zimmie

  • Big Tech crackdown efforts continue with more calls for Section 230 reform

    I think there is a meaningful difference between posts individuals make (speech on the platform), and recommendations companies make (speech by the platform). The major issue—which has been demonstrated repeatedly—is that algorithms optimized for "engagement" are ultimately trying to get people addicted, and extremist media is addictive, so they recommend it. Targeting just those recommendations is the scalpel to the hand grenade of removing Section 230 entirely.

    I also think most of the goal could be accomplished while leaving Section 230 in place with no modifications. Recommendations of what to view next from the platform aren't part of what the user posted. If YouTube and Facebook had not recommended conspiracy nonsense for so long, we wouldn't have millions of people thinking world leaders are literally drinking the blood of children who are kept in tunnels under major cities.
  • Apple 'M1X' chip specification prediction appears on benchmark site

    crowley said:
    I'd have thought that doubling the GPU core count will still leave it pretty limited compared to a dedicated graphics card unless there's some other special sauce in there.
    The M1's GPU can perform 2.6 TFLOPS. The 16" MacBook Pro currently ships with one of three GPU options:

    Radeon Pro 5300M: 3.2 TFLOPS
    Radeon Pro 5500M: 4.0 TFLOPS
    Radeon Pro 5600M: 5.3 TFLOPS

    The iMacs ship with a handful of GPU options:

    Intel Iris Plus 645: 0.8 TFLOPS
    Radeon Pro 555X: 1.4 TFLOPS
    Radeon Pro 560X: 2.1 TFLOPS
    Radeon Pro Vega 20: 3.3 TFLOPS
    Radeon Pro 5300: 3.7-4.6 TFLOPS
    Radeon Pro 5500: 4.7-5.2 TFLOPS
    Radeon Pro 5700: 6.7-7.9 TFLOPS
    Radeon Pro 5700 XT: 8.2-9.8 TFLOPS

    GPU performance scales almost linearly with core count, so this "M1X" (I still think "M1 Pro" is more likely) should manage around 5.2 TFLOPS. That matches the top-end optional GPU on the 16" MacBook Pro and matches the Radeon Pro 5500 on the iMacs (better than the best available GPU for the 21.5" iMac, matches the midrange GPU for the 27" iMac).

    AMD doesn't currently make any higher-performing laptop parts, so this is plenty of performance for a 16" MacBook Pro. Matches the best you can get on the Intel version at much lower power consumption. I think either this chip or something very much like it will end up in a high-end Mac mini, the 16" MacBook Pro, and the 21.5" iMac.

    Forgot to mention: the M1 also has twice the GPU performance of the Xbox One or Xbox One S. They're still pretty decent compared to dedicated desktop video cards.
  • What the M1 and Apple Silicon mean for Mac security

    Does anyone know if Spectre and Meltdown will affect M1? https://meltdownattack.com <--

    M1 isn't equal to ARM, but the ARM website itself says ARM may be affected: https://developer.arm.com/support/arm-security-updates <--

    I'm particularly curious about the Rowhammer attack.

    Apple should update this page to discuss M1 Macs: https://support.apple.com/en-us/HT208394
    Ignoring a big chunk of the post which has already been shown to be bogus.

    Spectre (CVE-2017-5753 and CVE-2017-5715) theoretically impacts any processor design which uses speculative execution (a technique used to speed up a single thread on a processor), but the negative security impact of speculative execution had been known for years beforehand. The exact vulnerabilities given the "Spectre" name require the ability to run code on the same core uninterrupted for a while to train the branch prediction, and that gets you a few bytes of target data. Then you have to start again to get a few more bytes. Bad for servers (especially servers where your adversary can buy the ability to run software, like AWS), but mostly a non-issue for personal machines.

    Meltdown (CVE-2017-5754) involves relying on out-of-order execution (again, a technique used on modern processors to improve thread performance). When you try to read a given memory location, some processor designs sometimes copy the memory into cache before they check whether you are allowed to read the data. This is more reliable, and takes much less time than training the branch predictor for Spectre, but it still requires the ability to already run arbitrary code on the system in question. Again, bad for servers, especially multi-tenant systems like AWS, but mostly not a problem for personal machines.

    Rowhammer is a physical property of dynamic RAM. With low-privilege code, you can potentially retrieve data from adjacent RAM locations to the locations you are using, but you have no control over where the system puts you, and no way to see actual memory addresses. And if you have control over the memory layout, you already have the ability to execute privileged code. This is almost entirely a non-issue for any machine, because exploiting it effectively requires having a level of access which makes exploiting it unnecessary.

    All of these are substantially overhyped. Don't run programs from sketchy sources, and they're basically non-issues.
  • New antitrust legislation targets Apple, other tech giants

    The "prevent platform holders from doing business on their own platform" is one bit of regulation which has worked really well in Texas. Here, companies are not allowed to both own power lines and own power generation capacity. Only one company handles the power lines to my house (giving them the captive market which justifies infrastructural spending), but their prices are regulated. Meanwhile, the power generation market is competitive. I can buy my electricity from a bunch of companies.

    Unfortunately, we don't extend it to telecom companies. Owning the lines and owning content you sell over those lines should be prohibited.
  • macOS Sudo vulnerability could give root privileges to any local user

    auxio said:
    Given how long these tools have been around (40+ years in some cases), how relatively simple the code is compared to modern software, and the fact that they're used in server environments, I'm very surprised they haven't been fully security audited by now.
    zimmie said:
    sudo is not at all simple, and it has reached the level of complexity where it's basically impossible to confidently reason about it. The OpenBSD team made something simpler (doas) a while ago. Maybe this is the kick people need to finally adopt it more broadly.
    auxio said:
    I agree that Apple should be paying attention to what the OpenBSD community is doing. That said, every developer I've ever met thinks that recreating the world in their own image is better than trying to fix what already exists. Right up until the point where they no longer have the time/desire to maintain the world they created, and the next developer who comes along has the same attitude. Given that it's no small undertaking to integrate new, low level tools, I'm sure Apple (and others) don't want to spend the effort to change, just to have to change again. They'll wait for a level of maturity, maintenance, and acceptance before changing.
    TedU is great at fixing things which already exist, and when he decides it's time to start over, I'm inclined to believe him. It's like if John Carmack says you really should use a new game engine.

    The sudoers manpage alone is 2871 lines long. It opens with a "quick guide to Extended Backus-Naur Form", which is a language for defining the grammar of formal languages. That's gratuitously complicated. sudo's source tree has 374 C-language files in it right now.

    In comparison, the whole of doas is ~1400 lines of code, including manpages for doas itself and its config file, doas.conf. A program that small is possible to reason about effectively.