Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "code your own os"
-
I'm getting ridiculously pissed off at Intel's Management Engine (etc.), yet again. I'm learning new terrifying things it does, and about more exploits. Anything this nefarious and overreaching and untouchable is evil by its very nature.
(tl;dr at the bottom.)
I also learned that -- as I suspected -- AMD has their own version of the bloody thing. Apparently theirs is a bit less scary than Intel's since you can ostensibly disable it, but i don't believe that because spy agencies exist and people are power-hungry and corrupt as hell when they get it.
For those who don't know what the IME is, it's hardware godmode. It's a black box running obfuscated code on a coprocessor that's built into Intel cpus (all Intell cpus from 2008 on). It runs code continuously, even when the system is in S3 mode or powered off. As long as the psu is supplying current, it's running. It has its own mac and IP address, transmits out-of-band (so the OS can't see its traffic), some chips can even communicate via 3g, and it can accept remote commands, too. It has complete and unfettered access to everything, completely invisible to the OS. It can turn your computer on or off, use all hardware, access and change all data in ram and storage, etc. And all of this is completely transparent: when the IME interrupts, the cpu stores its state, pauses, runs the SMM (system management mode) code, restores the state, and resumes normal operation. Its memory always returns 0xff when read by the os, and all writes fail. So everything about it is completely hidden from the OS, though the OS can trigger the IME/SMM to run various functions through interrupts, too. But this system is also required for the CPU to even function, so killing it bricks your CPU. Which, ofc, you can do via exploits. Or install ring-2 keyloggers. or do fucking anything else you want to.
tl;dr IME is a hardware godmode, and if someone compromises this (and there have been many exploits), their code runs at ring-2 permissions (above kernel (0), above hypervisor (-1)). They can do anything and everything on/to your system, completely invisibly, and can even install persistent malware that lives inside your bloody cpu. And guess who has keys for this? Go on, guess. you're probably right. Are they completely trustworthy? No? You're probably right again.
There is absolutely no reason for this sort of thing to exist, and its existence can only makes things worse. It enables spying of literally all kinds, it enables cpu-resident malware, bricking your physical cpu, reading/modifying anything anywhere, taking control of your hardware, etc. Literal godmode. and some of it cannot be patched, meaning more than a few exploits require replacing your cpu to protect against.
And why does this exist?
Ostensibly to allow sysadmins to remote-manage fleets of computers, which it does. But it allows fucking everything else, too. and keys to it exist. and people are absolutely not trustworthy. especially those in power -- who are most likely to have access to said keys.
The only reason this exists is because fucking power-hungry doucherockets exist.26 -
A group of Security researchers has officially fucked hardware-level Intel botnet officially branded as "Intel Management Engine" they did so by gathering it all the autism they were able to get from StackOverflow mods... though they officially call it a Buffer Overflow.
On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough.
Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibility. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).
The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company's vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device's main operating system.
It's a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it's equally appealing to hackers for what Positive Technologies has dubbed "God mode."
The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn't be visible to the user or the main operating system. Fears of such an attack led Chipzilla to implement an off switch, to comply with the NSA-developed IT security program called HAP.
But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.
The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.
For more of the complete story go here:
https://blackhat.com/eu-17/...
https://theregister.co.uk/2017/12/...
I post mostly daily news, commentaries and such on my site for anyone that wish to drop by there19 -
I'll use this topic to segue into a related (lonely) story befitting my mood these past weeks.
This is entire story going to sound egotistical, especially this next part, but it's really not. (At least I don't think so?)
As I'm almost entirely self-taught, having another dev giving me good advice would have been nice. I've only known / worked with a few people who were better devs than I, and rarely ever received good advice from them.
One of those better devs was my first computer science teacher. Looking back, he was pretty average, but he held us to high standards and gave good advice. The two that really stuck with me were: 1) "save every time you've done something you don't want to redo," and 2) "printf is your best debugging friend; add it everywhere there's something you want to watch." Probably the best and most helpful advice I've ever received 😊
I've seen other people here posting advice like "never hardcode" or "modularity keeps your code clean" -- I had to discover these pretty simple concepts entirely on my own. School (and later college) were filled with terrible teachers and worse students, and so were almost entirely useless for learning anything new.
The only decent dev I knew had brilliant ideas (genetic algorithms, sandboxing, ...) before they were widely used, but could rarely implement them well because he was generally an idiot. (Idiot sevant, I think? Definitely the idiot part.) I couldn't stand him. Completely bypassing a ridiculously long story, I helped him on a project to build his own OS from scratch; we made very impressive progress, even to this day. Custom bootloader, hardware interfacing, memory management, (semi) sandboxed processes, gui, example programs ...; we were in highschool. I'm still surprised and impressed with what we accomplished.
But besides him, almost every other dev I met was mediocre. Even outside of school, I went so many years without having another competent dev to work with. I went through various jobs helping other dev(s) on their projects (or rewriting them), learning new languages/frameworks almost every time: php, pascal, perl, zend, js, vb, rails, node, .... I learned new concepts occasionally (which was wonderful) but overall it was just tedious and never paid well because I was too young to be taken seriously (and female, further exacerbating it). On the bright side, it didn't dwindle my love for coding, and I usually spent my evenings playing with projects of my own.
The second dev (and one one of the best I've ever met) went by Novo. His approach to a game engine reminded me of General Relativity: Everything was modular, had a rich inheritance tree, and could receive user input at any point along said tree. A user could attach their view/control to any object. (Computer control methods could be attached in this way as well.) UI would obviously change depending on how the user could interact and the number of objects; admins could view/monitor any of these. Almost every object / class of object could talk to almost everything else. It was beautiful. I learned so much from his designs. (Honestly, I don't remember the code at all, and that saddens me.) There were other things, too, but that one amazed me the most.
I havent met anyone like him ever again.
Anyway, I don't know if I can really answer this week's question. I definitely received some good advice while initially learning, but past that it's all been through discovering things on my own.
It's been lonely. ☹2 -
Step 1: Run to the store to buy a USB card reader because all of a sudden you have a need to use a 16Mb CF card that was tossed in a junk drawer for 20 years (hoping it still works, of course), but that was the easy part...
Step 2: Realize that the apps - your own - you want to run on your new (old) Casio E-125 PocketPC (to re-live "glory" days) are compiled in ARM format, not MIPS, which is the CPU this device uses, and the installer packages you have FOR YOUR OWN APPS don't include MIPS, only ARM (WHY DID I DO THAT?!), so, the saga REALLY begins...
Step 3: Get a 20-year old OS to install in a Hyper-V VM... find out that basic things like networking don't work by default because the OS is so damn old, so spend hours solving that and other issues to get it to basically run well enough to...
Step 4: Get that OS updated so that it's at least kind/sorta/maybe (but between you and me, not really!) safe online, all without a browser that will work on ANY modern site (oh, and good luck finding a version of Firefox that runs on it - that all took a few hours)...
Step 5: Okay, OS is ready to go, now get 20-year old dev tools that you haven't even seen in that many years working. Oh, do this with a missing CD key and ISO's that weren't archived in a format that's usable today, plus a bunch of missing dependencies because the OS is, again, SO old (a few MORE hours)...
Step 6: Get 20-year old code written in a language you haven't used in probably almost that long to compile, dealing with pathing issues, missing libs, and several other issues, all the while trying to dust off long-dormant knowledge somewhere in the deep, dark recesses of your brain... surprisingly, it all came back to me, more or less, in under an hour, which lead to...
Step 7: FINALLY get it all to work, FINALLY get the code to compile, FINALLY get it transferred to the device (which has no network capabilities, by the way, which is where the card reader and CF card came into play) and re-live the glory of your old, crappy PocketPC apps and games running on the real thing! WOO-HOO!
Step 8: Realize it's 3:30am by the time that's all done and be VERY thankful that you're on vacation this week or work tomorrow would SSUUCCKK!!!!
Step 9. Get called into work the next day for a production issue despite being tired from the night before and an afternoon of errands, lose basically a whole day of vacation (7 hours spent on it) and not actually resolve it by after midnight when you finally say that's enough :(
Talk about your highs and your lows.6 -
! exactly dev
I'd ditched Windows and spent a while exploring the Linux ecosystem for content creation. And I have to say, it was not a nice experience.
As much as I respect the Linux mantra of "free as in freedom" and "you need to roll up your sleeves and figure out stuff on your own", it just isn't good enough for non-dev work. Sorry guys, but I need software that gets out of my way and at least does what it's supposed to do. I can't stand a horrible UI or delays and random crashes, which is exactly what happens with most things under Linux.
To replace my Windows workflow I used the following:
1. Windows -> elementaryOS (because Debian/Ubuntu repositories seem to have the best software support, and elementaryOS is the least horrible looking thing that supports that) and then Arch, because, well, Arch.
2. Blender + Maya -> Blender + Maya on Linux.
3. Reaper + FL Studio -> Ardour + LMMS.
4. Photoshop -> GIMP + Krita + Inkscape.
5. ZBrush -> nothing :(
As you can see, my use cases are pretty much all over the spectrum.
Firstly, installing and configuring stuff. A pleasure on Windows, an absolute pain on Linux. Everything just worked on Windows, I had to wrestle with library versions and patches and unstable audio layers (Linux audio just sucks, except for JACK) on Linux.
Out of these, Blender and Maya were the best experience. But even then, both would suffer from random crashes that just didn't happen on Windows.
Ardour is actually really nice when it works. Its use of JACK for routing makes it really really flexible, but it just isn't stable enough to depend on. LMMS is utter crap. I'm sorry, but I just hate the UI. Can't stand it.
GIMP, Krita, and Inkscape can't beat Photoshop, even when you consider them together. Adobe software workflow is just so much better and more intuitive.
Blender 3D sculpting is not bad, but it's nowhere as good as ZBrush.
Also, if you're a C++ dev like me, nothing beats Visual Studio 2017. Nothing. That IDE just blows everything else out of the water. Even VSCode. And it's not slow at all, it handled a fairly large project (PBRTv3) just fine on my Windows development VM. Yes, a VM.
So...I ditched Linux and went back to Windows, but I keep Linux as a VM for when I actually want to mess with Blender or Ardour. Or some dev stuff which Windows sucks at (which is becoming less frequent because of WSL).
Out of all the above, the only one I'd consider ready for production use would be Blender. Developers of open source software, please learn from Blender. Kickass UI and user friendly operation is extremely important, you can't make a random window with GTK buttons and text boxes and arcane config files and expect people to use it for serious work.
Also, Windows beats Linux hands down as an everyday OS. It's always been rock solid, if you take care of it properly (and that goes for any OS). Updates hardly take any time because I run it on a SSD. As for all the advertising and marketing bullshit, you can block a large amount of stuff. And for what can't be blocked, well, I just have to live with it, because the alternative is compromising on my creative output, which is too much for me.
I still run Linux on my server, though. And on my embedded devices (Pi, BeagleBone, etc.). It absolutely rocks there.
I realize that Linux software is not going to improve unless we do something about it, so I'll be contributing fixes and code (the joys of being a C++ dev, yay). Still, I feel that the platform and software as a whole is just not mature enough.18 -
Visual Studio Code - ever since the beta.
VS Code is... amazing. There's no words to describe it. It's just amazing.
VSCode since the inception was just this tiny version of Visual Studio that you can transform into your own little IDE. That was the whole point of VSCode - it was a extensible editor. For many years I've used it and never looked back, I still use VS from time to time but Microsoft really nailed this one.
Most of the editors I knew lacked good auto completion and good linting, which IntelliSense was good, and it became even greater once support for languages started piling up. Themes also were top notch, I still remember you can't theme the entire window just the editor, nowadays you can.
And last but not the least is the Remote integration. I didn't need to leave my OS just to do work from another, I just need a SSH agent and it works. It's very straightforward and easy.
Overall Visual Studio Code is a editor that is more about choice and your own style - which makes it unique from IDEs, its fresh and its definitely earned its place as one of the most sought after tools in development.3 -
Despite common sense, I think technology is not making our lives easier. It's just build chaos on top of chaos.
Take server-side programming for instance.
First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)
Each of these moving parts come with their own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.
And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)
And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose an web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)
And you haven't written a single line of code yet, mind you.4 -
i hate linux like a lot , how do you guys use it
like you guys dont want an advertising ID, how the fuck will advertisers know who you are and what you like?
open source , give me a break, you mean your os devs are soo untrustworthy that you just have to see what they wrote in the code, who does that?
free come on, how poor are you linux people, i mean, quality stuff gets paid for, free stuff just means it's trash
and the linux devs , the aint like real coders they are just hobbysts, making your os in their free time
and who wants to install their own software anyway, on other platforms the company curates restricted software that you can use, and i know you'll say its oppressive but its just customer protection.
and i do want my platform to track everything i do, it only helps them build better stuff for me.
and whenever they decide to outdate my hardware and kill support for it, it only means they care and want me to get the latest tech, how considerate.
wait , i hear you say, there are no bugs in linux, my vendor makes sure my os comes with the latest antivirus software, nothing can break my system.
and just because linux runs on servers and most super computers only shows that common users like you and me are ignored, at least my vendor is not a sellout, and still makes stuff for the masses.
you say freedom i say safety i can sleep safe and sound for am protected nutured under one echosystem of software that i can not leave.22 -
Avoid ACPICA if at all possible. It's one garbage tier cluster fuck of bad design, horrible documentation and downright misleading and wrong code
It's meant to consist of an ASL compiler, disassembler, debugger, dumper, various user space utitilies and a kernel resident OSPM implementation *if* you can figure out what belongs to what. Even just compiling this pile of trash is a mystery in itself. Think you need the source files in source/common? EEEEH, wrong. Well, at least partially since most of them seem to be for the user space stuff..? Other ones *are* needed on the other hand. At least the disassembler and/or debugger and/or dumper components seem to reference them. Not that I could figure out how to compile those anyways. The real path to your goal seems to be to ignore a seemingly arbitrary subset of source and header files until your linker stops complaining
There's also a bunch of configuration defines, some of which *you* define, some defined *for* you, based on again others. Of course most of them do stupid shit. Enabling the debugger automatically enables debug logging. Enabling the disassembler force enables debug allocation tracking... What?
The code itself isn't of much help either. Looking in "os_specific/service_layers" you find what looks to be reference implementations of acpica functions in certain os' like windows and unix. Of course I had a look because AcpiOsReadMemory is supposed to read physical memory and I don't know how I would even implement that. But hey, osunixxf.c (xf for interface... of course) should tell me. I'll let you see for yourself in the attached image. Apparently it does fuck all and just returns AE_OK. No error, no logging, no nothing. Just ok. As you can imagine, AcpiOsWriteMemory doesn't do much more either.
...okay so maybe physical memory accesses aren't actually used and these functions are some sort of relic from past times? Nope! They are absolutely necessary for doing low level device interaction. WTF. So finally I went to the linux source and checked how *they* implemented them, and just as I thought, these functions are anything but no-ops...
...So for what fucking reason do these stupid interface implementations even exist but to purposefully mislead you?? They aren't used for fucking anything! As far as I know Windows doesn't even *use* ACPICA and Linux have their own fork with working implementations... They just sit there, just to tell you how to NOT do it
So that's some of my thoughts about ACPICA. Note that I haven't even used it as a library yet, I just got it to compile and link and it already fucked with me this much.
There's also so much more I didn't mention like that you *have* to modify the acpica source in order to get your own platform header working (else #error) eventhough the docs explicitely instruct you not too but you get the point
Don't use ACPICA if you don't have to. Save your sanity for something that's worth it -
Im building an android library that basically does file compression/ image compression etc its just a wrapper library around android's native c++ code.
I wonder how this is going to behave on different devices, as you all know when you do low level stuff, each manufacturer has his own way of doing things in their version of the Android OS.
Once i put this lib up on github please use the lib on your devices and tell me if you get any issues :D -
Do you trust github/gitlab/bitbucket? If you self-host, do you trust your hosting? do you trust gitea? if you don't use gitea, do you trust git? do you trust the way you got your copy of git? do you trust your os, as it might have tampered with your git? did you read the code? do you trust your internet connection that might have changed some packets? do you trust your https implementation? did you examine the traffic? do you trust your traffic sniffing tool? if you use your own hardware, do you trust it? do you trust its CPU/bios? if it's risk-v, do you trust chinese vendors of your cpu? they might have put some backdoors there. do you trust your other hardware? okay, you have the money to make your own cpus. do you trust your employees? do you trust your silicon? do you trust the measuring equipment you used to check if your cpu is safe? do you trust the literature in the field? but did you verify it though? did you?
it's always who you trust. if you want to bake an apple pie from scratch, you must first create the universe.9 -
Build my own phone and support the Zerophone project by writing code.
Seriously what the fuck is going on with the development of major companies smartphones. Every year all there is are larger displays, better and more cameras, faster processors and some more 'AI' thrown into the mix.
What the heck am I supposed to do with a phone costing multiple hundreds of euros but locked down with an OS spying on you. The processing power available is hardly ever used because most people just use apps like Instagram, WhatsApp or other messaging services.
I get why larger screens are useful but at some point it gets ridiculous.
Better cameras are useful to some degree as well but there's a limit to it.
If you really want to get into photographing then please buy an actual camera.
Another aspect I'd of course like to talk about is privacy. It's hardly existent on IOS or Android smartphones with Google services. Of course one can install different ROMs like Lineage OS but if I already pay multiple hundreds for a device then I'd prefer it working for and not against me.
And dare you break a single part of your phone. You can't really repair it yourself anymore and one can't even change its battery. Most people either have it repaired or just buy a new one and throw it away. There is so much electronic waste, very difficult and expensive to dispose of, just buried in the ground somewhere.
Summing up: I don't really know where the development of smartphones is heading. A phone is a device you carry around with you almost everyday so I'd like it to be tailored to me and not spy on me.
I hope the Librem phone will be a success and other open source phone projects will gain more attention. I want a phone I can repair myself and tailor the software running on it to my needs. I'd like to write messages, listen to music, make calls, run a WiFi hot-spot on the phone and maybe play some tiny games on it once in a while.6 -
Microsoft is always at it.
Hello, I recently discovered this eye candy of a looking website and how good the CSS looks (Kudos to whoever made this) , and I decided to post a rant of my own. And its about MS Edge and other applications.
So I built my own ATX tower a while back (Loving it) , and I found that it was WONDERFUL to have a computer that was brand new, that didnt have candy crush preinstalled on it when I got it.
Windows 10 users, do this:
Press WIN+I to open the settings menu.
Go to "Apps"
Scroll down the list....
How many applications do you see there that are actually useful , or that you have downloaded?
I never downloaded a Realtek Driver... and I never need it for anything to work. This is the case for 90% of the things you may see in the applications.
Why is HULU installed?
Why is NETFLIX installed?
Why is MINECRAFT BETA INSTALLED? THE BETA HASNT BEEN OUT IN YEARS?
But I digress, this is the case when I work on a computer such as my grandmothers who, bless her soul, isnt very adept at basic file management. Heck , she uses free Norton Antivirus against my recommendation to use the PAID active firewall application on her computer (VIPRE)
So needless to say she needs help. All the time.
So here comes microsoft recently, reinstalling like 15 different programs on her computer , including MS edge. Who else is tired of bloating? I know I am.
I recently found this program on Git!
Its the Sycnex Windows 10 DeBloater
But guess what? DONT USE IT.
Wanna know why?
Because if you do, it works, and if it works, it disables:
- Cortana (basic search engine for your OS, good luck finding candy crush).
- Microsoft Store (That means no XBOX games pass either)
- It breaks part of the file explorer
Wanna know why? BeCaUsE it geTs riD oF Ms EdGe
And believe it or not, apparently MS edges source code is Mandatory for certain functions on your computer. So even If you try to uninstall the browser, it stays behind in some form.
So there you have it. They hard coded it into windows.
Enjoy!
So its not even the author of the GITHUB programs fault, its just a real techincal limitation of the platform.
I hate that stuff man. I really do. There should be 20 things installed on my computer and thats it. Everything else is just, space for games on a solid state. Or Eclipse Photon, etc.
I would post links to show you guys a few things but. Unfortunately I cant post URLs yet!
However, thats my first rant. Hope you liked it.20 -
- Dealing only with your own code
- Having enough time to improve and refactor your code whenever you want
- Bug reports are detailed af and not just like "doesn't work"
- Choosing the IDE (and OS maybe, too) by yourself
- Having enough time for bugfixes, implementations
- Software is ready, when you want it, not anyone else.
- Visiting trainings or seminars to improve your skills whenever you want
Yeah, that would be pretty awesome.3 -
I spent the whole damn day trying to setup grpc-web, but this protocol is documented so damn poorly!
You manage to set grpc up for one language and it’s all cool, then you stupidly think that you are free to reuse the compiler you used for the nodejs version for your frontend part but nope! Our web module is now deprecated, please use this module instead!
“Ah yes just clone the repo and check out (…) and you can also check this link whic is in no way highlighted in the middle of a wall of text (…)”
*checking the other page*
Ah yes you need to install a package available only on your unix machine (great! Screw the devs in my team who use windows I guess, they’ll be happy to hear this!) and don’t forget to clone this repo to build your own plugin! And by that I ofc mean to compile it on your own!
- compiler error
After digging for an hour you find a requirement in an obscure issue opened and closed cause “ah yes we have a dependency not stated anywhere” *close issue and never add it to the project*
Fine, fine I can survive this bs
- another compiler error, no solution found after 2 hours
Honestly? Why the fuck do I need to compile this stuff? Just give me a damn npm package I can use? Goddamn it’s just transpiling, you don’t need access to my OS! (Aside for fs to save the files, and which btw is accessible via nodejs)
Now, I COULD download the latest realease as a precompiled, but… honestly?
I give up, I’ll do some shitty rest apis cause the customer’s not paying me enough for even THINKING to go trough this shit again when they’ll ask an iOS app. Or having colleagues asking me to help them understand how to do it.
Side note: also add typescript support to the web-code-generation ffs! Why does node have it and web don’t?5