Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Search - "spectre"
As a long-time iPhone user, I am really sorry to say it but I think Apple has completed their transition to being a company that is incompetent when it comes to software development and software development processes.
I’ve grown tired of hearing some developers tell me about Apple’s scale and how software development is hard and how bugs should be expected. All of those are true, but like most rules of law, incompetence and gross negligence trumps all of that.
I’m writing this because of the telugu “bug”/massive, massive security issue in iOS 11.2.5. I personally think it’s one of the worst security issues in the history of modern devices/software in terms of its ease of exploitation, vast reach, and devastating impact if used strategically. But, as a software developer, I would have been able to see past all of that, but Apple has shown their true incompetence on this issue and this isn’t about a bug.
It’s about a company that has a catastrophic bug in their desktop and mobile platforms and haven’t been able to, or cared to, patch it in the 3 or so days it’s been known about. It’s about a company, who as of a view days ago, hasn’t followed the basic software development process of removing an update (11.2.5) that was found to be flawed and broken. Bugs happen, but that kind of incompetence is cultural and isn’t a mistake and it certainly isn’t something that people should try to justify.
This has also shown Apple’s gross incompetence in terms of software QA. This isn’t the first time a non-standard character has crashed iOS. Why would a competent software company implement a step in their QA, after the previous incident(s), to specifically test for issues like this? While Android has its issues too and I know some here don’t like Google, no one can deny that Google at least has a solid and far superior QA process compared to Apple.
Why am I writing this? Because I’m fed up. Apple has completely lost its way. devRant was inaccessible to iOS users a couple of times because of this bug and I know many, many other apps and websites that feature user-generated content experienced the same thing. It’s catastrophic. Many times we get sidetracked and really into security issues, like meltdown/spectre that are exponentially harder to take advantage of than this one. This issue can be exploited by a 3 year old. I bet no one can produce a case where a security issue was this exploitable yet this ignored on a whole.
Alas, here we are, days later, and the incompetent leadership at Apple has still not patched one of the worst security bugs the world has ever seen.79
https://git.kernel.org/…/ke…/... sure some of you are working on the patches already, if you are then lets connect cause, I am an ardent researcher for the same as of now.
So here it goes:
As soon as kernel page table isolation(KPTI) bug will be out of embargo, Whatsapp and FB will be flooded with over-night kernel "shikhuritee" experts who will share shitty advices non-stop.
1. The bug under embargo is a side channel attack, which exploits the fact that Intel chips come with speculative execution without proper isolation between user pages and kernel pages. Therefore, with careful scheduling and timing attack will reveal some information from kernel pages, while the code is running in user mode.
In easy terms, if you have a VPS, another person with VPS on same physical server may read memory being used by your VPS, which will result in unwanted data leakage. To make the matter worse, a malicious JS from innocent looking webpage might be (might be, because JS does not provide language constructs for such fine grained control; atleast none that I know as of now) able to read kernel pages, and pawn you real hard, real bad.
2. The bug comes from too much reliance on Tomasulo's algorithm for out-of-order instruction scheduling. It is not yet clear whether the bug can be fixed with a microcode update (and if not, Intel has to fix this in silicon itself). As far as I can dig, there is nothing that hints that this bug is fixable in microcode, which makes the matter much worse. Also according to my understanding a microcode update will be too trivial to fix this kind of a hardware bug.
3. A software-only remedy is possible, and that is being implemented by all major OSs (including our lovely Linux) in kernel space. The patch forces Translation Lookaside Buffer to flush if a context switch happens during a syscall (this is what I understand as of now). The benchmarks are suggesting that slowdown will be somewhere between 5%(best case)-30%(worst case).
4. Regarding point 3, syscalls don't matter much. Only thing that matters is how many times syscalls are called. For example, if you are using read() or write() on 8MB buffers, you won't have too much slowdown; but if you are calling same syscalls once per byte, a heavy performance penalty is guaranteed. All processes are which are I/O heavy are going to suffer (hostings and databases are two common examples).
5. The patch can be disabled in Linux by passing argument to kernel during boot; however it is not advised for pretty much obvious reasons.
6. For gamers: this is not going to affect games (because those are not I/O heavy)
Meltdown: "Meltdown" targeted on desktop chips can read kernel memory from L1D cache, Intel is only affected with this variant. Works on only Intel.
Spectre: Spectre is a hardware vulnerability with implementations of branch prediction that affects modern microprocessors with speculative execution, by allowing malicious processes access to the contents of other programs mapped memory. Works on all chips including Intel/ARM/AMD.
For updates refer the kernel tree: https://git.kernel.org/…/ke…/...
For further details and more chit-chats refer: https://lwn.net/SubscriberLink/...
(Originally written by Adhokshaj Mishra, edited by me. )23
Is noscript still the best choice?
Finally getting some upgrades for our office workstations!!
My work-pc still rocks 3rd gen core i7 with -40% performance loss because of spectre/meltdown patches and 1600 mhz ram. Its been a huge pain in the ass. Building unreal engine from source literally takes a day, while on my home Ryzen 5 it takes an our.
Ryzen 7/9 babyyy!!!
(I might even be able to talk them into a threadripper, wish me luck 😀)4
The year of 2018 is slowly coming to it end, so how about summing it up in a few keywords ?
I start : Bitcoin, Spectre/Meltdown, GDPR, Facebook-out-Linux-in, A.I., Elon Musk, Corporate fuckups(fb,g..), Cheap & Good smartphones
Just a few random ones, hope you come up with better summary:)19
After seeing this "old" picture I want to let know at the guyz who are in love with AMD that before Ryzen(s) I was able to cook my fuckin' breakfast's eggs on their fuckin' CPUs.
Big mistakes brings to great solutions and shut up the fuck up AMD, probably your core code is full of vulnerabilities but no one cares about your ultra threads architecture.23
What laptops are you using for university?
I think about getting the HP Spectre x360 15', so I will also have the ability to take notes with a pen on the device. I guess that will be quite useful because I want to try to use paper as less as possible... Let's see how that will work out.😂
Do you have any other recommendations?18
Lately I've noticed a lot of people complaining about webview apps (electron and so on)... While I see their arguments for resource hungry apps, slow and unreliable - I strongly think that it's just complaining for no reason....
It's slow - yes
It's stupid to make web work in native - yes
But guys, isn't it awesome that technologies allows us to do such things? Even a simple web developer can quickly prototype an application on mac/windows/linux/android/iphones - even if it's not a great one, you still don't need to learn all the corks and quacks of the languages... You just need to get it out there!
So, I'd like to say that we should actually appreciate things we have more, even if it's as stupid as emoji coding language :)
ps. I really admire the emoji language as it's amazing on the spectre of what is possible.... :D16
Ubuntu (probably) fucked up some upgrade and I wasn't able to use lvfs anymore. (damned meltdown/spectre bug) so... I figured it'd be a "good" idea to reinstall dbus. well.. the alternative was reinstalling Ubuntu so I figured I could at least try. obviously it didn't work out.. at all.
sooo here's me thinking I'll just insert my live media and live on with my life. nope. the fucking live media is corrupt. so, here I am now, contemplating why I was such an idiot.2
Everything will be about the same, but faster. Quantum computing will allow brick-shitting speeds of data processing, Nvidia will at some point develop a quantum GPU and call it Fuckall architecture or something that will allow to simulate all the atomic-level physics of a whole car (and stuff), 1Tb network speeds will be common, websites and databases work in a blink of an eye.
Also someone will find a spectre/meltdown-level vulnerability in quantum CPUs and everyone will get f-d in the a. Again. Almost.14
Recently I have updated my lubuntu to 18.04.
I don't use it regularly but I like to have it on the side of my window 10.
Anyway today I boot and decide to use it and get this error.
[0.000000] [Firmware Bug]: TSC_DEADLINE disabled du to errata; please update microcode to version 0x22 (or later)
and two MMIO read fault.
At first it sounds really dramatic and I was thinking, "Nice ... I never get a problem with Windows Update and when its Linux it doesn't work ..."
But lubuntu boots normally after so it's not a blocking problem.
So I do what most of us do in case like this, go to Google and search to know what the hell is going on.
And the answer is simple, my CPU microcode isn't up to date to prevent Spectre, one apt get install and a reboot later my 4700HQ is patched in 0x24 version and protected for Spectre where my windows didn't patch anything and worst disable the KB that I have installed manually before the last big update.
So thanks Linux, you scared me with your error but it was a good job to throw it :)1
I ask the professor from my last rant somehing about Spectre and Meltdown and he... hasn't heard of the exposure..4
Canonical has relased Ubuntu kernal update for Spectre and Meltdown.
It's time to do: fucking apt update && fucking apt upgrade.
Not a good year for Intel, is it? First the two Spectre variants and Meltdown, now the AMT vulnerability.
/Hugs his AMD systems while unplugging the Intel ones.7
A new system developed at CSAIL was shown to have stronger security guarantees than Intel's existing approach for preventing so-called "timing attacks" like Meltdown and Spectre, made possible by hardware vulnerabilities.
Image courtesy of Graz University of Technology7
Intel, wtf kind of drugs is your stupid site on?
Trying to make an account, the password requirement says "at least one special character".
Ok, no problem.
"Password format is invalid"
Wut? Hmm, maybe it doesn't like that one. Let's try one from their suggested ones.
"Password format is invalid"
WTF? The fuck is your problem?!
*reloads the page, tries again*
"Password format is invalid"
ARE YOU FUCKING RETARDED?
*adds the special at the end of the password instead of the beginning*
And then we wonder why bugs like Meltdown and Spectre come up. These guys can't even do fucking password validation properly.
And I've just lost 30 minutes because of this shit.
As a company director that’s just starting out down my freelance journey, I still find it so scary taking money out of the business, even though I know I have the money to replace it.
The spectre of getting my taxes wrong even though I’ve got established accountants looking out for me is insane.
My productivity is dying for want of a second monitor. I've been hooking up a new-ish HP external LCD to my brand new HP Spectre laptop. Every time I do this, the laptop soon locks up. Won't launch programs, won't even let me click the Windows button to restart. Have to hard reset and go back to single 15" screen. THEY'RE THE SAME BRAND?! WHY ARENT THEY COMPATIBLE?!4
So is everyone prepared for the up to 30% performance hit on DB servers due to Spectre and Meltdown? Going to be a very interesting year....
From what Linus Torvalds say, seems like Intel isn't willing to fix Spectre 😕
So, Dell's XPS 13 or HP's Spectre x360 13''?
Convertibles seem cool but I'm not sure if the feature is useful...9
So are game consoles also affected by these processor problems? Many articles just mention PCs and phones7
Are there any .NET devs here who use MacBooks as their main dev machine who can share some feedback? I really like the design of the Mac but I'm not sure whether I will be very productive on it. Other laptops I'm considering are the Razer Blade, Dell XPS or HP Spectre x3603