Category Archives: News

Shared items and notes from my feeds and browsing.

Thunderbolt 3 becomes USB4, as Intel’s interconnect goes royalty-free

Source: Ars Technica

Article note: While Intel going royalty-free on their interconnect is useful, none of the articles I've seen are discussing the security implications. Thunderbolt supports DMA (and other lower-level access) that USB doesn't, and there have been a variety of exploits in the wild for like 5 years at this point (see Thunderstrike & co.). USB is a relatively low-privilege connection; making the power socket, cheap peripheral connector, and other throwaway connections able to surreptitiously ask to root around the host system's memory seems like a questionable feature.
A very dramatic-looking Thunderbolt 3 cable.


Fulfilling its 2017 promise to make Thunderbolt 3 royalty-free, Intel has given the specification for its high-speed interconnect to the USB Implementers Forum (USB-IF), the industry group that develops the USB specification. The USB-IF has taken the spec and will use it to form the basis of USB4, the next iteration of USB following USB 3.2.

Thunderbolt 3 not only doubles the bandwidth of USB 3.2 Gen 2×2, going from 20Gb/s to 40Gb/s, it also enables the use of multiple data and display protocols simultaneously. We would expect the USB4 specification to be essentially a superset of the Thunderbolt 3 and USB 3.2 specifications, thus incorporating both the traditional USB family of protocols (up to and including the USB 3.2 Gen 2×2) and the Thunderbolt 3 protocol in a single document. Down the line, this should translate into USB4 controllers that support the whole range of speeds.

Intel has previously announced that its Ice Lake platform, due to ship later this year, will integrate both Thunderbolt 3 and USB 3.1 Gen 2 (aka USB 3.2 Gen 2) controllers. Currently, offering Thunderbolt 3 requires the use of an additional chip, one of Intel's Alpine Ridge or Titan Ridge Thunderbolt 3 controllers. Integration into the platform means that system-builders no longer need to choose whether or not to include the extra chip; the capability will be built in, and as such, we'd expect to see it become nearly universal.


Posted in News | Leave a comment

Did you hear the one about Cisco routers using strcpy insecurely for login authentication? Makes you go AAAAA-AAAAAAAA *segfault*

Source: The Register

Article note: Again? It's a classic "strcpy into a buffer fixed-bytes away from the return address" bug.

RV110W, RV130W, RV215W need patching to close remote hijacking bug

Cisco has patched three of its RV-series routers after Pen Test Partners (PTP) found them using hoary old C function strcpy insecurely in login authentication function. The programming blunder can be exploited to potentially hijack the devices.…


Burning Digital Books and the Fight over Online Ideology

Source: Hacker News

Article note: It's not a great essay, but at least it does hit the "proximity and reach as the primary problems" point that I've been steadily more convinced of. The internet (and especially social media) means you are constantly confronted with your neighbors' ideas you find abhorrent, and you and your neighbor can both round up a global-scale mob who share your probably-abhorrent-to-others ideas, and that's a recipe for disaster. I read Neal Stephenson's Diamond Age (published in 1995) recently, and while its most interesting thoughts (to me) are about education, it also has an _awful_ lot about the inherent difficulties of pluralistic society, especially in the face of delocalization. Tragically, it didn't have much in the way of good advice on solutions.

#FixItAlready: EFF’s wishlist for fixing tech’s worst privacy and security choices

Source: Boing Boing

Article note: I really like this "concrete examples in familiar products, explained with implications" presentation of agitating for better behavior.

Android should let users deny and revoke permissions; Apple should let people encrypt iCloud backups; Twitter should end-to-end encrypt DMs; all these and more appear on the Electronic Frontier Foundation's #FixItAlready page, which calls out Big Tech's biggest players for their biggest security and privacy fumbles, and explains in clear terms why these changes are needed.


UC terminates subscriptions with Elsevier in push for open access

Source: Hacker News

Article note: Damn. The UC system is not a small player, and while several large European institutions have already done so, AFAIK they're the first large entity in the U.S. to ditch Elsevier. It is a legitimate "death to the parasites" situation, but also a little annoying on the ground floor to have to take "alternate" methods to get to publications.

The F(x)tec Pro 1 is a love letter to your old QWERTY keyboard phones

Source: Engadget

Article note: That looks like a really great form-factor - had something like this been available and credible at the time I bought my SGS9 I would have gone for it instead.
If you're a geek of a certain age, you probably had some kind of phone with a physical keyboard. For me, it was the BlackBerry Tour. For my younger sister, it was the magnificently chunky Motorola CLIQ. And for F(x)tec co-founder Liangchen Chen,...

STMicro STM32MP1 Cortex A7/M4 MPU Supports Linux and Android

Source: Hacker News

Article note: Rad. It's presumably aimed at the same niche as the TI AM335x (think BeagleBone) only instead of having more-deeply-integrated but weird custom PRU-things for real-time offload, it has a Cortex A4 coprocessor just like the widely-used STM32F4 family for similar purposes. Should be _awesome_ for standalone machine controllers and the like.

Case Study: Hacking Password Managers

Source: Hacker News

Article note: Interesting. Some of those are reasonably low-hanging problems, most are way past the sophistication of anything but a serious targeted attack. The relatively good performance of KeePass does provide further evidence for my "I want my password manager to have as little surface area as possible" principle. You can't have network and plugin leaks if the features aren't there.

To Help Students, Colleges Are Dropping Remedial Courses. Will That Backfire?

Source: The Chronicle of Higher Education | News

Article note: I increasingly view leading on people who aren't ready as _cruel_ and bordering on theft. The absurd cost of college makes dithering in college a life-fucking proposition for many, and having students who (for example I have to deal with) don't understand _variables_ in sophomore-level math-based courses is a demoralizing waste of time for all involved. I sometimes get unpublished numbers through the grapevine; the 5-year success rates for students admitted to UK's college of engineering who aren't calculus-ready are so low as to be essentially inevitable failure. Empirically, many of our most successful students are the ones who had the wherewithal to pre-position themselves at a community college at a tiny fraction of the cost. We want more of the latter and fewer of the former. Build a robust system to get them into programs that position them to succeed. Find ways to make those programs cheaper, more accessible, and more cleanly connected to college paths. I'm not sure that one of my colleagues' "Offer deficient students admittance contingent on attending and successfully completing a remedial summer program" could be made to work here in reality, but it's still more promising than leading them on for a very expensive year then torturing them until they drop out. Universities are disincentivized to do the right thing here because then they don't get to cash in on the crash-and-burn process of hopeless cases filling seats in their giant service courses.

As colleges enroll more underprepared students, they’re increasingly eliminating remedial courses. Critics say it’s unrealistic to expect nearly every student to succeed right off the bat — even with extra academic support.


Warning: debian stable kernel upgrade breaks most ARM SBC

Source: Hacker News

Article note: Shit. There are a lot of unattended-updating, Debian/ARM appliances in the world, and this can brick them. It sounds like, ironically, there might be a regression in their not-breaking-ABI patchset, which is why less-stability-focused distros didn't get hit.