All software has flaws
both in themselves and in their implementation.
"trusted" software is only trusted at a point in time until some circumstances changes that trust.
A 20 year old bug has been discovered in an algorithm so pervasive it's used in the Mars Curiosity rover, cars, aircraft, Android phones and a string of popular open source wares. The bug can be found in the Lempel-Ziv-Oberhumer (LZO) data compression algorithm created by Markus Oberhumer, who on Wednesday posted a new version …
On the other hand, there is a pretty cool article on formal verification ("Reasoning and Verification: State of the Art and Current Trends") in "IEEE Intelligent Systems" of January (which, incidentally, just arrived in my mailbox; yes I am not living in Upper Volta - IEEE managed postal delivery still needs to be pulled into the 21st century).
Apparently, advances over the last ten years have been enormous and practical. Victory soon!
"On the other hand, there is a pretty cool article on formal verification "
If formal verification were a panacea it would be a lot more common. All it does however is move the bugs from the software to the formal specification (which is effectively a sort of program in itself) and you end up having to debug the latter instead, and which scales in complexity with the complexity of the system you're trying to prove. And if you have a bug in the spec that goes unnoticed then it makes the formal proof worse than useless because people assume that , well , the software has been formally proven , it can't fail! Hmmm...
C has been used in the galaxy for the last 5 million years. Which is why the Fn'orrrl died of bitterness before they could expand from the core, and the Blfti'ckx Machine Civilization just snowball-bluescreened when an unexpected radio burst was generated by a nearby neutron star and generated a surprise packet with unexpected binary content.
Fermi Paradox: It's all down to C!
So the alien archeologists examine the rover sent to mars and deduce humanity died out down to shoddy programming. .... Lionel Baden
Hmmm, many a true word is said in jest, LB, and is in steganography quite a valued transparent code in matters that might in other cases, .... deemed by concerned and/or terrified others to be better kept secret and generally unknown ..... warrant encryption and/or the likes of NSL protection.
IT never rains but IT pours ..... and this is appropriately APT and relevant here, for it has been built and builds upon pervasive algorithm bugs which be transformed in other systems of operation and fields of SMARTR Advanced ProgramMING Play into Heavenly Opportunities Exploiting Serial Primitive Weaknesses which some may conclude to be an Inherent Systemic Flaw?
amanfromMars  adding more on http://thedailybell.com/news-analysis/35428/No-We-Are-Not-Fans-of-Open-Source-Public-Solutions/
And furthermore, if one be talking of turkeys in current positions of present power, one will have to realise that they, the turkeys, unless they have accepted special future training from enabling deadly action forces and are even mildly cognitive of the dire consequences for themselves in plumping for the pumping and pimping of the maintenance and retention of the status quo rather than being instrumental in Brave New Worlds with New AIDealings, will not be voting for Xmas, so will have to hunted down and rooted out and as exposed as the killjoys that they are and have become.
A simple truth which is impossibly complex to deny or successfully battle against, as every turn to hide and repress and suppress and obfuscate the honest picture, discovers and uncovers the Bigger Picture which leads to tales which reveal more of the all and sundry to everyone from ....... well, the Advanced Intelligent Crowd[s] in Cloud[s] is something to follow if you want to know what the Future is planning in the Virtual Fields and Alternate Landscapes of Concept Generation and Concept Development ProgramMING ....... Program Mined Intelligence Network Games/Mind Infiltration Networking Games.
To imagine in a novel and noble age of unprecedented virtually instantaneous global communication, where the works of a day and a zeroday can unravel and expose the labour of millennia as a contrived sham and lucrative schema, that past masters of ignorance will rule with reign and reins in a future with growing intelligence, is a risible arrogance borne and born of ignorant masters of the past to be virtually lost and practically forgotten and only remembered by students of history.
Thank for all the thoughts and common sense, Robert. As you can read, are they much appreciated here.
There's a lot going on out there, El Reg, and all of it good except for that which targets the bad, and that is great.
In 2 months time, when Curio
usity broadcasts a picture of a grinning Elvis sitting on a Martian boulder back to planet Earth, then you'll know that it was me what hacked it. You heard it here first.
Either that, or The Sunday Sport was right all along!
My personal favourite of their headlines was 'Vampire 3-in-a-Bed Sex Scandal'.
It says exactly what's up:
So sorry, this is not a "new heartbleed" situation the author seems to dream for.
Nevertheless, it's a good idea to close this risk, just in case, in the future, one implementation may inadvertently wander into the area of "custom compression format using large blocks of > 8 MB on 32-bits system, and receiving data from untrusted external sources". Judging from the current list of usages, this scenario stand in the low probability range. But that's nonetheless good to plug it, if the solution doesn't trigger any other side effect, which is the case within current LZ4 release available on Github and Google code.
So no "debunking" anywhere in sight.
you should cite correctly; did that for ya :
> At the end of the day, none of the known implementation of LZ4 is exposed to this risk.
> Basically, most user programs employ LZ4 for small data packet structure, way beyond the critical limit.
> Programs which generate and distribute large compressed blocks (notably the lz4c pos-x compression
> utility, distributed within Linux Distro) use the documented streaming format, which limits block size to 4
> or 8 MB. Remove also from the list programs which never take "externally provided" data as input, they
> can't be targeted either.
> So sorry, this is not a "new heartbleed" situation the author seems to dream for.
except for a great headline, nothing left
And just to go off topic - "Curiosity rover brought Earth BUG to Mars".
Brought ?? Huh?? I think the correct word required here is "took".
With a UK domain to your name, you might at least try to translate American headings / text in to English. Using American phrases like "...bringing him to jail." and "...I'm going to bring him something." are really starting to hurt. We English still use take, taken & took, so please don't forget them.
- Grammar Police (UK division)
> Brought ?? Huh?? I think the correct word required here is "took".
I was raised North of the border, but "brought to" sounds perfectly Ok to me. Then again, verbs of motion are used differently in each of the half a dozen or so languages that I speak on an everyday basis, so there might be some interference there.
"On the other hand, there is a pretty cool article on formal verification ("Reasoning and Verification: State of the Art and Current Trends") in "IEEE Intelligent Systems" of January ..."
I would hope that this will eventually come to the fore ...
I studied formal verification methods many years ago and when I went for an interview and asked about verification of software the company said 'we test it extensively'. I believe that to still be the case in nearly, if not all systems today (including military and critical systems.)
"the emergence of the bug is a reminder of how developers build on 'trusted' systems like LZO. That trust turns out to have been misplaced"
I don't follow your thought-processes, unless a company is prepared to have its own programmers go through the code, then you have no other option but to accept the code as relatively bug free.
"[I]t is unclear how Curiosity's micro controllers are affected, so the idea of interstellar RCE is in the realm of science fiction."
Um, at this point even interplanetary RCE remains in the realm of sci-fi. Interstellar RCE would reguire not only "uncommonly huge buffer sizes" but, say, either great patience and a very long lifespan, or some way to get around the speed of light as a limit in communications.
Biting the hand that feeds IT © 1998–2022