Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "design flaw"
-
https://git.kernel.org/…/ke…/... sure some of you are working on the patches already, if you are then lets connect cause, I am an ardent researcher for the same as of now.
So here it goes:
As soon as kernel page table isolation(KPTI) bug will be out of embargo, Whatsapp and FB will be flooded with over-night kernel "shikhuritee" experts who will share shitty advices non-stop.
1. The bug under embargo is a side channel attack, which exploits the fact that Intel chips come with speculative execution without proper isolation between user pages and kernel pages. Therefore, with careful scheduling and timing attack will reveal some information from kernel pages, while the code is running in user mode.
In easy terms, if you have a VPS, another person with VPS on same physical server may read memory being used by your VPS, which will result in unwanted data leakage. To make the matter worse, a malicious JS from innocent looking webpage might be (might be, because JS does not provide language constructs for such fine grained control; atleast none that I know as of now) able to read kernel pages, and pawn you real hard, real bad.
2. The bug comes from too much reliance on Tomasulo's algorithm for out-of-order instruction scheduling. It is not yet clear whether the bug can be fixed with a microcode update (and if not, Intel has to fix this in silicon itself). As far as I can dig, there is nothing that hints that this bug is fixable in microcode, which makes the matter much worse. Also according to my understanding a microcode update will be too trivial to fix this kind of a hardware bug.
3. A software-only remedy is possible, and that is being implemented by all major OSs (including our lovely Linux) in kernel space. The patch forces Translation Lookaside Buffer to flush if a context switch happens during a syscall (this is what I understand as of now). The benchmarks are suggesting that slowdown will be somewhere between 5%(best case)-30%(worst case).
4. Regarding point 3, syscalls don't matter much. Only thing that matters is how many times syscalls are called. For example, if you are using read() or write() on 8MB buffers, you won't have too much slowdown; but if you are calling same syscalls once per byte, a heavy performance penalty is guaranteed. All processes are which are I/O heavy are going to suffer (hostings and databases are two common examples).
5. The patch can be disabled in Linux by passing argument to kernel during boot; however it is not advised for pretty much obvious reasons.
6. For gamers: this is not going to affect games (because those are not I/O heavy)
Meltdown: "Meltdown" targeted on desktop chips can read kernel memory from L1D cache, Intel is only affected with this variant. Works on only Intel.
Spectre: Spectre is a hardware vulnerability with implementations of branch prediction that affects modern microprocessors with speculative execution, by allowing malicious processes access to the contents of other programs mapped memory. Works on all chips including Intel/ARM/AMD.
For updates refer the kernel tree: https://git.kernel.org/…/ke…/...
For further details and more chit-chats refer: https://lwn.net/SubscriberLink/...
~Cheers~
(Originally written by Adhokshaj Mishra, edited by me. )23 -
Rant rant = new Rant
rant.isRant = false // !!!
I woke up this morning after not thinking about my code for a day, and realized i had a flaw in my validation design. I fixed it before opening my eyes.
It's kind of amazing how not thinking about a problem can help solve it. Even if you don't know it's there!6 -
I hate buying new laptops. HATE IT. The manufacturers are always trying to do something that makes it more complicated to buy a laptop confidently.
Why not name all of the laptops with numbers? Make them really hard to differentiate. Then offer the same model number across multiple years so it is difficult to determine which year the laptop is from.
Oh. And let’s make sure every laptop has a major flaw in the form factor.
Let’a add a numpad that squishes the keyboard to the left in a weird way. Lets do something to the trackpad to make it awkward to use. Maybe the keyboard should have a weird configuration. Maybe we can put 4 spare characters of various colours on the symbol key caps. How about a battery only lasts a few hours. May we add specialized hardware so you are stuck with windows. Maybe we can make it super thick and heavy. Lets have a screen with terrible viewing angles. Since this laptop has no major flaws we should overprice it. No repairs or upgrades on this one because we filled the computer with glue. Lets double the amount of useless media keys.
It is like manufacturers are trying to design laptops like RPG game character classes. The fighter has no magic or stealth. The magician is weak and gets fatigued. The rogue is very stealthy but has poor defence and attack. The cleric can use magic but only to heal so it is useless in battle. The ranger is good at distance but has poor defence and no magic.
The only notebooks sold that are trying to make balanced character classes are MacBooks. Those cost a premium and aren’t reparable.17 -
Amazing how people misuse the term technical debt.
A bug is a flaw in your design/development.
Tech debt is a conscious decision/tradeoff, which is often tracked and removed as the product matures.
The difference is subtle. Avoid this mix up at least in written communication.10 -
What a new years start..
"Kernel memory leaking Intel processor design flaw forces Linux, Windows redesign"
"Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down"
"It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas."
"The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers."
>How can this security hole be abused?
"At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory."
https://theregister.co.uk/2018/01/...22 -
The worst part of being a dev is when you realize you have a major design flaw in your architecture at 4:50 PM on a Friday. Goodbye weekend, hello intense thought.2
-
!dev
So after 5 months of complaining and ISP denying that the modem was at fault for the issues ("because they'd get more complaints if it was") while trying to rip us off as well[1], they finally gave in to sending us one of the modems "intended for their business users"[2].
Low and behold... I haven't had any issues yet in the past few days (as opposed to having issues between 3 and 8 times a day).
Nah lads, surely wasn't the piece of shit old modem that is known to have a severe design flaw right? :^)
Must have been my router and devices behind it right? :^)
References:
1: https://devrant.com/rants/4378988/...
2: https://devrant.com/rants/4399477/...2 -
As a guy with a Intel 6800K I now really feel robbed of my money by Intel.
For over 10 years they knew of the heavy design flaw and put it through.
The ironic thing is, that every country will set up a penalty for Intel, but the Customers with the CPU's wont even see a buck.
It sucks that I have up to 30% less CPU Power after next weeks patch.
I will banish Intel now forever!! You should never come again in my Business!!!
Even my newly ordered Tablet with a Intel chip will suck d*ck now...9 -
Why the heck would you allow (or need) nested block comments? Imo this is a major design flaw in the kotlin linter.
I always use /*... //*/ so I can remove the comment starter w/o having to remove the comment end, but kotlin just starts a second, nested comment there.
Java, C, Cpp, C#, JS,... Not one of these uses nested block comments. I think jetbrains was just lazy?
I mean, I know why such stuff happens. I also developed DSLs in MPS, but there sure are ways to go around such things..7 -
Take a day off, entire system goes down. Come in the next day: "We need to fix this".
12 hours later we get the system back up and a significant design flaw is now known which needs to be fixed on Monday.
It feels good to have the bandaid in place.
Don't use cursors kids, unless you absolutely have to.3 -
Virgin Powerbeats™ pro:
- can’t even fit into your pocket, you have to buy special iPants™ with bigger pockets, that would be $1499, thank you
- have buttons so finicky and annoying that you’re really better off with a touch area
- silicone tips deteriorate and are prone to stay inside your ears. Uh oh, anyone but certified iOtholaryngologists™ aren’t authorized to remove them or else they would be put to Apple Jail™. The removal would be $499 per ear, thank you
- you have to be a PhD topologist to figure out how to put them back into their case
- uh oh, one bud just randomly stopped working because of a design flaw in our case, that’s User Error™, would you like to pay for a replacement with your Apple Card™?
- a feel of greasy deteriorating clamshell
Chad Jabra Elite
- a feel of a brass zippo, magnets are just perfect
- firm, real buttons. Improve then just one level and you got the feel of IBM Model M
- you press a button and you hear whatever mics are picking, no need to ever pull them out
- most comfortable buds I’ve ever tried
- small case fits into pockets of my tight booty shorts just fine
- waterproof
- sounds better than anything Noble Audio have ever done
Beats suck i guess 🤷6 -
Today is one of those magnificent days for my code. One of those days where I stumble up on the weirdest bugs and pull a fix out of my hat barely looking at any doc. One of those days where I find out there is a very tricky flaw in our project design and yet I end up finding an elegant solution to circumvent future problems. One of those days where I find the informations I want even though the documentation is the worst I've ever seen.
I love that productive feeling.random efficient docs efficiency i actually don't like tags bugfix bug fix doc bug documentation productive -
Day 8 without a laptop and I am losing my mind!!! I am behind on all projects with a review coming up on Saturday!!!!😡
My MacBook fell victim to the flex gate design flaw, costing a fortune to fix. I am getting a surface book instead and it was supposed to arrive today!!!! Now they are saying there’s a delay and I don’t even know when it will arrive!!!!!!! I am losing my mind! Help! 😩 what can I do to pass the time and take my mind off being behind on projects? It hit so bad I started learning to dance from YouTube! I’m tired of reading too!!!! Help! 😰5 -
I hate the elasticsearch backup api.
From beginning to end it's an painful experience.
I try to explain it, but I don't think I will be able to cover it all.
The core concept is:
- repository (storage for snapshots)
- snapshots (actual backup)
The first design flaw is that every backup in an repository is incremental. ES creates an incremental filesystem tree.
Some reasons why this is a bad idea:
- deletion of (older) backups is slow, as newer backups need to be checked for integrity
- you simply have to trust ES that it does the right thing (given the bugs it has... It seems like a very bad idea TM)
- you have no possibility of verification of snapshots
Workaround... Create many repositories as each new repository forces an full backup.........
The second thing: ES scales. Many nodes / es instances form a cluster.
Usually backup APIs incorporate these in their design. ES does not.
If an index spans 12 nodes and u use an network storage, yes: a maximum of 12 nodes will open an eg NFS connection and start backuping.
It might sound not so bad with 12 nodes and one index...
But it get's pretty bad with 100s of indexes and several dozen nodes...
And there is no real limiting in ES. You can plug a few holes, but all in all, when you don't plan carefully your backups, you'll get a pretty f*cked up network congestion.
So traffic shaping must be manually added. Yay...
The last thing is the API itself.
It's a... very fragile thing.
Especially in older ES releases, the documentation is like handing you a flex instead of toilet paper for a wipe.
Documentation != API != Reality.
Especially the fault handling left me more than once speechless...
Eg:
/_snapshot/storage/backup
gives you a state PARTIAL
/_snapshot/storage/backup/_status
gives you a state SUCCESS
Why? The first one is blocking and refers to the backup status itself. The second one shouldn't be blocking and refers to the backup operation.
And yes. The backup operation state is SUCCESS, while the backup state might be PARTIAL (hence no full backup was made, there were errors).
So we have now an additional API that we query that then wraps the API of elasticsearch. With all these shiny scary workarounds like polling, since some APIs are blocking which might lead to a gateway timeout...
Gateway timeout? Yes. Since some operations can run a LONG (multiple hours) time and you don't want to have a ton of open connections hogging resources... You let the loadbalancer kill it. Most operations simply run in ES in the background, while the connection was killed.
So much joy and fun, isn't it?
Now add the latest SMR scandal and a few faulty (as in SMR instead of CMD) hdds in a hundred terabyte ZFS pool and you'll get my frustration level.
PS: The cluster has several dozen terabyte and a lot od nodes. If you have good advice, you're welcome - but please think carefully about this fact.
I might have accidentially vaporized people sending me links with solutions that don't work on large scale TM.2 -
Without diving into OO or "Micro$oft", I think the one major flaw in C# is the ability to use "regions".
It's like a feature that was specifically designed to hide shitty code.
If you know how to separate your logic properly and focus on good design principles, you should never have to use a "region" to "clean up" the way your source looks!5 -
I wrote my first proper promise today
I'm building a State-driven, ajax fed Order/Invoice creation UI which Sales Reps use to place purchases for customers over the phone. The backend is a mutated PHP OSCommerce catalog which I've been making strides in refactoring towards OOP/eliminating spahgetti code and the need for a massive bootstrapper file which includes a ton of nonsense (I started by isolating the session and several crucial classes dealing with currency, language and the cart)
I'm using raw JS and jquery with copious reorganization.
I like state driven design, so I write all my data objects as classes using a base class with a simple attribute setter, and then extend the class and define it's attributes as an array which is passed to the parent setter in the construct.
I have also populateFromJson method in the parent class which allows me to match the attribute names to database fields in the backend which returns via ajax.
I achieve the state tracking by placing these objects into an array which underscore.js Observe watches, and that triggers methods to update the DOM or other objects.
Sure, I could do this in react but
1) It's in an admin area where the sales reps using it have to use edge/chrome/Firefox
2) I'm still climbing the react learning curve, so I can rapid prototype in jquery faster instead of getting hung up on something I don't understand
3) said admin area already uses jquery anyway
4) I like a challenge
Implementing promises is quickly turning messy jquery ajax calls into neat organized promise based operations that fit into my state tracking paradigm, so all jquery is responsible for is user interaction events.
The big flaw I want to address is that I'm still making html elements as JS strings to generate inputs/fields into the pseudo-forms.
Can anyone point me in the direction of a library or practice that allows me to generate Dom elements in a template-style manner.4 -
Sigh same bug
Or design flaw
Fuck off
The box it grows to encompass a character for extraction to certain parameters
But if the page has a border it selects the whole page -
It's been over 7 months of being deployed to help finish a project that's crossed the deadline umpteenth times. There's only this guy who had started on this project and me as developers. He's a nice guy, but I'm finding him to be a snowflake that's extremely difficult to work with. Every time I mention a critical problem with his original design, or the approaches he takes on this project, he takes it personally. He would pour out a long spiel of why this and why that, and waste most of the meeting time. Or he would run to his outdated diagrams or documents that he had created himself somewhere deep in the wiki forest, and use that as a defense. He creates his own user stories and tasks on a whim with no PM supervision. I've noted to the managers that this is a project to fail, and all they've done is assign a busy PM to this project, and the new PM is perfectly fine w/ the way the project has been handled so far.
I point out a small flaw with his assumptions just the other day, and he even managed to hyperventilate and again fall back to his outdated document... WTF? I'd rather start from scratch and get this project finished faster.. and even though I've expressed my objection to continue on this path, the managers foolishly believe that this project will be completed somehow. I don't hate my development partner, or PM, or people in the management, but I hate the fact that I don't have control over so many aspects of this project, including the half-assed, unnecessarily complex design, and the dev workflow itself. I feel like I'm tied to a car that's being thrown over the cliff, and assigned to fix the junky car w/ its engine broken before the car hits the ground. Something like this would never be allowed to go in a commercial sector. I just wish that the management could just give me control over project as THE lead & PM over this project, and get this project tied up for good, and with better reusability and quality.1