> The amount of CO2 produced by man pales in comparison to a single eruption.
18 posts • joined 13 Jul 2015
How about this for a compromise: when two endpoints A & B negotiate a shared encryption key, make them use 3-way negotiation, between A, B and K where K is a national key storage facility which stores keys for a limited time and releases keys to security services following a suitable legal process.
By "3-way negotiation" I'm presuming it's possible to securely generate a key known by 3 parties but not by eavesdroppers.
I'm not advocating a facility to record the data (encrypted or unencrypted), just to record decryption keys (for a limited time) for cases when the security services already have wiretapped data for which decryption is likely to be in the national interest.
This is a compromise to privacy, and safeguards would need to be in place such as publishing the number of key requests, but it's better than forcing all encryption to have back doors, which any attacker could use.
"... am I the only one who has a little sympathy with Intel et al?"
Possibly. Intel didn't invite sympathy when they blatantly lied in their press release to avoid taking responsibility for Meltdown.
They would be happy for people to think their chips fall in some grey area between "perfect" and "flawed" but the documentation is very clear - they must prevent memory access via certain kinds of reference in certain conditions - and there is no grey area to hide in.
If you don't put the responsibility for Meltdown at Intel's door, you are expecting blameless organisations to take losses that they shouldn't have to, and setting a bad precedent for responsibility evasion that could lead to less reliable and less secure systems in the future.
If Intel started acting with integrity over this then I would probably start to feel sympathy for them.
Meltdown is a CPU flaw and Intel should be paying for replacements or compensation for any server whose throughput can't be restored to pre-patch levels.
I know it's naive to expect Intel to do this willingly, but that just makes it more important for us to spread the message.
It shouldn't just be private compensation deals for their biggest customers.
"The issue here is that if you take a traditional view of processor "correctness", there is no real bug here: the software runs as it should and returns the right results."
I disagree with this, at least as far as Meltdown is concerned. The CPU is supposed to enforce a sandbox and there is a hole in it big enough to read privileged data. This is a bug, not a side-effect of correct operation.
"... they did not design based on the assumption of bad actors abusing this."
I agree. For illustration, have a look at this Intel manual page from 1986, explaining why CPU-enforced sandboxing was introduced: the focus was entirely on detecting, and confining the damage of, "bugs". I think this is understandable because malware wasn't such an issue back then, but it has been obvious for a long time now that Protected Mode is a critical security defence, not just a stability feature, and there is no excuse for holes in its sandboxes in recent CPUs.
"- Websites / services becoming slow or going offline"
Good point about going offline. A server currently running under high CPU load could have its throughput reduced below the required workload and then there will be backlogs or service unavailability. This could be a headache for admins who will have to decide whether servers can tolerate the performance hit before installing the patch.
> They are not slowing the processor, the OS is, so no comeback on Intel
I don't think that argument will work for Intel. Their chips are not working to specification: the user-mode/kernel-mode separation is supposed to be policed by the CPU, and it's leaky. There is no chance of them hiding this fact.
They could try to spread the blame by claiming that some of the slowdown is due to badly coded workarounds by Microsoft etc but they can't escape the blame for workarounds being needed.
Some of the firmware updates (including R6400, R7000 and R8000) are now out of beta. The web interface of my R6400 showed a notification about the update. After installing, testing with the 'killall' URL led to a login prompt and, even after I authenticated, it still didn't execute the killall so the fix looks good.
"The widget, sure, but I can't disable the app in Application Settings like you can some other "built-in" apps."
Oh I see, sorry.
"Samsung's fault because of their horrendous record of not releasing code for their Exynos chipsets. The G3 with its Qualcomm-based chipset should be much better."
OK. That's encouraging. Maybe when LG stop pushing updates I'll brave CM again.
I've just received the update to Smart Notice.
On my stock unlocked G3 (software version V21a-EUR-XX), I can add and remove Smart Notice just like any other widget. Are you referring to the full-page Smart Bulletin instead? You can remove that from Settings->Display->HomeScreen.
But, like you, I can't see the Smart Notice update in the "Update Center". It's not helping that there is no "Check Now"/"Refresh" button in the App Updates panel, so all I can do is set it to check daily and wait.
My experience with Cyanogenmod (on Galaxy S2) is that it's great for scratching a nerdy itch and getting the latest Android fixes and features (continuing long after the OEM has stopped providing them) but bad for stability. Things may have changed since I tried it but, judging by a quick look at the G3 CM forums, they haven't changed much.
It took a lot more than 32 characters - in the video, copy & paste are used to repeatedly double the password length. It starts with 10 characters, then gets doubled 10 times in the dialler, (an eleventh attempt is abandoned - it isn't copied), which makes 10240 characters. Then this is pasted four times into the password entry field, so the total is 40960 characters. I expect someone even more pedantic than me will correct me if I've miscounted.
Obviously it's stupid to allow entry of so many characters, so I'll join you on the Guinness.
Verizon Wireless say you can't link to any part of their web site except the home page: http://goo.gl/WFjYKK (see the paragraph under the heading "Requirements for linking to www.verizonwireless.com")
The same instructions appear on lots of other sites - example Google search: http://goo.gl/hDKBle