devRant - A fun community for developers to connect over code, tech & life as a programmer

Search - "instruction not clear"

143

virtu4lgh0st

2485

6y

https://git.kernel.org/…/ke…/... sure some of you are working on the patches already, if you are then lets connect cause, I am an ardent researcher for the same as of now.

So here it goes:

As soon as kernel page table isolation(KPTI) bug will be out of embargo, Whatsapp and FB will be flooded with over-night kernel "shikhuritee" experts who will share shitty advices non-stop.

1. The bug under embargo is a side channel attack, which exploits the fact that Intel chips come with speculative execution without proper isolation between user pages and kernel pages. Therefore, with careful scheduling and timing attack will reveal some information from kernel pages, while the code is running in user mode.

In easy terms, if you have a VPS, another person with VPS on same physical server may read memory being used by your VPS, which will result in unwanted data leakage. To make the matter worse, a malicious JS from innocent looking webpage might be (might be, because JS does not provide language constructs for such fine grained control; atleast none that I know as of now) able to read kernel pages, and pawn you real hard, real bad.

2. The bug comes from too much reliance on Tomasulo's algorithm for out-of-order instruction scheduling. It is not yet clear whether the bug can be fixed with a microcode update (and if not, Intel has to fix this in silicon itself). As far as I can dig, there is nothing that hints that this bug is fixable in microcode, which makes the matter much worse. Also according to my understanding a microcode update will be too trivial to fix this kind of a hardware bug.

3. A software-only remedy is possible, and that is being implemented by all major OSs (including our lovely Linux) in kernel space. The patch forces Translation Lookaside Buffer to flush if a context switch happens during a syscall (this is what I understand as of now). The benchmarks are suggesting that slowdown will be somewhere between 5%(best case)-30%(worst case).

4. Regarding point 3, syscalls don't matter much. Only thing that matters is how many times syscalls are called. For example, if you are using read() or write() on 8MB buffers, you won't have too much slowdown; but if you are calling same syscalls once per byte, a heavy performance penalty is guaranteed. All processes are which are I/O heavy are going to suffer (hostings and databases are two common examples).

5. The patch can be disabled in Linux by passing argument to kernel during boot; however it is not advised for pretty much obvious reasons.

6. For gamers: this is not going to affect games (because those are not I/O heavy)

Meltdown: "Meltdown" targeted on desktop chips can read kernel memory from L1D cache, Intel is only affected with this variant. Works on only Intel.

Spectre: Spectre is a hardware vulnerability with implementations of branch prediction that affects modern microprocessors with speculative execution, by allowing malicious processes access to the contents of other programs mapped memory. Works on all chips including Intel/ARM/AMD.

For updates refer the kernel tree: https://git.kernel.org/…/ke…/...

For further details and more chit-chats refer: https://lwn.net/SubscriberLink/...

~Cheers~

(Originally written by Adhokshaj Mishra, edited by me. )

undefined all vulnerable design flaw hardware vulnerability

23
65

Condor

32894

5y

I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.

Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.

That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.

I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.

Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.

Banking logic. I fucking love it.

As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.

rant

23
32

gurumeditation

4504

6y

For fucks sake if I send you a clearly described 5 step install instructions do not start on step 3! Yes you fucking moron instructions labeled 1,2,3,4,5 should be carried out one after the other! Not in random order.

Seriously, how deranged are you that you have never ever encountered a step-by-step instruction before?!

Don't give me that "oh, should I have started with step 1 first? You weren't very clear about that. I think it is a bit too complicated."

Here are some more instructions:
1. Close your PC
2. Donate it to someone with detectable IQ level
3. Go fuck yourself
4. Please die
5. Yes, start with step 1

rant 3 5 1 4 2

5
30

agentQ

2354

6y

So what's preventing me from launching my startup/service/platform to the public? Not ready to deal with users like Nancy.

joke/meme ux matters ui matters dumb user instruction not clear

2
3

VaderNT

1659

4y

A follow-up to a previous rant: https://devrant.com/rants/2296700/...

... and how the senior dev recently took it up a notch.

To recap: Back then the senior dev in our two-man project prepared tasks for me so thoroughly they became typing monkey jobs. He described what to do and how to do it in minute detail in the JIRA tasks.

I talked to him back then how this is too detailed. I also talked to our boss, who agreed to nudge mr. senior in the right direction and to make it clear he expects teamwork.

Fast forward to a couple of days ago. An existing feature will get extended greatly, needing some rework in our backend project. Senior and me had a phone call about what to do and some unclear details in the feature spec. I was already frustrated with the call because he kept saying "No, don't ask that! That actually makes sense, let's just do it as the spec says" and "Don't refactor! We didn't request a budget for that from our customer". Like wtf, really? You don't consider refactoring part of our job? You don't think actually understanding the task improves the implementation? Dude...

We agreed this is a task for one person and I'd do it. It took me the rest of the day to wrap my head around the task and the corresponding existing code. It had some warts, like weird inheritance hierarchies and control flow jumping up and down said hierarchy, but nothing too bad. I made a mental note to still refactor this, just as much as necessary to make my task easier. However... the following day, I got an email from mr. senior. "I refactored the code after all, in preparation for your task". My eyebrows raised.

Firstly, he had made the inheritance hierarchy *worse*. Classic mistake: Misusing inheritance for code reuse. More control flow jumping up and down like rabid bunnies. Pressed on that matter, he replied "it's actually not that bad". Yeah, good work! Your refactoring didn't make things worse! That's an achievement worthy of being engraved on your tombstone. And didn't he say "no refactoring"? Apparently rules are unfortunate things that happen to other people.

But secondly, he prepared classes and methods for me to implement. No kidding. Half-implemented methods with "// TODO: Feature x code goes here" and shit. Like, am I a toddler to you? Do you really think "if you don't let me do things myself I feel terribly frustrated and undervalued" is best answered with giving me LESS things to do myself? And what happened to our boss' instruction to split the task so each of us can work on his parts?

So, this was a couple of days ago. Since then, I've been sitting in my chair doing next to nothing. My brain has just... shut down. I'm reading the spec, thinking "that would require a new REST endpoint", and then nothing happens. I'm looking at the integration test stubs ("// TODO: REST call goes here") and my mind just stays blank, like a fresh unpainted canvas. I've lost all my drive.

I don't even know what to do. Should I assign the task back to him and tell him to go fuck himself? Should I write my boss I'm suddenly retarded? Could I call in sick for a year or so? I dunno... I can barely think straight. What should I do and how?

rant undervalued stupid tasks probably boredom boreout syndrome

5

Top Tags

rant linux code windows fuck i java c programming android dev the is javascript js joke life a python

Weekly Rant

View

Most unrealistic deadline you've had?