The Market Ticker
Commentary on The Capital Markets- Category [Technology]
2018-01-02 18:26 by Karl Denninger
in Technology , 427 references
[Comments enabled]  

Hoh hoh it really is as bad as I thought.

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data.

No, at worst it means the hole could be abused to read hypervisor data, including encryption keys from other user's workspaces, since the Hypervisor by definition must be able to map all the guest address spaces.

In other words all cloud computing environments are insecure.

What's worse it looks like the root cause of this is that Intel cheated.  In other words their processors speculatively execute code in such a fashion that the actual access takes place before the privilege check is done.  This is good for performance but horrible for security in that it apparently can be leveraged to allow the reading of anything accessible from the hypervisor -- in other words, any other client's data.

This is a really big deal folks.  I've heard rumblings of a severe Xen problem (a common hypervisor) for a while now -- several months of relatively loud rumbling, starting with some little chirping about a year ago and change.  If this is the issue and is embedded in the architecture of the CPUs involved in modern systems then any cloud-based system will be forced to use the mitigation code which will slow it down dramatically.

Incidentally "not doing that" turns a "one machine cycle for one instruction" thing into, in many cases, a couple hundred machine cycles.  It's that bad and properly "fixed" via code workaround the performance bite will be taken on every system call.

The economic impact of this renders most so-called "cloud computing" arguments moot since we're talking performance hits of 30% or more for many common workloads -- especially those that make a lot of kernel calls!

You can bet the so-called "analysts" won't pay a bit of attention to this -- but they damn well should.  The "correct answer" is change all the CPUs to ones without this flaw -- RIGHT NOW -- but I'm sure you can figure out how happy some CIO (or CEO, or investors) will be to hear that.  The other answer is "buy 30%+ more CPUs to cover the performance deficit", which I'm sure will produce exactly the same sort of howl and should produce the same sort of hit to stock prices.

It probably won't, but it damn well should.

Then there's this -- it appears AMD's processors are not subject to this problem -- and it's been strongly hinted at by AMD that this is because they don't speculatively start execution of an instruction before determining whether it will result in a page fault.  A common complaint is that AMD's chips are somewhat slower than Intel's for "equivalent" clock speed and capability (generation, etc.)  Is the reason they were slower that Intel knowingly cheated and, if so, what implication does that have across the computing universe, especially in places where security is considered important like, oh, pretty-much everywhere?

View this entry with comments (opens new window)

2018-01-02 07:00 by Karl Denninger
in Technology , 289 references
[Comments enabled]  

As I have long maintained in the computing world unless you have physical control over a box and supervisory control over every single employee that has privileged access to said box you have no security whatsoever.


There will always be another bug.  Or a "misfeature", whether it arises out of hubris, incomplete security review, hurried production or malfeasance of some sort.

There is now some evidence that exactly that sort of "you're screwed" problem has been discovered that may well be a hardware issue in at least some commonly used processors in so-called "cloud" environments.

This would, if true, allow one "client" to "jump the fence" and either access someone else's memory (in other words, a different client) or, much worse, possibly get them access to the hypervisor at which point all pretense of security on said box falls to pieces. 

Please realize that any such breach is a "game over" sort of event because it allows recovery of active encryption keys and other highly-sensitive data in active use by said other customer/client.  If I can get your encryption key I can pretend to be you (bad) or simply steal all your encrypted data and decode it (maybe worse!)

The pointer to some specific discussions on this point was sent to me by a reader -- and perusing through it, and where that led me, leads me to believe this is quite real and a handful of people are extremely worried -- not only about it but about keeping it real quiet.

The question is whether that's an attempt to forestall "bad guys" from using it or customers of some of the biggest cloud providers from discovering that it can impact them and fleeing.

Given where this looks like it's aimed and heading my money is on the latter.


View this entry with comments (opens new window)

2017-12-30 16:53 by Karl Denninger
in Technology , 384 references
[Comments enabled]  

Done being a "fanboy" yet?  No?  You must like getting ripped off.

Hiding something you know is defective in a manner that will cause people to think their device should be replaced with a newer one, instead of either having it fixed under warranty or performing a relatively inexpensive repair, is outrageous.

Apple is being sued on this basis alleging consumer fraud, and IMHO rightly so.

Make no mistake -- Apple only came clean after being caught.  They didn't tell anyone up front, they didn't disclose the presence of the software change they made in anything like release notes that accompanied the new code, nothing.

They in fact said nothing despite people noting a problem until they were caught by irrefutable evidence that was presented to the public by a customer, and only then did they come clean as to what they did.

That is evidence of bad faith and intentional misconduct and I hope the plaintiffs shove it so far up Cook's and Apple's ass that they can taste it.

That was not a mistake.  It was in fact just the latest manifestation of what Apple as a company is -- an extractive firm that has managed to create a religious cult of fervent grape Kool-Aid drinkers among Americans who parade around like they've got some part of God in their pockets and thus are blessed.

The truth does not matter to any of those fanbois however, nearly all of whom will keep buying their crap despite now having hard evidence that they've been intentionally screwed.

Nor does it matter to Jeff "**********" Sessions or the FTC, both of whom should have come in and nailed the executives of Apple to the ****ing wall ten seconds after this deception was disclosed, for the company has without question profited to the tune of billions of dollars as a result of it.

No, instead of the government doing its job and kneecapping people who pull that sort of crap we have private litigation, which I hope bears fruit.

But heh, just like when your local hospital ass-rams you to within an inch of your physical life (and beyond your financial life) not one ******n finger is lifted by the criminal justice system in this country despite there being clear and in fact admitted evidence of intentional concealment.

For those who care (that seems to be basically nobody) there is a proper way to handle lithium chemistry batteries and their charging requirements. 

It's not very complicated either -- in fact, it's far simpler to charge these than NiMH cells, as those are quite-tricky to determine when they're actually full.  With lithium chemistry batteries it's easy:

1. If the voltage has been allowed to drop under 3.0v (the device should prevent this by turning off before that level is reached) then charge at 1/10c maximum (for a 3,000mah battery this means no more than 300mah) until the battery reaches 3.0v.  Display a warning to the user if this occurs that the cell may be permanently damaged in capacity due to abusive over-discharge.  This is extremely important because an over-discharged cell may be shorted and if you hit it with high current it may burst.  If the voltage does not rise to 3.0V in a reasonable amount of time (a half-hour or so) or if during this phase temperature rises to over 100F then call the battery dead (because it is) and refuse to charge it until manually informed that it has been changed.

2. Charge at up to 0.7c (you can go up to 1.0C if you've got good thermal monitoring) until the voltage on the cell reaches 4.2V.  For a fully discharged cell this will take about an hour.  The battery will be somewhere between 60-80% charged at this point depending on the rate at which you stuffed power in and how hot it is.  Do not permit continued charging over a cell temperature of 100F; if that temperature is reached stop the charge until the temperature falls back.  This should not happen unless the ambient temps are quite high.  If the CPU temperature is not elevated but the battery gets hot and this happens more than once sequentially display a warning to the user that the battery may be damaged and dangerous to continue to use (it may be partially shorted internally, to be specific.)  At the termination of this phase display a message to the user that rapid charging has ceased so if the user wishes to unplug they can do so; there is no harm in partially charging lithium batteries and in fact their life is extended by not going fully through the next (saturation) charge phase!

3. At 4.2V switch to constant-voltage charge at 4.2V and continue until the current drops to between 0.1 and 0.03C (for a 3,000mah battery, this means between 100 and 300ma.)  Split the difference if you'd like (e.g. 150ma.)  This will take about another 90 minutes to two hours.  If cell temperature goes over 100F, terminate the charge until it drops under.  Heating is normal during this part of the charge and thus if ambient temperatures are elevated it should be expected that the cell will get warm.  Again, unless the CPU temperature is elevated the cell should not go over 100F however (that is, unless ambient temps are high.)  When the cut-off current is reached the cell is full.

Further, the manufacturer should offer an option to the user to terminate the charge entirely at 80-85%.  Why?  Because doing so materially extends the number of cycles the battery will survive -- that is, how long it will last.

Why doesn't any cellphone manufacturer I'm aware of, including Apple, use this profile?

Because it takes three hours to charge the battery this way (that is, properly) and that assumes you have a charger with enough current delivery to run phase 2 at full potential.  If you don't then it may take four or more hours for a full charge.  It also requires on a technical level accurate instrumentation both at the charger circuit output (for voltage and current) and at the input to the voltage regulator for the phone's circuits (so the charging circuit can subtract back out the energy consumed by the phone if it's "on" when being charged and thus knows actual charge rate going into the battery.)

People are lazy and demand "right now", in short.

Charging beyond 4.2V without tapering the current does fairly severe damage to the cycle life (the number of times you can charge and discharge the battery before it loses enough capacity to******you off.)  Charging materially beyond 4.3V is dangerous and can cause gas pressure development in the cell, which causes it to bulge and can cause the cell to burst.  Continuing to charge beyond the point where the cell is "full" can plate lithium metal and cause internal shorts, which then lead to the potential for fires.

The answer to quickly-trashed batteries is for manufacturers to stop abusing them and for customers to demand that a proper charge profile be used for them, understanding that this means you cannot fully charge such a cell in an hour.

View this entry with comments (opens new window)

2017-12-22 07:00 by Karl Denninger
in Technology , 238 references
[Comments enabled]  

Sorry BlackBerry, you lose.

It's Christmas, you know, and the Motion has not been announced for the US.  It's allegedly around $450ish converted from Canadian money, but with no US support or warranty.... no thanks.

So what if you need a new device, or just want one?

Buy a flagship or some midrange unit?


Buy a slightly used LG V20.

It's last year's flagship and used to cost $700 or thereabouts.  But now it's out of favor, you see, and you can get ones that appear to be NOS -- literally, in that they have March 2017 firmware on them and thus will sit and play "update me" for two hours when first turned on -- for anywhere between $200-250.

What you get for that is a Snapdragon 820, 4Gb of RAM, Nougat (and should get Oreo) Android (7.0 right now), and, in most cases, 64Gb of storage plus a removable battery.  It also has an SD card slot and a headphone jack (both of which are missing on many newer devices.)

The cameras are somewhat-older spec but very decent and will shoot in RAW, which none of the midrange devices will; the main rear camera has OIS as well which is very helpful to reduce shake in low light.

The audio through the headphone jack is really good (it has a very high-quality DAC in it you can turn on; you won't notice it with $20 earbuds, but if you have high quality {not "beats"} headphones and listen to FLAC files you will) and it also has an array of mics in it that make for good recording capabilities, not that I'd ever think someone would do serious audio work from a phone.  It does lack the dual-speaker setup of the DTEK60 and the down-firing single speaker is pretty average in terms of volume and clarity -- oh well.

The removable battery means no water proofing, but it also means a $20 battery change when it wears out.  LG claims it's a "ruggedized" phone for shock although I bet testing that could be a $200 proposition (the screen will still break, I suspect.)  All the other expected things are there including fingerprint scanner, NFC, etc.  And, being that it's an 820 based phone, it's fast.

Finally, this device has pretty darn good RF, which translates into materially lower sleeping battery consumption than those with lesser RF capability.  Expect right near 1% per hour of battery drain when sleeping.

I have one gripe -- the "auto brightness" calibration is somewhat off in dim light.  Specifically, "auto" mode turns it down too far.  It's not a huge issue, but it's there and might make you reach for the manual brightness control in dimmer light (and then swear when you forget to put it back on "auto" and go outside!)  There's only a small range of low-light environments where this is a problem though; at ambient light levels above "dimly-lit room" it's fine.

These phones are big -- so if you don't like "phablet" form factor devices it's not for you.  If you want longer battery life there are aftermarket monster (some as much as 10,000 mah!) cells available that come with a replacement back door -- at the cost, of course, of thickness.  Three day battery life?  Sure, with one of those it's not hard.....

The LG Android software has a few annoying spammy things included but some can be actually uninstalled and others can be disabled --- and it's only lightly skinned unlike Samsung's Touchwiz garbage.  Not bad overall.

Be aware that if you allow the updates to all run you'll wind up with an "anti-rollback" problem should you try to root it in the future.  This is the wave of reality sweeping over the land, so if root + custom stuff is your thing do it on first turn-on and be careful, as it's entirely possible to get into serious trouble otherwise.  I recommend not loading custom firmware simply because none I'm aware of has support for the second screen, and that's a pretty cool feature.  I'm not willing to lose it in exchange.

Apparently there are plenty of either NOS or low-wear units that have been turned in on trade because there is no shortage of these things and the price has dropped like a stone.  For the money right now they're flat-out impossible to beat, especially considering that they have current Android firmware on them now and should get Oreo within the next couple of months.

If you want the BlackBerry Hub suite you can have it for a buck a month from the Play Store which isn't a bad deal at all.  Despite BlackBerry Mobile (TCL, really) basically abandoning the US market just in time for Christmas the software remains available and part of BlackBerry's subscription revenue stream -- and unlike so many other email clients, especially if you need or want encryption and have an Exchange server, just plain old-fashioned works.  Unfortunately there's no replacement for the quick and easy security management available with DTEK.

Don't waste close to a thousand bucks on either an iPhony or one of the new Sammys -- or IMHO even the LG V30.  Yeah, they're nice devices and the cameras are a bit better -- but they're not three to four times as nice, and that's what you're comparing against here.  You give up little against those newer units while keeping a ****-ton of money in your wallet.

I have no idea how long the NOS units (and nearly-NOS ones) will remain available at these nice prices, but right now they're the stand-out deal in the space among Android handsets.

**** you BlackBerry Mobile.

View this entry with comments (opens new window)

2017-12-18 10:30 by Karl Denninger
in Technology , 462 references
[Comments enabled]  

This company and it's CEO both deserve to be hit by an asteroid and destroyed:

 by tickerguy

Never mind the company funding those who are alleged to be sexual abusers.

During the "original" debate on this issue there's a pretty clean argument to be made that Netflix intentionally shifted transfers of its content onto a transport provider who it also barred from negotiating bilateral traffic payments.  It then blamed ISPs for "slowdowns" that it caused, intentionally.  There was never one single subpoena served on the firm to back this up, but the objective outside measurements available at the time made an extremely persuasive case for that being exactly what happened.

As I have pointed out in other articles the consequence of so-called "Net Neutrality" has been to essentially reinforce a monopoly by Netflix!  What monopolists do in the general sense is force other people to pay their costs, which they pocket.  It is usually done through nefarious and back door ways, since simply stealing billions tends to be noticed and might run into some pushback.

Amazon does this, for example, by subsidizing product sales with AWS.  They'd never be in business for 10+ years as a product sales company that is incapable of delivering a profit as fulfillment costs continue to ramp faster than top-line sales growth, especially when that happens over the space of many years (and it has.)  But if you can grab some cash from some other customer and make up the difference, especially if you can get the government to be part of the funding source, well.....

Hastings has effectively done the same thing.  

At the same time real issues of neutrality have gotten exactly zero attention.  ISPs during the entire "neutrality" period still blocked SMTP servers, for example, making it impossible for you to run your own mail.  Why?  They claim abuse potential but let's be serious -- forcing all your email through them allows them to mine that email for marketing purposes.  Google clearly does this through Gmail and it must be assumed every other large ISP is doing it now too.  That's your allegedly-private email but as soon as you start tossing it through someone else's server, unencrypted, there is no longer anything preventing said company from using what's in there and selling it.  The number of enforcement actions to force ISPs to stop this crap during so-called "neutrality"?  Zero.

We have a serious problem with last-mile monopolies in the ISP market today.  But you cannot solve that through regulation -- you can only solve it through competition.  There are natural monopolies that exist in certain areas (e.g. last mile easements) and the answer is for municipal, county and state governments to use their eminent domain power they have already exercised for power and water services to provide a "dark fiber" tap to each home or business, all terminated in a convenient and neutral point.  You then pay (if you wish to use it) for the use of that piece of glass and you then select an ISP who has located at the interconnect and that's where the plug goes.  The "central points" are open to all ISPs who wish to enter a market at the same price for the space, power and cooling with a small enough minimum purchase that modest-sized local and regional ISPs can participate.  This is simple, elegant, and can trivially provide gigabit-level transport to each house.  MCSNet would have been a participant in this instantly were it to be made available, and had any of the municipalities in our service area had  the tiniest shred of interest in doing it back in the 1990s I probably would not have sold the company to Winstar.

Let's note that such a model of breaking the back of the monopolists has also been mightily opposed by every single cable and DSL provider in the space today, including by getting laws passed prohibiting localities from doing this sort of thing.  Yeah.

But that someone is a jackass (e.g. Comcast, Cox, etc) and has done things that if anyone bothered to enforce 100+ year old law would send them all to prison doesn't make someone else doing the same thing and enforcing it through law right, just or appropriate.  All that does is make them willing co-conspirators which adds a Racketeering charge to what they should all be staring down.

Hastings and Netflix are slimeballs, and their renewed "public campaign" of misinformation and outright lies must be both exposed and destroyed.

That is, unless you like getting your pocket picked.

View this entry with comments (opens new window)

Main Navigation
MUST-READ Selection:
The License Server Paradigm

Full-Text Search & Archives
Archive Access

Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.