Details
About: minimal web things
Skills: JavaScript, Go, Linux, Kubernetes
Location: New Delhi, India
Joined devRant on 6/15/2016
-
Accidentally hugged my boss. It's fine, I can't have more than 100 years left to carry this memory around anyways.
-
Okay, this is a rather technical rant and I am sure some of you are working on the patches already. If you are, then let's connect, 'cause I am an ardent researcher for the same as of now.
So here it goes:
As soon as the kernel page table isolation (KPTI) bug is out of embargo, WhatsApp and FB will be flooded with overnight kernel "shikhuritee" experts who will share shitty advice non-stop.
1. The bug under embargo is a side channel attack, which exploits the fact that Intel chips come with speculative execution without proper isolation between user pages and kernel pages. Therefore, with careful scheduling, a timing attack will reveal some information from kernel pages while the code is running in user mode.
In easy terms, if you have a VPS, another person with a VPS on the same physical server may read memory being used by your VPS, which will result in unwanted data leakage. To make the matter worse, a malicious JS from an innocent-looking webpage might be (might be, because JS does not provide language constructs for such fine-grained control; at least none that I know as of now) able to read kernel pages, and pawn you real hard, real bad.
2. The bug comes from too much reliance on Tomasulo's algorithm for out-of-order instruction scheduling. It is not yet clear whether the bug can be fixed with a microcode update (and if not, Intel has to fix this in silicon itself). As far as I can dig, there is nothing that hints that this bug is fixable in microcode, which makes the matter much worse. Also, according to my understanding, a microcode update will be too trivial to fix this kind of a hardware bug.
3. A software-only remedy is possible, and that is being implemented by all major OSs (including our lovely Linux) in kernel space. The patch forces the Translation Lookaside Buffer to flush if a context switch happens during a syscall (this is what I understand as of now). The benchmarks are suggesting that the slowdown will be somewhere between 5% (best case) and 30% (worst case).
4. Regarding point 3, syscalls don't matter much. The only thing that matters is how many times syscalls are called. For example, if you are using read() or write() on 8MB buffers, you won't have too much slowdown; but if you are calling the same syscalls once per byte, a heavy performance penalty is guaranteed. All processes which are I/O heavy are going to suffer (hostings and databases are two common examples).
5. The patch can be disabled in Linux by passing an argument to the kernel during boot; however, it is not advised for pretty much obvious reasons.
6. For gamers: this is not going to affect games (because those are not I/O heavy)
Meltdown: "Meltdown", targeted at desktop chips, can read kernel memory from the L1D cache. Intel is only affected with this variant. Works on only Intel.
Spectre: Spectre is a hardware vulnerability with implementations of branch prediction that affects modern microprocessors with speculative execution, by allowing malicious processes access to the contents of other programs' mapped memory. Works on all chips including Intel/ARM/AMD.
For updates refer to the kernel tree: https://git.kernel.org/…/ke…/...
For further details and more chit-chats refer to: https://lwn.net/SubscriberLink/...
~Cheers~
(Originally written by Adhokshaj Mishra, edited by me.)
-
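Point 4 of the rant above, as an added example that is not part of the original post: the same transfer to `/dev/null` is issued with different chunk sizes and the `write()` calls are counted, since each call pays the kernel entry and exit cost that the isolation patch increases. The function names and the 4096-byte middle case are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Write `total` bytes to fd, at most `chunk` bytes per write() call.
 * Returns the number of write() syscalls issued, or -1 on error. */
long write_in_chunks(int fd, size_t total, size_t chunk)
{
    char *buf = chunk ? malloc(chunk) : NULL;
    if (!buf)
        return -1;                     /* zero chunk size or out of memory */
    memset(buf, 'A', chunk);
    long calls = 0;
    for (size_t left = total; left > 0; calls++) {
        ssize_t n = write(fd, buf, left < chunk ? left : chunk);
        if (n <= 0) {                  /* error or no progress: give up */
            free(buf);
            return -1;
        }
        left -= (size_t)n;
    }
    free(buf);
    return calls;
}

/* Same transfer against /dev/null, so the cost is syscall entry/exit, not I/O. */
long syscalls_for(size_t total, size_t chunk)
{
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return -1;
    long calls = write_in_chunks(fd, total, chunk);
    close(fd);
    return calls;
}

int main(void)
{
    const size_t total = 8u << 20;               /* 8 MiB, as in point 4 */
    const size_t chunks[] = {1, 4096, 8u << 20}; /* per byte, per page, one call */
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0]; i++) {
        clock_t t0 = clock();
        long calls = syscalls_for(total, chunks[i]);
        double ms = 1000.0 * (double)(clock() - t0) / CLOCKS_PER_SEC;
        printf("chunk %8zu B: %8ld write() calls, %9.2f ms CPU\n", chunks[i], calls, ms);
    }
    return 0;
}
```

Running it on the same machine with the isolation patch enabled and disabled shows the gap widening as the chunk size shrinks.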
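Point 5 of the rant above says the patch can be switched off at boot. A defender's check for that, as an added example that is not part of the original post: it classifies the kernel's sysfs Meltdown status line and looks for the boot parameters `nopti`, `pti=off` and `mitigations=off`, which come from the Linux kernel documentation and not from the post.

```c
#include <stdio.h>
#include <string.h>

enum pti_state { PTI_UNKNOWN, PTI_NOT_AFFECTED, PTI_MITIGATED, PTI_VULNERABLE };

/* Classify the one-line text of /sys/devices/system/cpu/vulnerabilities/meltdown. */
enum pti_state classify_meltdown_status(const char *s)
{
    if (strncmp(s, "Not affected", 12) == 0) return PTI_NOT_AFFECTED;
    if (strncmp(s, "Mitigation:", 11) == 0)  return PTI_MITIGATED;
    if (strncmp(s, "Vulnerable", 10) == 0)   return PTI_VULNERABLE;
    return PTI_UNKNOWN;            /* empty input or an "Unknown (...)" line */
}

/* Return 1 if a boot parameter asks for page table isolation to be turned off.
 * Whole-token match; a hit is a flag for review, the sysfs status is authoritative. */
int cmdline_disables_pti(const char *cmdline)
{
    static const char *const off[] = {"nopti", "pti=off", "mitigations=off"};
    char copy[4096];
    snprintf(copy, sizeof copy, "%s", cmdline);
    for (char *tok = strtok(copy, " \t\n"); tok; tok = strtok(NULL, " \t\n"))
        for (size_t i = 0; i < sizeof off / sizeof off[0]; i++)
            if (strcmp(tok, off[i]) == 0) return 1;
    return 0;
}

/* First line of a file without its newline; "" if the file cannot be read. */
static void read_first_line(const char *path, char *buf, int n)
{
    FILE *f = fopen(path, "r");
    buf[0] = '\0';
    if (!f) return;
    if (!fgets(buf, n, f)) buf[0] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    fclose(f);
}

int main(void)
{
    static const char *const name[] = {"unknown", "not affected", "mitigated", "VULNERABLE"};
    char status[256], cmdline[4096];
    read_first_line("/sys/devices/system/cpu/vulnerabilities/meltdown", status, sizeof status);
    read_first_line("/proc/cmdline", cmdline, sizeof cmdline);
    printf("meltdown: %s (%s)\n", name[classify_meltdown_status(status)],
           status[0] ? status : "no sysfs entry");
    printf("boot parameters %s page table isolation\n",
           cmdline_disables_pti(cmdline) ? "DISABLE" : "do not disable");
    return 0;
}
```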
I hate Munich. Instead of using Windows, the city administration had built their own Linux distro called LiMux for all of the city's ~30000 computers. They invested years into developing it, because, hey, it's open source! Now they used it for four years, and just as Microsoft opens an office in town, they throw it all overboard and go back to Windows. Why? Because, umm, they can't even use MS Word, what all the others use and such.
This is such bullshit. You had a good thing going here, in times of NSA surveillance and monopolies. Munich is such a capitalistic town. I'm happy to have moved out of it for good.
-
I hired a woman for senior quality assurance two weeks ago. Impressive resume, great interview, but I was met with some pseudo-sexist puzzled looks in the dev team.
Meeting today. Boss: "Why is the database cluster not working properly?"
Team devs: "We've tried diagnosing the problem, but we can't really find it. It keeps being under high load."
New QA: "It might have something to do with the way you developers write queries".
She pulls up a bunch of code examples with dozens of joins and orderings on unindexed columns, explains that you shouldn't call queries from within looping constructs, that it's smart to limit the data with constraints and aggregations, hints at where to actually place indexes, how not to drag the whole DB to the frontend and process it in VueJS, etc...
New QA: "I've already put the tasks for refactoring the queries in Asana"
I'm grinning, because finally... finally I'm not alone in my crusade anymore.
Boss: "Yeah but that's just that code quality nonsense Bittersweet always keeps nagging about. Why is the database not working? Can't we just add more thingies to the cluster? That would be easier than rewriting the code, right?"
Dev team: "Yes... yes. We could try a few more of these aws rds db.m4.10xlarge thingies. That will solve it."
QA looks pissed off, stands up: "No. These queries... they touch the database in so many places, and so violently, that it has to go to therapy. That's why it's down. It just can't take the abuse anymore. You could add more little brothers and sisters to the equation, but damn that would be cruel right? Not to mention that therapy isn't exactly cheap!"
Dev team looks annoyed at me. My boss looks even more annoyed at me. "You hired this one?"
I keep grinning, and I nod.
"I might have offered her a permanent contract"
-
Fucked up an sql join once and accidentally deleted myself from the employee table in the prod database. So I kinda fired myself... Good thing we had backups. 😂
-
I uploaded a release APK to Play Store with the API host set to the local address I used in dev 192.168.x.x:8000 :/
-
I once set a customer's server on fire.
Literally.
I put my laptop on top of the server rack and the additional heat generated caused blue smoke to fill the room.
The whole building had to be evacuated.
Firetrucks came.
The customer eyeballed me quite a bit after he talked to the fire marshal regarding where the fire had originated.
-
Client asked to change the shade of blue to a little lighter shade. Deleted the hex code and typed the same hex code again and showed it to him. Instantly approved.
-
Any devs from CIA's Frankfurt department here? I can't remember if I shut my TV off before I left home, can you check?
KTHXBYE
-
They give you 2 containers, one with one amoeba, the second with 2 amoebas.
Amoebas divide themselves into 2 identical amoebas after 3 minutes.
The container with 2 amoebas gets filled up after 3 hours.
How long does it take the one with one amoeba to get filled up?
The test was named: "Javascript Test"....
I first thought, should I write this in JS?
Spoiler: the answer is 3h and 3 minutes.
But why? What's the link with JS?