Ah good news, it would be no help as another technological footnote like Vorbis & Theora.
regarding Vorbis : back in the days it did see some success. By virtue of being BSD-like licensed (i.e.: a permissive license) it was used to compress audio in several game engines (e.g.: at ID starting from Quake3 and up). Also Spotify apparently used it on their app, at least for some time.
regarding Theora : Google used it on Youtube as a possible alternative, so still some use.
But yes, both pale in comparison with OPUS (the offspring of Xiph and Skype collaboration) which incredibly widespread (again permissive license AND best quality in A/B/X tests AND patent free), seems like any modern communication application uses it : it's used for WhatsApp, Skype (well obviously), etc. but also even in some un expected places (Digital Radio Mondial - the digital success of AM Radio, same relationship as DAB+ to FM Radio - supports OPUS. It's not in the official specs, but the major software suite all have ways to use it).
The things which changed in the recent time : - Patent real-word problems: Frauenhofer was some pain back in the MP3 era (hence some in the wild usage of Vorbis). During the MPEG4 AVC / H 264 era, a nice single central patent pool made the things not that much difficult. Theora was a nice concept or patent-free-ness, but in practice there wasn't much difficulties in obtaining the necessary license. Nowaday H265 / HEVC is pure madness. To the point that several hardware manufacturer have backpedalled and we currently see a *decrease* of device manufactured with H265 support enabled. There is definitely room for a patent-free / freely licensed codec. - Quality : Vorbis was a provably better than MP3 back then (hence tiny better success in the wild). But Thoera was just a repurposed old codec from On2 (VP3) that just got opensourced, not much more arguments going for it. Compare the situation nowadays with OPUS which completely blasts everything in ABX tests except for the ultra-low-bandwith ( 4 kbits) which are beyond its scope anyway. Currently AV-1 is the offspring of the Daala efforts of Xiph (and there's some really interesting idea going in: perceptual vector quantization, chroma-from-luma, lapped transforms, rANS entropy coding, etc.), Google's VP10 (now we are several generations down) and Cisco's thor. Even at the current state of development, it's already showing promises.
Secondly IPMI style functionality is a small subset of what Intel's IME does.
It's still a small separate SoC, which runs its own small operating system, webserver and java-based VNC solution (which already implies TONS of access), and is connected and listening to the network constantly, even when the main CPU is completely shut down (or even unable to boot) (which was the entire purpose of this kind of system).
In practice the code quality of the system running on this chip is still so awefull that, it's still vera pwnable.
- Thirdly AMD's equivalent is the PSP, which just like IME is in every Intel chip, PSP is in every AMD chip. - Fourthly the Trust Zone functionality in AMD's PSP seems to go even a step ahead
From what I've understood, all these various "Security Processor" mainly deal with storing private key in a secluded part of the system. They're mainly handling cryptography-related questions. They don't have a networking stack (and could not be listening on the network even if the CPU is unpowered, they *are* part of the CPU). Except libreboot's rant about them, I haven't seen yet any concrete proof that they can - by themselves - handle anything more nefarious than "store private key inside, perform signature and encryption/decryption if provided with the correct PIN".
In marketing material, they seems to be attached to wild possibility (remote wiping stolen computers), but there's evidence that these kind of functionality require coordination between multiple component, and the security processor's role boils down "contains the crypto key to the data saved on the mass storage device". They actual communication of the remote command require kludges in the UEFI / IntelAMT / IPMI. Even TFA specifically speaks about the security hazard contained in *the chipsets* (not the CPU).
But I haven't been *actively* investigating these capabilites. so maybe recently, Intel and AMD have discretely been moving extra functionality into their secure processors (network access, full memory r/w access, always-on even when the main CPU is turned off, etc.)
... although.. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.
For the record, the reason why PC are currently secure under IPv4 is because of the router functionnality inside the xDSL modem. The modem runs some sort of firewall - i.e.: packets are inspected and filtered. The fact that the addresses are masquaraded from/translated to non-routable local IP ranges is just icing on the cake. The core of the cake is that the router *does filter*...
It would work just as well if publicly addressable addresses where used behind the router. (NAT just makes the router function mandatory, because you could not achieve the same simply with a network hub/switch and a dumb-modem).
So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence.
Again, NAT isn't necessary per se. You don't need to remap all the addresses into some fdxx:: prefix to make the network secure. What you need is actually DOING filtering, even if the in-network IPv6 addresses are publicly routable.
And in practice that's exactly what I'm seeing in all local ISP IPv6 deployement : their stantard modem is a modem/router combo. It has filtering capabilities. By default, there's no inbound access. It *happens* that they also do NAT on IPv4 because they only get a single IP. But it's mainly functioning as a firewall, on both IPv4 and IPv6.
In 2017, nobody sane is using dumb-modems+switches, so stop agitating this IPv6 strawman.
Problems are patents. There exist *several separate* patent pools, and a few extern patent holder. So paying the IP rights for H265/HEVC is nightmarish patent minefield.
So most manufacturer end up NOT enabling hardware H265/HEVC. Thus you end up with VLC doing the work on your CPU.
Luckily things are very likely to get better soon with AOMedia's AV-1 (similar to other opensource efforts as OPUS, Vorbis, etc. it's designed to be patent-free) (and its has all the big names behind it - including Google and Netflix, i.e.: most of the content watched only - but also hardware manufacturer, etc.)
As a member of the audience, if I am going to be buying a chipset then who do I buy it from if I want to talk with my wallet? Aren't Intel and AMD pretty much the only games in town?
Go buy a motherboard with gamer-oriented AMD chipset. On AMD's side, IPMI (the industry equivalent of Intel's ME) is usually only available on chipset targeting the server/workstation market.
(i.e.: you'll find IPMI on motherboard by SuperMicro. Not on those by ASUS/GigaByte/etc.)
And the best move would be to start coordinating petitions to ask for the opensourcing of the small OS and server running on the chipset's embed core.
(AMD is rather opensource firendly so they might step in and try help push forward a "open IPMI" initiative).
IPMI and TrustZone are 2 entirely different concepts.
IPMI is a separate full blown soc that run a micro server offereing a web interface for admins and a java-based VNC (AMD's equivalent of intel'sME/AMT)
TrustZone is about having a separate core that handle a couple of security tasks that, by purpose, need to be shielded from CPU activity. namely handling private keys (it's cousin of Intel's Trusted Platform).
IPMI is the scary one, because it has full access to tons of critical component (network, framebuffer, firmware settings, etc.) even it the main CPU is shut down (it's a full blown independent server inside a dedicaded SoC on the motherboard, usually inside the chipset)
TrustZone basically only handles key signing/encryption/etc. so isn't that much critical.
Same goes for Intel's ME vs Trusted-whatever-its-called now.
On AMD, it's called IPMI. The difference is that IPMI is a vendor neutral industry standard (and could be found on chipset of any vendor), whereas Intel's ME is their own "NIH-Syndrom" spin of the same concept.
The difference is that IPMI is considered a "special feature", and can only be found on specific server/workstation chipsets. The AMD 990FX doesn't feature this micro server.
You need to order specific workstation motherboard from manufacturer such as SuperMicro. (You know, the manufacturer with such a filmsy UEFI implementation, that the FlashROM can randomly commit suicide when you simply add a boot option). Or from manufacturer of servers (HP, etc.)
the FSF warned about these backdoors in both Intel and AMD CPUs a while ago. I think the said the last processor made without this "backdoor" was an AMD processor made in 2011.
Huh.... no. Wrong. For the record : both Intel's ME and industry standard IPMI live inside the motherboard chipset, not inside the CPU. (i.e.: they live where they have access to all the critical component to function : network card, embed GPU's framebuffer, etc.).
On AMD's side, IPMI is *still* only featured on server chipset. Again, there's no IPMI in gamer-oriented chipsets such as 990FX. So for most AMD-powered/.ers : the tower under their desk in their basement geek-cave is safe. It's the server at work at their day-jobs.
On Intel's side ME is much more widely spread even on normal desktop chipset (the idea is to make the life of sys admins in enterprises easier).
Tehcnically it's not much a "backdoor" (i.e.: something hidden) as it is a "maintenance entrance" (i.e.: makes the life of the sysadmin easier so he can remotely VNC and diagnostic a server that won't boot, flash computer's firmware UEFI/BIOS, etc.)
The problem is that the quality of this small server is horrendously bad. To the point that any motivated script kiddy can pwn all the workstations and servers across the whole enterprises network easily, simply by downloading some ready to use package.
(Luckily, most of the ME and IPMI implementation only listen to the secondary network port, and thus should be only visible on the private administration network. The bad news is that pro laptops also have ME and that can be enabled on the *WIFI* network)
So to keep with the above metaphore, ME and IPMI are a "maintenance access" door, which actually isn't even locked, but whose whole security boils down to a small sticky note say "please, sysadmins only".
Life would have been much more easy if the ME / IPMI firmware running on the embed system was open-sourced....
Amazing how it looks just like MacOS with the transparency, etc.
...and just like Jolla's Sailfish OS' "silica" style, for the past nearly 4 years. ...and also just like KDE's own style for the past naerly 10 years, as visible on their own "Neon" project demo CD. (Though that's for the general transparency effects getting popular in style. for the combo with "flat"-looking surface, these appeared more recently with the KDE Plasma 5 around 3 years ago)
Well by now this type of style is really old news. Which is probably why Microsoft is introducing it now.
How many real Linux developers are on Windows and have trouble with running a VM, or a separate box?
The opposite also happens: There are a few scientific fields where nearly everybody uses Linux (e.g.: Life-science research - bioinformatics, etc.) The servers and clusters run Linux. The devs run Linux (or Linux VM on laptops with unusual hardware) (or sometime stay on MacOS X because it's still a type of Unix and "Good Enoug" for them). So the dev write Linux software that end-up being run on Linux compute nodes.
BUT... there are a few research labs with users stuck on Windows (usually the wet labs guys). They might need to do some data pre-processing locally before uploading onto the cluster (e.g.: because the un-processed files are way to big).
Here there used to be only 2 options:
- the wetlab people install an Ubuntu VM on their machine and run the Linux software this way. (it's not trivial. Again, we're not talking about the devs or sysadmins, we're talking about the wet lab researchers) (at least some dev release ready-to-use virtual appliances)
- the dev recompile a windows version using Cygwin. (but unlike a Linux to Mac OS X port, these tend to be non-trivial, even if you use a full blown POSIX abstraction layer (cygwin) instead of a minimalistic compiéer (mingw) or... gasp... the native Visual Studio)
Now WSL offers a third option: - just download the Linux version and run it using Bash.EXE
In otherwords : the consumer of software can also have an advantage by using WSL - when in a Linux dominated field (e.g.: research) and not wanting to fumble with Linux/VM installation.
Surely Microsoft would introduce some "extra" features that are addictively sweet into it's Linux ABI. Just like Microsoft did with Java a decade and a half ago -- in violation of the agreement Microsoft signed with Sun -- and got sued for it and cost them $1.2 Billion. Surely nice, friendly Microsoft wouldn't want you to get hooked on something that doesn't exist in the real Linux, and therefore makes you consider deploying Windows in production?
There's a difference:
- back then, in the target market (enterprise servers), Microsoft's own servers (Windows NT OS, running Microsoft IIS web server, etc.) had a significant market share, next to Sun's own Unix machines (solaris, etc.)
So, devs working with Microsoft tools, will end up producing things that work better on the Microsoft servers than on Sun's (due to different extensions) : will lead to some preferences toward the Microsoft servers. (The code just works better here, let's buy more of these).
In other words: The Microsoft E.E.E strategy can work, because there's an actual market share that they can favour while extending the standard as per the second E.
Nowadays, in the target market (Cloud, embed, etc. - i.e.: everything except the desktop) Linux is nearly omni-present. (With maybe the sole exception of Windows instances being available on the Azure Cloud, I've hear. Does anybody really use those ?)
Now imagine a developer producing a Linux software with Microsoft's extensions that require WSL. Developer tries it on their cluster/webserver/cloud/raspberry pi/cubesat/whatever... and it doesn't work. Well, to bad. Developer tosses the useless crap and moves on.
In other words, you need an actual monopoly (or even at least some significative market presence) to leverage for the Extend phase to actually work. Otherwise you're just "that werid company with a non-working product".
Actually, this time, if you think about it, Microsoft is the one on the receiving side. Linux kernel is developped *extremely fast*, by a very vast community. On the other hand, Microsoft is only throwing a small finite number of developers at this, and has only currently implemented the strict minimum subset of Linux ABI calls to enable some ELFs to run natively. There are still ton
Ads? What ads? I don't see any ads. Oh, you must be one of the dumbasses not using AdBlock?
Which is also going to be one of the techniques used by crappy web site owner : if the webserver recieves a request from a IP within a known Facebook IP range, then serve instead an ad-less version.
Then it's basically a cat-and-mouse game, as makers of crappy sites try to find better way to detect Facebook's access and Facebook tries to be less obvious (retrieve content through external 3rd party servers, retieve content through the webapp running on the poster's local browser, etc.)
According to TFA : the target isn't actually human drivers (who as you mention will never actually follow speed instruction anyway), but semi-autonomous cars (basically the system feeds directly into the cruise control of the car, and at that speed, cars cross while mathe-magically managing to avoid each other).
Yeah. Right. All the cars at an intersection needing to openly agree together at which speed each should drive through a public open protocol. I can't see what could possibly go wrong/get abused~ (Yeah, the various three letter agencies of the world can finally blame their attempt at assassination by remote car hack to "bugs in the traffic management software")
More seriously : Luckily most modern car have the *adaptive* cruise control type, coupled with forward collision avoidance, so your (high range) car should be able to notice that (because of buggy / malicious speed instructions) it is on a collision course with another car and apply emergency brakes to reduce risks. (But sadly, current modern cars don't have a very wide angle into their FCAS, and will consider a car coming sideways only at the very last moment. So you're still in for some ruined car body, but at least you'll probably still be alive)
Note: the simpler version shown in the Youtube animation (with groups of car crossing in turns, but never cars coming from both perpendicular streets at the same time, only next group once the perpendicular group has finished), is actually being implemented in some european cities (I've seen it in Switzerland) in the traffic lights : the lights try to intelligently switch green on one perpendicular axis or the other, depending on the incoming traffic trying to minimize the slowing down of group of cars (i.e.: if you travel the correct speed, the traffic will always suddenly turn green once you approach and turn back immediately red once you've crossed ; and conversely on the side ways. i.e.: the traffic light vary their cycles so it looks like the youtube animation with nobody waiting at the crossing due to red light).
but the implied end goal of lanes of car safely criss-crossing each other simply by keeping the correct speed sound a little bit dangerous, error prone and open to hacking.
Also, I know it sounds ridiculous, but there is a back door in Intel chipsthat allows you to access them, even when the OS is not installed
Technically:
1 - it's not in the Intel *CPU*, it's in the Intel *Server Motherboard Chipsets*. By design, Intel ME (Management Engine) is a useful tool so sys-admin can remotely access and checks servers (or enterprise workstation) whose OS won't even respond anymore. (e.g.: to diagnose early boot process steps, oversee a firmware update, etc.) It' basically a small embed CPU core running a micro embed Linux and featuring a web server for the interface and a sort of VNC server and port forwarder/remote device mapper. In practice, this service is done very sloppily and bugs are constantly found that enable exploit and un authorized acces.
2 - Intel ME has equivalent in other manufacturer called IPMI. e.g.: most of the AMD server motherboard features that one. Again, like with Intel ME, cirtical exploitable bug are regularily found in IPMI, meaning it similarly easy to circumvent access control.
A big chunk of these exploitable bugs in both Intel ME and IPMI are very probably due to sloppy programming for product rushed to the marker.
But given how many bugs are discovered, and how juicy light-out-management is as a target, there bound to be a few "not so honest mistakes" among these bugs. But these not-quite-accidental bugs aren't only to be blamed on US agencies.
In between was also the RAZR2. That one had a 3G variant in Europe. The one I inherited from my brother kept working very well as a back-up phone until it got lost/stolen in a train.
And there are still cell towers able to fall back to GPRS in Europe (a.k.a. "2.5G") so a RAZR could get even internet connection in some regions.
It's like the difference between a bayonet style combat knife and a Swiss Army Knife. The former is more durable
Well, if you source your "Swiss Army Knifes" from China...
But the rest of the comparison is spott-on : Just like a combat knife is - well - a knife designed for combat, whereas a Swiss Army Knife has only "army knife" in the name* and is basically designed to be a toolbox-combo-with-kitchen-cutelry-drawer that fits in your pocket (and a very useful one at that), similarly a classic phone is mainly designed to be a portable phone, whereas modern smartphone are mostly designed to be "computers that fit into your pocket and fill a good chunk of all your daily computing needs (plus can also make calls)".
--- *: i.e.: despite the "Swiss Army" name, it's not a military combat knife. It's more like a kitchen knife issued by the swiss army, hence the name.
And let me guess : this modem will function as the SoC's northbridge ? Meaning that the piece or hardware that is running for its firwmare some external 3rd party code uploaded by the cell towers of the service provider will have full access to all the RAM and other such peripherals ?
You just start with a government ID used for shopping and eGovernment. How could that possibly be evil? It's just one ID for all your government services. And shopping. It'd be really great to use this for shopping. And health services. We already need a central repository for our health records so it should be there too. Oh and hey all of our banking accounts should tie into this too.
These are all service that already need to know who the real you is. Even if there's not a simplified "Internet ID" scheme, they already know who you are, by virtue of how they work. They all need to know that their client ID#xxxxxx is the real person Mr/Mrs. Yyyy Zzzzz.
Its convenient and it really helps government crack down on crime.
Huh ? How does it help government crack down on crime ?! It's mainly a simple way by which they can confirm the real identity of a person. The only thing remotely related to crime, is that all the above administrations and shops will be less compelled to try establishing real identities using flimsy proofs like bills (easy to forge).
Well now that we have you spending habit it'd be a good idea to give you tax credits on your health if you eat buy healthy food instead of junk food.
Nope. That's doesn't require a standardized internet identity (again, all the above *already* have to know who you are in real life, except for grocery stores where you pick-up in person instead of being delivered to). That requires *sharing of information* which is a big no-no in most jurisdiction (e.g.: Europe, where TFA's country is located).
Again, *how* a company establishes your real-world identity is completely orthogonal to *what* the company is doing with your personal data.
What you need is *not* stopping methods to register a real world identity to web service. What you need is *legislation* and *occasional investigation* to prevent the various web services sharing information beyond what is required. (i.e.: the tax websites should only know "this user is real world user Mr Xxxx Yyyy". Same for your health insurance. None of them should receive your shopping list through the identification service). and speaking of these laws, and investigation (instigated by consumer-protection associations) - SPOILER ALERT - Germany has them.
In fact now that 80% of the internet uses your ID we should roll it out for Hulu and forum services too,
Why the fuck does a forum needs to be able to map to your real id ? Translate it to today's pre-IDservice era : does a forum asks for a photocopy of your passport / ID card ? Nope. They only needs any log-in so you can come back later. But you can use a pseudonyme and a password, or any of the optional OAuth / OpenID providers. (but can still rely on your password manager instead for similar convenience). Same after ID services : forum still have no grounds to require a service to guarantee that you're the real-world person you pretend to be.
Oh hey since we have IDs tied to facebook we can finally solve this troll problem. In fact we should require your government ID to be used to login to Facebook to verify it because everybody agrees hate speech needs to be properly penalized.
Actually, even before a central standard way to confirm real world identites, Facebook attempted to require its users to identify with real world identity (Was it called "RealID" or "RealName" ? can't remembre). on the grounds to fight against internet trolls and cyber-bullies. (read: and better datamine the shit out of you). result: in vain.
If you want your code to be reused by others you simply have to choose an unmodified license.
What I'm saying is that under some special circumstances, the modified license can happen to be another different unmodified. And this newly licensed code can still be acceptable under the old licensing term.
This usually happens when transitioning from permissive license (like the BSD family ; because they are on purpose done in a way that let total freedom to the developers, including even NOT releasing the code at all) to a copy-left share-alike (the addition of the restrictions that prevent developer from blocking end-users are acceptable under some forms of BSD).
Or probably from permissive license to nearly anything else, including commercial. (again, that's the whole purpose of permissive license in the first place).
(as long as the new license doesn't contradict the terms under which you got the code).
(Yes, and even RedHat / CentOS used it at some point in time)
My point : yet after nearly everybody dropped upstart in favor of systemd (or, in Gentoo's case, went a different path with SysVInit -> OpenRC transition), Canonical persisted on using upstart instead.
They have a strong case of wanting to do things their own way differently from everybody else (cue in xkcd's "yet another standard" comic), despite not having the developers resources to do so. (Unlike, say, Gentoo. Apparently they can successfully maintain their OpenRC).
BTW, when did the ö character start working on Slashdot?
on the other hand I have spell ö as ö for years before ö started to get accepted. (Or did Slashdot suddenly turn UTF-8 support on ? "éàöü" ? seems to work in preview already)
Changing the UI suddenly presents new challenges for productive people who do not have the time, interest, or inclinati[o]n to focus on learning a new way of doing their daily tasks.
Yes, they should instead have followed the example of Microsoft. no, wait... (Ribbon interfaces are now suddenly all the rage ! Hey, now we need a tile-based interface !)
Compared to Microsoft interface delirium, Ubuntu's move Gnome2 -> Unity -> Gnome3 is much tame.
(Disclaimer: proud KDE user since the mid-late 90s. For obvious historical reasons)
Slashdot Mirror
Ah good news, it would be no help as another technological footnote like Vorbis & Theora.
regarding Vorbis : back in the days it did see some success. By virtue of being BSD-like licensed (i.e.: a permissive license) it was used to compress audio in several game engines (e.g.: at ID starting from Quake3 and up). Also Spotify apparently used it on their app, at least for some time.
regarding Theora : Google used it on Youtube as a possible alternative, so still some use.
But yes, both pale in comparison with OPUS (the offspring of Xiph and Skype collaboration) which incredibly widespread (again permissive license AND best quality in A/B/X tests AND patent free), seems like any modern communication application uses it : it's used for WhatsApp, Skype (well obviously), etc. but also even in some un expected places (Digital Radio Mondial - the digital success of AM Radio, same relationship as DAB+ to FM Radio - supports OPUS. It's not in the official specs, but the major software suite all have ways to use it).
And again the number of AOMedia members is impressive, so it's clearly going to be a success.
The things which changed in the recent time :
- Patent real-word problems: Frauenhofer was some pain back in the MP3 era (hence some in the wild usage of Vorbis). During the MPEG4 AVC / H 264 era, a nice single central patent pool made the things not that much difficult. Theora was a nice concept or patent-free-ness, but in practice there wasn't much difficulties in obtaining the necessary license. Nowaday H265 / HEVC is pure madness. To the point that several hardware manufacturer have backpedalled and we currently see a *decrease* of device manufactured with H265 support enabled. There is definitely room for a patent-free / freely licensed codec.
- Quality : Vorbis was a provably better than MP3 back then (hence tiny better success in the wild). But Thoera was just a repurposed old codec from On2 (VP3) that just got opensourced, not much more arguments going for it.
Compare the situation nowadays with OPUS which completely blasts everything in ABX tests except for the ultra-low-bandwith ( 4 kbits) which are beyond its scope anyway.
Currently AV-1 is the offspring of the Daala efforts of Xiph (and there's some really interesting idea going in: perceptual vector quantization, chroma-from-luma, lapped transforms, rANS entropy coding, etc.), Google's VP10 (now we are several generations down) and Cisco's thor.
Even at the current state of development, it's already showing promises.
So yeah, big thing are in the making.
Secondly IPMI style functionality is a small subset of what Intel's IME does.
It's still a small separate SoC, which runs its own small operating system, webserver and java-based VNC solution (which already implies TONS of access),
and is connected and listening to the network constantly, even when the main CPU is completely shut down (or even unable to boot) (which was the entire purpose of this kind of system).
In practice the code quality of the system running on this chip is still so awefull that, it's still vera pwnable.
- Thirdly AMD's equivalent is the PSP, which just like IME is in every Intel chip, PSP is in every AMD chip.
- Fourthly the Trust Zone functionality in AMD's PSP seems to go even a step ahead
From what I've understood, all these various "Security Processor" mainly deal with storing private key in a secluded part of the system.
They're mainly handling cryptography-related questions.
They don't have a networking stack (and could not be listening on the network even if the CPU is unpowered, they *are* part of the CPU).
Except libreboot's rant about them, I haven't seen yet any concrete proof that they can - by themselves - handle anything more nefarious than "store private key inside, perform signature and encryption/decryption if provided with the correct PIN".
In marketing material, they seems to be attached to wild possibility (remote wiping stolen computers), but there's evidence that these kind of functionality require coordination between multiple component, and the security processor's role boils down "contains the crypto key to the data saved on the mass storage device". They actual communication of the remote command require kludges in the UEFI / IntelAMT / IPMI.
Even TFA specifically speaks about the security hazard contained in *the chipsets* (not the CPU).
But I haven't been *actively* investigating these capabilites.
so maybe recently, Intel and AMD have discretely been moving extra functionality into their secure processors
(network access, full memory r/w access, always-on even when the main CPU is turned off, etc.)
... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.
For the record, the reason why PC are currently secure under IPv4 is because of the router functionnality inside the xDSL modem.
The modem runs some sort of firewall - i.e.: packets are inspected and filtered.
The fact that the addresses are masquaraded from/translated to non-routable local IP ranges is just icing on the cake.
The core of the cake is that the router *does filter*...
It would work just as well if publicly addressable addresses where used behind the router.
(NAT just makes the router function mandatory, because you could not achieve the same simply with a network hub/switch and a dumb-modem).
So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence.
Again, NAT isn't necessary per se. You don't need to remap all the addresses into some fdxx:: prefix to make the network secure. What you need is actually DOING filtering, even if the in-network IPv6 addresses are publicly routable.
And in practice that's exactly what I'm seeing in all local ISP IPv6 deployement : their stantard modem is a modem/router combo. It has filtering capabilities.
By default, there's no inbound access. It *happens* that they also do NAT on IPv4 because they only get a single IP.
But it's mainly functioning as a firewall, on both IPv4 and IPv6.
In 2017, nobody sane is using dumb-modems+switches, so stop agitating this IPv6 strawman.
thanks to H.265/HEVC videos.
Problems are patents.
There exist *several separate* patent pools, and a few extern patent holder.
So paying the IP rights for H265/HEVC is nightmarish patent minefield.
So most manufacturer end up NOT enabling hardware H265/HEVC.
Thus you end up with VLC doing the work on your CPU.
Luckily things are very likely to get better soon with AOMedia's AV-1
(similar to other opensource efforts as OPUS, Vorbis, etc. it's designed to be patent-free)
(and its has all the big names behind it - including Google and Netflix, i.e.: most of the content watched only - but also hardware manufacturer, etc.)
As a member of the audience, if I am going to be buying a chipset then who do I buy it from if I want to talk with my wallet? Aren't Intel and AMD pretty much the only games in town?
Go buy a motherboard with gamer-oriented AMD chipset.
On AMD's side, IPMI (the industry equivalent of Intel's ME) is usually only available on chipset targeting the server/workstation market.
(i.e.: you'll find IPMI on motherboard by SuperMicro. Not on those by ASUS/GigaByte/etc.)
And the best move would be to start coordinating petitions to ask for the opensourcing of the small OS and server running on the chipset's embed core.
(AMD is rather opensource firendly so they might step in and try help push forward a "open IPMI" initiative).
IPMI and TrustZone are 2 entirely different concepts.
IPMI is a separate full blown soc that run a micro server offereing a web interface for admins and a java-based VNC
(AMD's equivalent of intel'sME/AMT)
TrustZone is about having a separate core that handle a couple of security tasks that, by purpose, need to be shielded from CPU activity.
namely handling private keys
(it's cousin of Intel's Trusted Platform).
IPMI is the scary one, because it has full access to tons of critical component (network, framebuffer, firmware settings, etc.) even it the main CPU is shut down (it's a full blown independent server inside a dedicaded SoC on the motherboard, usually inside the chipset)
TrustZone basically only handles key signing/encryption/etc. so isn't that much critical.
Same goes for Intel's ME vs Trusted-whatever-its-called now.
AMD has a similar feature.
On AMD, it's called IPMI.
The difference is that IPMI is a vendor neutral industry standard (and could be found on chipset of any vendor),
whereas Intel's ME is their own "NIH-Syndrom" spin of the same concept.
The difference is that IPMI is considered a "special feature", and can only be found on specific server/workstation chipsets.
The AMD 990FX doesn't feature this micro server.
You need to order specific workstation motherboard from manufacturer such as SuperMicro.
(You know, the manufacturer with such a filmsy UEFI implementation, that the FlashROM can randomly commit suicide when you simply add a boot option).
Or from manufacturer of servers (HP, etc.)
the FSF warned about these backdoors in both Intel and AMD CPUs a while ago. I think the said the last processor made without this "backdoor" was an AMD processor made in 2011.
Huh.... no. Wrong.
For the record : both Intel's ME and industry standard IPMI live inside the motherboard chipset, not inside the CPU.
(i.e.: they live where they have access to all the critical component to function : network card, embed GPU's framebuffer, etc.).
On AMD's side, IPMI is *still* only featured on server chipset. Again, there's no IPMI in gamer-oriented chipsets such as 990FX. /.ers : the tower under their desk in their basement geek-cave is safe. It's the server at work at their day-jobs.
So for most AMD-powered
On Intel's side ME is much more widely spread even on normal desktop chipset (the idea is to make the life of sys admins in enterprises easier).
Tehcnically it's not much a "backdoor" (i.e.: something hidden) as it is a "maintenance entrance" (i.e.: makes the life of the sysadmin easier so he can remotely VNC and diagnostic a server that won't boot, flash computer's firmware UEFI/BIOS, etc.)
The problem is that the quality of this small server is horrendously bad. To the point that any motivated script kiddy can pwn all the workstations and servers across the whole enterprises network easily, simply by downloading some ready to use package.
(Luckily, most of the ME and IPMI implementation only listen to the secondary network port, and thus should be only visible on the private administration network. The bad news is that pro laptops also have ME and that can be enabled on the *WIFI* network)
So to keep with the above metaphore, ME and IPMI are a "maintenance access" door, which actually isn't even locked, but whose whole security boils down to a small sticky note say "please, sysadmins only".
Life would have been much more easy if the ME / IPMI firmware running on the embed system was open-sourced....
Amazing how it looks just like MacOS with the transparency, etc.
...and just like Jolla's Sailfish OS' "silica" style, for the past nearly 4 years.
...and also just like KDE's own style for the past naerly 10 years, as visible on their own "Neon" project demo CD. (Though that's for the general transparency effects getting popular in style. for the combo with "flat"-looking surface, these appeared more recently with the KDE Plasma 5 around 3 years ago)
Well by now this type of style is really old news.
Which is probably why Microsoft is introducing it now.
Just as the RIAA is not producing music and the MPAA doesn't film anything.
And I though that **AA were good at producing lawsuits (bordering on frivolous).
How many real Linux developers are on Windows and have trouble with running a VM, or a separate box?
The opposite also happens :
There are a few scientific fields where nearly everybody uses Linux (e.g.: Life-science research - bioinformatics, etc.)
The servers and clusters run Linux.
The devs run Linux (or Linux VM on laptops with unusual hardware) (or sometime stay on MacOS X because it's still a type of Unix and "Good Enoug" for them).
So the dev write Linux software that end-up being run on Linux compute nodes.
BUT... there are a few research labs with users stuck on Windows (usually the wet labs guys).
They might need to do some data pre-processing locally before uploading onto the cluster (e.g.: because the un-processed files are way to big).
Here there used to be only 2 options :
- the wetlab people install an Ubuntu VM on their machine and run the Linux software this way.
(it's not trivial. Again, we're not talking about the devs or sysadmins, we're talking about the wet lab researchers)
(at least some dev release ready-to-use virtual appliances)
- the dev recompile a windows version using Cygwin.
(but unlike a Linux to Mac OS X port, these tend to be non-trivial, even if you use a full blown POSIX abstraction layer (cygwin) instead of a minimalistic compiéer (mingw) or... gasp... the native Visual Studio)
Now WSL offers a third option :
- just download the Linux version and run it using Bash.EXE
In otherwords : the consumer of software can also have an advantage by using WSL - when in a Linux dominated field (e.g.: research) and not wanting to fumble with Linux/VM installation.
Surely Microsoft would introduce some "extra" features that are addictively sweet into it's Linux ABI. Just like Microsoft did with Java a decade and a half ago -- in violation of the agreement Microsoft signed with Sun -- and got sued for it and cost them $1.2 Billion. Surely nice, friendly Microsoft wouldn't want you to get hooked on something that doesn't exist in the real Linux, and therefore makes you consider deploying Windows in production?
There's a difference :
- back then, in the target market (enterprise servers), Microsoft's own servers (Windows NT OS, running Microsoft IIS web server, etc.) had a significant market share, next to Sun's own Unix machines (solaris, etc.)
So, devs working with Microsoft tools, will end up producing things that work better on the Microsoft servers than on Sun's (due to different extensions) : will lead to some preferences toward the Microsoft servers. (The code just works better here, let's buy more of these).
In other words: The Microsoft E.E.E strategy can work, because there's an actual market share that they can favour while extending the standard as per the second E.
Nowadays, in the target market (Cloud, embed, etc. - i.e.: everything except the desktop) Linux is nearly omni-present.
(With maybe the sole exception of Windows instances being available on the Azure Cloud, I've hear. Does anybody really use those ?)
Now imagine a developer producing a Linux software with Microsoft's extensions that require WSL.
Developer tries it on their cluster/webserver/cloud/raspberry pi/cubesat/whatever... and it doesn't work. Well, to bad. Developer tosses the useless crap and moves on.
In other words, you need an actual monopoly (or even at least some significative market presence) to leverage for the Extend phase to actually work.
Otherwise you're just "that werid company with a non-working product".
Actually, this time, if you think about it, Microsoft is the one on the receiving side.
Linux kernel is developped *extremely fast*, by a very vast community.
On the other hand, Microsoft is only throwing a small finite number of developers at this, and has only currently implemented the strict minimum subset of Linux ABI calls to enable some ELFs to run natively. There are still ton
Ads? What ads? I don't see any ads.
Oh, you must be one of the dumbasses not using AdBlock?
Which is also going to be one of the techniques used by crappy web site owner :
if the webserver recieves a request from a IP within a known Facebook IP range, then serve instead an ad-less version.
Then it's basically a cat-and-mouse game, as makers of crappy sites try to find better way to detect Facebook's access and Facebook tries to be less obvious (retrieve content through external 3rd party servers, retieve content through the webapp running on the poster's local browser, etc.)
The Chinese laptops are always suspect. You never know what's in the firmware.
...nor whats's in battery, and if that one isn't going to spontaneously combust.
They do. I believe that they run at 0.7 atmospheres. It makes people sleepy and docile.
I'm a ski instructor, you insensitive clod!*
3'800m is a pretty normal altitude for me.
I'm not abnormally sleepy at 4000m.
---
Well at least that's my week-end hobby.
According to TFA :
the target isn't actually human drivers (who as you mention will never actually follow speed instruction anyway),
but semi-autonomous cars (basically the system feeds directly into the cruise control of the car, and at that speed, cars cross while mathe-magically managing to avoid each other).
Yeah. Right. All the cars at an intersection needing to openly agree together at which speed each should drive through a public open protocol.
I can't see what could possibly go wrong/get abused~
(Yeah, the various three letter agencies of the world can finally blame their attempt at assassination by remote car hack to "bugs in the traffic management software")
More seriously :
Luckily most modern car have the *adaptive* cruise control type, coupled with forward collision avoidance, so your (high range) car should be able to notice that (because of buggy / malicious speed instructions) it is on a collision course with another car and apply emergency brakes to reduce risks.
(But sadly, current modern cars don't have a very wide angle into their FCAS, and will consider a car coming sideways only at the very last moment.
So you're still in for some ruined car body, but at least you'll probably still be alive)
Note:
the simpler version shown in the Youtube animation (with groups of car crossing in turns, but never cars coming from both perpendicular streets at the same time, only next group once the perpendicular group has finished), is actually being implemented in some european cities (I've seen it in Switzerland) in the traffic lights : the lights try to intelligently switch green on one perpendicular axis or the other, depending on the incoming traffic trying to minimize the slowing down of group of cars (i.e.: if you travel the correct speed, the traffic will always suddenly turn green once you approach and turn back immediately red once you've crossed ; and conversely on the side ways.
i.e.: the traffic light vary their cycles so it looks like the youtube animation with nobody waiting at the crossing due to red light).
but the implied end goal of lanes of car safely criss-crossing each other simply by keeping the correct speed sound a little bit dangerous, error prone and open to hacking.
Also, I know it sounds ridiculous, but there is a back door in Intel chips that allows you to access them, even when the OS is not installed
Technically:
1 - it's not in the Intel *CPU*, it's in the Intel *Server Motherboard Chipsets*.
By design, Intel ME (Management Engine) is a useful tool so sys-admin can remotely access and checks servers (or enterprise workstation) whose OS won't even respond anymore. (e.g.: to diagnose early boot process steps, oversee a firmware update, etc.)
It' basically a small embed CPU core running a micro embed Linux and featuring a web server for the interface and a sort of VNC server and port forwarder/remote device mapper.
In practice, this service is done very sloppily and bugs are constantly found that enable exploit and un authorized acces.
2 - Intel ME has equivalent in other manufacturer called IPMI. e.g.: most of the AMD server motherboard features that one.
Again, like with Intel ME, cirtical exploitable bug are regularily found in IPMI, meaning it similarly easy to circumvent access control.
A big chunk of these exploitable bugs in both Intel ME and IPMI are very probably due to sloppy programming for product rushed to the marker.
But given how many bugs are discovered, and how juicy light-out-management is as a target, there bound to be a few "not so honest mistakes" among these bugs.
But these not-quite-accidental bugs aren't only to be blamed on US agencies.
Are you thinking of the Droid RAZR?
In between was also the RAZR2.
That one had a 3G variant in Europe.
The one I inherited from my brother kept working very well as a back-up phone until it got lost/stolen in a train.
And there are still cell towers able to fall back to GPRS in Europe (a.k.a. "2.5G") so a RAZR could get even internet connection in some regions.
It's like the difference between a bayonet style combat knife and a Swiss Army Knife. The former is more durable
Well, if you source your "Swiss Army Knifes" from China...
But the rest of the comparison is spott-on :
Just like a combat knife is - well - a knife designed for combat, whereas a Swiss Army Knife has only "army knife" in the name* and is basically designed to be a toolbox-combo-with-kitchen-cutelry-drawer that fits in your pocket (and a very useful one at that),
similarly a classic phone is mainly designed to be a portable phone, whereas modern smartphone are mostly designed to be "computers that fit into your pocket and fill a good chunk of all your daily computing needs (plus can also make calls)".
---
*: i.e.: despite the "Swiss Army" name, it's not a military combat knife. It's more like a kitchen knife issued by the swiss army, hence the name.
And let me guess :
this modem will function as the SoC's northbridge ?
Meaning that the piece or hardware that is running for its firwmare some external 3rd party code uploaded by the cell towers of the service provider will have full access to all the RAM and other such peripherals ?
Yay !
And probably do all the transaction where your actual real world identity is a requirement in person, I presume ?
(like filing your taxes)
You just start with a government ID used for shopping and eGovernment. How could that possibly be evil? It's just one ID for all your government services. And shopping. It'd be really great to use this for shopping. And health services. We already need a central repository for our health records so it should be there too. Oh and hey all of our banking accounts should tie into this too.
These are all service that already need to know who the real you is.
Even if there's not a simplified "Internet ID" scheme, they already know who you are, by virtue of how they work.
They all need to know that their client ID#xxxxxx is the real person Mr/Mrs. Yyyy Zzzzz.
Its convenient and it really helps government crack down on crime.
Huh ? How does it help government crack down on crime ?!
It's mainly a simple way by which they can confirm the real identity of a person.
The only thing remotely related to crime, is that all the above administrations and shops will be less compelled to try establishing real identities using flimsy proofs like bills (easy to forge).
Well now that we have you spending habit it'd be a good idea to give you tax credits on your health if you eat buy healthy food instead of junk food.
Nope.
That's doesn't require a standardized internet identity (again, all the above *already* have to know who you are in real life, except for grocery stores where you pick-up in person instead of being delivered to).
That requires *sharing of information* which is a big no-no in most jurisdiction (e.g.: Europe, where TFA's country is located).
Again, *how* a company establishes your real-world identity is completely orthogonal to *what* the company is doing with your personal data.
What you need is *not* stopping methods to register a real world identity to web service.
What you need is *legislation* and *occasional investigation* to prevent the various web services sharing information beyond what is required.
(i.e.: the tax websites should only know "this user is real world user Mr Xxxx Yyyy". Same for your health insurance. None of them should receive your shopping list through the identification service).
and speaking of these laws, and investigation (instigated by consumer-protection associations) - SPOILER ALERT - Germany has them.
In fact now that 80% of the internet uses your ID we should roll it out for Hulu and forum services too,
Why the fuck does a forum needs to be able to map to your real id ?
Translate it to today's pre-IDservice era : does a forum asks for a photocopy of your passport / ID card ? Nope. They only needs any log-in so you can come back later. But you can use a pseudonyme and a password, or any of the optional OAuth / OpenID providers. (but can still rely on your password manager instead for similar convenience).
Same after ID services : forum still have no grounds to require a service to guarantee that you're the real-world person you pretend to be.
Oh hey since we have IDs tied to facebook we can finally solve this troll problem. In fact we should require your government ID to be used to login to Facebook to verify it because everybody agrees hate speech needs to be properly penalized.
Actually, even before a central standard way to confirm real world identites, Facebook attempted to require its users to identify with real world identity (Was it called "RealID" or "RealName" ? can't remembre).
on the grounds to fight against internet trolls and cyber-bullies. (read: and better datamine the shit out of you).
result: in vain.
If you want your code to be reused by others you simply have to choose an unmodified license.
What I'm saying is that under some special circumstances, the modified license can happen to be another different unmodified.
And this newly licensed code can still be acceptable under the old licensing term.
This usually happens when transitioning from permissive license (like the BSD family ; because they are on purpose done in a way that let total freedom to the developers, including even NOT releasing the code at all) to a copy-left share-alike (the addition of the restrictions that prevent developer from blocking end-users are acceptable under some forms of BSD).
Or probably from permissive license to nearly anything else, including commercial. (again, that's the whole purpose of permissive license in the first place).
(as long as the new license doesn't contradict the terms under which you got the code).
Upstart was available before systems was written.
(Yes, and even RedHat / CentOS used it at some point in time)
My point :
yet after nearly everybody dropped upstart in favor of systemd (or, in Gentoo's case, went a different path with SysVInit -> OpenRC transition),
Canonical persisted on using upstart instead.
They have a strong case of wanting to do things their own way differently from everybody else (cue in xkcd's "yet another standard" comic), despite not having the developers resources to do so. (Unlike, say, Gentoo. Apparently they can successfully maintain their OpenRC).
(Or did Slashdot suddenly turn UTF-8 support on ? "éàöü" ?)
Øh ! göð !
That is the real top news of today !
UTF-8 finally working on /. (with the editor silently turning it into HTML numerical refs)
Soon we will be able to invoke Zalgo's name and spread the corruption.
BTW, when did the ö character start working on Slashdot?
on the other hand I have spell ö as ö for years before ö started to get accepted.
(Or did Slashdot suddenly turn UTF-8 support on ? "éàöü" ? seems to work in preview already)
Changing the UI suddenly presents new challenges for productive people who do not have the time, interest, or inclinati[o]n to focus on learning a new way of doing their daily tasks.
Yes, they should instead have followed the example of Microsoft.
no, wait...
(Ribbon interfaces are now suddenly all the rage ! Hey, now we need a tile-based interface !)
Compared to Microsoft interface delirium, Ubuntu's move Gnome2 -> Unity -> Gnome3 is much tame.
(Disclaimer: proud KDE user since the mid-late 90s. For obvious historical reasons)