Archive for June, 2007

Serious Intel Core 2 Vulnerabilities

June 28, 2007

Lead OpenBSD developer Theo de Raadt has mentioned some problems with Intel’s Core 2 processors that “will *ASSUREDLY* be exploitable from userland code.” Here’s an easy-to-view (i.e., non-PDF) image of the errata list.

Theo adds:

At this time, I cannot recommend purchase of any machines based on the Intel Core 2 until these issues are dealt with (which I suspect will take more than a year). Intel must become more transparent.

(While here, I would like to say that AMD is becoming less helpful day by day towards open source operating systems too, perhaps because their serious errata lists are growing rapidly too).

He says that serious problems could (or will) persist because “some are things that every operating system will do until about mid-2008, because that is how the MMU has always been managed on all generations of Intel/AMD/whoeverelse hardware.” Out of the 20-30 bugs that can’t be worked around by operating systems, Theo says he’d be willing to bet money that at least two or three of them are exploitable.

The thread is available here.

Quote of the Day

June 27, 2007

This one made me laugh pretty good:

I have compiled a kernel, it’s just that I was not successful.
–nipun_jain (DSL forums)

It’s either-or, not a shade of grey.

T-Mobile UMA Service Rolls Out Today

June 27, 2007

T-Mobile begins offering US customers unlicensed mobile access (UMA) today. This merges WiFi with cellular, enabling better indoor reception via a wireless router (so it requires you to have broadband) as well as connection at T-Mobile’s hotspots.

The initial pricing scheme allows users to add unlimited At-Home service for $10 (regular price will be $20). Family plan prices are $10 a month higher ($20 promotionally, $30 regular). Minutes on WiFi are unlimited and calls started on WiFi and then switched to cellular are also free (so start your calls at Starbucks using WiFi and then carry the discussion over as you roam to cellular coverage).

T-Mobile is offering two different routers that are free after a $50 rebate, but the service will work on any WiFi router. T-Mobile says the approved routers they sell give calls a higher priority, so power users downloading large files won’t throttle bandwidth so much that it affects (or drops) calls.

Quality is said to be constant, and calls automatically switch between WiFi and cellular. T-Mobile’s approved routers (the ones they sell) encrypt calls at the touch of a button and without having to enter a password; no word yet about a similarly easy way to encrypt calls through your own router.

No to GPLv3

June 25, 2007

I wrote a couple months ago about why I was reluctant to support GPLv3. Now that the final draft is out, I’m more firmly against it.

OBJECTION 1: The “anti-Tivoization” clauses deal with hardware issues, not software issues. Tivo has released back code changes per the requirements of GPLv2. They haven’t done anything to violate the spirit or letter of GPLv2. All they’ve done is set signatures in their players that allow their software to run. This is no different from what other hardware vendors — including Apple — do. The new restrictions in GPLv3 would prevent other Linux vendors from releasing anything with digital signatures. There are beneficial uses of digital signatures. Instead of fighting for more freedoms, the FSF is fighting against both freedom and against security.

OBJECTION 2: GPLv3’s attack on DRM is completely wrong. DRM’s goal is to protect data, not to prevent users from having access to the software code. Rather than find ways to work with groups like RIAA to protect copyrighted material, FSF has set itself up as the arbiter of what is and isn’t worthy of copyright protection. In a perfect world, people would respect copyrights rather than find new ways to violate them.

A digital audio tune is data, not software. So is a movie that’s been converted from DVD. The copyright protections afforded the contents of the tune or the movie don’t change because someone has digitized them.

The focus of FSF is no longer software, they’re taking on hardware and data. That’s a shame. All they have to do is make a public case for hardware vendors to release specs so open source drivers can be written so everyone has access to new hardware. And instead of taking on manufacturers of video cards, they’re taking shots at Tivo — a user and big supporter of open source. Just goes to show that what’s successful gets attacked by certain quarters.

Also a shame is the fact that many software projects have chosen language like “GPLv2 or greater” in their licenses and have locked themselves in to GPLv3 whether or not it suits their software and their politics. At least the Linux kernel is GPLv2, period. I don’t know how many people would have to give Linus permission, but I know he’s not inclined to change licenses himself.

My philosophical preference has always been the BSD license. BSD licensing allows full freedom for the developer and the user. It respects that some people may want to lock up certain code for certain reasons (this has benefited Linux and nearly every other OS that has functional TCP/IP, including NT). It doesn’t make demands of the user (e.g., submitting changes back, as Tivo has done to the satisfaction of Linus and even the FSF). It doesn’t make demands of hardware manufacturers. It doesn’t make demands of people who have copyrights on software, books, music, or movies. It just respects that everyone is different and entitled to rights to use, change, etc., code as they see fit rather than as FSF sees fit.

New category: FSF sucks.

Podcast Links on Blogroll

June 23, 2007

I’ve added a list of my favorite podcasts related to Linux, BSD, and open source. More to follow.

OSX Doomsday: One Week Away

June 22, 2007

Apple will release their highly-advertised and highly-coveted iPhone a week from today. With all the clamor about how nifty it is, I think it’s time for a reality check. And I don’t mean how much an iPhone will cost upfront, or how owners and users will be locked into multiple subscriptions (AT&T will require a two-year service contract, Apple will require iTunes subscription, etc.).

I mean: how secure is OSX?

Apple products, aside from iPod, have never garnered enough use to warrant the kind of onslaught Windows has faced from hackers. I think iPhone is about to change that.

Why do people rob banks? That’s where the money is. Hackers attack Windows because of its prevalence. It helps that it’s historically been so vulnerable to system compromise, but it’s not attacked simply because it’s vulnerable. Windows is hacked because it dominates desktops, laptops, and has a sizable share of other devices like phones and PDAs. Hackers generally don’t target OSX because 5% of the market — and it’s actually a lucrative 5% of the market given Apple’s demographics — isn’t worth the hassle when 95% of the market is awash in Windows. Windows is where the money is.

If iPhone really is all the rage, suddenly mobile phones running OSX become a legitimate target. That can change the dynamics because all of a sudden Apple will have their OS on devices in a lot of hands, which means hackers will have more reason to probe and exploit vulnerabilities in OSX.

And for the same reasons they attack Windows computers.

Many people already use smartphones for managing the content of their lives. Banking transactions can be carried out via Java applets. Other personal data are transmitted. Some of it’s encrypted. A lot of web use, though, isn’t.

Apple has yet to address questions about security related to iPhone. So has AT&T. The only articles I found in searching for those company names along with iPhone and security this morning relate to stepped-up loss prevention in AT&T and Apple stores next week. I haven’t found very much about securing data on iPhones or across networks.

Most of the security articles I’ve found about iPhone, in fact, deal with how IT professionals are implementing policies about iPhone use on their networks. In many cases, they’re pre-emptively banning them from their networks.

Aside from bashing Microsoft in silly ads, Apple doesn’t have much experience with security. They’ve lived in their sheltered world with a comfort that comes from a small slice of the market, not from inherently safer code. The release of Safari for Windows — yes, I know it was pre-beta — shows that they’re not on the ball. To their credit, they released their first security patches within 96 hours. But Apple won’t get away with reactive security on mobile devices like that.

I linked to articles about Dino Dai Zovi’s nine-hour pwn of a MacBook at CanSecWest (see Apple Sucks). It took people like Aviv Raff and Thor Larholm less time to find holes in Safari for Windows.

With the iPhone, there will be a lot more eyes looking for exploits in OSX. The exploits are already there.

The iPhone could very well turn into the iPwn.

Added Another Shot

June 21, 2007

I added a window shot to the page mentioned in the previous entry.

Latest Screenshot

June 20, 2007

I’ve added another page with a screenshot. Nothing fancy. If anything, it’s a few steps back from the direction I’ve been going.

I hope to have more time for blogging and working on more Rox stuff in the next couple weeks. Things have been really hectic the last month.

In Praise of “Obsolete” Computers

June 17, 2007

I came across an article comparing a MacPlus (circa 1986) and a brand new AMD DualCore. The benchmarks are timings focused on user experience — boot times, performing data manipulation in Excel, and performance running Word.

The two-decade-old MacPlus — with its 8 MHz chip and 4 MB RAM (maxed out for this comparison) — performed admirably against the 2×2.4 GHz (and 1 GB RAM) computer:

For the functions that people use most often, the 1986 vintage Mac Plus beats the 2007 AMD Athlon 64 X2 4800+: 9 tests to 8! Out of the 17 tests, the antique Mac won 53% of the time!

I’m not surprised, since the “most common uses” are generally things that don’t require much in the way of resources. Cutting and pasting hasn’t changed significantly in 20 years, and you don’t need the amounts of RAM we associated with supercomputing back then to enter text into a word processing or spreadsheet application and then manipulate it. I still use text-based applications (spreadsheet, text editing/word processing, etc.) on computers without GUIs or in situations where I need to conserve the battery on my laptop. I’m not missing anything when I do that, aside from “eye candy” that requires system resources many of my computers lack.

As far as living on the bleeding edge goes, I’ve taken a strong stand that there’s no such thing as an obsolete computer. A computer may be at a dead end with respect to upgrading, but it’s still useful as long as it can boot and the requisite I/O devices (monitors, keyboards, drives) work.

One of the reasons I’ve become such a fan of Damn Small Linux is its focus on legacy support and its small size. It’s a modern OS; it’s just spared the bloat that comes with other distros. I can do everything with the computer I normally use (a 400 MHz Celeron with 128 MB RAM) that I can do on this newer machine (Athlon 1.4 GHz with 1 GB RAM). The older, under-equipped (by today’s standards anyway) computer boots faster, is more responsive when not overloaded (running Open Office on it is a pain in the neck — and forget about using audacity on it ever again), and gets everything done the same way this one does. The difference is in the bloat. The newer computer runs XP (it’s dual boot, but I seldom use anything else on here), which requires a significantly greater percentage of the available resources than Linux (X11, oroborus, rox, etc.) does on the older computer. That accounts for what Hal Licino found in his tests.

Sure, there are things that require a GB of RAM and the efficiency of a faster CPU. I have applications like audacity, GIMP, and imagemagick installed on the two computers mentioned above. There’s no way in the world I’ll ever use audacity on the older computer again, unless I find more RAM for it (and the same goes for sox, a command-line equivalent for editing audio files). There are also some image-related tasks I do in XP instead of on the old box for the same reason. But for running standard applications, browsing, etc., the old box continues to prove itself very worthy, and it admirably performs those kinds of things on par with this faster box.

The problem more often than not isn’t the hardware, it’s the software. Another reason I like DSL is that I don’t have to rush out to buy hardware (upgrades or new systems) just to bring my computer up to date. I can wait for DSL upgrades or do my own (and the latter is usually the case for me — my system is no longer DSL, DSL was just my starting point). My kernel can be upgraded by itself. X11 can be upgraded by itself. My window manager (oroborus is my window manager of choice) can be upgraded by itself. The kernel can support new hardware if I choose to buy some; it doesn’t force me to go out and buy new hardware to make an upgrade. And best of all, the only “bloat” is the crap I chose to install. It wasn’t put there by default.

That’s in stark contrast to what Apple and Microsoft have done. I can’t run OSX on my old Mac (but I can upgrade its case with a Mini-ITX and then run Linux on it — stay tuned for an upgrade page if I do that). I can’t run Vista on my NT box or my “usual” computer (really can’t even run XP on the former, though the latter could limp along with XP). I think this computer would marginally run Vista. And at the end of the day, all the extra resources required to run the upgraded OS don’t increase my typing speed or enhance the ability to cut and paste, copy, etc., the data I work with.

And to be fair, I can’t let a lot of Linux distros off the hook with respect to the above paragraph. They’ve jumped on the bandwagon that expects users to upgrade hardware when they upgrade software. They ignore those who use functional legacy hardware. They make releases with the assumption that everyone uses 512MB of RAM, which is barely adequate for running their default environments much less flashy, spinning windows of doom like Beryl. Their focus is no longer on function, it’s on aesthetics. And it’s at the expense of system resources.

That’s appealing to consumerism, without necessarily increasing function at the same time. It takes the same amount of time to type a document and edit it now as it did in 1986. Consumerism doesn’t change that — that’s a constant. Consumerism may make older hardware difficult to use, maintain, or even keep, but it doesn’t make it obsolete. It’s still usable and useful.

Staying Put

June 13, 2007

My last entry on 23 May preceded or coincided with another blogsavy crash. I experimented with a couple of other sites, but I want to continue using a WordPress site. I also appreciate the generosity afforded by blogsavy, even though the downtime is rather off-putting. I’m going to resume my blog here.

There’s much to write about: Google has released Gears (adding offline usability to its online applications) and Mashup Editor, Apple has released Safari for Windows (it’s so freaking buggy and full of vulnerabilities it makes IE look stable and well-executed), Microsoft has made more deals with Linux vendors, and I have some new DSL-related content to add. Stay tuned.