I like this summary, so I'll elaborate a bit for those who don't want to read the paper.
There are two attacks, being released together. Meltdown attacks Intel kernel memory, and Spectre attacks any peer userspace process. Meltdown (attack on kernel memory) only works on certain Intel designs. Spectre works on any architecture that performs out-of-order execution of instructions and leaves junk behind in the cache even after the results of the instructions that shouldn't have been executed are wiped and where the cache is shared by multiple processes. Basically, any modern high-speed processor.
The first one can be mitigated by not leaving any kernel pages mapped at all. The second one ... sounds like they're suggesting to just look for all the known patterns of instructions in your binaries and modify the source code to avoid that pattern. And keep doing that each time a new pattern is discovered.
Both attacks work by checking "did a specific address end up in processor cache". The usual way to test this is by clearing the cache, performing the attack, and then seeing which memory accesses are fast and which are slow. For both, the attacker needs to be able to precisely time memory reads. For Spectre, the attacker also needs to know the machine code of the target (to find specific instruction sequences which it can attack), and be able to communicate with the target (to provide them with crafted inputs).
While the requirements for Spectre sound like a high bar, the authors of the paper were able to demonstrate it by tweaking some javascript and looking at the machine code it generates in Chrome's JIT compiler, then having the javascript attack the host browser. This allowed the javascript to read the entire memory of the browser. It doesn't say they were able to attack things like SSH agent cached keys, but once they know everything in the browser's password cache they can work their way outward.
A multi-user host would be the most vulnerable to Spectre.
There are two flaws. AMD does not have the read-kernel-memory flaw but it does have the read-other-userland-process-memory flaw. Imagine javascript reading your cached ssh agent keys.
Spectre sounds like the worse of the two, to me, actually. In the paper for it they describe an attack where javascript is carefully crafted so that it generates specific processor instructions when compiled by the Chrome JIT compiler, and then the javascript is able to attack the browser host and read its entire memory contents. And they have a working example of this supposedly.
There are two attacks described in the papers. One applies only to Intel and allows you to read Kernel memory. The solution is to wipe page tables during switches to/from kernel mode.
The other attack applies to EVERY processor that does out-of-order execution and which leaves junk in the cache after rolling back a failed guess. It allows one userland process to read the entire memory of another userland process (i.e. a php script reading the contents of your sshd, though they haven't demonstrated that one yet). They do have an example of javascript reading the contents of the browser's memory, and they did it by crafting javascript that gets JIT'd into specific assembly instructions by Chrome's compiler.
The thing all of these attacks have in common is they must know the machine code being executed by the target, and be somewhat in control of their own machine code. I don't even see how they will stop the second attack other than clearing out the cache more frequently, but with multiple processors or hyperthreading and sharing the cache... there might not even BE a fix. I haven't read of one yet. (but the story is still developing)
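The "avoid the known instruction pattern" mitigation mentioned in the comments above, shown for the bounds-check pattern next to a masked-index form. This is an added example, not code from the comments or the paper; `table`, `probe`, `index_mask`, `index_nospec` and the 64-byte stride are assumed names and values for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16u                     /* constructed sample size */
#define WORD_BITS  (sizeof(size_t) * CHAR_BIT)

static uint8_t table[TABLE_SIZE];          /* data the caller may read */
static uint8_t probe[256 * 64];            /* second array, indexed by the loaded byte */

/* Constructed sample data so the lookups return something checkable. */
void init_sample(void)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        table[i] = (uint8_t)(i + 1);
    for (size_t v = 0; v < 256; v++)
        probe[v * 64] = (uint8_t)v;
}

/* The pattern: a bounds check followed by two dependent loads.
 * Architecturally this is correct. If the branch is predicted "taken",
 * both loads can still run speculatively with an out-of-range idx, and
 * which probe[] cache line gets touched depends on the byte read. */
uint8_t lookup_unhardened(size_t idx)
{
    if (idx < TABLE_SIZE)
        return probe[table[idx] * 64];
    return 0;
}

/* All ones when idx < size, zero otherwise, computed with arithmetic
 * instead of a branch, so there is no prediction to get wrong.
 * Requires 0 < size <= SIZE_MAX / 2 + 1. */
size_t index_mask(size_t idx, size_t size)
{
    size_t top = (idx | (size - 1 - idx)) >> (WORD_BITS - 1);
    return top - 1;                        /* 0 -> all ones, 1 -> 0 */
}

/* Clamp: in-range indexes pass through, everything else becomes 0. */
size_t index_nospec(size_t idx, size_t size)
{
    return idx & index_mask(idx, size);
}

/* Same lookup with the index masked after the check. Even when the
 * branch is mispredicted, the loads can only reach table[0]. A compiler
 * may turn plain C back into a branch, so production code relies on a
 * vetted primitive (Linux: array_index_nospec) or a speculation barrier. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < TABLE_SIZE) {
        idx = index_nospec(idx, TABLE_SIZE);
        return probe[table[idx] * 64];
    }
    return 0;
}

int main(void)
{
    init_sample();
    printf("in range : %u\n", (unsigned)lookup_hardened(3));
    printf("too large: %u\n", (unsigned)lookup_hardened(TABLE_SIZE + 5));
    printf("clamped index for 1000: %zu\n", index_nospec(1000, TABLE_SIZE));
    return 0;
}
```
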
I saw it on tv that same day. They had news updates on it for the next dozen hours about how the roof was still on fire because of layered new construction overtop old construction, and continued drama over whether the defense officials would need to evacuate. You want to tell me that the tv footage was faked? Burden of proof is on you. Go conspiracy yourself elsewhere.
You're swinging the clue-bat the wrong direction. The difference between an F16 and a gravitational slingshot is that the F16 is being accelerated by air pressure from the outside, while the occupant is accelerated by external contact as well. It requires the structure of the vehicle and occupant to withstand the forces. When gravity is performing the acceleration it accelerates all molecules of the entire body equally* so the bodies feel no external stresses at all.
*aside from tidal forces etc mentioned by the other posters.
He said it required a massive amount of luck, not effort. If you set your finite improbability generator to 1:2^256 you could crack them all open on your next lunch break.
I will swear by Perl's ability to let me write more features in less time, with test cases and documentation, which is easier to maintain than any other language I've used extensively (C++, C, Delphi, Java, Javascript, Bash).
I've done a little Python and a little Ruby, and both were prettier to look at, but the toolchains were not as well developed for general purpose agile tinkering at the time I used them. It's hard to make a fair comparison though without delving as deep into those as I've done with perl.
I see people complain about this from time to time, but I don't agree. Perl scripts often process binary data and if you assumed UTF-8 on input and output then it would break things like unzipping compressed data on stdin or streaming it to stdout. The unix tradition perl is built on assumes bytes until you tell it otherwise.
I don't follow python, but I'd assume you get the exact opposite problem, needing to turn on binary mode any time your script might need to stream binary data?
Meanwhile, I am rather annoyed at slashdot's lack of unicode. It would be nice if they could at least support the common characters used by i.e. the iOS screen keyboard which makes it impossible for me to use apostrophes.
I was actually running Starcraft II just a few months ago and it worked great. But, with Blizzard's regular patches they finally managed to break it for me. Now it works right up until I start a match and then crashes.
Not just bios, PS/2 supports "full n-key rollover" which is important to gamers. In other words, PS/2 sends a press code and then a release code on keydown and keyup events. The USB keyboard standard screwed this up by having each packet list the keys currently pressed, and when a key disappears from the next packet it means it was released. The packet only holds 6 keys, so a person with 10 fingers can easily overrun it, which masks a key press. The special expensive n-key rollover usb keyboards supposedly work by attaching as multiple keyboard devices.
Also there's the bit about polling vs. interrupts. PS/2 can supposedly get the key code delivered faster since it doesn't wait on other devices for a turn to speak.
I think it was 2001 when University of Cincinnati stopped using SSN as the student ID
I don't know squat about it either. Maybe you could inform us about the value you're adding to the cab system by owning this license? Then people won't suspect you of being a parasite.
Sounds like a fantastic hobby. I prefer my programming and videogame hobbies, and like to keep transit simplified to three or less methods to worry about. I suppose this is part of why I don't live in NYC.
There are quite a few small projects that aim to do service monitoring "better", but none of them is a complete solution. They are all designed as building blocks (the way they should) but nobody has gone through the effort to build the missing pieces that would let you run i.e. Gnome3 desktop on them.
https://skarnet.org/software/s...
I even wrote my own, though it needs a "version 2" before it will really be ready for prime-time.
http://www.nrdvana.net/daemonp...
I only use these service monitors for embedded systems and minimalist systems. All my desktops are running systemd simply because it came with the distro and I don't want to spend the time learning to make Gnome3 run on a more minimal tool. I really hate Gnome's design, but I like having a desktop that looks and feels modern.
They should have called it a GrandByte, 1024B = 1GB. That would have prevented this mess
I double-dare you to refute the points in the article I linked. It is backed up with source material. The original email is not.
I used to believe the body count rumor too, but then found this: http://www.snopes.com/politics...
If you ignore the partisan rant at the start of the article, you'll find that they document the deaths pretty well, and only 2 of the 50 are actually "suspicious deaths related to the Clintons", and both had other probable theories, and no actual theory involving the Clintons.
That is unrelated to these new suspicious DNC events, but I like to debunk the "50 deaths" myth when I see it mentioned.
The first thing that comes to my mind is wondering how MS mapped windows users to linux UIDs. When linux is allowed to access the filesystem there could be all sorts of things to abuse in the permission translation. I would be interested in an article describing the design decisions though, instead of one generically predicting doom and gloom.
Well npm does seem to have caught up on module availability. Though I just checked and the excel parser is actually just a wrapper around the Python library. Also these APIs are pretty skeletal and the documentation is almost non-existent.
Compare: (just picking the modules with high star ratings)
http://search.cpan.org/~dougw/...
https://www.npmjs.com/package/...
http://search.cpan.org/~phred/...
https://www.npmjs.com/package/...
It won't give you asynchronous event-driven websockets or anything like that, but Catalyst is great for a fast backend, serving pages and ajax requests. The learning curve is higher than it needs to be (thus the rise of Mojo and Dancer), but it's served me well on two moderate sized projects. (one public site serving ~30,000 requests a day, and the other a closed system with ~1000 active users a day)
I started on Perl to maintain existing code, but have since used it extensively for everything I do these days. The greatest thing about perl is the wealth of CPAN libraries available. Recently I was asked to automate the process of logging into a mailbox, downloading the most recent message meeting various criteria, extracting a zip file attachment from it, extracting an Excel ('97 format) file from the zip file, and importing its table of data into the database used by a large webapp.
Thanks to CPAN, I had the whole thing done in less than a day. CPAN modules are a mixed bag, but most of the important ones have decent documentation and a lot of real-world testing. They're also trivial to install. "cpanm ModuleName".
I judge web frameworks by how *little* they try to do for me, and how easy it is to pull in other modules that serve specific purposes. The Perl ecosystem excels at this, more than any other language I've worked with.
When DeLorean went bankrupt they sold the stainless steel panel molds to fishermen, who dumped them in the ocean to anchor fishing nets. I expect lots of wealth will be destroyed even if the factories get used by someone else.
The flip side is that probably a lot of inefficiency will get destroyed too. Large corporations tend to have that in abundance, carried along by the successful side of the business.
Harbor Freight sells 3' flex drills for pretty cheap,
Parts Express sells 16' USB cable + repeater for pretty cheap (and you can chain up to 5 of them)
http://www.parts-express.com/u...
and HDMI cables go up to 50' (VGA is cheaper, if that's an option for you)
This is what I did to connect the projector in my livingroom to my computer in my office. But actually after doing that a while I got tired of always needing my personal PC to be ready for use as an entertainment center, and just got a second computer for the livingroom and put Windows on it so my friends could figure it out. That way I also don't care if it gets full of malware as people download things; I just wipe it if anything doesn't look right.
Um, did you ever play quake? If I remember right (and it has been a rather long time) Quake was the first FPS to have no plot at all whatsoever, not even alluded to in the manual. There was no opening cutscene, no text of any form at any point in the game, and in fact the start of the game was somewhat unique because instead of having you select difficulty from a menu, they instead dropped you into a room with 3 portals, one for each difficulty.
Wolfenstein had a plot. "Escape from castle Wolfenstein, and kill nazis". Doom had a plot. "Aliens destroyed earth and you have invaded their base and must kill them all". The plot interaction consisted of showing you the name of the next location you were attacking, and some text when you completed the episode. Oh, and you could read about the atrocities of the aliens in the game manual. Heretic has a plot with the same mechanics. Doom2 likewise. Duke3D used a plot similar to doom, except the fight started on earth. Duke3D actually had things you could interact with, but I wouldn't go as far as to call them plot elements. Quake had no plot. Quake2 had an intro plot (same used in Doom) and even an engine-rendered cinematic, but then reverted to killing everything in sight for the rest of the game, like quake 1.
Half-life was seriously the very first game I ever played which was a true fps with rpg elements. Half-life broke new ground.