Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Linus Torvalds: "GCC 4.9.0 Seems To Be Terminally Broken"

rev0lt Re:I know you're trying to be funny, but... (728 comments)

https://lkml.org/lkml/1998/9/3... [lkml.org] I don't know what else to tell you. They really do suck. Trap-gates are faster and safer. Call-gates are... prettier, more elegant.

Have a look at Linux 2.0 implementation. You'lll see an interrupt handler copying registers to the stack, and *then* invoking the call gate. So basically, doubling the work. And no, interrupts are not safer, as they don't provide stack isolation. This is done *manually* in the Linux implementation.

It's probably much a much narrower/null lead these days with massive caches, but back in 98, it was serious business.

I seriously doubt that. I was working extensively with x86 assembly in 98, and actually implemented call-gate systems in some of my pet projects. Granted, they were pet projects, not a mainstream piece of OSS, but I don't share that experience.

he various kernel mailing lists are abound with discussions on people wanting to try out call-gates, and finding out that *they suck*.

AFAIK, the implementation 2.0/2.2 still uses a call gate. Not directly, but inside the IV.

Also, SYSENTER wasn't switched to until we ran into the P4's massive pipeline stall on trap-gates, which the AMD K6 did *not* exhibit. It wasn't a fundamental problem with the trap-gate itself, but a quirk of the Netburst architecture.

It is a fundamental problem with the trap gate. The pipeline size and the agressive branch prediction mechanism only made it worse. Shorter pipelines don't suffer as much, as they are faster to clean and less prone to stupid execution stalls. Also, there was a huge amount of optimization done on silicon for this since 32 bit operating systems using interrupts became mainstream, and the same can't be said for the architecturally complex call-gate solution. SYSENTER simplifies a lot, but performs basically the same task as a call gate.

The fact that the unices/dos used entry 0x80 in the IDT, and NT used 0x2e, and 95 used 0x30, with call-gates to VxD code (eventually gotten rid of) doesn't mean the methodology of the trap was what was inherited

Actually, the fact that many other architectures do not provide any other user-defined global entry point besides the interrupt table has a huge weight in it; I don't see any problem with the metodology, if you're implementing a portable system. I see problems with a specific implementation of it on an operating system designed from the ground up for x86, and one of those problems is that whoever implemented it clearly had no clue about how it worked.

2 days ago
top

Gaza's Only Power Plant Knocked Offline

rev0lt Re:Radicalization (834 comments)

Jews, on the other hand, have thousands of years old connection to the land. There are historical artifacts, found all across Israel with Hebrew writings on them, and indeed most of Jewish history can be traced back to Greater Israel.

As many other tribes do, including many many muslim settlers. Jews didn't existed as a "nation" trying to form their own country since the beginning of the 30's. Problems between jewish settlements and muslim settlements go back many many centuries, as both shared the same piece of land. To suggest that jews are the ones with the legitimate right to it is to be narrow-minded. During the beginning of the XX century, they were actually a minority in the region. In fact, when jews all over Europe started returning to the "promised land", the influx was so big that the Brits passed laws limiting Jewish emigration.

The sad reality, is that we have a "neighbour" that is so extreme and hell bent on our extermination, that we have no choice but to continue defending ourselves.

That is a piss-poor excuse. I bet your neighbour doesn't have nuclear devices and the backing of the most well-equipped army in the World. But if that "us-or-them" attitude is what makes you sleep well at night - by all means. But regardless, both sides are to blame.

2 days ago
top

Gaza's Only Power Plant Knocked Offline

rev0lt Re:"Proportional response" is nonsense (834 comments)

That lie was exposed as such, when the Gazans voted — in free and internationally-observed elections [washingtonpost.com] — for Hamas [wikipedia.org].

Oddly enough, when American citizens are killed by the thousands as a response to direct actions of their freely elected democratic government, its called "terrorism", and it is a legitimate excuse to bomb the shit out of other countries. What you're saying is that anyone that suffered directly from decisions made by the US governments has the legitimate right of shooting down *any* american, just because it exercised its democratic duty. So, lets expand this concept - there has been some heavy international military interventions in the last decade, coordinated by more than a dozen democratic nations. It was their government's decision to take part on it. What you're defending is, that if you were on the other side of any of those interventions, you have the *right* to kill *anyone* from any of those countries, because they elected a government?
I actually hope you're an american.

Contrary to the haters' portrayal, IDF are not indiscriminate killers they don't need this sort of calculations to try their hardest to avoid killing innocent civilians. Shit still happens, unfortunately.

Its not the hater's portrayal when you have western media covering it, and even have Israel allies asking questions about this. Are you really convinced that Hamas has a super-duper propaganda machine that is bigger and more efficient than Israel's/US machine? Shit happens when you bomb one of the most densely populated areas in the world, and they don't care.

2 days ago
top

Gaza's Only Power Plant Knocked Offline

rev0lt Re:Radicalization (834 comments)

So I really do think that comparing casualty numbers here, when they're competently kept low by Israel and intentionally driven up by hamas, and yes they're deliberately trying to get their own killed for the press value, is a little disingenious. Unless you don't mind parrotting Hamas propaganda. Because that is what it is: Propaganda, very very bloodily so.

And what do they have left? I'd suggest you try to corner a common house pet like a cat or a dog, and see what happens. It is easy to take the moral high ground when you have food, water, sanitation and electricity. And a job, public transportation, schools, shelter. Parks for kids to play. Do you think everyone in Gaza is a terrorist? Do you think every arab is a terrorist?
Imagine yourself without most of what you take for granted, and that you look across your fence and your neighbour has everything you want and is laughing at you. It is hard not to get emotional on this, specially when you have an active propaganda machine telling you who the enemy is. And this machine exists in both sides.

Keep in mind, what is now the US and Australia was partially colonized by western criminals. Does this mean they are all criminals, and their children need to die? I don't think you believe what you wrote.

2 days ago
top

Gaza's Only Power Plant Knocked Offline

rev0lt Re:Radicalization (834 comments)

Hamas started it and reuses to agree to any proposed cease fire. Israel isn't the group calling for the extermination, Hamas is. Israel has also offered legitimacy to the Palestinian government in exchange for a cease fire and removing the language in the charter to kill all jews.

So, a guy insults you and says you should die. You shoot him and his family? Is this the appropriate response? Because that's what I've seen Israeli leaders and spokesman defend, and they don't look like batshit crazy terrorists. The other guys do.

2 days ago
top

Gaza's Only Power Plant Knocked Offline

rev0lt Re:Radicalization (834 comments)

Playing devil advocate's here, but most Hamas attacks are almost laughable a military point of view, and they are a pretty good excuse for Israel to retaliate. They may be taking the credit for them, but I'd be quite surprised if at least some of these attacks aren't "sponsored" by Israel itself.

2 days ago
top

Linus Torvalds: "GCC 4.9.0 Seems To Be Terminally Broken"

rev0lt Re:I know you're trying to be funny, but... (728 comments)

They suck. That's why Linux didn't use them (int 0x80).

Wrong. Linux didn't use them because every Unix OS out there didn't use them because... You know, they weren't designed specifically for x86. And - contrary to *every* single f***ing int 0x80 implementation out there, x86 Linux uses/used to (before SYSENTER) by-register instead of by-stack parameter passing convention.

That's why Windows NT didn't use them (int 0x2e)

Windows NT didn't use them because it was designed as a highly portable micro-kernel. Initially they targeted other architectures besides x86, such as MIPS. There were other reasons, and AFAIK most of the *actual* protection mechanism from the kernel was developed by an outside consultant (read it on a book some years back about Windows 95, cannot vouch for accuracy).

That's why *BSD didn't use them (int 0x80).

BSD kernels weren't designed for x86. They were ported for x86. The ports were done using the most generic approach. And every x86 BSD kernel uses by stack convention, not by register.

That's why OSX doesn't use them (int 0x80).

OSX wasn't designed as a x86-only operating system, and also inherits from BSD and XNU. XNU is based on Mach, which is based on 4.2BSD, so again, a port, not a native x86 development.

Cache locality is horrible, the far pointer requires more bytes/instruction and segment registers suck- especially when running in protected mode

You're kidding me, right? A single call that triggers a processor mechanism that creates a destination stack frame, SECURELY copies X bytes of stack between levels and invokes a higher - or LOWER level function? Most 32 bit code is 4-byte aligned anyway and binaries built page-bounded, so the actual savings are bare to none. And call gates are *actually* faster than interrupts. And given the way that protected memory works, I'd expect to see way more cache penalties on the interrupt approach than with a call gate. And all this not considering the huge amount of executed code before dispatching the actual syscall, at least on the kernels I mentioned.

The "DOS-style" syscalls you're referring to are a software interrupt trap, (also called a trap-gate).

No, you're confusing software interrupts (such as int 21h, int 80h, etc) with parameter convention. DOS-style is to pass parameters to interrupts by register, eg. ah=25h, al=00, int 21h. Every other x86 unix implementation passes by stack, not by register. There is the "but its slower" argument that falls when you actually look at the 2.0 kernel implementation specifics.

Every OS worth mentioning used them prior to SYSENTER being introduced.

True. Most unixes did it because of ABI compatibility (the use of int 0x80 predates any semi-decent protection mechanism from Intel, probably by a decade). Also, most OS developers aren't really tied into building a better mouse trap; If you look at it, most OSs use more-or-less exactly the same design, because most of the guys building them all learned from the same book and the same source references (nothing wrong with that, and it is truely the work of masters), and the guys that didn't usually don't care about x86 at all. Some are little details (such as the call gate stuff), others are a bit more serious (as in the case of not using the cpu's segmentation mechanism in userland applications to provide complete separated read-execute and read-write selectors), but in the end is like having a Ferrari to drive to church :)

2 days ago
top

Linus Torvalds: "GCC 4.9.0 Seems To Be Terminally Broken"

rev0lt Re:I know you're trying to be funny, but... (728 comments)

I'd say pretty much every protected-mode/mode switching assembly line in 2.0/2.2, and the USB stack issues in 2.4.12 - 2.4.22. And the whole swap mechanism of pre-2.6 (and specially pre-2.4). And the shitty shitty DOS-style syscalls in x86! Wtf was that? Intel/AMD even came up with a shiny new instruction, since apparently linux devs (Linus?) cannot be bothered in reading about level switching with call gates.
Anyway, dreadful bugs? Can't recall any major one. I did have some linux machines locking up randomly, even when they shouldn't, but most of the times, its a driver issue, not the kernel itself.

3 days ago
top

LibreSSL PRNG Vulnerability Patched

rev0lt Re:Shocked I am! Shocked! (151 comments)

I didn't know C and Excel had a native X.509 parser and cert management built into the language. I'll run and check my copy and K&R, but I'm pretty sure it's not in there.

If you configure any of them to that specific task, there is no technical limitation from their side. But I'm sure you wouldn't consider some scripted operations in Excel to generate and manage certificates a security product, right? That was my point.

In the last two years. Deployed in the main stream in that last year.

And is consistent in every environment? Shall I expect the same quality and behaviour in OpenBSD, Linux and Windows 3.1? Because, you know, this is the actual problem.

Gave the option of using local high rate entropy sources to ensure consistency in the random numbers from it's service interface.

Sure, its called ENGINE API. Did LibreSSL removed it? Doesn't seem so. Check https://github.com/libressl/li...

about two weeks ago
top

LibreSSL PRNG Vulnerability Patched

rev0lt Re:Shocked I am! Shocked! (151 comments)

Of course I know about other hardware RNGs. I already pointed to VIAs and the occasional one strapped to an ARM core. I put some of them in some of those chips.

So, you acknowledge they're still not mainstream, as you tried to imply in your previous comment.

It may be two years old to you, but it didn't come into existence in 10 minutes.

Yeah, it didn't. Crypto support in general purpose CPUs is not new, and as you mentioned, the VIA instructions are way older than the incarnation from Intel.

These repeated crypto software failures point to a holier than thou attitude of some crypto software writers that does the public no good. You can't play in this game without accepting that it's easy to be wrong and you'd better have things checked and cross checked by the smartest people you can find and don't get all defensive when you've been found to be wrong.

The whole point is, probably some of the critical systems running software implementations in userspace shouldn't. Cryptoprocessors exist for a long time, and cryptocards and SoC are quite common well, everywhere. Bugs will always exist, but the attack surface is way smaller.

Mark it down to experience and move on. That's how it works. When Theo can't accept that the universe works this way, he automatically loses his security credibility license.

That's how all software works. It wasn't a serious/catastrophic bug. The peer review process from the community worked as expected, the bug was spotted and then fixed. The bug was tied to a specific implementation that wasn't very well thought of. Doesn't really matter, it was fixed. The bug itself was quite hard to exploit, specially if used on a secure environment (where process accounting is common; in fact, it baffles me the inane amount of Linux servers without any resource accounting at all, and the huge amount of sysadmins that don't even know how to configure this); I'd guess it is quite easier to gain root access on a given Linux server by using a more "generic" exploit (and then do as much hijacking as you want) than to hijack a crypto channel by using a fork bomb. And if it was Linus doing a similar fuckup, no biggie. But because it's Theo, it is newsworthy.

about two weeks ago
top

LibreSSL PRNG Vulnerability Patched

rev0lt Re:Shocked I am! Shocked! (151 comments)

The last time I looked, OpenSSL claimed to provide command line tools for managing certs

So, it generates prime numbers and does some math between them. If that is a security product, so is everything else capable of producing that kind of output - it includes both Excel and the C language, as an example.

OpenSSL recently greatly improved its RNG code

Define "recently" and "greatly". Because if this bug actually happened in OpenSSL, I suspect that we'd have to wait months for the proper patch from upstream.

about two weeks ago
top

LibreSSL PRNG Vulnerability Patched

rev0lt Re:Shocked I am! Shocked! (151 comments)

It's a shame that you don't realize that *modern* Intel is only a subset of the cpu market, and not even that relevant in network appliances. Have a look at http://en.wikipedia.org/wiki/R..., and you'll quickly see that the instruction you mention is about 2 years old. So, either you have the experience you say you have in other posts, and you're perfectly aware of this and are trolling, or you actually have no clue on the diversity of hardware out there.

about two weeks ago
top

LibreSSL PRNG Vulnerability Patched

rev0lt Re:Shocked I am! Shocked! (151 comments)

Security products needs to be held to a higher standard.

OpenSSL/LibreSSL are *not* security products. They are crypto middleware. They can be used to build security products, or to build completely unsecured products. They do nothing by itself. Which is fun, because the LibreSSL Linux port actually required *extra* code so it would work with dumbass admins. And this extra code had the bug. True, Linux PID behaviour is not a security feature, but it is an entropy source. Maybe not a good one, granted. But it was used as fallback. Want to bitch about it, go ahead. It was detected, it was fixed. It is not a big deal. What is the problem?

about two weeks ago
top

LibreSSL PRNG Vulnerability Patched

rev0lt Re:Shocked I am! Shocked! (151 comments)

They failed. Then they tried to claim it wasn't a biggie.

It isn't. Apparently is an issue related to portability (aka Linux), and lack of permissions to access to proper RNGs in real-world scenarios (no access to /dev/urandom). While this is definitely a bug, it *isn't* a biggie. Its an edge case where the implementation should have been more robust, that's it.

about two weeks ago
top

Qualcomm Takes Down 100+ GitHub Repositories With DMCA Notice

rev0lt Re:On this 4th of July... (349 comments)

I was speaking only of unpaid volunteers.

I know. But those are only a subset of the contributors. And eg. for big, important projects, development is done mainly by companies (eg. Linux Kernel, Java, some GCC infrastructure, Mozilla, WebKit, etc), even if the commiters are listed individually. As I explained, the idea of the poor lonely guy in a basement writing code and being sued by the "big corps" is skewed from reality, and it has been for many many years.

The term quantify means to assign a number to something.

That number may be absolute (as you're implying with the SI reference) or relative. Checking yourself into a hospital because of an anxiety attack and getting a prescription and some off time because of the whole situation is easily quantifiable. Many health-related quantifications are done in percent of an expected, well known pattern. And insurance and disability funds are paid based on that.

I doubt that a few github takedowns are really going to impact a professional operation, however. They tend not to use sites like github as part of their core workflow. It mainly gets used by those poor nerds in basements.

While I do agree with your point (relying on a 3rd party is usually not a good idea, specially when you can self-host the codebases), this is more common than you think. I myself maintain/contribute to several private (paid) repositories that rely on external dependencies from OSS projects.

There is no criminal remedy to a false DMCA complaint that doesn't require a prosecutor to file.

Again, if someone publicly acuses you of a crime that is later proved you didn't commit, you are entitled to indemnification by damages caused to your reputation and your business/whatever. As this is not a matter of crime, it is a dispute filed on a civil court. There is no prosecuter on this. It is a dispute between two entities.

I'm really only concerned with the guys doing unpaid volunteer work here.

Yeah, but again, they are only a subset.

The community-driven project can't afford to deal with the likes of Qualcomm

Please tell me one well-known, widespread OSS project that is completely community-driven and mostly built with unpaid volunteer work. And no, stuff like foundations don't count - they're done for tax purposes.

about three weeks ago
top

Qualcomm Takes Down 100+ GitHub Repositories With DMCA Notice

rev0lt Re:On this 4th of July... (349 comments)

What lost time is there for a volunteer on an FOSS project? The courts do NOT award lost time for responding to the lawsuit, but they might award it for the actual takedown notice, assuming you can show damages

You are assuming a "volunteer" is not paid. In many cases, it is a false assumption.

What are the SI units for that?

Americans (mostly) don't use SI units. But what is the SI unit to bone damage in a broken leg? What is the SI unit for autism? What is the SI unit that measures impact of an infection on the organism? All these cases are quite easy to quantify.

Maybe. That might depend on how it is advertised. In any case, Qualcomm isn't the one advertising this case, so there is no claim for libel.

So I hire an assassin. The assassin commits a crime, and I'm not responsible for inciting and paying for the execution of the crime? Wow.

How are they depriving you of your IP? They're only preventing you from distributing it, unless github was your only copy of it.

Many many tools rely on automated checkout of libraries and components (under FLOSS licensing) from repositories. Having a base library or something like that unaccessible based on false pretext breaks those tools. This may translate on commercial releases that can't be done because further manual integration needs to be done. If I maintain or contribute to one of those tools, and my employer cannot deploy the latest bugfix or our platform because some monkey decided to file a DMCA, I'd bet they'll be having a bad time. And yes, again - this is quite common; OSS maintainers that are paid for what they do and integrate that work into the employer's product line. The notion that a project volunteer is a poor nerd in a basement, while romantic - is generically wrong. They exist, but they are not the majority.

As far as criminal charges go - only a prosecutor can seek those, and to date none has done so over a DMCA claim.

A prosecuter is necessary for a public crime. And some crimes are semi-public (they require a lawyer to file the complaint).

If you file a DMCA counter-notice you are potentially inviting a lawsuit.

Crossing the road is also dangerous.

You stand nothing to gain other than the right to continue distributing the work in question, and a LOT to lose

Or not. You assume the system is rigged "for the big guys". I don't. In Qualcomm's case, any doubts about licensing of their driver/firmware code would have direct impact on sales. Pushing this to court while blatantly wrong would cause damage to the existing business. Qualcomm is not SCO; its not a patent troll trying to make a quick buck. As an example, I've done consulting on embedding systems for small network appliances. One of the criterias I use for component/platform selection was how "untainted" the driver is. Does the manufacturer provide a OSS-licensed reference driver? Is it known to push back or discontinue existing drivers? Are the drivers actual working drivers, or a wrapped blob? Is the licensing clear? Does it require an NDA? etc. etc. Given the rising popularity of android and linux systems, and the fact that many other companies also factor in these elements when choosing provider (not only price or funcionality), I'd be surprised if they try to move this forward.

For somebody not making money off of the distribution, it is a big risk to take.

Again, you assume its a guy in a basement. More often than not (at least for code that is actually useful), its not the case.

about three weeks ago
top

Qualcomm Takes Down 100+ GitHub Repositories With DMCA Notice

rev0lt Re:On this 4th of July... (349 comments)

And what damages exactly does somebody doing volunteer FOSS work have to show?

Besides lost time, the fact that code was unavailable for possible futural employers to look at, the fact that the volunteer was publicly pointed out as a copyright infringer and may not feel comfortable continuing his pet project? Heck, just the stress of it all is quite easy to prove and quantify.

The site was only down for a few days, and then per the DMCA it goes back up when you file the counter-claim.

Meanwhile I actually read the DMCA from Qualcomm, and it seems that - in most cases - the claim seems legit. Well, for the cases that aren't, you have your *public repo* with your name on it linking to a frivolous DMCA claim. While the claim itself is perfectly legal, advertising it may constitute libel if the claim is bogus. Also, if the files aren't accessible, they are depriving you of your intellectual property, by claiming its theirs. You already have a ton of posts on this thread explaining in detail why when someone states they're the legitimate copyright owner in a DMCA claim when that is false is - by itself - a crime.

The US court system doesn't recognize the burden of having to defend a lawsuit as damages.

There is no lawsuit. There is a DMCA complaint. If it is publicly displayed and its proved wrong, its libel, and grounds for suing. If the DMCA complaint itself violates the law, its grounds for suing. But I'd be very surprised to see Qualcomm taking anyone to court - you see, that kind of move scares away their customers that use Qualcomm code and semiconductors. This is usually settled fast (outside the court system) and silently.

about a month ago
top

Qualcomm Takes Down 100+ GitHub Repositories With DMCA Notice

rev0lt Re:Github overtaken by thuggish government (349 comments)

* AFAIK, there are no restrictions on Americans purchasing services from Venezuelan companies (or paying for them with American credit cards).

...yet. And Venezuela isn't a politically stable country. I wouldn't be surprised if sooner or later those Colo companies were nationalized.

about a month ago
top

Qualcomm Takes Down 100+ GitHub Repositories With DMCA Notice

rev0lt Re:On this 4th of July... (349 comments)

They are still liable for the damages caused by their good faith claim. As anyone that is wrongfully accused of a crime.

about a month ago
top

Qualcomm Takes Down 100+ GitHub Repositories With DMCA Notice

rev0lt Re:On this 4th of July... (349 comments)

Unless you can prove Qualcomm maliciously and purposefully filed an false DMCA claim you aren't getting jack.

Not really. If you can prove that Qualcomm's false DMCA claim caused you harm (financially, psicologically, etc), you're getting jack and his wife. Public perception frowns upon "big companies abusing the little guy", so I'd expect this to not even go to court and to be settled with a non-disclosure clause, as it is common practice.

Seems like a huge risk for a very modest reward, if you win you are only out the years it took to litigate the matter but if you lose you could wind up liable for damages for infriging copyright on your own code (now Qualcomm's code).

Imagine this - you go to court to prove the code is yours, and its an actual part of Qualcomm's product line, to such an extent they thought they owned it. They caused you harm *while* benefiting from your unpaid work. An you think they would stand a chance in an appeal/counter suit? Now imagine its your pet project, and you subtly change the license to forbit explicit usage from Qualcomm from the get-go, while the process carries on? Then its possible for you to actually slap them with a DMCA claim of your own, and even *gasp*, prove it in court.

The actual news seems like Qualcomm hired some IP firm that doesn't know shit about code and found automatically some "infringing" files. If this is the case, they will do everything to avoid going to court, regardless of the number of lawyers on staff, while silently settling the case with the IP company. And this shit keeps happening because no one bothers into taking it to court.

about a month ago

Submissions

rev0lt hasn't submitted any stories.

Journals

rev0lt has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>