Archive for November 26, 2021

Friday, November 26, 2021 [Tweets] [Favorites]

Xcode’s Environmental Pollution

Daniel Jalkut (tweet):

After a lot of trial and error, I came across the strangest observation: if I invoke “xcodebuild” from within my Python-based build script, the warning is emitted. If I invoke it directly from the Terminal, it isn’t. In fact, if I simplify my build script to simply invoking “xcodebuild”, the warning happens. Stranger still? If I change the script from “python3” to just “python”, the warning goes away again.

[…]

Sure enough, the environment variables differed when I ran the script with “python” vs. “python3”.

[…]

That “CPATH” entry for example only exists when invoking the script with python3, and it’s this very environment variable that is creating the unexpected Xcode warnings!

I was perplexed about how or why the version of Python could impact these environment variables, but then I remembered that python3 is bundled in Xcode itself, and the version at /usr/bin/python3 is a special kind of shim binary that directs Apple to locate and run the Xcode-bundled version of the tool. Apparently, a side-effect of this mechanism causes the problematic environment variable to be set!

New Rowhammer Techniques

Catalin Cimpanu (via Hacker News):

Google says Rowhammer attacks are gaining range as RAM is getting smaller A team of Google security researchers said they discovered a new way to perform Rowhammer attacks against computer memory (RAM) cards that broaden the attack’s initial impact.

[…]

Initial Rowhammer attacks targeted RAM DDR3 memory cards, but academics kept researching the topic. In the following years, they also discovered that Rowhammer attacks could also impact RAM DDR4, that attacks could be executed via JavaScript code loaded on a web page, or even via network packets sent directly to a computer’s networking card.

Furthermore, researchers also found that Rowhammer attacks could also be used to exfiltrate data from the RAM (not only alter it) and that attacks could also be accelerated by using locally installed GPU or FPGA cards.

[…]

In a new attack variation named Half-Double, researchers said they managed to carry out a Rowhammer attack that caused bit flips at a distance of two rows from the “hammered” row instead of just one.

Computer Security Group (via Bruce Schneier):

We demonstrate that it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort.

[…]

As the search space of non-uniform patterns is huge, we conducted a series of further experiments to determine the structure of patterns that effectively bypass TRR. Our experiments showed that the order, regularity, and intensity of accessing aggressor rows in non-uniform patterns are essential. We noticed that our observations nicely match with common parameters of the frequency domain, namely frequency, phase, and amplitude. We used these parameters to design frequency-based Rowhammer patterns that can effectively explore the space of non-uniform patterns. We implemented these patterns in a black-box fuzzer named Blacksmith that determines suitable parameter values crafting effective patterns targeting a specific device.

Previously:

Metal-cpp

Apple (via Hacker News):

Metal-cpp is a low-overhead C++ interface for Metal that helps developers add Metal functionality to graphics apps, games, and game engines that are written in C++.

[…]

No measurable overhead compared to calling Metal Objective-C headers, due to inlining of C++ function calls.

[…]

For convenience, you can alternatively use metal-cpp as a single-header include in your project.

[…]

Metal-cpp follows the object allocation policies of Cocoa and Cocoa Touch. Understanding those rules is especially important when using metal-cpp because C++ objects are not eligible for automatic reference counting (ARC).

It’s not often that Apple encourages using C++.

Previously:

2021 E-reader Roundup

Jason Snell:

Which brings me to page-turn buttons. The Paperwhite still doesn’t have them. Amazon has decided that page-turn buttons are a premium feature that should only be available on its $270 Oasis. (This is one of the reasons I recommend the Kobo Libra 2.) Clicking a button is just a better way to move through a book than moving your finger from the edge of the device’s bezel to over the screen for a single tap or swipe, and then putting your finger back on the bezel.

[…]

If physical page-turn buttons are something you care about, and you don’t mind a screen that’s recessed into the bezel, the $180 Libra 2 is a great choice.

If you can’t countenance a recessed screen and want a larger screen, the $260 Kobo Sage is a big, beautiful e-reader with some fancy features like Dropbox support—and of course, physical page-turn buttons.

[…]

Beyond compatibility, though, the Kobo experience is remarkably similar to the Kindle. You can buy books on Kobo’s store, either on the device or on the web. The prices are the same as those found on the Kindle Store. Of course, Kindles have access to Amazon services like Kindle Unlimited. On the other hand, Kobos are much better citizens when it comes to borrowing e-books from your local public library.

Previously:

Update (2021-12-03): Jason Snell:

When I say Kobo e-readers are better at Overdrive than Kindles, I’m not saying Kindles don’t work. I’m saying that it’s not nearly as good as an experience as it is on a Kobo. (This is unsurprising, since the owners of Kobo also owned Overdrive for several years.)