines are pretty similar, right?
MD_Update(&m,buf,j);
MD_Update(&m,buf,j); /* purify complains */
..yeah. Except, in the place where that first line is found, 'buf' points to information from a very random source (e.g., the system entropy pool). In the place where the second line is found, 'buf' points to some semi-random chunk of memory that probably has noise in it (to add to the *existing* randomness).
The first is easily sufficient to provide randomness, however, it doesn't hurt (and may help) to add in the second. But the second caused a code checking tool to complain. When the line causing the complaint was removed, the person who changed it also removed the other, "identical" (but extremely necessary) line of code.
Anyway, what it brings up for me is the question of Debian's review processes for sensitive packages. E.g.,
* Is there a formal difference between packages that are more "sensitive" and those that aren't?
* Is there a review process for code submitted to a sensitive package?
* If so, how did that fail, and why did it fail?
..these are, unfortunately, things that I'm interested in, but not so interested that I can create enough time to look into it just now. :-p' Perhaps once work calms down a bit.
[*] By 'debian maintainers', I am not referring to the term 'maintainer' as defined by debian.
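To make the "two identical lines" point concrete, here is an added toy model of the flow the comment describes; it is not the commenter's code and not OpenSSL's. It assumes a small FNV-1a mixer standing in for MD_Update(), constructed pool bytes for two hosts, and the classic Linux PID range of 0..32767. With the pool line present, two hosts that happen to share a PID still get different keys; with it removed, they get the same key, and a defender can recognise such a key by comparing it against the enumerable PID-only set, which is the shape of the weak-key blacklist approach used after the incident.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/*
 * Toy stand-in for the two MD_Update(&m, buf, j) calls the comment describes.
 * FNV-1a is used only so the example is self-contained; OpenSSL's real mixing
 * step is a message digest, not this function.
 */
static void toy_md_update(uint64_t *m, const void *buf, size_t n)
{
    const unsigned char *p = (const unsigned char *)buf;
    for (size_t i = 0; i < n; i++) {
        *m ^= p[i];
        *m *= 0x100000001b3ULL;
    }
}

/*
 * Derive a toy "key" following the comment's flow:
 *   1. mix in what the system entropy pool handed us (pool == NULL models the
 *      broken build where that line went away together with the purify line),
 *   2. mix in the process ID,
 *   3. the resulting state is the key material.
 */
uint64_t derive_key(const unsigned char *pool, size_t pool_len, uint32_t pid)
{
    uint64_t m = 0xcbf29ce484222325ULL;     /* FNV offset basis */
    if (pool != NULL)
        toy_md_update(&m, pool, pool_len);  /* "lots of highly random info" */
    toy_md_update(&m, &pid, sizeof pid);    /* "a tiny amount ... process ID" */
    return m;
}

/*
 * Defender's check: once the pool line is gone, every key the broken build can
 * produce is derive_key(NULL, 0, pid) for some pid, so a key can be tested
 * against that enumerable set. Returns 1 if the key is in the PID-only set.
 */
int is_predictable_key(uint64_t key, uint32_t max_pid)
{
    for (uint32_t pid = 0; pid <= max_pid; pid++) {
        if (derive_key(NULL, 0, pid) == key)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed pool contents for two different hosts (not real entropy). */
    const unsigned char host_a[] = "pool bytes host A";
    const unsigned char host_b[] = "pool bytes host B";
    const uint32_t pid = 4242;        /* same PID on both hosts */
    const uint32_t max_pid = 32767;   /* highest PID under the classic pid_max of 32768 */

    uint64_t good_a = derive_key(host_a, sizeof host_a - 1, pid);
    uint64_t good_b = derive_key(host_b, sizeof host_b - 1, pid);
    uint64_t bad_a  = derive_key(NULL, 0, pid);
    uint64_t bad_b  = derive_key(NULL, 0, pid);

    printf("pool mixed in : A=%016llx B=%016llx equal=%d predictable=%d\n",
           (unsigned long long)good_a, (unsigned long long)good_b,
           good_a == good_b, is_predictable_key(good_a, max_pid));
    printf("pool line gone: A=%016llx B=%016llx equal=%d predictable=%d\n",
           (unsigned long long)bad_a, (unsigned long long)bad_b,
           bad_a == bad_b, is_predictable_key(bad_a, max_pid));
    return 0;
}
```

The scan in is_predictable_key is deliberately linear: 32768 derivations is small, which is exactly the point the comment makes about the collapsed key space.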
..perhaps I'm missing something obvious.. ..what is the 'pleasethinkofthechildren' tag for? I mean, it's generally a good idea, but, what's the point of the tag? Are there some posts here that are inappropriate? ..I don't figure it's in reference to the single-chip chipset..?
It's an audible click that is louder than the normal whirrs and clicks your hard drive makes. To get an example, put your mac into sleep mode. You should hear a click from the hard drive as the head is parked. If you hear that all the time (once a minute or so), then yes, it's too aggressive. But unless it's happening once a minute or more, it shouldn't be an issue. It's also fine if after you let it sit, it makes the click noise, but doesn't repeat that often.
Even if your system were parking twice every five minutes, and did so on *EVERY* five minutes (i.e., your system is never off, and you're never using it in a way that prevents it), you'd still have at least two years solid without problems.
On my Ubuntu system, it would park more than once per minute -- which gave me less than a year on my HD.
..and for what reason would you expect all hardware manufacturers to all be identical in an area that requires no definitive standard?
I can see it now: "That's enough development from now on in that area. Since our competitor's drives are rated at 600,000 parks, let's just stop here and be done with it."
> It's important to note that this only occurs if ENABLE_LAPTOP_MODE is enabled. By default it is NOT set. From /etc/default/acpi-support:
Not accurate, or at least, not accurate in all cases. By default, some hardware manufacturers have aggressive apm settings. This would be essentially Ok, but Ubuntu touches the HD on a regular basis - thus, whenever the HD parks, it immediately unparks.
For someone whose laptop is their primary system, it's not quite the same. I lost a HD when the bug was new, just because I didn't notice the park/unpark click. When it went, I figured (since I'd gotten the laptop used) that it was just natural wear. Half a year later, I figured it out (during the last part of the life of my second hd) -- yeah, it took me a while. But I contributed to the bug report what I could, and then watched it stagnate. ..it sucks, knowing that the stance is basically "won't fix, not our deal," and that in the meantime quite a few people are going to lose HD's to the issue. Not the end of the world, but somewhat disheartening.
Someone eventually submitted it to digg some time ago, and pewf! Attention, and probably a fix relatively shortly. I love Ubuntu, but there are communications issues here.
Hopefully not long. I've been waiting forever for it to be fixed. Granted, workarounds work, but I don't want to have to check for the necessity of a workaround (and implement the workaround) every time I install Ubuntu.
Yes, it is a default set by the manufacturer. The problem is that Ubuntu touches the hard drive on a regular basis, causing the just-parked head to unpark.
The Internet news service Slashdot has up an article entitled 'CBC News Interprets GPL - Poorly'. Primarily, it looks to describe the ongoing lack of capacity for Slashdot writers and editors to think outside of the IT world. It also includes a highly unique interpretation of summarization, and with great authority and sarcasm, classifies relatively succinct and accurate generalization as 'Unique'. ..which it seems to be, for the Slashdot crowd. :-p'
There's a great saying, and it's been said a lot, in different ways, but it boils down to this: If we restrict liberty to attain security, we will have neither.
No, it's not imaginary. ..and no, it's not being handled well.
I happen to think that freedom is not just a good thing, but that it is a necessary thing - just as responsibility and accountability are.
It has also been demonstrated that our government, as it clamps down on terrorism, is sacrificing what I consider to be the lifeblood and identity of the nation - that freedom which many hold dear. The more that freedom is taken, the more likely it is that some people will get severely pissed off. The more pissed off people there are, the more likely it is that there will be pissed off people that are more open to persuasion by unsavory ideals. That would mean a higher likelihood that someone here will bomb things, which is, as far as I'm concerned, not a good condition to be in as a country.
There are quite a few questions to be answered, that should be funded and looked into.
What is more likely to cause a breakdown of social order in the United States - loss of freedom, or terrorist bombings?
How likely is it that we will actually succeed at preventing terrorist bombings using methods that destroy or erode the freedom we ideologically base our national identity on?
It seems insane that these people want to bomb us. But they are probably not insane. Why did they do it? What motivates these groups? What motivates the leaders of these groups?
What methods of preventing bombings are successful, and which ones merely seem like they should work, or provide a false sense of security?
For things we implement because of urgency - are those going as planned? Are they working?
How can we increase our government's introspection without compromising our capacity to act?
..and most importantly, to me - since we are more and more required to endure the loss of freedoms anyway, are there also government-funded research programs looking into finding new ways to avoid getting bombed -- preferably ones which don't erode or destroy the freedom (and consequentially the security) of the nation?
I think we should get sociologists, game theorists, political science majors, former military generals, etc. into a working team to attempt to address these kinds of issues. ..of course.. ..aside from the fact that it would be more difficult than getting a party of twelve to agree on a common pizza, it's probably not likely to get funded and implemented in the first place, even if the idea occurs to someone to make a bill for it or some such.
I'd be willing to bet that a high percentage of those who wouldn't give up their phones for a million pounds:
a) had contacts on their phones that they didn't have elsewhere
b) didn't know how to back up their phone data
c) could greatly benefit from open standards.
..ah, for the days of charging my phone via USB,
plus encrypted synchronization with my computer whenever the two see each other by any method including email,
all encrypted, all universal, all open.. ..a nice little utopia.. ..as for now, I'm pretty happy that my Nokia tablet will access the internet via bluetooth on my Motorola phone. :-)
It's simple; even when one includes emotion, it is only logical to first take the course that compromises neither self nor group, second, choose self or group based on which gains the most and causes the least loss to the other. Generally, violent emotions are out of repression of instinctual and emotional drives (or intellectual ones, for that matter). Enough control must be had over one's emotions to deal with them piece by piece, but the act of exploring oneself and dealing with one's emotions cannot be ignored, or else it builds up.
Counseling and connection with other mammals also helps. If one extends one's idea of self into a group, and extends their idea of a group to include all people, the tendency to damage others naturally decreases, unless one is self-destructive, at which point, refer to the previous. :-)
Not tryin' to say..
http://tech.fortune.cnn.com/2011/03/03/steve-jobs-reality-distortion-takes-its-toll-on-truth/ ..you know. ..just sayin'.
Bah. Posted in response to wrong comment after copy/login/paste. My mistake.
(noticing my sig)
*snicker*
Hehehe. Probably. :-)
"Good Touch / Bad Touch" :-)
First: Mac OS X is probably absolutely fine.
It's audible. You can also check using the script and/or instructions that is linked to from various posts here.
ah. I shall have to build an army of zombies to overcompensate for his army of net.kooks..
(by which I mean, thx for the info)
Is there something I'm missing about Roland that I should know?
..and after changing my formatting preferences..
Who modded the parent "Informative"? I'd expect links to work if it's described as "Informative". As it is I think it's more of an obscure joke..
If the universe were shaped like a toroid, that could account for the horn-shape. It could also account for expansion of the universe in general.