* Posts by chasil

108 posts • joined 18 Jul 2014


Eclipse boss claims Visual Studio Code is an open-source poseur – though he would say that, wouldn't he?


Re: Open Rewrap - VS-Codium

Actually, when I do rare work on Windows, I usually rely on the Busybox port of vi.

I still log in to HP-UX systems on occasion, and I imagine that I am using the real Bill Joy code there.


Open Rewrap - VS-Codium

Similar to Chromium ports of Google Chrome on various platforms, there is a completely open and free rewrap known as VS-Codium that only includes the open-source telemetry variant.

I have installed the RPM version of this, and I have tinkered with it. I don't use it regularly, as a full blink/v8 stack is really too much of an attack surface for simple editing. Vim is more to my tastes.

It's a no to ZFS in the Linux kernel from me, says Torvalds, points finger of blame at Oracle licensing


Re: Hypocritical

Antergos actually did all of this Linux/ZFS meshing in their installer. I wrote about that here:


Unfortunately, maintenance for Antergos has apparently ended.


Wondering where the strontium in your old CRT monitor came from? Two colliding neutron stars show us


Re: An awesome 10th of a gram...

This is incorrect.

The S-Process follows a completely different pathway, and is mentioned in the article.


What is discussed in the subject of neutron star collisions is the R-Process.


Proton capture is another pathway.


IBM hears the RISC-V kids partying next door, decides it will make its Power CPU ISA free, too


RISC-V criticism

The author of this post may exhibit bias, but perhaps the architecture is not as well-designed as some would hope.


Canonical adds ZFS on root as experimental install option in Ubuntu


ZFS benefits

ZFS is able to roll back to previous snapshots. If an OS upgrade does not work properly and the root is on ZFS, then the whole upgrade can be rolled back.

ZFS includes several types of checksums, including sha256, which can be set at any time. Every byte written to storage will be covered by a checksum, and you can "scrub" your storage to verify that everything on it is correct.

ZFS includes several types of compression. This compression can be adjusted dynamically at any time.

ZFS has a raid5 implementation that closes the "write hole," and can be safely used without battery backup.

All of us need storage that is efficient and correct. This is not delivered as well on older filesystems (EXT2/3/4, XFS, NTFS, FFS).

BtrFS delivers some of this (it does not have a reliable raid5); it does deliver defrag, which ZFS does not.

ZFS is, however, the best file system for a number of uses, some of which work well in a home/personal environment. Microsoft is reimplementing some ZFS features into ReFS, and that will be widely deployed at some point as I understand it.

Don't be an April Fool: Update your Android mobes, gizmos to – hopefully – pick up critical security fixes


I care about 3rd-party support.

The first thing that I did when I got my Nexus 6 three years ago was wipe stock.

After running Lineage with gapps for years, I finally made the jump to the MicroG reroll of Lineage.

I feel far safer.

Using a free VPN? Why not skip the middleman and just send your data to President Xi?


Just use Tor.

There are many cases where hostile sites block Tor exit nodes, and shopping through one subjects you to much more extensive 2FA, but the more people who use Tor, the more accommodating they will become.

Oi! Not encrypting RPC traffic? IETF bods would like to change that


Re: stunnel, wireguard

There are also situations where NFS should NEVER EVER EVER be run over UDP. I guess you can save stunnel for those scenarios.

Isn't there also a userspace implementation of wireguard? Perhaps you would be happier with that version.

From "man 5 nfs":

Using NFS over UDP on high-speed links

Using NFS over UDP on high-speed links such as Gigabit can cause silent data corruption.

The problem can be triggered at high loads, and is caused by problems in IP fragment reassembly. NFS read and writes typically transmit UDP packets of 4 Kilobytes or more, which have to be broken up into several fragments in order to be sent over the Ethernet link, which limits packets to 1500 bytes by default. This process happens at the IP network layer and is called fragmentation.

In order to identify fragments that belong together, IP assigns a 16bit IP ID value to each packet; fragments generated from the same UDP packet will have the same IP ID. The receiving system will collect these fragments and combine them to form the original UDP packet. This process is called reassembly. The default timeout for packet reassembly is 30 seconds; if the network stack does not receive all fragments of a given packet within this interval, it assumes the missing fragment(s) got lost and discards those it already received.

The problem this creates over high-speed links is that it is possible to send more than 65536 packets within 30 seconds. In fact, with heavy NFS traffic one can observe that the IP IDs repeat after about 5 seconds.

This has serious effects on reassembly: if one fragment gets lost, another fragment from a different packet but with the same IP ID will arrive within the 30 second timeout, and the network stack will combine these fragments to form a new packet. Most of the time, network layers above IP will detect this mismatched reassembly - in the case of UDP, the UDP checksum, which is a 16 bit checksum over the entire packet payload, will usually not match, and UDP will discard the bad packet.

However, the UDP checksum is 16 bit only, so there is a chance of 1 in 65536 that it will match even if the packet payload is completely random (which very often isn't the case). If that is the case, silent data corruption will occur.

This potential should be taken seriously, at least on Gigabit Ethernet. Network speeds of 100Mbit/s should be considered less problematic, because with most traffic patterns IP ID wrap around will take much longer than 30 seconds.

It is therefore strongly recommended to use NFS over TCP where possible, since TCP does not perform fragmentation.

Jumbo frames are the top-rated workaround.

p.s. Olaf Kirch's overview of NFS on Linux says that TCP was always the default.
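The nfs(5) text quoted above states the IP ID wrap-around and the 1-in-65536 UDP checksum figures without showing the arithmetic. The following Python is added here as an illustration; it is not part of the post or of the man page. It computes the wrap time for a saturated link under stated framing assumptions (8 KB NFS datagrams, a 1500-byte MTU, Ethernet II overhead, IPv4 without options), then models the mis-reassembly with an RFC 1071 checksum to show what the 16-bit UDP checksum does and does not catch: a stray fragment differing by a single bit is rejected, while one whose 16-bit words merely sum to the same value (here, the same words in reverse order) is accepted as valid data. All sample traffic is constructed with a fixed seed.

```python
import math
import random

# Framing assumptions for this example (not from the post): IPv4 without
# options, UDP, Ethernet II. Each fragment costs an IP header plus the
# 14-byte Ethernet header, 4-byte FCS, 8-byte preamble/SFD and 12-byte
# inter-frame gap on the wire.
IP_HEADER = 20
UDP_HEADER = 8
FRAME_OVERHEAD = 14 + 4 + 8 + 12


def fragment_count(udp_payload: int, mtu: int = 1500) -> int:
    """Number of IP fragments one UDP datagram of udp_payload bytes needs.
    All fragments but the last carry a multiple of 8 bytes of IP payload."""
    ip_payload = UDP_HEADER + udp_payload
    per_fragment = ((mtu - IP_HEADER) // 8) * 8  # 1480 for a 1500-byte MTU
    return math.ceil(ip_payload / per_fragment)


def ipid_wrap_seconds(link_bps: float, udp_payload: int = 8192,
                      mtu: int = 1500) -> float:
    """Seconds until a link saturated with back-to-back datagrams of this size
    has used all 65536 IP ID values. Every fragment of a datagram shares one
    IP ID, so IDs are consumed per datagram, not per frame."""
    frags = fragment_count(udp_payload, mtu)
    wire_bytes = UDP_HEADER + udp_payload + frags * (IP_HEADER + FRAME_OVERHEAD)
    datagrams_per_second = link_bps / 8 / wire_bytes
    return 65536 / datagrams_per_second


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, as UDP uses it. The UDP
    pseudo-header is omitted: it is identical for the two reassemblies
    compared below, so it cannot change the comparison."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def reassemble_with_stray(datagram: bytes, stray: bytes, index: int,
                          frag_size: int = 1480) -> bytes:
    """Model the failure nfs(5) describes: fragment `index` of `datagram` was
    lost and a fragment with the same IP ID from another datagram filled it."""
    start = index * frag_size
    return datagram[:start] + stray[:frag_size] + datagram[start + frag_size:]


def checksum_detects(original: bytes, reassembled: bytes) -> bool:
    """True if the receiver's UDP checksum would reject the reassembly."""
    return internet_checksum(original) != internet_checksum(reassembled)


def reversed_words(fragment: bytes) -> bytes:
    """Same 16-bit words in reverse order: different bytes, identical
    ones'-complement sum, so the checksum cannot tell the two apart."""
    words = [fragment[i:i + 2] for i in range(0, len(fragment), 2)]
    return b"".join(reversed(words))


def demo() -> dict:
    """Constructed sample traffic with a fixed seed."""
    rng = random.Random(1)
    original = bytes(rng.getrandbits(8) for _ in range(UDP_HEADER + 8192))
    victim = original[1480:2960]                      # fragment 1 of six
    one_bit_off = bytes([victim[0] ^ 0x01]) + victim[1:]
    return {
        "fragments": fragment_count(8192),
        "wrap_1g_seconds": round(ipid_wrap_seconds(1e9), 2),
        "wrap_100m_seconds": round(ipid_wrap_seconds(1e8), 2),
        "one_bit_detected": checksum_detects(
            original, reassemble_with_stray(original, one_bit_off, 1)),
        "reordered_detected": checksum_detects(
            original, reassemble_with_stray(original, reversed_words(victim), 1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under these assumptions the 16-bit ID space wraps in roughly 4.5 seconds at 1 Gbit/s and roughly 45 seconds at 100 Mbit/s, which is the shape of the man page's argument: only the faster link wraps inside the 30-second reassembly timeout. The reordered-words case is deliberately contrived, but it shows that the checksum's protection is a property of which bit patterns collide, not a random 1-in-65536 draw, which is why TCP (no fragmentation) or jumbo frames (no fragments for 8 KB datagrams) are the actual fixes.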


stunnel, wireguard

I used stunnel in the past to encrypt NFSv4 over TCP. NFS makes use of ONC RPC.

Wireguard also has a much, much smaller footprint than any TLS implementation, and would likely shield any and all RPC traffic.


You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy


Re: This is why I set Firefox to clear cache, etc... on close

On Android, Firefox sometimes stalls when clearing the cache prior to exiting.

The solution to that is to swipe it away from the task list, open it again, and close it. If it again stalls, repeat.

I wish that would get fixed.



Android is the most popular computing platform, and it offers "Webview," which had previously been based on Apple Webkit/KDE Konqueror KHTML, but was forked and diverted by Google beginning with Android Lollipop.

Any application can call Webview to render remote or local HTML. There are dozens of browsers that do this in differing ways, and likely hundreds or thousands of apps that do this for specific uses that are not part of their core function.

Windows also does something similar with the historical "Trident" rendering engine, but this is now done with EdgeHTML on Windows 10.

Android Phones are 10: For once, Google won fair and square


Re: Android is a terrible operating system.

And just in case anyone here has doubts about how awful Android's media system is, let's refer to an authoritative source:

"Don't start me on [Android] Stagefright and Mediaserver, I could rant for 2 or 3 hours non-stop! Seriously, the code over there is crap, and has insane concepts, like aborting the whole mediaserver (and all related media decoding of all other applications running at the same time), when it parses a file with attributes it does not know, instead of skipping the file. We discovered some issues in Stagefright (busy loops, device reboots, mediaserver crashes) quite early, but we never thought about submitting them."



Android is a terrible operating system.

If you are building an OS that cannot receive regular updates, then you have to make some sacrifices for security. Android most certainly did not do this.

Using chroot() for untrusted apps is a well-known practice that Android ignored.

The Java JRE and other bytecode emulators (i.e. .NET) have led an extremely troubled existence from a security perspective; Ada compiled to native code would have been a far safer choice.

Instead of doing any of these things, Android requires all of the media libraries to be linked into the Zygote process which is forked to run apps. This is about the same as systemd refusing to run without a complete copy of VLC in its shared text segment. Android's media system is a particular disaster.

Android won because of the deal-making behind it - it certainly did not win on technical merit.

The consequence is that, every month, we have new critical flaws, addressed by OEM patches that either don't exist or are quite tardy.

See for yourself:


Microsoft hopes it has a sequel better than Godfather Part II: SQL Server 2019 previewed


sqlite is the most popular database

SQLite is the most popular, bar none. They just got window functions last month, too.


Every Android device

Every iPhone and iOS device

Every Mac

Every Windows10 machine

Every Firefox, Chrome, and Safari web browser

Every instance of Skype

Every instance of iTunes

Every Dropbox client

Every TurboTax and QuickBooks

PHP and Python

Most television sets and set-top cable boxes

Most automotive multimedia systems

Linux kernel 'give me root, now' security hole sighted, dubbed 'Mutagen Astronomy'


I wonder which versions of Oracle's UEK were vulnerable.

The 862.14.4 kernel just came down yesterday.

Heads up: Fujitsu tips its hand to reveal exascale Arm supercomputer processor – the A64FX


Re: Why no ARM servers?

ARM 64-bit support only emerged in 2011, and it's vastly different from the 32-bit ISA (I understand it's much more like MIPS).

This also came late to x86 with the Opteron in 2003.

MIPS owned supercomputing in the 90s starting with the 1991 release of the 64-bit R4000.

The ARM 32-bit ISA had design decisions that limited performance. I would say that Sophie's ISA was perfect for an '80s Acorn, but not so much for a Cray.


Systemd-free Devuan Linux looses version 2.0 release candidate



The article doesn't mention what init system replaced it - we have all assumed a classic SysVinit. Is this so?

I have some old systems that use respawn behavior in the inittab to keep some of my Oracle clients running. I have them all set up to run with init 4. Unfortunately, the inittab only respawns ROOT processes, so I needed a wrapper to setuid() and drop various privileges, then get the Oracle environment variables in place, erase any lock files, then finally execute the correct program. My C code that does this resembles duct tape and baling wire.

Moving these processes to systemd was VERY pleasant. I created units that ran as the correct users, read environment files and set them before executing, erased lock files before forking the main process, then ran final settings mods after the last program was up. I did not need any of my ugly C for this at all.

I can do all of this under either system, but what I needed was much more straightforward with systemd. I understand why people don't like it, but it does work for me when I need it.
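The wrapper the post describes (drop privileges, load the Oracle environment, clear lock files, exec the real program), written in Python as an added example rather than the poster's C; none of this is the poster's code. The environment file, the service user name, the lock path and the program path are made up for illustration. The privilege drop follows the usual order (supplementary groups and primary gid while still root, uid last) and then proves the drop is permanent by attempting to regain root.

```python
import os
import pwd
import shlex

# Constructed sample of an environment file for an Oracle client. systemd's
# EnvironmentFile= does no variable expansion, and neither does this parser,
# so every value is written out in full.
SAMPLE_ENV = """\
# Oracle client environment (constructed example)
ORACLE_HOME=/u01/app/oracle/product/19.3/client_1
export ORACLE_SID=ORCL
TNS_ADMIN=/u01/app/oracle/product/19.3/client_1/network/admin
NLS_LANG="AMERICAN_AMERICA.AL32UTF8"
"""


def parse_env_file(text: str) -> dict:
    """Read KEY=VALUE lines; blank lines, comments and a leading 'export '
    are tolerated, and quoting follows shell rules via shlex."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep or not key.isidentifier():
            raise ValueError(f"bad environment line: {raw!r}")
        env[key] = " ".join(shlex.split(value))
    return env


def build_child_env(env_file_text: str, keep=("PATH", "TERM")) -> dict:
    """Start from an empty environment rather than inheriting root's, copy a
    short allowlist from the parent, then apply the file on top."""
    env = {k: os.environ[k] for k in keep if k in os.environ}
    env.update(parse_env_file(env_file_text))
    return env


def current_ids() -> tuple:
    return os.getuid(), os.getgid()


def running_as_root() -> bool:
    return os.geteuid() == 0


def current_user() -> str:
    return pwd.getpwuid(os.getuid()).pw_name


def drop_privileges(user: str) -> tuple:
    """Become `user` irreversibly. Order matters: supplementary groups and the
    primary gid must be set while still root, and setuid() comes last because
    afterwards the group calls would fail. An unprivileged caller may only
    'drop' to itself, which the self-check in the test uses."""
    pw = pwd.getpwnam(user)
    if pw.pw_uid == 0:
        raise ValueError("refusing to run the client as root")
    if running_as_root():
        os.initgroups(pw.pw_name, pw.pw_gid)
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)
    elif os.geteuid() != pw.pw_uid:
        raise PermissionError("not root, and not already the target user")
    # Prove the drop is permanent: regaining root must fail.
    try:
        os.setuid(0)
    except PermissionError:
        return current_ids()
    raise RuntimeError("privilege drop failed: setuid(0) still succeeds")


def run_client(user: str, env_file_text: str, lock_files, argv):
    """The wrapper proper: drop privileges first, so stale locks are removed
    and the program is started as the service user, never as root."""
    drop_privileges(user)
    env = build_child_env(env_file_text)
    for path in lock_files:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
    os.execvpe(argv[0], argv, env)   # does not return


if __name__ == "__main__":
    # Example invocation; the user, lock path and program path are hypothetical.
    run_client("oracle", SAMPLE_ENV, ["/var/run/oracle/client.lock"],
               ["/u01/app/oracle/product/19.3/client_1/bin/sqlplus", "/nolog"])
```

Removing the lock files only after the drop means the wrapper can never delete something the service user could not have deleted itself, at the cost that the lock directory must be writable by that user. A systemd unit expresses the same sequence with User=, EnvironmentFile= and ExecStartPre=, which is the point the post makes.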

Intel gives Broadwells and Haswells their Meltdown medicine


Re: New processor? - NO!

The microcode is needed for Spectre V2. Ubuntu already has the Retpoline workaround in their kernels addressing this. Call out to Red Hat - why can't you do this?

Retpolines are faster than the microcode. If at all possible, use them instead. Below is an ancient Core Duo that is fully protected.

root@squib:~# ./spectre-meltdown-checker.sh ...

Kernel is Linux 4.13.0-36-generic #40-Ubuntu SMP Fri Feb 16 20:07:48 UTC 2018 x86_64

CPU is Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz...

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'...

> STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'...

* Mitigation 2

* Kernel compiled with retpoline option: YES

* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)

* Retpoline enabled: YES

> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'...


Liberating SSH from Logjam leftovers


detect, fix

I wasn't expecting this, but 1024/1535 bit primes are in the latest CentOS.

# fgrep ' 1023 ' /etc/ssh/moduli | wc -l


# fgrep ' 1535 ' /etc/ssh/moduli | wc -l


This "in-place" sed edit command will remove them (restart sshd after edit):

sed -i.BAK 's/^.*[ ]1023[ ]/#&/;s/^.*[ ]1535[ ]/#&/' /etc/ssh/moduli
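A parser-based version of the same detect-and-fix step, added here as an illustration and not the poster's code. The sed above keys on the size field; this one decodes each modulus and filters on its real bit length, and it also checks that the size field agrees with the modulus (the file records 1023 for a 1024-bit group, i.e. one less than the bit length). Like the sed, it comments entries out rather than deleting them and keeps a .BAK copy. The sample file contents are constructed: the hex values have the right length for their size field but are not safe primes.

```python
import shutil
import sys

# Constructed sample in the moduli(5) layout: time, type, tests, trials,
# size, generator, modulus (hex). The size field is one less than the
# modulus bit length (1023 for a 1024-bit group). The hex values below
# have the right length but are placeholders, not safe primes.
SAMPLE_MODULI = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    "20120821044040 2 6 100 1023 2 " + "f" * 256,   # 1024-bit group
    "20120821044046 2 6 100 1535 2 " + "f" * 384,   # 1536-bit group
    "20120821044052 2 6 100 2047 2 " + "f" * 512,   # 2048-bit group
    "20120821044058 2 6 100 3071 5 " + "f" * 768,   # 3072-bit group
]) + "\n"


def parse_moduli(text: str):
    """Yield (line, entry) pairs; entry is None for blank and comment lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            yield line, None
            continue
        fields = stripped.split()
        if len(fields) != 7:
            raise ValueError(f"malformed moduli line: {line!r}")
        entry = {
            "time": fields[0], "type": int(fields[1]), "tests": int(fields[2]),
            "trials": int(fields[3]), "size": int(fields[4]),
            "generator": int(fields[5]), "modulus": int(fields[6], 16),
        }
        if entry["modulus"].bit_length() != entry["size"] + 1:
            raise ValueError(f"size field disagrees with modulus: {line!r}")
        yield line, entry


def count_by_size(text: str) -> dict:
    """Equivalent of the fgrep ' 1023 ' | wc -l checks, for every size."""
    counts = {}
    for _, entry in parse_moduli(text):
        if entry is not None:
            counts[entry["size"]] = counts.get(entry["size"], 0) + 1
    return counts


def filter_moduli(text: str, min_bits: int = 2048):
    """Comment out (rather than delete) every group whose modulus is shorter
    than min_bits. Returns the new file text and the sizes that were dropped."""
    out, dropped = [], []
    for line, entry in parse_moduli(text):
        if entry is not None and entry["modulus"].bit_length() < min_bits:
            out.append("#" + line)
            dropped.append(entry["size"])
        else:
            out.append(line)
    return "\n".join(out) + "\n", dropped


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/moduli"
    with open(path) as f:
        text = f.read()
    new_text, dropped = filter_moduli(text)
    shutil.copyfile(path, path + ".BAK")
    with open(path, "w") as f:
        f.write(new_text)
    print(f"commented out {len(dropped)} groups: sizes {sorted(set(dropped))}")
```

The consistency check matters because the sed pattern trusts the size field; an entry whose field had been mis-edited to look large would survive the sed but is caught here, since the decision is made on the modulus itself.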

Oracle ZFS man calls for Big Red to let filesystem upstream into Linux


Re: GPL2? Think of the *BSDs!

Many, many people hold copyright on the Linux kernel. They could sue when Oracle violated their copyrights with sections 3.1 and 3.4 of the CDDL:


Oracle cannot continue to use Linux/ZFS unless the CDDL terms are relaxed. Sun designed the CDDL specifically to prevent it from spreading into Linux.

Here are the relevant sections.

[§]3.1 … Any Covered Software that You distribute or otherwise make available in Executable form must also be made available in Source Code form and that Source Code form must be distributed only under the terms of this License. …

[§] 3.4 … You may not offer or impose any terms on any Covered Software in Source Code form that alters or restricts the applicable version of this License

"We believe Sun was aware when drafting CDDLv1 of the incompatibilities; in fact, our research into its history indicates the GPLv2-incompatibility was Sun's design choice. At the time, Sun's apparent goal was to draw developers away from GNU and Linux development into Solaris. Not only did Sun not want code from GNU and Linux in Solaris, more importantly, Sun did not want technological advantages from Solaris' kernel to appear in Linux."


Re: Linux people are retar@ds

As I understand it, CDDL-licensed code requires anything that links with it to also be CDDL-licensed. Shipping a compiled kernel that includes ZFS binary modules would apply that CDDL license to all the other kernel code.

This would open the distributor to a lawsuit from all of the other contributors who did not agree to relicense their GPLv2 contributions under the CDDL.

Here is a discussion of these points (mentioned specifically as points 3.1 and 3.4):


This relicensing liability does not fall on a distributor if ZFS is obtained in source file format (*.c) and the user invokes the compiler during the installation (via "dkms"). I know of one Linux distribution that does exactly this.


Re: Everything they touch gets forked

Solaris. I believe that these are the most well-known forks:



I believe that they both use this kernel:


Fuming Qualcomm smashed with 23 BILLION DOLLAR fine in monopoly abuse probe



Intel's purchase of Infineon places it in the top 5 GSM chipset providers (I believe).

A quick deal by Qualcomm buying access to Intel's fabs is likely in order. A goodwill gesture to bundle Intel's modem with a Krait (aarch64-variety) would do much to assuage the regulatory anger. Some careful Qualcomm engineering attention to Intel's discrete modem chip that brings the GSM performance closer to Snapdragon would likely satisfy Apple.

Qualcomm has the power to broaden access to mobile - their CDMA patents lock them in as the sole supplier for Verizon, Sprint, and U.S. Cellular. Regulators are demanding "coopetition," and this is not unreasonable. Qualcomm needs to execute on monetizing their patent portfolio in a way that is friendly to all market segments and allows competitors to survive.

SPARC will fly: Your cheat sheet for cocktail banter at Oracle's upcoming shindig


Re: Even x86 is an option for legacy SPARC, these days

SPARC is prized among developers because it is NOT x86. When your code compiles cleanly on Linux and SPARC/Solaris, then you are reasonably sure that it's portable. There is lots of compiler support for SPARC.

Microsoft once did exactly this thing. The original NT kernel was first prepared on MIPS. I think that x86 was the 3rd target platform.

The SPARC M2 is the most powerful 64-bit CPU design that is completely open and free for anyone to adapt. Alas, that has never excited great interest, even though it should.



Disliking SPARC

Everybody always loves it when I post this.


Bing fling sting: Apple dumps Microsoft search engine for Google


But we do say...

...this search is too sensitive for Google, so I'll use DuckDuckGo.com.

Bing is the backend for DuckDuckGo.

Oracle softly increments SPARC M7 to M8, then whispers: We'll still love you, Solaris, to 2034


Not so

OpenSSH is a major component of OpenBSD. OpenSSH is the market-dominant UNIX ssh server distro.

Lots of other OpenBSD-centric technologies have moved into far larger markets.


Disliking RISC

Everybody seems to love it when I post this link.


SUSE pledges endless love for btrfs, says Red Hat's dumping irrelevant


Oracle - the ZFS/BtrFS connection

Oracle launched the development of BtrFS and supports it in their Red Hat clone.


Oracle controls the licensing for ZFS, and is actively preventing it from reaching Red Hat.

Oracle has issued XFS patches (toward dedup), and is likely extremely familiar with Red Hat's position.


Red Hat has removed BtrFS to compromise Oracle's clone.

I am guessing that Red Hat wants either a) Oracle to contribute more to Red Hat for BtrFS support (in terms of cash, code, or both), or b) Oracle to release ZFS under a compatible license.

Oracle distributes a "Red Hat-compatible kernel" which might now be stripped of BtrFS. There are likely ways around that, but it forces a divergence which is to Red Hat's liking.

The Next Big Thing in Wi-Fi? Multiple access points in every home


Tomato WDS

The Tomato Linux distribution for MIPS and ARM routers is already able to do this.

The AP + WDS mode is used to slave the MAC addresses of the master and slave nodes.



I'm a big fan of the Shibby Tomato Bandwidth Limiter feature - it's the easiest way that I know of to keep Windows 10 bandwidth usage under control. Runs well on an old, cheap WRT54G.

Android-ocalypse postponed: Jide withdraws Remix OS from consumer frontline


Linux apps on Android?

cc -static and Bob's your uncle.

Linus Torvalds slams 'pure garbage' from 'clowns' at Grsecurity


SELinux is not the answer.

SELinux is not the answer - pledge() is the answer.



Android has been running SELinux since JellyBean (I think), and has been repeatedly owned despite this.

Defend yourself against ISP tracking in an Trump-era free-for-all


Re: Tor will be even slower than a VPN

This is one of many reasons for us to wean ourselves off of Google.

We will have to use DuckDuckGo, which has outsourced much of their search infrastructure to Bing (try parallel searches and you will see that they match).

Our traffic to non-Tor-friendly sites should be the exception, not the rule. They do not observe the consensus.

What's a consensus?


Intel, Samsung join Apple, FTC firing squad against rival Qualcomm



I'm actually surprised that Samsung was willing to join the litigants.

Qualcomm could just as easily turn to Intel for foundry services, or perhaps TSMC. They could also grant HTC 6 months exclusive use of all new chips, in a similar deal to what Samsung enjoys now.

That could very well end the Galaxy line. I'll bet this exact discussion has taken place many times between members of Qualcomm's board.

'Nobody's got to use the internet,' argues idiot congressman in row over ISP privacy rules



You can also just choose to use Tor.


Large Hadron Collider turns up five new particles


H2O2 is not bleach.

Hydrogen Peroxide (H2O2) is not Sodium Hypochlorite (NaClO).

Hydrogen Peroxide might be more loosely called a bleaching agent.



Re: Er, "new" particle?

Let's take muons. They are unstable particles, but we are bombarded by them constantly on the surface of the earth (due to time dilation).

While they are unstable, they have definite impacts upon our environment, and they are vital for understanding the theory.

I can DB clearly now the clouds are gone: Oracle 12c on-premises for Linux, SPARC


Patch weekend

I can usually get Oracle db patch sets applied in about 15 minutes. I only do single-instance, no rolling-RAC. I can't complain about the time it takes an experienced DBA to apply.

I can, however, complain when Oracle divides everything up into two sets of patches and forces you to run OPatch twice (as they did in the last set). I can also complain about all the GRANTs that I have to remember to run so the patch doesn't barf. The patch process should be as simple as "yum update."

I can also bitterly complain about how terrible the encryption tools are for TNS. It is *so much easier* to bolt an stunnel instance in front of the listener and never, ever, ever use an Oracle wallet - and safer too, since stunnel can sink itself into a chroot().

Oracle databases - wonderful software, until it's not.

81's 99 in 17: Still a lotta love for the TI‑99/4A – TI's forgotten classic


Re: My first home computer...

It was mine too.

The software was terrible. The BASIC lacked peek() and poke(), so getting down to the metal with the bare-bones model was not possible.

The CPU in the base unit had a TINY amount of RAM (less than 1k) - all the memory was tied to the TMS9918(a) video chip. This is where a user's BASIC program was stored, and the CPU would converse with the VDP to run the user's program. Wow, that was a terrible idea.

You could get a "Mini Memory" cartridge with a watch battery that gave you 4k of CPU ram, but it was laughable for development in assembler. There was a full Editor/Assembler cartridge, but you had to have a memory expansion and disk system before you could run it.

This machine required a very large pile of peripherals before it gave you any glimpse of how it actually worked.

When I read about the BBC Micro and the wonderful interpreter it bundled, I'm convinced that TI should never write an interpreter of any sort ever again.

Solaris continuous upgrades have already begun, says Oracle



I firmly believe that Oracle has made a tremendous mistake with the SPARC platform.

Both Intel and ARM now bundle a "management engine" of opaque code that the owner cannot control. This engine can access most devices on the system. We can't trust modern CPUs.


Sun released both the SPARC T1 and T2 as "open-source" processors. They don't have a management engine, and they can be trusted to a much greater extent than anything Intel currently produces.


Oracle can market all T# processors as CPUs that you can trust, which will never include a management engine. A market segment will want this, regardless of performance.

A slow system that you can trust is worth far more than a fast system that you can't.

Android tops 2016 vuln list, with 523 bugs


Re: The lack of update to phones is a bigger problem

...and I am still waiting for Samsung to ship a 4.4.2 security update. Slackers.


Re: Cyanogenmod: not tested, or no vulnerabilities?

OpenBSD won't help you. These cellular modem chipsets have an IOMMU that can do DMA to any RAM on the device.

"There are no secure smartphones."


That appeared on Hacker News nearly a year ago.

HMS Illustrious sets sail for scrapyard after last-ditch bid fails


Temeraire - Shame

This too shall pass.

The Fighting Temeraire tugged to her last berth to be broken up, 1838


Cassini tickles Saturn's rings ahead of final death plunge


Why destroy the spacecraft?

We just discovered that Saturn's great hexagon has turned green. Nobody has any idea why.

Dropping the probe into Saturn's atmosphere deprives us of any further ability to observe the poles at all.

This seems quite counterproductive.

What do you give a bear that wants to fork SSL? Whatever it wants!


TLS 1.3

It would make more sense to support *ONLY* (draft) TLS 1.3 if a minimal footprint is required.

TLS 1.3 will only allow two symmetric ciphers (initially), and they must be AEAD. The selected ciphers are AES-GCM, and ChaCha20-Poly1305. All the older ciphers are gone.

Limited support for TLS 1.0-1.2 might be acceptable, but only with the allowed TLS 1.3 AEAD set.

Do we really need to keep dragging SHA1 into new systems?
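What the post's two configurations look like in practice, as an added example using Python's ssl module (not the poster's code, and nothing to do with the library the article is about): one context that negotiates TLS 1.3 and nothing else, and the fallback the post would tolerate, which still admits TLS 1.2 peers but only with ephemeral ECDH and the same AEAD suites. The helper functions then list what each context would actually offer, so the AEAD-only claim can be checked against the local OpenSSL rather than taken on trust. The exact suite names depend on the OpenSSL build the interpreter is linked against.

```python
import ssl

# Markers of the AEAD constructions TLS 1.3 permits; a suite name without one
# (the CBC suites ending in -SHA, -SHA256 or -SHA384) is an HMAC-based suite.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def tls13_only_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """A context that negotiates TLS 1.3 and nothing else."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def aead_only_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """The fallback the post allows: TLS 1.2 peers are accepted, but only with
    ephemeral ECDH and the AEAD suites (AES-GCM, ChaCha20-Poly1305).
    OpenSSL keeps its TLS 1.3 suite list separate from this cipher string."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def offered_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the suites this context would offer with the local OpenSSL."""
    return [c["name"] for c in ctx.get_ciphers()]


def is_aead(name: str) -> bool:
    return any(marker in name for marker in AEAD_MARKERS)


def non_aead_ciphers(ctx: ssl.SSLContext) -> list:
    """Suites the context still offers that are not AEAD; should be empty."""
    return [n for n in offered_ciphers(ctx) if not is_aead(n)]


def version_floor(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, ctx in (("default", ssl.create_default_context()),
                       ("tls13_only", tls13_only_context()),
                       ("aead_only", aead_only_context())):
        print(f"{label}: floor {version_floor(ctx)}, "
              f"{len(offered_ciphers(ctx))} suites, "
              f"non-AEAD: {non_aead_ciphers(ctx)}")
```

Running the block prints the three contexts side by side; the default one is where any CBC/HMAC suites the local OpenSSL still enables will show up, which is the footprint the post is arguing against carrying into a new implementation.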

Definitely not another Stuxnet, researchers claim as they demo industrial control rootkit


"Management Engines"

Another major problem with electronics security is the "management engine" found on Intel and ARM CPUs. Both architectures bundle opaque processor controls that have unrestricted access to networking, memory, and i/o.


It appears that the best "open" CPU architecture is the decade-old SPARC T2 - the full Verilog source for the CPU is provided, and there is no "management engine."


Unfortunately, no "Raspberry Pi" or otherwise reduced form-factor board is available on the market at this time. If you want to run a SPARC T2, you will likely have to purchase a used Netra server.

Linus Torvalds says ARM just doesn't look like beating Intel


The only safe PC is a SPARC

Both Intel and [most of the] ARM [community] are guilty of bundling opaque processor controls, and the i386/ARM architectures cannot be trusted as the opaque components have unrestricted access to networking, memory, and i/o.


It appears that the best "open" CPU architecture is the decade-old SPARC T2 - the full Verilog source for the CPU is provided, and there is no "management engine."


Unfortunately, no "Raspberry Pi" or otherwise reduced form-factor board is available on the market at this time. If you want to run a SPARC T2, you will likely have to purchase a used Netra server.

Latest Androids have 'god mode' hack hole, thanks to Qualcomm


Re: Towelroot refresh?

What app would I ever want to run that insisted that I relinquish control of my phone?


What sane app would *insist* that we run a flawed /system/lib/libstagefright.so that would allow a system to be cracked like an egg?

What SHOULD happen is banking and finance apps that refuse to run on vulnerable systems. When Citibank and Wells Fargo start blocking Android 4.4 KitKat and lower, Google and the OEMs will probably find a way to get patches out.


Towelroot refresh?

It would be wonderful if a user-focused .APK was released that installed SuperSU on vulnerable phones using this exploit, as Towelroot did.

Even better if it managed to get S-OFF, and we could use it to definitively clear this vendor brain damage.

Perhaps Sunshine will be getting an update soon.



Biting the hand that feeds IT © 1998–2020