* Posts by chasil

101 posts • joined 18 Jul 2014


Using a free VPN? Why not skip the middleman and just send your data to President Xi?

chasil

Just use Tor.

There are many cases where hostile sites block Tor exit nodes, and shopping through one subjects you to much more extensive 2fa, but the more people who use Tor, the more accommodating they will become.

Oi! Not encrypting RPC traffic? IETF bods would like to change that

chasil

Re: stunnel, wireguard

There are also situations where NFS should NEVER EVER EVER be run over UDP. I guess you can save stunnel for those scenarios.

Isn't there also a userspace implementation of wireguard? Perhaps you would be happier with that version.

From "man 5 nfs:"

Using NFS over UDP on high-speed links

Using NFS over UDP on high-speed links such as Gigabit can cause silent data corruption.

The problem can be triggered at high loads, and is caused by problems in IP fragment reassembly. NFS read and writes typically transmit UDP packets of 4 Kilobytes or more, which have to be broken up into several fragments in order to be sent over the Ethernet link, which limits packets to 1500 bytes by default. This process happens at the IP network layer and is called fragmentation.

In order to identify fragments that belong together, IP assigns a 16bit IP ID value to each packet; fragments generated from the same UDP packet will have the same IP ID. The receiving system will collect these fragments and combine them to form the original UDP packet. This process is called reassembly. The default timeout for packet reassembly is 30 seconds; if the network stack does not receive all fragments of a given packet within this interval, it assumes the missing fragment(s) got lost and discards those it already received.

The problem this creates over high-speed links is that it is possible to send more than 65536 packets within 30 seconds. In fact, with heavy NFS traffic one can observe that the IP IDs repeat after about 5 seconds.

This has serious effects on reassembly: if one fragment gets lost, another fragment from a different packet but with the same IP ID will arrive within the 30 second timeout, and the network stack will combine these fragments to form a new packet. Most of the time, network layers above IP will detect this mismatched reassembly - in the case of UDP, the UDP checksum, which is a 16 bit checksum over the entire packet payload, will usually not match, and UDP will discard the bad packet.

However, the UDP checksum is 16 bit only, so there is a chance of 1 in 65536 that it will match even if the packet payload is completely random (which very often isn't the case). If that is the case, silent data corruption will occur.

This potential should be taken seriously, at least on Gigabit Ethernet. Network speeds of 100Mbit/s should be considered less problematic, because with most traffic patterns IP ID wrap around will take much longer than 30 seconds.

It is therefore strongly recommended to use NFS over TCP where possible, since TCP does not perform fragmentation.

Jumbo frames are the top-rated workaround.

p.s. Olaf Kirch's overview of NFS on Linux says that TCP was always the default.

chasil

stunnel, wireguard

I used stunnel in the past to encrypt NFSv4 over TCP. NFS makes use of ONC RPC.

Wireguard also has a much, much smaller footprint than any TLS implementation, and would likely shield any and all RPC traffic.

https://www.linuxjournal.com/content/encrypting-nfsv4-stunnel-tls

You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy

chasil

Re: This is why I set Firefox to clear cache, etc... on close

On Android, Firefox sometimes stalls when clearing the cache prior to exiting.

The solution to that is to swipe it away from the task list, open it again, and close it. If it again stalls, repeat.

I wish that would get fixed.

chasil

Webview

Android is the most popular computing platform, and it offers "Webview," which had previously been based on Apple Webkit/KDE Konqueror KHTML, but was forked and diverted by Google beginning with Android Lollipop.

Any application can call Webview to render remote or local HTML. There are dozens of browsers that do this in differing ways, and likely hundreds or thousands of apps that do this for specific uses that are not part of their core function.

Windows also does something similar with the historical "Trident" rendering engine, but is now done with EdgeHTML on Windows 10.

Android Phones are 10: For once, Google won fair and square

chasil

Re: Android is a terrible operating system.

And just in case anyone here has doubts about how awful Android's media system is, let's refer to an authoritative source:

"Don't start me on [Android] Stagefright and Mediaserver, I could rant for 2 or 3 hours non-stop! Seriously, the code over there is crap, and has insane concepts, like aborting the whole mediaserver (and all related media decoding of all other applications running at the same time), when it parses a file with attributes it does not know, instead of skipping the file. We discovered some issues in Stagefright (busy loops, device reboots, mediaserver crashes) quite early, but we never thought about submitting them."

https://interviews.slashdot.org/story/16/08/26/1338246/the-slashdot-interview-with-videolan-president-and-lead-vlc-developer-jean-baptiste-kempf

chasil

Android is a terrible operating system.

If you are building an OS that cannot receive regular updates, then you have to make some sacrifices for security. Android most certainly did not do this.

Using chroot() for untrusted apps is a well-known practice that Android ignored.

The Java JRE and other bytecode emulators (i.e. .NET) have led an extremely troubled existence from a security perspective; ADA compiled to native code would have been a far safer choice.

Instead of doing any of these things, Android requires all of the media libraries to be linked into the Zygote process which is forked to run apps. This is about the same as systemd refusing to run without a complete copy of VLC in its shared text segment. Android's media system is a particular disaster.

Android won because of the deal-making behind it - it certainly did not win on technical merit.

The consequence is that, every month, we have new critical flaws, addressed by OEM patches that either don't exist or are quite tardy.

See for yourself:

https://source.android.com/security/bulletin/

Microsoft hopes it has a sequel better than Godfather Part II: SQL Server 2019 previewed

chasil

sqlite is the most popular database

SQLite is the most popular, bar none. They just got window functions last month, too.

https://www.sqlite.org/mostdeployed.html

Every Android device

Every iPhone and iOS device

Every Mac

Every Windows10 machine

Every Firefox, Chrome, and Safari web browser

Every instance of Skype

Every instance of iTunes

Every Dropbox client

Every TurboTax and QuickBooks

PHP and Python

Most television sets and set-top cable boxes

Most automotive multimedia systems

Linux kernel 'give me root, now' security hole sighted, dubbed 'Mutagen Astronomy'

chasil

I wonder which versions of Oracle's UEK were vulnerable.

The 862.14.4 kernel just came down yesterday.

Heads up: Fujitsu tips its hand to reveal exascale Arm supercomputer processor – the A64FX

chasil

Re: Why no ARM servers?

ARM 64-bit support only emerged in 2011, and it's vastly different from the 32-bit ISA (I understand it's much more like MIPS).

This also came late to x86 with the Opteron in 2003.

MIPS owned supercomputing in the 90s starting with the 1991 release of the 64-bit R4000.

The ARM 32-bit ISA had design decisions that limited performance. I would say that Sophie's ISA was perfect for an '80s Acorn, but not so much for a Cray.

https://www.jwhitham.org//2016/02/risc-instruction-sets-i-have-known-and.html

Systemd-free Devuan Linux looses version 2.0 release candidate

chasil

inittab

The article doesn't mention what init system replaced it - we have all assumed a classic SysVinit. Is this so?

I have some old systems that use respawn behavior in the inittab to keep some of my Oracle clients running. I have them all set up to run with init 4. Unfortunately, the inittab only respawns ROOT processes, so I needed a wrapper to setuid() and drop various privileges, then get the Oracle environment variables in place, erase any lock files, then finally execute the correct program. My C code that does this resembles duct tape and baling wire.

Moving these processes to systemd was VERY pleasant. I created units that ran as the correct users, read environment files and set them before executing, erased lock files before forking the main process, then ran final settings mods after the last program was up. I did not need any of my ugly C for this at all.

I can do all of this under either system, but what I needed was much more straightforward with systemd. I understand why people don't like it, but it does work for me when I need it.

Intel gives Broadwells and Haswells their Meltdown medicine

chasil

Re: New processor? - NO!

The microcode is needed for Spectre V2. Ubuntu already has the Retpoline workaround in their kernels addressing this. Call out to RedHat - why can't you do this?

Retpolines are faster than the microcode. If at all possible, use them instead. Below is an ancient Core Duo that is fully protected.

root@squib:~# ./spectre-meltdown-checker.sh ...
Kernel is Linux 4.13.0-36-generic #40-Ubuntu SMP Fri Feb 16 20:07:48 UTC 2018 x86_64
CPU is Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz...

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'...
> STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'...
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: YES
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'...
> STATUS: NOT VULNERABLE (Mitigation: PTI)
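The checker output above is the third-party script's view; the kernel itself publishes the same verdicts in sysfs, one file per issue under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Mitigation: ..." or "Vulnerable...". The shell functions below are an added example (not part of the post or of the spectre-meltdown-checker project) that summarise that directory and flag whether Spectre V2 is covered by a retpoline rather than by microcode alone. The directory is a parameter so the same functions can be run against a constructed snapshot; the file contents in make_sample_vulns are constructed to mirror the post's output.

```shell
#!/bin/sh
# Added example: read the kernel's own vulnerability/mitigation report.
# Real location on a modern Linux host; overridable for testing.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# report_vulns [DIR]: print "name: status" for every file in DIR and
# return 1 if any status begins with "Vulnerable", 0 otherwise.
report_vulns() {
    dir=${1:-$VULN_DIR}
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue          # glob may be literal if DIR is empty
        status=$(cat "$f")
        printf '%-20s %s\n' "$(basename "$f"):" "$status"
        case $status in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# uses_retpoline [DIR]: succeed when spectre_v2 is mitigated with a retpoline,
# the software mitigation the post prefers over the microcode (IBRS) route.
uses_retpoline() {
    dir=${1:-$VULN_DIR}
    grep -qi 'retpoline' "$dir/spectre_v2" 2>/dev/null
}

# make_sample_vulns DIR: constructed sysfs snapshot (not captured from a real
# host) using the status strings the kernel emits for the post's scenario.
make_sample_vulns() {
    mkdir -p "$1"
    printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n'      > "$1/spectre_v2"
    printf 'Mitigation: PTI\n'                         > "$1/meltdown"
}

# Usage on a live host:  . ./vulns.sh && report_vulns && uses_retpoline
```

On a host where the directory exists, `report_vulns` with no argument prints the live status and its exit code doubles as a simple fleet check; `uses_retpoline` is only meaningful once spectre_v2 reports a mitigation at all.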

Liberating SSH from Logjam leftovers

chasil

detect, fix

I wasn't expecting this, but 1024/1535 bit primes are in the latest CentOS.

# fgrep ' 1023 ' /etc/ssh/moduli | wc -l
29
# fgrep ' 1535 ' /etc/ssh/moduli | wc -l
49

This "in-place" sed edit command will remove them (restart sshd after edit):

sed -i.BAK 's/^.*[ ]1023[ ]/#&/;s/^.*[ ]1535[ ]/#&/' /etc/ssh/moduli
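The sed one-liner above targets the two sizes the post found. As an added example (not from the post or from OpenSSH), the shell functions below generalise it to any minimum: the moduli file is whitespace-separated with the fields time, type, tests, trials, size, generator, modulus, and "size" (field 5) is the prime's bit length minus one, so 1023 is a 1024-bit group and 2047 a 2048-bit one. filter_moduli writes a copy with every active entry below the chosen size commented out, count_moduli reports how many active entries of a given size remain, and make_sample_moduli builds a constructed four-line file with fake hex moduli for testing.

```shell
#!/bin/sh
# Added example: disable Diffie-Hellman groups in an OpenSSH moduli file that
# are shorter than a chosen size. Field 5 is size = bits - 1.

# count_moduli FILE SIZE: number of active (uncommented) entries whose size
# field equals SIZE exactly.
count_moduli() {
    awk -v s="$2" '$0 !~ /^#/ && $5 == s' "$1" | wc -l | tr -d ' '
}

# filter_moduli IN OUT MINSIZE: copy IN to OUT, prefixing '#' to each active
# entry whose size field is below MINSIZE. Comments and malformed lines pass
# through untouched, so the header and any prior disabling survive.
filter_moduli() {
    awk -v min="$3" '
        /^#/ || NF < 5        { print; next }        # comment or odd line
        $5 + 0 < min + 0      { print "#" $0; next } # too short: disable
                              { print }              # keep strong group
    ' "$1" > "$2"
}

# make_sample_moduli OUT: constructed sample (fake hex moduli, real layout).
make_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20120821044040 2 6 100 1023 2 DEADBEEF
20120821044040 2 6 100 1535 2 CAFEF00D
20120821044040 2 6 100 2047 2 FEEDFACE
20120821044040 2 6 100 4095 5 ABCDEF01
EOF
}

# Usage on a real host (keeps a backup, then restart sshd):
#   cp /etc/ssh/moduli /etc/ssh/moduli.BAK
#   filter_moduli /etc/ssh/moduli.BAK /etc/ssh/moduli 2047
```

Because awk reads the whole line and only looks at field 5, the filter is unaffected by the length of the hex modulus, and passing 2047 as the minimum removes both sizes the post found in one pass.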

Oracle ZFS man calls for Big Red to let filesystem upstream into Linux

chasil

Re: GPL2? Think of the *BSDs!

Many, many people hold copyright on the Linux kernel. They could sue when Oracle violated their copyrights with sections 3.1 and 3.4 of the CDDL:

https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/

Oracle cannot continue to use Linux/ZFS unless the CDDL terms are relaxed. Sun designed the CDDL specifically to prevent it from spreading into Linux.

Here are the relevant sections.

[§]3.1 … Any Covered Software that You distribute or otherwise make available in Executable form must also be made available in Source Code form and that Source Code form must be distributed only under the terms of this License. …

[§] 3.4 … You may not offer or impose any terms on any Covered Software in Source Code form that alters or restricts the applicable version of this License

"We believe Sun was aware when drafting CDDLv1 of the incompatibilities; in fact, our research into its history indicates the GPLv2-incompatibility was Sun's design choice. At the time, Sun's apparent goal was to draw developers away from GNU and Linux development into Solaris. Not only did Sun not want code from GNU and Linux in Solaris, more importantly, Sun did not want technological advantages from Solaris' kernel to appear in Linux."

chasil

Re: Linux people are retar@ds

As I understand it, CDDL-licensed code requires anything that links with it to also be CDDL-licensed. Shipping a compiled kernel that includes ZFS binary modules would apply that CDDL license to all the other kernel code.

This would open the distributor to a lawsuit from all of the other contributors who did not agree to relicense their GPLv2 contributions under the CDDL.

Here is a discussion of these points (mentioned specifically as points 3.1 and 3.4):

https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/

This relicensing liability does not fall on a distributor if ZFS is obtained in source file format (*.c) and the user invokes the compiler during the installation (via "dkml"). I know of one Linux distribution that does exactly this.

chasil

Re: Everything they touch gets forked

Solaris. I believe that these are the most well-known forks:

https://www.openindiana.org/

https://www.joyent.com/smartos

I believe that they both use this kernel:

https://wiki.illumos.org/display/illumos/illumos+Home

Fuming Qualcomm smashed with 23 BILLION DOLLAR fine in monopoly abuse probe

chasil

Intel

Intel's purchase of Infineon places it in the top 5 GSM chipset providers (I believe).

A quick deal by Qualcomm buying access to Intel's fabs is likely in order. A goodwill gesture to bundle Intel's modem with a Krait (aarch64-variety) would do much to assuage the regulatory anger. Some careful Qualcomm engineering attention to Intel's discrete modem chip that brings the GSM performance closer to Snapdragon would likely satisfy Apple.

Qualcomm has the power to broaden access to mobile - their CDMA patents lock them in as sole supplier for Verizon, Sprint, and U.S. Cellular. Regulators are demanding "coopetition," and this is not unreasonable. Qualcomm needs to execute on monetizing their patent portfolio in a way that is friendly to all market segments and allows competitors to survive.

SPARC will fly: Your cheat sheet for cocktail banter at Oracle's upcoming shindig

chasil

Re: Even x86 is an option for legacy SPARC, these days

SPARC is prized among developers because it is NOT x86. When your code compiles cleanly on Linux and SPARC/Solaris, then you are reasonably sure that it's portable. There is lots of compiler support for SPARC.

Microsoft once did exactly this thing. The original NT kernel was first prepared on MIPS. I think that x86 was the 3rd target platform.

The SPARC M2 is the most powerful 64-bit CPU design that is completely open and free for anyone to adapt. Alas, that has never excited great interest, even though it should.

http://www.oracle.com/technetwork/systems/opensparc/index.html

chasil

Disliking SPARC

Everybody always loves it when I post this.

https://www.jwhitham.org/2016/02/risc-instruction-sets-i-have-known-and.html

Bing fling sting: Apple dumps Microsoft search engine for Google

chasil

But we do say...

...this search is too sensitive for Google, so I'll use DuckDuckGo.com.

Bing is the backend for DuckDuckGo.

Oracle softly increments SPARC M7 to M8, then whispers: We'll still love you, Solaris, to 2034

chasil

Not so

OpenSSH is a major component of OpenBSD. OpenSSH is the market-dominant UNIX ssh server distro.

Lots of other OpenBSD-centric technologies have moved into far larger markets.

chasil

Disliking RISC

Everybody seems to love it when I post this link.

https://www.jwhitham.org/2016/02/risc-instruction-sets-i-have-known-and.html

SUSE pledges endless love for btrfs, says Red Hat's dumping irrelevant

chasil

Oracle - the ZFS/BtrFS connection

Oracle launched the development of BtrFS and supports it in their Red Hat clone.

https://docs.oracle.com/cd/E37670_01/E37355/html/ol_btrfs.html

Oracle controls the licensing for ZFS, and is actively preventing it from reaching Red Hat.

Oracle has issued XFS patches (toward dedup), and is likely extremely familiar with Red Hat's position.

https://blogs.oracle.com/linuxkernel/upcoming-xfs-work-in-linux-v48-v49-and-v410%2c-by-darrick-wong

Red Hat has removed BtrFS to compromise Oracle's clone.

I am guessing that Red Hat wants either a) Oracle to contribute more to Red Hat for BtrFS support (in terms of cash, code, or both), or b) Oracle to release ZFS under a compatible license.

Oracle distributes a "Red Hat-compatible kernel" which might now be stripped of BtrFS. There are likely ways around that, but it forces a divergence which is to Red Hat's liking.

The Next Big Thing in Wi-Fi? Multiple access points in every home

chasil

Tomato WDS

The Tomato Linux distribution for MIPS and ARM routers is already able to do this.

The AP + WDS mode is used to slave the MAC addresses of the master and slave nodes.

https://learntomato.com/choose-wireless-bridge-mode-tomato-network/

https://en.wikibooks.org/wiki/Tomato_Firmware/Installation_and_Configuration

I'm a big fan of the Shibby Tomato Bandwidth Limiter feature - it's the easiest way that I know of to keep Windows 10 bandwidth usage under control. Runs well on an old, cheap WRT54G.

Android-ocalypse postponed: Jide withdraws Remix OS from consumer frontline

chasil

Linux apps on Android?

cc -static and Bob's your uncle.

Linus Torvalds slams 'pure garbage' from 'clowns' at Grsecurity

chasil

SELinux is not the answer.

SELinux is not the answer - pledge() is the answer.

https://news.ycombinator.com/item?id=10537674

http://www.openbsd.org/papers/hackfest2015-pledge/mgp00001.html

Android has been running SELinux since JellyBean (I think), and has been repeatedly owned despite this.

Defend yourself against ISP tracking in an Trump-era free-for-all

chasil

Re: Tor will be even slower than a VPN

This is one of many reasons for us to wean ourselves off of Google.

We will have to use DuckDuckGo, which has outsourced much of their search infrastructure to Bing (try parallel searches and you will see that they match).

Our traffic to non-Tor-friendly sites should be the exception, not the rule. They do not observe the consensus.

What's a consensus?

http://www.linuxjournal.com/content/tor-security-android-and-desktop-linux

Intel, Samsung join Apple, FTC firing squad against rival Qualcomm

chasil

Samsung?

I'm actually surprised that Samsung was willing to join the litigants.

Qualcomm could just as easily turn to Intel for foundry services, or perhaps TSMC. They could also grant HTC 6 months exclusive use of all new chips, in a similar deal to what Samsung enjoys now.

That could very well end the galaxy line. I'll bet this exact discussion has taken place many times between members of Qualcomm's board.

'Nobody's got to use the internet,' argues idiot congressman in row over ISP privacy rules

chasil

Tor

You can also just choose to use Tor.

http://www.linuxjournal.com/content/tor-security-android-and-desktop-linux

Large Hadron Collider turns up five new particles

chasil

H2O2 is not bleach.

Hydrogen Peroxide (H2O2) is not Sodium Hypochlorite (NaClO).

Hydrogen Peroxide might be more loosely called a bleaching agent.

FTFY.

chasil

Re: Er, "new" particle?

Let's take muons. They are unstable particles, but we are bombarded by them constantly on the surface of the earth (due to time dilation).

While they are unstable, they have definite impacts upon our environment, and they are vital for understanding the theory.

I can DB clearly now the clouds are gone: Oracle 12c on-premises for Linux, SPARC

chasil

Patch weekend

I can usually get Oracle db patch sets applied in about 15 minutes. I only do single-instance, no rolling-RAC. I can't complain about the time it takes an experienced DBA to apply.

I can, however, complain when Oracle divides everything up into two sets of patches and forces you to run OPatch twice (as they did in the last set). I can also complain about all the GRANTs that I have to remember to run so the patch doesn't barf. The patch process should be as simple as "yum update."

I can also bitterly complain about how terrible the encryption tools are for TNS. It is *so much easier* to bolt an stunnel instance in front of the listener and never, ever, ever use an Oracle wallet - and safer too, since stunnel can sink itself into a chroot().

Oracle databases - wonderful software, until it's not.

81's 99 in 17: Still a lotta love for the TI‑99/4A – TI's forgotten classic

chasil

Re: My first home computer...

It was mine too.

The software was terrible. The BASIC lacked peek() and poke(), so getting down to the metal with the bare-bones model was not possible.

The CPU in the base unit had a TINY amount of RAM (less than 1k) - all the memory was tied to the TMS9918(a) video chip. This is where a user's BASIC program was stored, and the CPU would converse with the VDP to run the user's program. Wow, that was a terrible idea.

You could get a "Mini Memory" cartridge with a watch battery that gave you 4k of CPU ram, but it was laughable for development in assembler. There was a full Editor/Assembler cartridge, but you had to have a memory expansion and disk system before you could run it.

This machine required a very large pile of peripherals before it gave you any glimpse of how it actually worked.

When I read about the BBC Micro and the wonderful interpreter it bundled, I'm convinced that TI should never write an interpreter of any sort ever again.

Solaris continuous upgrades have already begun, says Oracle

chasil

SPARC

I firmly believe that Oracle has made a tremendous mistake with the SPARC platform.

Both Intel and ARM now bundle a "management engine" of opaque code that the owner cannot control. This engine can access most devices on the system. We can't trust modern CPUs.

http://www.networkworld.com/article/3085494/security/intel-management-engines-security-through-obscurity-should-scare-the-out-of-you.html

Sun released both the SPARC T1 and T2 as "open-source" processors. They don't have a management engine, and they can be trusted to a much greater extent than anything Intel currently produces.

http://www.oracle.com/technetwork/systems/opensparc/opensparc-t2-page-1446157.html

Oracle can market all T# processors as CPUs that you can trust, which will never include a management engine. A market segment will want this, regardless of performance.

A slow system that you can trust is worth far more than a fast system that you can't.

Android tops 2016 vuln list, with 523 bugs

chasil

Re: The lack of update to phones is a bigger problem

...and I am still waiting for Samsung to ship a 4.4.2 security update. Slackers.

chasil

Re: Cyanogenmod: not tested, or no vulnerabilities?

OpenBSD won't help you. These cellular modem chipsets have an iommu that can do DMA to any RAM on the device.

"There are no secure smartphones."

https://www.devever.net/~hl/nosecuresmartphone

That appeared on Hacker News nearly a year ago.

HMS Illustrious sets sail for scrapyard after last-ditch bid fails

chasil

Temeraire - Shame

This too shall pass.

The Fighting Temeraire tugged to her last berth to be broken up, 1838

https://en.wikipedia.org/wiki/The_Fighting_Temeraire

Cassini tickles Saturn's rings ahead of final death plunge

chasil

Why destroy the spacecraft?

We just discovered that Saturn's great hexagon has turned green. Nobody has any idea why.

Dropping the probe into Saturn's atmosphere deprives us of any further ability to observe the poles at all.

This seems quite counterproductive.

What do you give a bear that wants to fork SSL? Whatever it wants!

chasil

TLS 1.3

It would make more sense to support *ONLY* (draft) TLS 1.3 if minimal footprint is required.

TLS 1.3 will only allow two symmetric ciphers (initially), and they must be AEAD. The selected ciphers are AES-GCM, and ChaCha20-Poly1305. All the older ciphers are gone.

Limited support for TLS 1-1.2 might be acceptable, but only with the allowed TLS 1.3 AEAD set.

Do we really need to keep dragging SHA1 into new systems?

Definitely not another Stuxnet, researchers claim as they demo industrial control rootkit

chasil

"Management Engines"

Another major problem with electronics security is the "management engine" found on Intel and ARM CPUs. Both architectures bundle opaque processor controls that have unrestricted access to networking, memory, and i/o.

http://www.networkworld.com/article/3085494/security/intel-management-engines-security-through-obscurity-should-scare-the-out-of-you.html

It appears that the best "open" CPU architecture is the decade-old SPARC T2 - the full Verilog source for the CPU is provided, and there is no "management engine."

http://www.oracle.com/technetwork/systems/opensparc/opensparc-t2-page-1446157.html

Unfortunately, no "Raspberry Pi" or otherwise reduced form-factor board is available on the market at this time. If you want to run a SPARC T2, you will likely have to purchase a used Netra server.

Linus Torvalds says ARM just doesn't look like beating Intel

chasil

The only safe PC is a SPARC

Both Intel and [most of the] ARM [community] are guilty of bundling opaque processor controls, and the i386/ARM architectures cannot be trusted as the opaque components have unrestricted access to networking, memory, and i/o.

http://www.networkworld.com/article/3085494/security/intel-management-engines-security-through-obscurity-should-scare-the-out-of-you.html

It appears that the best "open" CPU architecture is the decade-old SPARC T2 - the full Verilog source for the CPU is provided, and there is no "management engine."

http://www.oracle.com/technetwork/systems/opensparc/opensparc-t2-page-1446157.html

Unfortunately, no "Raspberry Pi" or otherwise reduced form-factor board is available on the market at this time. If you want to run a SPARC T2, you will likely have to purchase a used Netra server.

Latest Androids have 'god mode' hack hole, thanks to Qualcomm

chasil

Re: Towelroot refresh?

What app would I ever want to run that insisted that I relinquish control of my phone?

NONE!

What sane app would *insist* that we run a flawed /system/lib/libstagefright.so that would allow a system to be cracked like an egg?

What SHOULD happen is banking and finance apps that refuse to run on vulnerable systems. When Citibank and Wells Fargo start blocking Android 4.4 KitKat and lower, Google and the OEMs will probably find a way to get patches out.

chasil

Towelroot refresh?

It would be wonderful if a user-focused .APK was released that installed SuperSU on vulnerable phones using this exploit, as Towelroot did.

Even better if it managed to get S-OFF, and we could use it to definitively clear this vendor brain damage.

Perhaps Sunshine will be getting an update soon.

Free Windows 10 upgrade: Time is running out – should you do it?

chasil

What should have been written in this article.

Reasons to upgrade:

-Continued life for old hardware for the indefinite future.

-Access to the Windows Store.

-Edge browser, if that's your thing.

-Windows 7 updates get slower/stall every month. 10 works ok for now.

Reasons NOT to upgrade:

-Windows 7 was the most aesthetically pleasing version ever. Welcome back to uglyville.

-2GB ram minimum (raised from one - surprise! - Netbooks and 1GB tablets should spurn)

-Privacy issues. Lots of privacy issues. Wow, the privacy issues.

-French lawsuit.

-OpenSSH is not integrated yet. We would really like that now.

-BASH is not as good of a fit as the Midnight Korn shell (used in Android).

-BASH is also not integrated yet.

-The Windows store is not well-organized.

-You're KEEPING Candy Crush, end of story!

Maxthon web browser blabs about your PC all the way back to Beijing

chasil

Android version is awful

Maxthon for Android just wraps new UI controls around the system webkit in /system/lib/webcore.so.

Webcore *never* gets updates (apart from "rare-as-hens'-teeth" OTAs) on everything up to KitKat.

Use Maxthon on Jellybean and browse to http://ssllabs.com to see just how bad an Android browser can be. Most of the 3rd party browsers do exactly the same thing.

If a browser advertises itself as "small and fast," the security generally is terrible.

Dolphin fans freak, blast browser's bumbling bundles of bloatware

chasil

Good? It was NEVER good.

Dolphin is just a rebadged Webkit.

Lollipop is the first OS release where the Webkit can receive upgrades from the Play store. In earlier versions, /system/lib/libwebcore.so *CANNOT* be modified, nor can the TLS implementation.

Most browsers just put new UI controls around the existing webkit. You can imagine that the older versions have some severe security problems, as Apple patched 100 security bugs in 2015 alone.

Take Dolphin on Jellybean and point it at http://ssllabs.com - you will see the STRONGEST recommendation to upgrade your browser, but you cannot.

The safest browsers on Android include their own rendering engine, and that engine is not Webkit.

Tech firms reel from Leave's Brexit win

chasil

Re: London Falling

This was an advisory referendum only, with no force of law. The United Kingdom is not obligated to leave the EU.

Yes, a pro-separation change in government will soon take place. However, the more forcefully that the new government pushes for a full departure, the more forcefully Scotland and Northern Ireland will attempt to disentangle themselves from the United Kingdom.

Northern Ireland in particular might see a real increase in sectarian violence if EU separation is not handled with great care, so internal security and continental policy will become even deeper-entwined. These forces will certainly blunt immediate impulses towards separation.

The EU bureaucracy has allowed a large, hostile contingent to form in several European nations. Perhaps now an inward gaze, compelled by credible criticism, can form a more perfect union.

Fujitsu picks 64-bit ARM for Japan's monster 1,000-PFLOPS super

chasil

Re: This is why AMD and NVidia are making ARM chips

The 64-bit ARM instruction set is relatively new, and it dispensed with a number of problems from the 32-bit set.

From a programmer's perspective, 32-bit ARM was quite good compared to MIPS and SPARC. For a taste of using those architectures from the perspective of machine language, read this post:

http://blog.jwhitham.org/2016/02/risc-instruction-sets-i-have-known-and.html

A few highlights:

MIPS... You can read from a register before that register is ready.

SPARC also has a crazy feature all of its own, the "rotating register file", which makes code incredibly hard to understand.

Both SPARC and MIPS share another horrid feature - delayed branches.

...on PowerPC, r0 has special properties. Usually, r0 means general-purpose register (GPR) 0. But for some instructions it means a literal zero.

ARM-32-bit: Design errors, like having r15 as the program counter or making every instruction conditional, are problems for CPU architects rather than programmers, and it's no surprise that they disappeared in the 64-bit version of the ARM architecture. They must have made it awfully hard to implement superscalar, out-of-order execution.

Fujitsu likely sees 64-bit ARM as an opportunity to retire a steaming pile of SPARC cruft.

Shhhh! Facebook is listening

chasil

Xprivacy

I've rooted my phone, and loaded the Xposed framework.

This allowed me to load Xprivacy, and deny the "sensors" privilege to Facebook.

This configuration is compatible with many more OS releases, assuming that you can pry root access from your carrier and OEM.

Android's security patch quagmire probed by US watchdogs

chasil

At the very least...

...carriers who abandon phones within 5 years of introduction should be compelled to release any signing keys that they used to lock bootloaders.

If Verizon wants to create a walled garden with locked bootloaders, then they have a responsibility to maintain it. Any devices that do not receive quarterly security patches should be forced open, allowing Cyanogenmod to become an option for security fixes.


Biting the hand that feeds IT © 1998–2019