A series of random observations organized in reverse chronological order.
How to defeat the AnC Address Space Layout Randomization exploit
Not long ago, the tragic news was broached that Address Space Layout Randomization (ASLR)
can be defeated using a technique of walking
page tables and measuring the delays caused by
cache line misses. This is possible because, as it turns out,
Intel, AMD and others use the caches to store
page table entries (PTEs) rather than bypassing the
caches. While putting PTEs in the cache speeds up software, it makes
ASLR trivial to defeat.
The exploit is called ASLR⊕Cache, or AnC for short.
The essential flaw is that when PTEs are stored in
a cache, part of their address is of course used
to determine where in the cache the entry will go,
and this fact can be used to coax the cache into
revealing that part of the address. Remaining address bits
can be obtained using a related technique.
Once it's known what entries in each
are in use, a full understanding of what specific virtual pages
are in use can be constructed.
I believe there is a solution to this exploit. Well, two really.
The first and obvious solution is for CPU manufacturers
to stop, in future, using the caches to speed up accesses to
page table entries. They should also provide microcode
patches for existing CPUs where microcode is used
to implement the page table walk.
The problem is that while some companies put page table entry loading in microcode,
which can be updated, not all do; some implement it in hardware.
My second proposal is slightly tedious but probably should have been done anyway:
Use decoy pages. Let's say you're running a web
browser that has a 40MB footprint. That's 10,000
4kB pages. If you produce 4 times that in
decoy pages, another 40,000 pages, any attacker
using the ASLR-defeating exploit will have to scan 5 times the
number of true pages to find what it wants.
But 80% of the pages will be useless decoys,
meaning a 1 in 5 chance of success.
But what shall you put in those decoys?
Assuming the exploit is looking for particular
libraries or data structures, you simply need
to create fake pages that look real enough
while being harmless. They may need to have
pointers to one another just like real pages,
and real-looking strings and code.
But the code shouldn't do anything useful, like make valid system calls.
And the strings shouldn't contain anything useful, like real domain names or usernames.
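As an added illustration of the decoy-page proposal above (example code written for this post, not taken from it or from any project): it allocates a set of decoy pages as one anonymous mapping, links every page to another with a real pointer, fills each with a harmless-looking string and non-executable filler, and walks the pointer chain to confirm that every decoy is linked. The 4 kB page size, the string format, the 0xCC filler and the function names are assumptions; the 10,000 real / 40,000 decoy figures are the post's.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define DECOY_PAGE_BYTES 4096UL   /* assumed page size, as in the post */

/* Allocate n decoy pages as one anonymous mapping. Every page is written
 * to, so it is actually backed and appears in the page tables like a real
 * page. The mapping is never executable, so the code-like filler can never
 * run. Returns NULL on failure. */
unsigned char *alloc_decoy_pages(size_t n)
{
    if (n == 0) return NULL;
    void *base = mmap(NULL, n * DECOY_PAGE_BYTES, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    unsigned char *p = base;
    for (size_t i = 0; i < n; i++) {
        unsigned char *page = p + i * DECOY_PAGE_BYTES;
        unsigned char *next = p + ((i + 1) % n) * DECOY_PAGE_BYTES;
        /* Offset 0: a genuine pointer to another decoy page, so the decoys
         * reference one another the way real heap objects do. */
        memcpy(page, &next, sizeof next);
        /* Offset 64: a plausible-looking string that names nothing real
         * (constructed sample value). */
        snprintf((char *)page + 64, 64, "decoy-object-%zu", i);
        /* Offset 256: bytes that look like x86 code but are only int3
         * traps (0xCC); assumed filler, and the page is non-executable. */
        memset(page + 256, 0xCC, 512);
    }
    return p;
}

/* Walk the pointer chain from the first page and return how many pages it
 * visits before arriving back at the start: n when the decoy set is fully
 * linked, 0 if a link points outside the mapping. */
size_t decoy_chain_length(const unsigned char *p, size_t n)
{
    const unsigned char *cur = p;
    size_t visited = 0;
    do {
        const unsigned char *next;
        memcpy(&next, cur, sizeof next);
        if (next < p || next >= p + n * DECOY_PAGE_BYTES) return 0;
        cur = next;
        visited++;
    } while (cur != p && visited <= n);
    return visited;
}

/* Fraction of mapped pages that are real: the post's "1 in 5" when 10,000
 * real pages are mixed with 40,000 decoys. */
double real_page_fraction(size_t real_pages, size_t decoy_pages)
{
    return (double)real_pages / (double)(real_pages + decoy_pages);
}

void free_decoy_pages(unsigned char *p, size_t n)
{
    if (p) munmap(p, n * DECOY_PAGE_BYTES);
}

int main(void)
{
    size_t n = 64;   /* small demo; the post's figure is 40,000 */
    unsigned char *d = alloc_decoy_pages(n);
    if (!d) return 1;
    printf("decoy chain covers %zu of %zu pages\n", decoy_chain_length(d, n), n);
    printf("real-page fraction, 10000 real + 40000 decoy: %.2f\n",
           real_page_fraction(10000, 40000));
    free_decoy_pages(d, n);
    return 0;
}
```

Because the decoys are only read and written, never executed, and hold no real names, a scan that lands on one learns nothing usable; the cost to the defender is the memory the decoys occupy.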
Object-oriented assembly language (OOA)
My new article on how to write object-oriented code in x86 asm is
iOS: Areas for improvement
While some like to hold Apple above criticism, because for whatever reason
they think Apple is perfect, it has become obvious that
some aspects of iOS hardware and software need a rethink.
iOS devices really do need SD slots that can read and write files. For a tool to be useful
it has to be fit for purpose and a computing device without a serious storage option
(iCloud is not that) is not an effective tool.
A photo editor running on iOS has to be able to save an edited file somewhere useful like an SD card
from where it can then be efficiently archived.
The iCloud or Dropbox solution is not ideal for privacy or speed (upload speeds being generally slow).
Regarding sensitive photos, uploading to the cloud may be fine for trivial photos
but anything at all sensitive or important needs to go somewhere
safer than iCloud.
The same goes for critical business files like contracts, customer lists and sales data.
No business manager worth his salary is going to accept putting
important and confidential business documents into
the cloud where a hacker or a government operative
can steal them, corrupt them, or delete them and thereby disrupt the smooth operation of his company.
Files need to be saveable to a physical medium like SD flash and then put into
The fact that an SD card slot is needed is only half the problem.
iOS needs the ability to write to SD cards that have
encrypted file systems (like macOS can)
to protect user data before it is archived.
The app launch screen (Springboard) is no better than it was in 2007.
Android's home screens have useful gadgets of various types like a search bar,
and concise news headlines.
It is quite bizarre that Apple, which fanboys claim is a fount of innovation,
is clearly being out-innovated by its imitator.
Apple's obsession with streaming sounds very clever to fanboys,
who argue that the age of physical media is already over.
But there is a problem:
WiFi frequencies are in the microwave range and
as such they do go straight through your body and they do
cook you slightly.
While industry scientists claim this is harmless, that is not true
according to some research.
Microwaves are officially non-ionizing radiation, unlike X-rays,
so genetic damage should not be observed; but the problem is,
it has been observed nevertheless.
Thus WiFi microwaves may be the new smoking: safe only if
you trust the industry and ignore the evidence.
Touches too precise?
The premise of the touch screen is that tapping
is so easy that it is hard to screw it up.
Unless you are in motion.
Anyone who has been a passenger in a car
or bus or
just walking down the street knows that taps are harder to
get right while in motion.
There are several reasons why this is so,
but one is that Apple seems to be encouraging
user interfaces that require more and more precise taps.
Perhaps Apple bigwigs only ride in
super-smooth transport like shuttle buses and let their retinue
take the bumpier road.
But for the Rest of Us there is an obvious solution
that at least Apple could embrace for its apps.
What is that solution?
Certain types of businesses capitalize on bad decisions.
Alcohol and tobacco vendors.
Junk food manufacturers.
Casinos and lotteries.
Narcissism-boosting social media.
Subprime mortgage providers.
Apple, by encouraging cloud storage instead of physical storage
to SD cards,
and by encouraging streaming and electromagnetic radiation exposure,
has joined the ranks of these predatory businesses
that capitalize on poor reasoning,
pretending all the while to be
somehow embracing the future.
Is anyone besides the fanboys buying it?
Safari not included with OS/X?
On iOS, I can open Safari by saying Siri, open Safari.
Such is not the case on MacOS.
Siri disclaims any knowledge of Safari.
If MacOS were free/open-source software, or a hobby project, this kind of obvious bug might be understandable.
But it isn't written by volunteers.
It's not a hobby project.
What is wrong at Apple?
How to fetch a file through TOR
Run the TOR browser.
On OS/X use this command: curl --socks5 127.0.0.1:9150 $url -o $name
On GNU/Linux or Windows the port may be different.
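What curl actually sends to that port is a SOCKS5 (RFC 1928) exchange, and the detail worth knowing is the address type in the CONNECT request: with --socks5 curl resolves the hostname itself and sends the IPv4 address (ATYP 0x01), so the DNS lookup happens outside Tor; with --socks5-hostname it sends the name (ATYP 0x03) and Tor resolves it. The following is an added example, not part of the post, that builds both forms of the request, builds the client greeting, and checks a proxy reply; the function names and the sample host and address are assumptions, and nothing here opens a socket.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1928 field values. */
#define SOCKS5_VERSION        0x05
#define SOCKS5_CMD_CONNECT    0x01
#define SOCKS5_ATYP_IPV4      0x01
#define SOCKS5_ATYP_DOMAIN    0x03
#define SOCKS5_REP_SUCCEEDED  0x00

/* Client greeting offering only "no authentication": 05 01 00. The proxy
 * answers with 05 00 when it accepts. Returns the greeting length. */
size_t socks5_greeting_noauth(uint8_t *out, size_t outlen)
{
    if (outlen < 3) return 0;
    out[0] = SOCKS5_VERSION;
    out[1] = 0x01;   /* one method offered */
    out[2] = 0x00;   /* NO AUTHENTICATION REQUIRED */
    return 3;
}

/* CONNECT request carrying the hostname (ATYP 0x03), so the proxy resolves
 * it; this is what --socks5-hostname sends. Returns the request length, or
 * 0 if the name is empty, longer than the one-byte length field allows, or
 * the buffer is too small. */
size_t socks5_connect_hostname(const char *host, uint16_t port,
                               uint8_t *out, size_t outlen)
{
    size_t hlen = strlen(host);
    if (hlen == 0 || hlen > 255 || outlen < 7 + hlen) return 0;
    out[0] = SOCKS5_VERSION;
    out[1] = SOCKS5_CMD_CONNECT;
    out[2] = 0x00;                         /* reserved */
    out[3] = SOCKS5_ATYP_DOMAIN;
    out[4] = (uint8_t)hlen;
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);  /* port, network byte order */
    out[6 + hlen] = (uint8_t)(port & 0xff);
    return 7 + hlen;
}

/* CONNECT request with an address the client already resolved (ATYP 0x01);
 * this is what plain --socks5 sends after its own local DNS lookup. */
size_t socks5_connect_ipv4(const uint8_t addr[4], uint16_t port,
                           uint8_t *out, size_t outlen)
{
    if (outlen < 10) return 0;
    out[0] = SOCKS5_VERSION;
    out[1] = SOCKS5_CMD_CONNECT;
    out[2] = 0x00;
    out[3] = SOCKS5_ATYP_IPV4;
    memcpy(out + 4, addr, 4);
    out[8] = (uint8_t)(port >> 8);
    out[9] = (uint8_t)(port & 0xff);
    return 10;
}

/* 1 if the request carries a pre-resolved address (the name was looked up
 * locally), 0 if it carries the hostname, -1 if malformed. */
int socks5_request_resolved_locally(const uint8_t *req, size_t len)
{
    if (len < 4 || req[0] != SOCKS5_VERSION) return -1;
    return req[3] == SOCKS5_ATYP_DOMAIN ? 0 : 1;
}

/* Proxy reply: 1 on REP == succeeded, 0 on any error code, -1 if malformed. */
int socks5_reply_ok(const uint8_t *reply, size_t len)
{
    if (len < 4 || reply[0] != SOCKS5_VERSION) return -1;
    return reply[1] == SOCKS5_REP_SUCCEEDED ? 1 : 0;
}

int main(void)
{
    uint8_t buf[300];
    /* "example.com":443 is a constructed sample destination. */
    size_t n = socks5_connect_hostname("example.com", 443, buf, sizeof buf);
    printf("hostname-form request (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\nresolved locally? %d\n", socks5_request_resolved_locally(buf, n));
    return 0;
}
```

Tor's own documentation discourages the IPv4 form for exactly this reason: the local resolver sees every destination name even though the connection itself goes through the proxy.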
What does MacOS Sierra look like when its windows server malfunctions?
How did Apple screw up to even make this possible?
Reminder: Even X-Windows never looked this bad.
What did I do to cause it? It's my secret.
Did I create an error ticket on Apple's website? Oh hell no.
I've done that before; they always deflect my concerns and ignore my ample evidence.
If Apple is against computers with touch screens...
Why is it making this then?
Are they taking a page from Magritte?
Ceci n'est pas un écran à toucher.
The meaning of Magritte's painting is the pedestrian observation that a word is not the thing.
But in order to think, we need accurate words to describe a thing.
If Apple makes a touch-screen computer but then says they don't believe in making touch-screen computers,
what are they saying?
What is the iPad with keyboard then really? A surveillance device?
Without an SD card slot or a USB port, it certainly isn't a serious tool for productivity.
Consumers want solutions to problems, not
Their money is hard-earned.
They are not idiots and you treat them like idiots at your peril.
How to make a universal i.e. fat library for iOS
Turns out, it's a simple command:
lipo -create x86.a arm64.a ... -o universal.a
Notice the pun. Lipo is the prefix for "fatty" e.g. liposuction, lipoprotein etc.
Testing is, in a sense, like making a hamburger.
It is not terribly difficult but it has to be done right.
As with making hamburgers, doing testing wrongly can result in a tragedy.
As with making hamburgers, some people should not be doing it.
Some common mistakes:
Failing to report obvious bugs, thereby letting bugs pass through to the customer.
Not reporting critical facts or circumstances about a defect e.g. that Wifi has to be on, that it only occurs right after midnight etc.
Not providing any evidence of a defect e.g. screenshot, videos taken with a phone, or log files.
Not being knowledgeable enough about the product that you are testing to know how it is
supposed to behave, leading to the response "that is how it is supposed to work."
Not taking the effort to write down what happened at the moment when it happened. Instead trying to remember much later.
Not wanting to check everything that needs to be checked and/or not prioritizing.
Not testing the latest product. Wasting time testing code whose defects are already fixed.
Accepting second-hand information (hearsay or rumors or lies) as totally legitimate instead of speculative.
Some red flag mistakes that may indicate you should not be working in QA:
Doing QA because you like to complain.
Turning QA into a political tool e.g. to criticize whomever you dislike this week.
Declaring that something doesn't work but refusing to say how or why or when.
Being opposed to learning a new platform in order to test software on that platform, e.g. "I don't do iOS." (Yes; I have heard that.)
Having a passive-aggressive personality or otherwise being unable to be direct.
Management as a service job
Human nature being what it is, many people enter management
positions even though they don't understand people, and therefore they suck at management.
Or they don't understand themselves, and therefore they suck at management.
Why then would such people think they should manage?
A few hypotheses:
He/she is bossy i.e. a micromanager, blamer or control freak.
He/she is lazy i.e. actual work is super-hard and to be avoided.
He/she is greedy i.e. they think management is the road to riches and therefore use it to climb the ladder.
Example: Carly Fiorina.
He/she is classist or casteist, i.e. thinking oneself to be above little-people work.
Just as a wife beater should never be allowed to become a cop...
Nor a compulsive liar a politician...
Nor a kleptomaniac a banker...
Nor a bully a lawyer...
The person who has some/all of the above-mentioned problems should be kept out of management.
We're not in the 1970's any more; we can do better, no matter what the venture capitalists say.
Management is essentially a service job.
It's not at the same level as a cashier at a fast-food joint,
but a manager cannot manage well unless
he puts his ego aside, is humble and admits it when he doesn't know, can step back and just let people work,
and realizes he has to
A manager must serve the customers and not deem them disposable, gullible or stupid.
A manager must serve the workers to aid them in bringing out their best and achieving goals, and not boss them around.
A manager must serve the money people as well; but not by deceiving them nor kissing their asses.
The blaming manager, the micromanager, the scheming player --
they can ruin products, divisions and even companies.
Is the 5.5 inch iPhone 6 Plus practical?
I was one of the vocal proponents of a big-screen iPhone, telling anyone who'd listen
that Apple needs to make one with a 5.5 or 6 inch screen.
I expected the 6 Plus was going to prove me right.
After owning the iPhone 6 Plus, I believe I was wrong.
It's not a terrible phone.
But the 6 Plus is rather heavy.
While the 6 Plus only weighs 1.52 ounces more than the 6 (6.07 versus 4.55 ounces respectively),
that is 1.33 times the weight, and the difference is almost alarming when they're side by side.
The expense and delicateness of the 6 Plus means a rugged case is vital.
That adds substantially to the weight -- at least an ounce.
My preferred case is the Magpul field case,
but it's heavy.
Having also owned the cheaper, lighter, and plasticy $150 LG Stylo 2 Plus, which is 5.1 ounces
but has a screen that is 5.7 inches, I can say that the 6 Plus compares quite poorly.
The bare 6 Plus is already 1 ounce heavier.
The 6 Plus's high cost and fragility militates for using a rugged case.
The LG Stylo 2 Plus can be used daily without a case because it is cheap and replaceable.
However the 6 Plus with rugged case weighs over 7 ounces.
Given the weight situation,
only software -- iOS -- saves the 6 Plus, because Android is frankly crap.
So why go with the 6 Plus at all?
While a 5.5 inch screen is a good size for web browsing on the go, it's not a
great replacement for a tablet or a laptop.
If you are not working as a security guard or a librarian,
or are otherwise idle in a quiet environment,
you won't have a strong need for watching video outside of the home or
away from a laptop.
Even a 10-inch tablet can make web browsing difficult.
A 5.5" screen will be much worse, and it isn't going to be a great improvement over say, a 4.7" display.
But it will be much better than a 4-inch screen.
I'd say that if Apple cannot make a less delicate, expensive, and weighty phone,
it should settle on a smaller size.
A 5-inch screen may be the Goldilocks size: Not too large, not too small,
not too heavy. Just right for practical use while keeping the weight down.
A repeat loop kludge for Objective C
Many a time there's a need in C and Objective C for a simple repetition loop à la
the 8086 instruction LOOPNZ.
But one doesn't always need access to the loop counter itself.
To this end, here's a simple
#define that gives you precisely that.
It may not work in every compiler, but it seems to be safe when used in Xcode.
#define repeat(COUNT) for (unsigned long repeat_n_ = (unsigned long)(COUNT); repeat_n_-- > 0;) /* counter lives in the loop's own scope, so two repeat() loops in one function don't clash; pasting x##__LINE__ does not expand __LINE__ */
The only caveat is that as of Xcode 5,
llvm is performing a lot of type checking so you may need
to type-cast the variable from the loop and countdown macros.
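An added example, not from the post, showing the macro in use with the counter scoped to the loop (the form above): two repeat() loops in one function and one nested in another, which is the case a single pasted name cannot compile, plus the edge the LOOPNZ-style countdown inherits, namely that a negative signed count converts to a huge unsigned value. The function names are assumptions.

```c
#include <stdio.h>

/* The post's repeat() macro with the counter declared inside the for
 * statement (C99), so each use gets its own variable. */
#define repeat(COUNT) \
    for (unsigned long repeat_n_ = (unsigned long)(COUNT); repeat_n_-- > 0;)

/* How many times the body runs: exactly COUNT, and zero for COUNT == 0. */
unsigned long count_iterations(unsigned long n)
{
    unsigned long hits = 0;
    repeat(n) hits++;
    return hits;
}

/* Two loops in one scope, then a nested pair. Returns a + b + a*b. With a
 * single pasted name like x__LINE__ the second declaration would be a
 * redefinition error; here each for-statement scopes its own counter and
 * the inner loop merely shadows the outer one. */
unsigned long two_loops_then_nested(unsigned long a, unsigned long b)
{
    unsigned long hits = 0;
    repeat(a) hits++;
    repeat(b) hits++;
    repeat(a) {
        repeat(b) hits++;
    }
    return hits;
}

/* The caveat: repeat(-1) would spin ~2^64 times because the count is
 * converted to unsigned. The macro cannot see the sign, so clamp at the
 * call site when the count comes from signed arithmetic. */
unsigned long safe_count(long n)
{
    if (n < 0) return 0;
    return count_iterations((unsigned long)n);
}

int main(void)
{
    printf("repeat(5): %lu iterations\n", count_iterations(5));
    printf("3 + 4 + 3*4 = %lu\n", two_loops_then_nested(3, 4));
    printf("safe_count(-1): %lu\n", safe_count(-1));
    return 0;
}
```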
Jerry Seinfeld explains why he didn't become a mere TV mogul
But I didn't take that bait... because I know what it is... You can't pull that over on me.
I've sat in all those chairs.
I've been in those rooms. I know what it is.
What is it? You'll just have to listen to
Alec Baldwin's interesting and funny interview of Jerry Seinfeld:
Resize images from the command line
On OS/X there is no need to install ImageMagick in order to resize images from the command line.
Let's say you want to generate a new set of icons for an iOS app.
You can do it with two commands: cp and sips.
Below I offer an example, left as an exercise for the reader,
on how you might do this from a script: