Re: Linux Nvidia here
Not just you. Happens with my AMD card, too. Think it has to do with the HDMI standard more than anything in that it has issues with displays being turned off.
7244 posts • joined 10 Jun 2009
"A GPU driver could use a similar scheme and (as already mentioned) certainly has the bandwidth to make it affordable."
But not the TIME. GPUs are normally built for high performance, so there are frequently zero-time context switches (a freed buffer has to immediately go to another application, with no chance to wait because, like I said, performance is demanded). Now you're in a security-vs-speed dilemma, and people who buy performance GPUs will demand the latter.
"Going incognito doesn’t hide your browsing from your employer"
That copout is due to hypervisor capabilities in enterprise settings. Basically, Incognito can do squat against an agent that can snoop at all programs actively running. Basically, that scenario is like getting caught with a salacious book wide open. You can't do much against that kind of eye.
Nevertheless, Chrome should be obligated to perform due diligence when handling incognito windows. It should, as standard security procedure, retain the information for no more than is absolutely necessary to function, meaning any information it no longer needs should be immediately wiped clean to minimize administrative/hypervisor/root-class malware spying.
"If any program (let's restrict that to non-root UID) can see another's memory then privacy and security is gone."
Then we're essentially doomed. Anti-malware, anti-cheat, basically any defensive program worth its salt MUST be able to see into other processes to make sure they're not malicious, and if THEY have to do this to be able to function, any other program can pretend to be this, too. We've gone into a Quis custodiet ipsos custodes? situation, and there's no easy answers to that.
But Google created the content AND presented it on an OS with GPU compositing, meaning they KNEW their stuff would show up on the GPU's RAM. As the saying goes, "You made the mess. You clean it up." There's not much Google can do with active Incognito pages in GPU RAM since it must be in an accessible state for the GPU to put it on the screen. But once the page closes, Google should assume the memory won't be cleaned up on its own, so it should zero or otherwise blank the page before releasing it.
Then it should be an option on the free() call, unless it's a free called by the program's termination (in which case it can be an automatic wipe; performance becomes less of an issue in the graceful termination phase). That way, the program can judge if the memory needs to be wiped (for example, because sensitive memory is involved--they'll want to clean it regardless and doing it this way minimizes the chances of a read by elevated code). As for abnormal termination (essentially "nuking" an app), then perhaps only then should the OS intervene and wipe the program's memory space as it's performing an intervention. Any other method should leave it the program's responsibility.
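The wipe-as-an-option-on-free idea from the comment above, as an added example that is not part of the original thread or any real driver's code: a toy fixed-slot pool stands in for driver-managed buffer memory, and `pool_alloc`, `pool_free`, `FREE_WIPE` and the sample secret are all hypothetical names and data constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define SLOT_SIZE  64
enum { FREE_FAST = 0, FREE_WIPE = 1 };   /* hypothetical flags for the free call */

/* Toy pool: slots are recycled immediately, like a buffer handed to the next app. */
static unsigned char pool[POOL_SLOTS][SLOT_SIZE];
static int in_use[POOL_SLOTS];

/* Hands out the first free slot WITHOUT touching its contents ("undefined" memory). */
void *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Wipe through a volatile pointer so the compiler cannot drop it as a dead store. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Releases a slot; the caller decides whether to pay for the wipe.
 * Returns 0 on success, -1 for a pointer that is not a live slot (e.g. double free). */
int pool_free(void *p, int flags) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (p == (void *)pool[i] && in_use[i]) {
            if (flags & FREE_WIPE) wipe(pool[i], SLOT_SIZE);
            in_use[i] = 0;
            return 0;
        }
    }
    return -1;
}

/* Counts the nonzero bytes a new owner inherits from the previous one. */
size_t stale_bytes(const void *p) {
    const unsigned char *b = p;
    size_t n = 0;
    for (size_t i = 0; i < SLOT_SIZE; i++) n += (b[i] != 0);
    return n;
}

/* Owner A stores sensitive data and frees with `flags`; owner B then allocates
 * the recycled slot and reports how much of A's data is still readable. */
size_t leak_after_free(int flags) {
    const char secret[] = "incognito page contents (constructed sample)";
    unsigned char *a = pool_alloc();
    if (!a) return (size_t)-1;
    memcpy(a, secret, sizeof secret);
    pool_free(a, flags);
    unsigned char *b = pool_alloc();     /* same slot comes straight back */
    size_t n = stale_bytes(b);
    pool_free(b, FREE_WIPE);             /* leave the pool clean for the next run */
    return n;
}

int main(void) {
    printf("stale bytes after fast free: %zu\n", leak_after_free(FREE_FAST));
    printf("stale bytes after wipe free: %zu\n", leak_after_free(FREE_WIPE));
    return 0;
}
```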
"This bug is common in graphics drivers... not familiar enough with the inner workings of OpenGL to know but I'd assume the driver could zero framebuffer and texture memory when deallocated/no longer used. Maybe this is hard or non-performant."
The problem is that memory wipes take time, and GPUs are typically built for high performance, meaning it's a trade-off. Speed frequently clashes with security, unfortunately. And in a paranoid system, one should assume their mess won't be cleaned up for them.
PS. Why should the memory be wiped on the alloc? Shouldn't it be wiped on the free instead?
"The O/S certainly should clear memory that has been owned by a different process. Otherwise, as has been said above, there are at least privacy issues. It absolutely has to clear memory previously owned by a process with a different UID."
But what if the program in question is a recovery tool that NEEDS to see that memory? One size can't fit all here, and the principle of DTA dictates that ultimate responsibility falls to the program that made the data (the origin point, if you will, the point of first responsibility). If you don't trust another program to see their data, it should be wiped before you release it. And before you say the OS should do this (maybe not wipe on the alloc but on the free instead), remember that bulk memory operations mean an unavoidable performance hit, and if the OS is designed for high performance, such a hit may not be desired.
"On a well designed OS, the apps should not even be aware that other apps are running and each app should be able to consider its own memory space private and secure. We're not quite there yet, but it's a good aspiration ;-)"
Can't. There are times when an app NEEDS to know another app or module is running. Example, what good is a web browser without an Internet connection, which means knowing the socket driver is available, which may or may not be in Userland (depends on the OS, but microkernels by design would put everything non-essential into Userland). And there are such things as "ethical" process snoopers like anti-malware and anti-cheat programs.
This has been a known exploit since the earliest days of personal computing. It was quite common to quickly reboot a machine and discover troves of information left by the last program running (I used to do this quite a bit in the latter days of using my Commodore 128). I recall very few programs have the know-how to interrupt the warm boot sequence to erase their code to block this (I think Lenslok-protected games actually cared).
Basic defensive SECURITY programming says Don't Trust ANYONE. That goes backwards AND forwards. In other words, don't make assumptions of inputs AND don't release anything you don't want seen since anything you release COULD be seen. So like I said, Chrome should wipe any Incognito pages before releasing their framebuffers on the assumption that they don't want the contents to be visible to anything else.
There's also the matter of the KISS principle. Assume the least work was done on your request, and do yourself the least amount to accomplish your goal since you may be subject to delays or repetition that result in small delays adding up. Why should Diablo blank their framebuffer if they're just going to immediately overwrite it anyway?
Why is it a bug in Diablo? They initialize the memory with their first frame of rendering. What happened to the framebuffer before them is, frankly, none of their business. It should fall on Google to ensure that when an Incognito page is closed, it's blanked BEFORE it's released. In security terms, this is a memory leak on THEIR part.
"But doesn't an O/S kernel zero out regular memory before handing it to an application?"
Why should it? The memory you get from an allocation should be considered to be "undefined", and therefore it should be the applications' responsibility to handle it accordingly, using as you said common memory-fill techniques if necessary.
"GPUs are often touted as having large memory bandwidth, so surely they can use a bit of that to zero out a newly allocated region?"
Again, that's if they WANT that. If you're allocating the framebuffer to say play a video, then zeroing is redundant. You let the video take care of that.
I'm agreeing with the point that if an application is touting a low-trace operating mode, the onus is on the application to ensure low-trace operation.
All fine and dandy. But how do you force the issue?
"On the other hand if "they" had ensured that there was enough clean nuclear power available ...."
There are those who would argue that emboldened term is an oxymoron.
"This has now been exposed, though known by anyone expert for years. You need about 20W + of CFL or LED to light the same area to same brightness as a 100W lamp."
Funny. From what you say, the packages I read on a regular basis would then be accurate, because the 100W incandescent analogue in CFL is rated 26W (over 20 as you said). The watt ratio is roughly 4:1. A 9W CFL is roughly supposed to put out as much light as a 40W incandescent, a 15W a 60W, and I think an 18W a 75W.
Have you tried threatening them with a lawyer? Given your Internet is wireless, this falls directly into the FCC's purview (since wireless bandwidth has to come from the feds first), so unless they can show where the data use comes from, you can claim they're defrauding you.
That's assuming the trenches aren't already covered up. If they are, then that's an added expense. Remember, a lot of the infrastructure in America has already been installed. This is one reason New York is so difficult to wire up (200+ years of densely-packed existing infrastructure to work around).
As for the local monopolies, that's basically a necessary evil. For these small, poor, isolated communities, it was basically take the sweetheart deal or stay in the dark, because NO company would be willing to plunk down to build out to the boonies without some assurance of RoI. If they were to be restricted by law, the numbers wouldn't add up and they wouldn't even try. Remember, wires in America are more often than not privately owned, and companies frequently reserve the ultimate option to call Leave It and declare No Deal.
What you describe demonstrates capitalism in action. Business customers draw a higher rate, can frequently be metered, and can sign longer-term contracts. These buildings probably agreed to chip in for the gigabit rollout to their area as part of the contract. For an area to get additional coverage (which means extra infrastructure which means additional costs), you usually need either connections (such as getting in on new construction while the ground's already torn up), numbers (if an entire neighborhood contracts to sign up for gas, internet, or whatever, the utility has better incentive to plunk down), or money (affluent areas can usually pony up if they want it badly enough).
This has always been the problem with rural Internet coverage. They lack any of the three. They're sparsely populated, frequently of a lower standard of living, and as a result the community as a whole is lacking in capital. That's why many of them get tied up in sweetheart deals: it's the prime condition the companies will insist before they're willing to go out on a limb.
All fine and dandy. Now who PAYS for all that infrastructure rollout?
It also helps that Singapore and Hong Kong are TINY. Try doing the same thing in the United States where there's tons of sparse population to consider.
If that's the case, then why is no one using it while people clamor for more bandwidth? Any economist would see that as artificial scarcity to their detriment since someone else could come along and find a way to use the dark fiber to undercut them.
I may be mistaken, but the high price may be due to the need to install a cabinet at that junction (branching out fiber optics isn't always as simple as installing a splitter; the last mile in my Cox neighborhood for example is still copper). If neither she nor anyone else on her street has already signed up for the fiber, then that means infrastructure additions much the way Virginia Natural Gas doesn't run through my neighborhood because no one was interested in ponying up for the pipe (I use propane instead). Now, as it so happens a Verizon FiOS cabinet happens to be in the easement next to my house, so if I wanted to, I can switch (indeed, Verizon has sent many an offer). But since that means boxes throughout the house, the bottom-line price isn't good enough yet.
But the few that remain become that much more difficult to deal with. What do you do when your very-expensive enterprise system requires Flash to control it? Switching it out is not an option due to the accountants, who tend to be able to trump the security team (after all, accountants can influence the IT budget).
You can avoid Flash vulnerabilities by not using Flash, but many people don't have that option, requiring Flash in their everyday activities. And yes, if they want to infect people badly enough and they can acquire one (this can be tough; usually it's states and other powerful agencies that hoard them), they MIGHT use a zero-day vulnerability.
As for Windows 10, that's still done by Adobe IIRC. The only company helping Adobe with Flash is Google, and only in regards to Linux and Chrome.
What makes you think they didn't come from ISIS? I mean, three men with material essential to any serious farmer committed quite a bit of mayhem 20 years ago, and technology means more and more power can be obtained by an individual over time. What's to say a lone wolf couldn't wreak national-scale mayhem today and we just don't want to admit it for the sake of our sanity?
Then you're basically saying, "Damned if you do, damned if you don't". If it isn't the government screwing you, it's robber barons (think the Gilded Age). Somewhere along the line, SOMEONE will have the chutzpah AND the capability to usurp, one way or the other, and since this is basic human instinct when they see a zero-sum game (it's you or the other guy), we'll never see this go away.
Which may be why no "people-centric" government doesn't seem to last for too long in historical terms. Every one of them degenerates or collapses due to simple human nature.
Furthermore, what happens when a crisis hits, like a war, and you NEED the government to rally and protect you from the enemy? World War II was a legit example. No single state could muster the forces necessary to defeat the combined Axis Powers, and since we were also deep in the Jim Crow era, there was also considerable friction between northern and southern states. Only the central government can override these frictions and unite the nation in war.
So IOW, you MUST trust the central government at some point, or there's no point in a government to begin with.
But what downsides are there back home? Before you say "terrorism," note that some people hate you for your mere existence. I believe they call that, "Haters gonna hate."
As far as the home turf is concerned, doing nothing is not an option, and the people DEMAND a robust solution. Otherwise, they'll vote you out. So what's a country who demands they be doing something effective to do when there is NO such thing as something effective to do?
"The problem is that people came to trust government at all."
And the problem behind the problem is that your average person isn't interested in anything as remote as that. They just want to see tomorrow, that's all. The simpler their lives can be, the better. It takes a certain amount of enlightenment to be able to question things around you; most don't have the intellect for that.
The enemy doesn't NEED backdoors, just a general idea. Unlike us, bound by Rules of Engagement, the enemy can attack indiscriminately. There's no such thing as neutrals to them: there's allies, enemies, and sympathizers, and the latter two are fair game. Thus civilians get targeted instead of, say, military installations.
And yet, by doing that, they make themselves more vulnerable to enemy action by providing a ready-made, robust solution instead of a homebrew job which can be hit or miss. The one big bug-a-boo about freedom is that it can always be turned against you. Heck, according to the opening of Genesis, GOD learned that the hard way.
Don't buy anything, just stick with what you've got because, frankly, most games require it since they're not WINE or VM-friendly.
Many times, there is no replacement package, and the hardware is custom, so virtualization is not an option. It's bare metal or bust.
"4. For the cases where the Windows tool won't run under Wine or Crossover run Windows in a VM. An old copy of W2K may do fine and won't try to install spyware even if you let it connect to the net."
And if the software balks in the VM?
"All we can do is to keep abreast of the security battle and get users to be savvy."
So how do you fix Stupid?
"It's called ReactOS and won't be finished for a lonnnnnnnnnnnnnnnnnnggggggggg time."
Judging by their homepage, it hasn't been updated in over a year. Plus their original target was Win2K compatibility. Meanwhile, there have been FOUR major Windows releases since then. They're trying to chase a moving target, and it's getting away from them.
"business related apps"
What if that business-related app is a custom industrial control system that runs on XP and only XP? Changing OS is not an option due to the custom nature of the hardware (which also means it can't be virtualized, so VMs are not an option), and since the hardware's hugely expensive and still being amortized, you can't switch it out.
Until you realize that one piece of software you need is Windows-only, won't run on WINE, and acts funny in a VM.
And then you get hit with a drive-by. BAM! There goes your idea of "being careful". I mean, what if El Reg gets hit with a drive-by, especially on one of its internal (read: won't be filtered) ads?
I do keep the CLI in mind, even in Windows. In fact, I've become pretty adept at Batch Files and VBScript automation, because few things beat batch files for...well, batch operations, doing similar things to numerous files at a time.
"World + Dog: "Linux after August! (Whoopee!)""
"Where's my Fallout 4?!"
Gamers: "Back to Windows in September...and this time for a fee!"
That's why I said "can" instead of "will". In places where freedom of speech is not strongly assured, dissing the country's leadership will draw at best dirty looks and at worst LEOs. Your mention of the Sex Pistols expression probably showed England is tolerant enough to let the isolated case slide as a nonviolent protest. In the Catalan case, it appears to be somewhere in between: a summons to explain oneself.
Looks like YAAC forgot the Joke Alert. I guess you haven't heard of comedian Larry the Cable Guy, have you? He actually made a joke of that, and his typical outfit happens to be sleeveless.
Another joke take of this is to "arm bears". Imagine a poster with an upright bear (a la Smokey) carrying a 12-gauge pump-action shotgun.
So what happens when you tunnel into YouTube through a VPN? Now T-Mobile only sees scrambled data. How will they know what you're doing?
The reason "setup" and "login" came into vogue is because the style you cite is considered grammatically correct: dangling prepositions (proper style says prepositions MUST have an object, as in "up the creek" or "in the hole").
Unless it's a cop rappelling from a police chopper (assume it's SWAT). He's in the line of duty, so he's allowed to trespass if the police have a warrant that grants them forcible entry.
And here I thought someone was going to go the other way and wonder why I'm talking about either birds or high-ranking churchmen.
Apparently, this is because ages in the far east, like Korea, are given as an ordinal rather than a cardinal, so "1st year" makes sense to them.
Even ENCRYPTED communications? Even FIBER communications? Let's see it, then.