Search - "meltdown"
As a long-time iPhone user, I am really sorry to say it but I think Apple has completed their transition to being a company that is incompetent when it comes to software development and software development processes.
I’ve grown tired of hearing some developers tell me about Apple’s scale and how software development is hard and how bugs should be expected. All of those are true, but like most rules of law, incompetence and gross negligence trumps all of that.
I’m writing this because of the telugu “bug”/massive, massive security issue in iOS 11.2.5. I personally think it’s one of the worst security issues in the history of modern devices/software in terms of its ease of exploitation, vast reach, and devastating impact if used strategically. But, as a software developer, I would have been able to see past all of that, but Apple has shown their true incompetence on this issue and this isn’t about a bug.
It’s about a company that has a catastrophic bug in their desktop and mobile platforms and hasn’t been able to, or cared to, patch it in the 3 or so days it’s been known about. It’s about a company who, as of a few days ago, hasn’t followed the basic software development process of removing an update (11.2.5) that was found to be flawed and broken. Bugs happen, but that kind of incompetence is cultural and isn’t a mistake and it certainly isn’t something that people should try to justify.
This has also shown Apple’s gross incompetence in terms of software QA. This isn’t the first time a non-standard character has crashed iOS. Why would a competent software company implement a step in their QA, after the previous incident(s), to specifically test for issues like this? While Android has its issues too and I know some here don’t like Google, no one can deny that Google at least has a solid and far superior QA process compared to Apple.
Why am I writing this? Because I’m fed up. Apple has completely lost its way. devRant was inaccessible to iOS users a couple of times because of this bug and I know many, many other apps and websites that feature user-generated content experienced the same thing. It’s catastrophic. Many times we get sidetracked and really into security issues, like meltdown/spectre that are exponentially harder to take advantage of than this one. This issue can be exploited by a 3 year old. I bet no one can produce a case where a security issue was this exploitable yet this ignored on a whole.
Alas, here we are, days later, and the incompetent leadership at Apple has still not patched one of the worst security bugs the world has ever seen.
https://git.kernel.org/…/ke…/... sure some of you are working on the patches already; if you are, then let's connect, because I am an ardent researcher of the same as of now.
So here it goes:
As soon as the kernel page table isolation (KPTI) bug is out of embargo, WhatsApp and FB will be flooded with overnight kernel "shikhuritee" experts who will share shitty advice non-stop.
1. The bug under embargo is a side channel attack, which exploits the fact that Intel chips come with speculative execution without proper isolation between user pages and kernel pages. Therefore, with careful scheduling, a timing attack will reveal some information from kernel pages while the code is running in user mode.
In easy terms, if you have a VPS, another person with a VPS on the same physical server may read memory being used by your VPS, which will result in unwanted data leakage. To make the matter worse, malicious JS from an innocent-looking webpage might be (might be, because JS does not provide language constructs for such fine-grained control; at least none that I know of as of now) able to read kernel pages, and pwn you real hard, real bad.
2. The bug comes from too much reliance on Tomasulo's algorithm for out-of-order instruction scheduling. It is not yet clear whether the bug can be fixed with a microcode update (and if not, Intel has to fix this in silicon itself). As far as I can dig, there is nothing that hints that this bug is fixable in microcode, which makes the matter much worse. Also, according to my understanding, a microcode update will be too trivial to fix this kind of hardware bug.
3. A software-only remedy is possible, and that is being implemented by all major OSes (including our lovely Linux) in kernel space. The patch forces the Translation Lookaside Buffer to flush if a context switch happens during a syscall (this is what I understand as of now). The benchmarks suggest that the slowdown will be somewhere between 5% (best case) and 30% (worst case).
4. Regarding point 3, syscalls don't matter much. The only thing that matters is how many times syscalls are called. For example, if you are using read() or write() on 8MB buffers, you won't have too much slowdown; but if you are calling the same syscalls once per byte, a heavy performance penalty is guaranteed. All processes which are I/O heavy are going to suffer (hosting and databases are two common examples).
5. The patch can be disabled in Linux by passing an argument to the kernel during boot; however, it is not advised, for pretty much obvious reasons.
6. For gamers: this is not going to affect games (because those are not I/O heavy).
Meltdown: "Meltdown", targeted at desktop chips, can read kernel memory from the L1D cache. Only Intel is affected by this variant. Works only on Intel.
Spectre: Spectre is a hardware vulnerability in implementations of branch prediction that affects modern microprocessors with speculative execution, by allowing malicious processes access to the contents of other programs' mapped memory. Works on all chips including Intel/ARM/AMD.
For updates refer to the kernel tree: https://git.kernel.org/…/ke…/...
For further details and more chit-chat refer to: https://lwn.net/SubscriberLink/...
(Originally written by Adhokshaj Mishra, edited by me.)
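The post above describes the KPTI patch, its boot-time kill switch (point 5) and the Meltdown/Spectre split. As an added example (not part of Adhokshaj Mishra's post or of the devRant page), here is a small Python audit of what a Linux kernel reports about these mitigations. It assumes the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/ and /proc/cmdline exist (they were added to Linux alongside the KPTI patches), and that the boot argument point 5 alludes to is `pti=off` (or its older spelling `nopti`). The sample status strings and command lines are constructed for the demonstration, not captured from a real host.

```python
"""Audit a Linux kernel's reported Meltdown/Spectre mitigation status.

Added example, not from the original post. Assumptions: the kernel exposes
/sys/devices/system/cpu/vulnerabilities/<name> (one status line per file) and
/proc/cmdline; KPTI is switched off at boot with `pti=off` or `nopti`.
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKED = ("meltdown", "spectre_v1", "spectre_v2")
PTI_DISABLE_ARGS = {"pti=off", "nopti"}  # boot arguments that disable the KPTI patch


def classify(status_text):
    """Map one sysfs status line to a coarse verdict."""
    s = status_text.strip()
    if s.startswith("Not affected"):
        return "NOT_AFFECTED"
    if s.startswith("Mitigation:"):
        return "MITIGATED"
    if s.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"  # empty (no sysfs entry) or an unrecognised string


def pti_disable_args(cmdline):
    """Return the KPTI-disabling arguments present on the kernel command line, sorted."""
    return sorted(PTI_DISABLE_ARGS & set(cmdline.split()))


def audit(status, cmdline):
    """status: dict of vuln name -> sysfs file text. Returns verdicts plus readable findings."""
    verdicts = {name: classify(status.get(name, "")) for name in CHECKED}
    findings = []
    for name, verdict in verdicts.items():
        if verdict == "VULNERABLE":
            findings.append(f"{name}: kernel reports no mitigation ({status[name].strip()})")
        elif verdict == "UNKNOWN":
            findings.append(f"{name}: no usable sysfs entry (kernel predates these reports, or not Linux)")
    disabled = pti_disable_args(cmdline)
    if disabled:
        findings.append("KPTI disabled by boot argument: " + ", ".join(disabled))
    return {"verdicts": verdicts, "findings": findings}


def read_live():
    """Collect the real files from this machine (empty status when they are absent)."""
    status = {}
    for name in CHECKED:
        path = VULN_DIR / name
        if path.is_file():
            status[name] = path.read_text()
    cmdline_path = Path("/proc/cmdline")
    cmdline = cmdline_path.read_text() if cmdline_path.is_file() else ""
    return audit(status, cmdline)


# Constructed sample data (not captured from a real host): one patched box and
# one booted with the patch turned off, where sysfs reports "Vulnerable" for meltdown.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, RSB filling\n",
}
SAMPLE_PTI_OFF = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, RSB filling\n",
}
SAMPLE_CMDLINE_OK = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_CMDLINE_PTI_OFF = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet pti=off"

if __name__ == "__main__":
    for label, result in (("patched sample", audit(SAMPLE_PATCHED, SAMPLE_CMDLINE_OK)),
                          ("pti=off sample", audit(SAMPLE_PTI_OFF, SAMPLE_CMDLINE_PTI_OFF)),
                          ("this machine", read_live())):
        print(label, result["verdicts"], *result["findings"], sep="\n  ")
```

Run it on a fleet and anything with a `VULNERABLE` verdict or a `pti=off` finding is a host where somebody traded the 5-30% syscall overhead for an unpatched kernel; the `UNKNOWN` verdict separates genuinely old kernels from ones that simply do not expose the files.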
Got to learn Shopware (the eCommerce thingy written in PHP) for the job.
Bought a book worth ~60$.
The author writes: "Use vagrant it's soooooo comfy and cozy and everything!".
Sure, why not.
Got to get online over my smartphone.
Cloned the repo with the Vagrantfile.
Did a 'vagrant up'.
Downloaded the Ubuntu box of around 1.5 GB (reminder: over my smartphone which has around 3 GB 'highspeed' internet connection).
Vagrant initialized and provisioned the box.
VT-X is not enabled. Hm. Strange. Wait...when it's not enabled, can it be that...
THIS SHITTY LAPTOP SCHMAPTOP DOES NOT SUPPORT VT-X AND I PULVERIZED JUST HALF OF MY INTERNET DATA FOR THIS SHITTY BOX IN ORDER TO JUST DOWNLOAD THE ZIP FILE AND INSTALL IT OLDSCHOOL-SCHMOLDSCHOOL, INSTALL AN APACHE VIRTUAL HOST.
Time for new hardware I think.
I see lots of rants about lack of sleep, working through the night etc!
People, you need to sleep an average of 7 hours a night; your body needs this to stop ill health. Working through the night/mega long hours for nearly two years nearly caused me to have a breakdown.
Please be healthy! Working long hours doesn't make you cool or a more valued employee.
My laptop had a full meltdown and wouldn't turn on. It tried to start up then the screen went blank. It's happened before so I lost hope pretty quick.
Just spent the whole evening trying to fix it, reinstalling Windows, and now I spot the problem. The HDMI is plugged in to a monitor that was off. My laptop was fine the whole time. Fml
Is noscript still the best choice?
Finally getting some upgrades for our office workstations!!
My work PC still rocks a 3rd gen Core i7 with -40% performance loss because of the Spectre/Meltdown patches, and 1600 MHz RAM. It's been a huge pain in the ass. Building Unreal Engine from source literally takes a day, while on my home Ryzen 5 it takes an hour.
Ryzen 7/9 babyyy!!!
(I might even be able to talk them into a Threadripper, wish me luck 😀)
Helped out a junior today with a minor JS issue he had. Told him, "cool so that should fix it on this page but it may break things elsewhere. Make sure you check it otherwise the client will go into meltdown. "
30mins after they go home. Client emails (All Caps) "WEBSITE BROKEN, URGENT HELP REQUIRED"
😡 you didn't bloody check it did you!
The year 2018 is slowly coming to its end, so how about summing it up in a few keywords?
I start: Bitcoin, Spectre/Meltdown, GDPR, Facebook-out-Linux-in, A.I., Elon Musk, Corporate fuckups (fb, g..), Cheap & Good smartphones
Just a few random ones, hope you come up with a better summary :)
After seeing this "old" picture I want to let the guys who are in love with AMD know that before the Ryzen(s) I was able to cook my fuckin' breakfast eggs on their fuckin' CPUs.
Big mistakes bring great solutions, and shut the fuck up AMD, probably your core code is full of vulnerabilities but no one cares about your ultra threads architecture.
PM is such a fucking cunt
telling me that my data structures describing the layout of binary data would be confusing for devs, and that we shall introduce
typedef uint8_t fuckingRetardedObfuscatingName;
in our code. Everyone is fine with the concepts I provide to describe this binary data, not only at our company but also in other software I've worked on and common standards I've worked with; we work like that and every fucking idiot knows what a uint8_t is.
You fucking braindead imbecile have no fucking idea how we work and you don't care, you don't even try to understand what we are doing.
God I hope you die being hit by a fucking bus or something
Public CSS discord: "Oh, awesome thanks, man! No need to apologize, I'll check the code. I DM'd you."
DM: Total meltdown cry baby freak-out... "Oh yeah... well, if the code is broken - then why does my repo have 63 stars? I think I'd know if my code didn't work - it must be your computer. Why won't you let me team-viewer into your computer and see your screen? I don't care about your personal information. It's made with React, not CSS. I thought you would be helpful - but you're not at all. You aren't professional..."
Uh... (I can see the code... team-viewer isn't going to help you... and I'm at work... and I already spent 15 minutes helping you - you fucking prick)
Fuck you Intel.
Fucking admit that your hardware has a problem!
"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data"
With Meltdown one process can fucking read everything that is in memory. Every password and every other sensitive bit. Of course you can't change sensitive data directly. You have to use the sensitive data you gathered... Big fucking difference you dumb shits.
Meltdown occurs because of hardware-implemented speculative execution.
The solution is to fucking separate kernel and user address space.
And you're saying that your hardware works how it should.
Shame on you.
I'm not saying that I don't tolerate mistakes like this. Shit happens.
But not having the balls to admit that it is because of the hardware makes me fucking angry.
I really felt like a badass one time when I managed to recover all projects on our dev server after a full meltdown of the HDD.
We had no recent backups, because our backup server was down for a few months, and our (at the time small) company was in a tight spot on finances, and couldn't get a replacement.
The problem was that the HDD on the backup server failed, but we were also storing all projects on the dev server, along with our local git repos (no GitHub at the time for us). But then the dev server HDD also broke, and I used every piece of data recovery software I found trying to recover the data, until one actually managed to read the raw data from the HDD and store it as a virtual drive, which I then used to try and build another partition index, and it actually worked!
Lost about 10% of the data, but that was enough, as I managed to recover all the git repos and databases...
I don't even remember the tools that got the job done in the end, but that was one hell of a week, and at the end I felt like a true IT God!
PS: 2 weeks later we had a new backup server, another offsite backup solution and a GitHub account for the company. Was delayed on salary in order to manage it (me and the CEO both agreed to give our pay for one month to get them), but worth it!
Looking back on my Christmas holidays while waiting for my train to come.
I wrote my last exam on the 22nd, took the train home on the 23rd, spent Christmas and the 25th with my family, searched for a new apartment for 3 days, had two days left to do an assignment due on the 30th, was packing till 3 in the morning today and will have my first day of work tomorrow. (Yeah, I spent New Year's Eve home alone and completely sober...)
I wonder when I will have an entire meltdown and become some Joker level psychopath... Also happy new year everybody 😁
I have hit a new low...
If you don’t know, I love the C language... have been using it for a while now...
But today, my brain is under a meltdown... I can’t freaking write a simple pointer based program....
WHAT THE HELL!!!!!!!
College is killing me ☹️☹️😭😭
Ubuntu (probably) fucked up some upgrade and I wasn't able to use lvfs anymore (damned Meltdown/Spectre bug), so... I figured it'd be a "good" idea to reinstall dbus. Well, the alternative was reinstalling Ubuntu, so I figured I could at least try. Obviously it didn't work out... at all.
Sooo here's me thinking I'll just insert my live media and get on with my life. Nope. The fucking live media is corrupt. So, here I am now, contemplating why I was such an idiot.
Data Disinformation: the Next Big Problem
Automatic code generation LLMs like ChatGPT are capable of producing SQL snippets. Regardless of quality, those are capable of retrieving data (from prepared datasets) based on user prompts.
That data may, however, be garbage. This will lead to garbage decisions by lowly literate stakeholders.
Like with network neutrality and pii/psi ownership, we must act now to avoid yet another calamity.
Imagine a scenario where a middle-manager level illiterate barks some prompts to the corporate AI and it writes and runs an SQL query in company databases.
The AI outputs some interactive charts that show that the average worker spends 92.4 minutes on lunch daily.
The middle manager gets furious and enacts an Orwellian policy of facial recognition punch clock in the office.
Two months and millions of dollars in contractors later, and the middle manager checks the same prompt again... and the average lunch time is now 107.2 minutes!
Finally the middle manager gets a literate person to check the data... and the piece of shit SQL behind the number is sourcing from the "off-site scheduled meetings" database.
Why? because the dataset that does have the data for lunch breaks is labeled "labour board compliance 3", and the LLM thought that the metadata for the wrong dataset better matched the user's prompt.
Thus, given the very real world scenario of mislabeled data and LLMs' inability to understand what they are saying or accessing, and the average manager's complete data illiteracy, we might have to wrangle some actions to prepare for this type of tomfoolery.
I don't think that access restriction will save our souls here; decision-flumberers usually have the authority to overrule RACI/ACL restrictions anyway.
Making "data analysis" an AI-GMO-Free zone is laughable, that is simply not how the tech market works. Auto tools are coming to make our jobs harder and less productive, tech people!
I thought about detecting new automation-enhanced data access and visualization, and enacting awareness policies. But it would be of poor help, after a shithead middle manager gets hooked on a surreal indicator value it is nigh impossible to yank them out of it.
Gotta get this snowball rolling, we must have some idea of future AI housetraining best practices if we are to avoid a complete social-media style meltdown of data-driven processes.
Someone cares to pitch in?
My tech debt meltdown is happening right now. We are releasing our huge micro service based product next week with no automated testing of any sort. Our front end clients are relatively DRY. No tests and dry = can't change anything = hacks on top of hacks.
Why? Team lead won't listen to me and has beaten me down so I don't care anymore. If it's broken, fuck it.
Today was my 3rd day on the job and halfway through it (right after my new laptop landed on my desk) I was fired. I tried to work for two days without a computer. All I could do was hover over the one other developer who's been there 3 weeks and who didn't meet the launch deadline. The founder had a meltdown over it this morning.
Today I had sort of a meltdown when I found out that the small, 20-something company where I work and where we should all 'trust each other' is working to stealthily enable SSL Inspection.
I'm done with doing anything other than what is stipulated in my contract such as helping out in other areas out of my own volition.
Management got control hungry and mad once they got their hands on a Deep Inspection Firewall.
Well, I'm not feeling sorry for the uproar they'll have to endure once colleagues find out they are doing this stealthily.
Serves them right, and after this and other similar experiences my trust in this company is right through the floor.
I asked the professor from my last rant something about Spectre and Meltdown and he... hasn't heard of the exposure..
Canonical has released an Ubuntu kernel update for Spectre and Meltdown.
It's time to do: fucking apt update && fucking apt upgrade.
Well, this week was a week from hell. It was a short 3 day week, and all of my internal customers, who are normally pretty reasonable, just all unloaded on me at the same time. "We need this now!" "Have you done this?" "Why didn't you do that?" "We need you to do this, because our migration takes place in 30 minutes." (first notice of the migration). And then to top everything off, I'm creating a rollback DDL, and I've spent a couple of hours pulling my hair out, because a set of columns that need rolling back aren't in Prod, so I can't roll them back, because my own DDL drops them, and I broadcast my natural meltdown to the entire DevOps team, feeling like an utter jackass after I realize my mistake. And even at quitting time, they are still walking up, and texting, and emailing. Holy f**k, I'm only going to be gone four days, two of them weekend, and will be back. All of this while trying to sell my house and pack boxes and move to an apartment. Can I retire now? Looks at retirement account... Nope, I'll be working until I'm 95. Just shoot me already!
NODE CRYPTO YOU PUSS RIDDEN CANCEROUS CYST ON THE SWEATY BALLSACK OF THE INTERNET... fucking explain to me how every mother fucking module in node with require(‘crypto’) in it throws a hissy fit at runtime when I call only 1 file with it in it?! These packages that I’m not fucking using by the way but are nonetheless included by default in node are the ones having a meltdown.. and node's answer?! Use the embedded functions. WHAT THE ACTUAL FUCK?!! If I didn’t need it Node could go and get gang raped by an angry pack of silverback gorillas. Fuuuuuuucccckkkkk yoouuuuu
I took a certification test today that has an accumulative checkpoint score every 15 questions. I needed a 74 to pass the test... Here is a rough timeline of checkpoint scores and my thoughts:
64 - rough start I can recover
71 - OK, still failing but at least the score went up
63 - what the hell??
67 - OMG I am failing this test.
71 - You know, I don't need this job. I can find plenty of other work.
71 - This fucking test is brutal and I hate everyone. OMFG I only have an hour left!
Cue total internal meltdown. My job really depends on this certification.
73 - screw it. I failed. I am guessing from here on out.
77 - Holy shit I have a chance!! Only 25 questions to go. DONT SCREW THIS UP!
77 - YESSSSS My score didn't go down. 10 questions to go.
76 - Holy shit. After 6 month of studying, I passed the most brutal test of my life. ..... Barely.
Intel, wtf kind of drugs is your stupid site on?
Trying to make an account, the password requirement says "at least one special character".
Ok, no problem.
"Password format is invalid"
Wut? Hmm, maybe it doesn't like that one. Let's try one from their suggested ones.
"Password format is invalid"
WTF? The fuck is your problem?!
*reloads the page, tries again*
"Password format is invalid"
ARE YOU FUCKING RETARDED?
*adds the special at the end of the password instead of the beginning*
And then we wonder why bugs like Meltdown and Spectre come up. These guys can't even do fucking password validation properly.
And I've just lost 30 minutes because of this shit.
Not a good year for Intel, is it? First the two Spectre variants and Meltdown, now the AMT vulnerability.
/Hugs his AMD systems while unplugging the Intel ones.
A new system developed at CSAIL was shown to have stronger security guarantees than Intel's existing approach for preventing so-called "timing attacks" like Meltdown and Spectre, made possible by hardware vulnerabilities.
Image courtesy of Graz University of Technology
Yesterday, my team had a react crash-course workshop.
It was like "you have to import a couple of libs, use 'em in different react elements you pull up and Tadaaaa! Magic is happening and your app works".
This workshop was the pinnacle of "intense".
I understood 60% of the stuff.
My team-mates about 15%.
So React is the front-end technology of choice of our architecture team. The other teams have to use this technology for their UIs.
This will be a lot of fun ^^
I wanna go back to the age where a C program was considered secure and isolated based on its system interface rather than its speed. I want a future where safety does not imply inefficiency. I hate Spectre and I hate that an abstraction as simple and robust as assembly is so leaky that just by exposing it you've pretty much forfeited all your secrets.
And I especially hate that we chose to solve this by locking down everything rather than inventing an abstraction that's a similarly good compile target but better represents CPUs and therefore does not leak.
Can you relate to this? Please fill out this two-minute survey - https://surveymonkey.com/r/J8G8H5J/ or drop a comment below.
So is everyone prepared for the up to 30% performance hit on DB servers due to Spectre and Meltdown? Going to be a very interesting year....
The getting started of react native sucks big time.
If you don't want to display a completely centered text then go fuck yourself or what?
I mean there isn't even a howto on platform-independently not overlapping the fucking status bar. Everyone must've faced this problem when starting, but the only answer is an 8 times upvoted answer on SO telling me to add a hardcoded padding. What.
Where did this whole thing come to..🙁
Back in the days books about c didn't even start with more than 4 lines of code on the 70th page.
And when you google things about it it feels like you doing something totally wrong but its like the first thing a normal dude would do, what if i don't want shit centered bro i feel so useless and dumb i friggin hate that shit just fucking tell me what the fucking fuck to do!😫
It bugs me so hard cus I didn't even know a View is able to stick out on top of the app, it doesn't make no sense to me, the whole world is breaking apart
Spectre and Meltdown. Remember those guys?
Well I'm curious if anyone knows of some articles that talk about someone successfully using the hack. Because you know people hate updates and now I want to know if anyone has paid the price of not doing their due diligence.
My project is losing in one week: product owner, team leader and, to make matters even worse, our best dev also leaves. FUCK ME. We will see what happens when shit hits the fan.
Is it just me that finds WCF cumberlicated? I'm having trouble getting my client up and running every time we set up some sort of new service solution at work. All these service references and classes that cannot be resolved just cause a meltdown in my head. GGGGGGGGGGGGGNNNNNNNNNNNNNNHHHHHHHHHHHH! *going mad*
google security support... people get mad for only TEN (?) years XP support
Did you ever think about rolling back time and:
- buy some cryptocurrencies
- sell your knowledge about vulnerabilities like Spectre/Meltdown ...
- predict football championships
- WRITE THE GITHUB TO SELL IT FOR BILLIONS OF DOLLARS
Well, I do.
And so again I'm here asking for your opinions.
My old router (linksys EA6400) had a meltdown yesterday and decided to lose wifi connectivity every 4-5 seconds for 4-5 seconds each time. So it was like 5 ICMP packets pass and then 5 fail, and this pattern held up through the whole day.
Did a hard reset hoping it will help. Little did I know.. Do you even imagine how fun it was setting it up with randomly not working wifi? :D And this router can only be set up over wifi. I had to count seconds in my head predicting when it will start losing packets. Because when it does - the setup fails :)
So I guess it's time to start looking for a new one. I barely use ethernet ports (one for RPi). But I do need a good wifi. AC is a must. AX is not since none of my devices support it. I'd also like it to have open-source firmware, maybe accessible via shell (100% dd-wrt/open-wrt compatible). A USB port would be a plus (for the RPi).
Do you have any suggestions worth looking at?
What do you think about WRT3200ACM MU-MIMO?
Also I came across something called MESH ROUTERS (wtf is that?). http://linuxgizmos.com/low-cost-802.... Is it worth looking at?
What would YOU suggest?
So are game consoles also affected by these processor problems? Many articles just mention PCs and phones
I thought it would be a great course, learn some of the stuff that I always read about but couldn't understand jackshit, and maybe profit form it somehow.
I'm in my last assignment, they want us to pick some SNLI paper and implement, ok, so I find this one with the least amount of params because I thought hey this seems promising.
And boy what a ride it was, I implemented it using PyTorch, the results are way off, I read the paper again and rewrite some parts, still nothing, I get 79%, it's supposed to be 85%, and no matter how I try, nothing.
10 GitHub repos later, 40 hours of complete meltdown,
20 throwaway Google accounts using colab because we don't have GPUs in our uni and using AWS is not feasible.
Same shit, I'm at loss, the world is a lie, and I fell for it...
Before he began dropping the 20K proposed to remodel my flat, I told my father I much preferred a contractor who was recommended by someone I knew, as opposed to using a big corporation like Home Depot. FAMOUS LAST... a neighbour in my building highly recommended the contractor we chose. And, week 7 [or is it 8?] of what was proposed to take no longer than two weeks has begun afresh!
On Friday the fellow who is the owner of the contract remodeling company was here touching the paint. He was here because I forbade the two painters he sent to do the initial painting job.
My internet cut out suddenly around 1300 Friday. He set to leave for the weekend shortly after that. I mentioned the outage to him. The essence of his reply was that there was no way it could have had anything to do with him. The following day, my internet provider sent a tech out to diagnose the problem. What was the problem? The head of the remodeling firm removed a face plate from the wall where there were telephone wires and disconnected them when he tore the wires as he replaced the face plate.
Although the tech told me he wasn't going to charge my account the $85.00 fee for his services because the outage was caused within my flat, I wish to be sure of this. Which brings us to the punchline.
My internet provider is a lame ass business model, dreamed up by a squint-eyed ex-circus monkey, never well endowed in the top story, and now just plain sad.
There were some 911 outages in Washington State last Thursday night. All during the day Friday when you dialled their freephone #, the recorded announcement, before saying anything else, told you they were experiencing heavier than usual call volumes, and my wait would be greater than 10 minutes. Fine. What fried my La Croix silk was that after their customer service dept closed for the weekend, that outgoing message remained.
Today, I wanted to contact my provider to see if they would know if the $ was going to be charged to my account. After pressing the 'send' key, my computer came back with an error message, saying they were having technical difficulties. So, I went on over to the 'chat' page. There's nothing to click on to take me to this fabled location. So, can't reach them by phone unless I want to hear, every 30 seconds whether or not I wish to, how sorry they are for my delay.
A few years ago I would've used this as an excuse to have a technicolour meltdown. The reason I'm posting this is that I am now able to see beforehand what I'll be doing to myself getting upset over the circumstances. When I do reach somebody, I'm going to tell them as lightly as possible, that if they were an airline, I wouldn't board any of their aircraft. Ever.