Originally posted by Sonadow
View Post
Announcement
Collapse
No announcement yet.
Richard Stallman Calls LLVM A "Terrible Setback"
Collapse
X
-
NSA attack is believed to be on random number generator
Originally posted by profoundWHALE View PostWait, did I miss the tinfoil hat handouts?
Also, with you guys going on about the NSA, who's to say they didn't put backdoors right into the CPUs THEMSLEVES. (I'm referring to x86) They do have built in encryption/decryption which was worked on by the NSA don't they?
A secret register storing encryption keys would be forever etched in silicon, waiting to be found by the MSS, the FSB, or even some kid noticing odd behavior in an unusual binary he wrote. Thus, it is believed that the NSA may have instead compromised Intel's random number generator, so as to generate a weaker set of random numbers that could be predicted with the computational resources available to the NSA, but not otherwise. This would be in line with known NSA hacks on encryption embedded in some commercial application suites that work by making part of the key fixed and known, so as to reduce the keyspace to something the NSA believes nobody else can brute-force but which they can.
Linux kernel developers refused the "advice" of Intel to simply map /dev/random to the hardware "random" number generator and are now damned glad they did. Instead, they chose to take the output of the legacy software random number generator and Xor it with the output of Intel's. Since predicting the output of Xor requires knowing both inputs, the result is a random number generator more secure against adversaries other than the NSA and at least as secure against the NSA. If the NSA has anything more than this, they are not about to risk blowing Intel out of the water over the location of an ALF/ELF fugitive, much less over that warrant for your refusal to show up in court for an "underage" drinking case. The existance of Intel is worth too much to them.
When you refuse to decrypt your laptop for TSA thugs, they will probably attempt a dictionary attack at most. If they return the machine, throw it out if it has been out of your sight, as TSA or Secret Service would gladly admit in court to flashing a new BIOS in a single machine under these conditions.
Comment
-
Originally posted by Luke View PostThe NSA does not want EVERYONE to be able to defeat encryption, or all foreign countries get to read US government and corporate comms. If every kid with 4 Radeon 6990s on a board can brute-force encryption used by banks, guess what happens to online banking and sales?
A secret register storing encryption keys would be forever etched in silicon, waiting to be found by the MSS, the FSB, or even some kid noticing odd behavior in an unusual binary he wrote. Thus, it is believed that the NSA may have instead compromised Intel's random number generator, so as to generate a weaker set of random numbers that could be predicted with the computational resources available to the NSA, but not otherwise. This would be in line with known NSA hacks on encryption embedded in some commercial application suites that work by making part of the key fixed and known, so as to reduce the keyspace to something the NSA believes nobody else can brute-force but which they can.
Linux kernel developers refused the "advice" of Intel to simply map /dev/random to the hardware "random" number generator and are now damned glad they did. Instead, they chose to take the output of the legacy software random number generator and Xor it with the output of Intel's. Since predicting the output of Xor requires knowing both inputs, the result is a random number generator more secure against adversaries other than the NSA and at least as secure against the NSA. If the NSA has anything more than this, they are not about to risk blowing Intel out of the water over the location of an ALF/ELF fugitive, much less over that warrant for your refusal to show up in court for an "underage" drinking case. The existance of Intel is worth too much to them.
When you refuse to decrypt your laptop for TSA thugs, they will probably attempt a dictionary attack at most. If they return the machine, throw it out if it has been out of your sight, as TSA or Secret Service would gladly admit in court to flashing a new BIOS in a single machine under these conditions.
Comment
-
Non-electronic tracking is too manpower intensive for bulk use.
Originally posted by erendorn View Post1) Unusual behaviour makes you more likely to be tracked by standard methods.
2) Have you any evidence of any such things having ever been found, by, say, any non-US intelligence agency (that would look for it, and have jurisdiction were these devices are manufactured)? Or even from US agency leaks?
There are not enough cops to put a tail on every person or even every activist who is not on Facebook, not on Google, and not carrying a phone. The NSA does flag all Tor users, but has admitted that they can't de-anonymize all or most Tor users. It took them 8 months to use oldschool Windows malware to go around Tor and find the authors of Inspire. That means they do NOT have a way to bypass Tor in bulk and have not cracked it. They don't have 8 months to use on every Tor user telling his high school principal to fuck off with the "mix-gender couples only" prom rules. As a result, most NSA Tor monitoring is copying stuff they can neither read nor track to disk,.
Let's look at not packing a cellphone. No alarm goes off when you walk by a cop without one, and if you are arrested without one you don't get an addtional charge. Now let's look at the manpower requirements to track you, If you carry an operating phone you are a tiny part of the load on one workstation tracking many users. Example: all Occupy Wall Street phones were tracked in realtime by GPS. On the other hand, to tail an experienced operator in the street can require 12 cops in six cars per shift, per person. It is even harder against people changing modes of transit: car to bike, bus to train, etc. Bikes are especially hard to track without getting caught, meaning they get only random sightings.
In 2004 during the runup to the GOP Convention, the NYPD claimed to be tracking 56 anarchists in DC in realtime, saying they sent a busload of cops to DC for this purpose. I was at the top of the alleged list, mentioned by name on Nightline. I was able to prove they either were lying or incompetent with sime simple surveillance detection runs by car, into areas that were dark and empty with many exits, Nobody followed, and nobody was waiting at any of the ways out. Some of the claims that you cannot stop them from tracking you are nothing but FUD.
Comment
-
Malicious network card a proven mode of attack.
Originally posted by erendorn View Post1) Unusual behaviour makes you more likely to be tracked by standard methods.
2) Have you any evidence of any such things having ever been found, by, say, any non-US intelligence agency (that would look for it, and have jurisdiction were these devices are manufactured)? Or even from US agency leaks?
You may have heard of the "Bus Pirate," a very useful PCI device that can rescue a motherboard with a corrupted BIOS, a BIOS that won't recognize your CPU, or a malicious BIOS that might simulate a reflash. It becomes bus master, as all DMA capable PCI devices can do, the uses the bus to reflash the BIOS. Recent revelations of NSA intercepting computers shipped to known targets for a BIOS reflash are likely to make the bus pirate a very popular device, as it's the only trusted way to save such a board.
Well, a PCI network card is also a PCI or PCI-e device, and has a microprocessor capable of running general purpose code, just like the bus pirate. Unlike the bus pirate, it is connected to something you cannot trust: the network, There is this proof of concept for using the network card as a remote attack vector:
In this proof of concept both writing to main memory and rewriting the card firmware are mentioned. From this it would be a short hop to that rewritten firmware using the card as a remotely controlled "Bus Pirate." You've already got the ability to read system memory and presumably the entire filesystewm, so lshw tells you the exact make and model of the motherboard. Here is another proof of concept for a malicious BIOS based on Coreboot and Seabios-one which backs itself up to network card and DVD player firmware as well:
This sort of thing is why I am running a USB wifi adapter to connect to a wifi router connected to the Internet: it's much harder to gain control over the chipset by USB than by PCI-E. This kind of attack seems to be exceptionally rare, but since I already have the USB device, I use it as a way to get extra protection for free. Think of the network as an unknown but desirable sex partner, the PCI bus as your bloodstream-and that USB interface as a condom.
I have yet to hear of any intelligence agency abroad blowing the whistle on NSA hacks to hardware, we know their current preference is to intercept machines in shipment to install a malicious BIOS locally. That speaks to limited ability on their part of install a new BIOS by remote attack. The use on their part of radar retro-reflectors added to VGA cables also speaks to limited ability on their part to read content from an unmodified computer. A lot of this comes down to physical security of your machine, and closing all attack vectors you are aware of and have the ability to close.
Comment
-
Phoronix biased towards llvm and invalid benchmarks
I wonder if you have read:
As for Phoronix, so far I saw several pitfalls in their testing methodology:
o Micro-benchmarking. E.g. favorite benchmark Scimark2 contains a few tests with only one small hot loop, like LU-factorization where most benchmark time is spent in 2-lines loop. It means that the worse results for GCC can be easily fixed as Jakub Jelinek recently improved Scimark SOR by 42% by a small patch:
o Comparing LLVM and GCC on Fortran benchmarks. LLVM has no fortran FE and just quietly call system GCC. So comparison of LLVM and GCC on Fortran benchmarks means comparison of system GCC and a given GCC.
o IMHO, the data in articles lack credability may be because a wrong setup (by me or by phoronix). E.g. I tried to reproduce Scimark results for GCC4.8 and LLVM3.3 from his article "LLVM Clang 3.4 Already Has Some Performance Changes":
Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
Phoronix used i7-4770K for this. I used the closest machine I found i5-4670 (with switched turbo mode off). The important difference is 0.1Ghz in frequency (3.5Ghz vs. 3.4 Ghz). I got GCC Scimark (-large) composite score close to the article when I used -O and still on my machine the composite score was 20% higher than the article reports although the article says that -O3 -march=core-avx were used.
o Phoronix articles about LLVM and GCC usually contains a lot of negative emotions about GCC and positive ones about LLVM. Such bias to LLVM is suspicious at least for me and make me feel Phoronix as just LLVM marketing machine.Yeah, that is my experience too, e.g. on
Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
Phoronix claims the LU benchmark improved 80% with LLVM 3.4 and ahead of GCC,
but I couldn't reproduce anything close to that, while LLVM 3.4 slightly
improved compared to LLVM 3.3, it was still comparable to GCC 4.8 and behind
GCC 4.9. All that matters in the benchmark is a single loop though:
for (jj=j+1; jj<N; jj++)
Aii[jj] -= AiiJ * Aj[jj];
vectorized by all tested compilers, so clearly a microbenchmark.
It is not that long that Phoronix used to compile some of the benchmarks
e.g. with -O0 and claim they were compiled with -O3, or tune for a
completely different CPU than what it has been tested on, their articles often
comment on the numbers in quite biased way without actually bothering
to look at why are the numbers changing, what number changes are within the
noise and if something changes more than that and is repeatable, why it
happened, so their numbers and benchmarks can't be considered the most
credible benchmarks out there.
Comment
-
Originally posted by PawlersonTaking too much crack, aren't you? GPL is truly a freedom license. BSD is anti freedom one. However, what to expect from BSD slut?
BSD: Does not force software freedom (open source)
GPL: Forces software freedom (open source)
Just because it doesn't force something, it doesn't mean that it is against it.Last edited by profoundWHALE; 27 January 2014, 07:00 PM.
Comment
-
Originally posted by Pawlerson View Post
Comment
-
Originally posted by profoundWHALE View PostThe messages in that link quickly escalated to a nice little cat fight and I stopped reading. Are they really grown men/women?
And people wonder why our politicians do the same thing: Monkey see, monkey do. US Federal debt is $14.5 Trillion. US Household debt is $14.5 Trillion. Monkey see, monkey do.
Its really that simple: People are idiots who lash out whenever their preconceived notions are in danger, rather then having an honest intellectual debate.
Comment
Comment