
Computing At Chaos Manor: August 7, 2006

The User's Column, August, 2006
Column 313, part 2
Jerry Pournelle jerryp@jerrypournelle.com
Copyright 2006 Jerry E. Pournelle, Ph.D.

Continued from last week.

The big news in August often comes from the Apple Worldwide Developers Conference. Apple didn't disappoint us. The conference was on Monday, August 7, this year. I didn't get to that conference, so we open this month with a special report from Peter Glaskowsky, who did get there.

WWDC 2006: New Systems, New Software

Peter N. Glaskowsky
The Envisioneering Group
Formerly Editor in Chief, Microprocessor Report

Today, Apple CEO Steve Jobs took the stage at the company's Worldwide Developers Conference to announce two new high-end systems and describe some of the features of Apple's upcoming Mac OS X version 10.5, known as "Leopard."

The new systems replace the Power Macintosh G5 and Xserve systems, which were based on IBM's PowerPC 970 processors. Although the Intel-based Xserve was announced today, it doesn't ship until October. The G5 replacement, dubbed "Mac Pro," is available immediately.

Both new machines use Intel's latest dual-core Xeon processor, code-named "Woodcrest". Dual-processor configurations are standard on all models, so these are quad-core systems. Woodcrest is the first 64-bit processor from Intel that can outrun the PowerPC 970 on the media-rich applications used by Apple's professional customers, so it was logical for Apple to wait until now to upgrade these systems.

Apple's consumer and mobile-professional systems (Mac mini, iMac, MacBook, and MacBook Pro) all moved to the Intel platform earlier this year, so today's announcements complete Apple's transition away from PowerPC in just 210 days. That's a remarkable accomplishment, faster and smoother than the two-year shift from Motorola's 68000 processor family to PowerPC in the mid-1990s.

The Mac Pro comes in the same heavy-duty aluminum enclosure used on the Power Mac G5, but it's been completely redesigned inside. Heat sinks for the processors no longer take up as much room, so Apple has been able to fit four hard disks plus two optical "SuperDrives" inside the case. Also, the new machine doubles the amount of RAM (up to 16GB) and comes with two Gigabit Ethernet interfaces instead of one.

Apple is using a standard Intel chipset (the 5000X) on the new Mac Pro, but it has found a way to differentiate itself from mainstream PC vendors with its PCI Express slots. The system comes with four slots. One is a double-width 16-lane slot for high-performance graphics (Apple offers NVIDIA's high-end Quadro FX 4500 as an option) and one is a standard x1 slot, but the other two are unique. If a double-width graphics card is installed in the lower of these two slots, the other slot can be disabled and its PCI Express lanes re-routed to the graphics card to create a x8 slot. If two storage or networking cards are installed in these slots, each gets four lanes. No other Intel-based system offers this flexibility. A small point, perhaps, but evidence that Apple continues to innovate on PC platform technology.

The new systems are much faster than the ones they replace. On the industry-standard SPEC multiprocessing benchmarks, the 3.0 GHz Mac Pro is 113% faster on integer tests and 58% faster on floating point. Apple's testing on professional multimedia applications shows the new system is 40% to 80% faster. Power efficiency for the Xeon processor is up to three times as good as that of the G5.

The new systems are also priced reasonably, both coming in around $800 to $1,000 cheaper than Dell workstations and servers with the same processors, memory, and hard disks. The Mac Pro starts at $2,499, while a basic Xserve will run $3,000 or so.

The other half of Jobs' presentation covered ten of the new features coming in Mac OS X 10.5, code-named "Leopard." Leopard is now scheduled to ship in the spring of 2007. Many expected it to come out between January and March, but Apple was never so specific. Even if you think of this new schedule as a delay, at least Leopard is gaining features as it goes along - unlike Microsoft's Windows Vista, which has shed a number of the features it was originally intended to include.

The ten improvements described in the keynote were a mix of developer and end-user components; some reside deep in the OS, and some provide important new user-interface features. Jobs said there were many other changes that he wasn't yet willing to reveal, however, so that Microsoft couldn't copy them.

  1. 64-bit support now extends throughout the programming model. Previously, "Carbon" and "Cocoa" user-interface code had to operate in 32-bit mode.
  2. Leopard will integrate a new backup utility called "Time Machine." Actually, it's unfair to call it a backup utility. Time Machine includes enhancements to the filesystem itself and to many key applications that track every change to every file on the machine, and allow the user to roll back an individual file, a folder, or the entire system to the state it was in at any previous time. Time Machine comes with a new 3D-based user interface that must be seen to be appreciated. The folder or application window being rolled back is presented against a moving starscape. Copies of the window march into the distance using real-time 3D animation. This is perhaps the first application-level appearance of a 3D user interface that is not merely gratuitous eye candy. I was very impressed.
  3. Existing Apple applications are being updated for the Leopard release, including Boot Camp (the Windows dual-boot software package), iCal, and others. Optional features such as Front Row (the multimedia-playback user interface) and Photo Booth (which creates real-time special effects for built-in cameras on MacBook and iMac systems) are being integrated into the basic OS.
  4. Leopard supports a virtual-desktop scheme called Spaces. Applications can be assigned to one of four desktops, and keyboard shortcuts let the user swap between these desktops. The Spaces demo showed some significant limitations, but I'll wait to see how this feature turns out in the final release before drawing any conclusions.
  5. Spotlight is being extended to search servers and other Macs where the user has access permissions. It also gains advanced-search options, an application launcher like the quick search-and-launch function in Vista, and a Recent Items list.
  6. A new developer feature called Core Animation has been added that greatly simplifies 3D user-interface management. Core Animation is what Apple used to create the moving starscape for Time Machine, for example.
  7. Leopard's Universal Access feature has been upgraded with a very sophisticated text-to-speech algorithm that sounds much better than the synthesizers found in Mac OS X 10.4 or in Microsoft's Vista beta releases.
  8. The Mail application has been much improved. As fellow Envisioneering analyst Dan Sokol commented, this was "not hard." Mail now supports stationery for easy HTML email creation plus special Note and To-Do message types. These message types can also be generated by other apps using a new software interface.
  9. Dashboard, the Mac OS X "widget" system, has a few new features. Developers get Dashcode, a new tool to simplify the creation of custom widgets. End users get Web Clip, which allows any portion of any existing website to be turned into a custom widget with just a few clicks. In a demo, we saw how to clip out just the Dilbert comic strip from the Dilbert.com website and turn it into a widget - without the ads that usually surround the strip. I expect this ability will provoke strong objections from commercial website operators, advertisers, and others who want to retain control over how their content is presented. It's basically an OS-level version of the old "framing" problem.
  10. Finally, iChat has been extended to support multiple simultaneous logins and chat sessions using a tabbed window, animated icons, video recording, and video effects using Photo Booth. iChat can also put a backdrop behind the user based on still images or movies - if you want to look like you're chatting from Times Square, now you can. More seriously, iChat can now be used to present images, slides, QuickTime movies, or other content in a videoconference with multiple users. Business users will find that feature immensely valuable.

The initial reaction to the keynote announcements on some of the popular Apple message boards was mixed. The usual pre-keynote rumors led to high hopes and subsequent wry humor. As Michael Weisert commented on the Infinite Loop email list, "Let me call you on my iPhone and we can chat about it. That, or you can upload a video podcast for me to see it on my new full-screen iPod."

Actually, the new iChat should help with creating video podcasts. But there was no iPhone and no new iPods.

New MacBook Pro and iMac systems must be in the pipeline somewhere, however. Apple made no announcements related to Intel's Core 2 Duo processors, which officially began shipping today. That surprised me, but it's only been seven months since the MacBook Pro was announced, and sales are still very strong. Jobs reminded the audience of research firm NPD's estimate that Apple had 12% of the US retail market for notebook computers in June. However, Apple's notebook market share worldwide, across all sales channels, must be much smaller. Having sold roughly 800,000 notebooks during the most recent quarter, Apple's overall share worldwide is probably around 4%.

That's still a big improvement over past years, and it means Apple can afford to wait a month or two before upgrading the Pro laptops to the Core 2 Duo "Merom" processor, which delivers significantly improved performance (but basically the same battery life). Intel has said that Merom notebooks won't be available from anyone until the end of August, so perhaps Apple decided to give these machines their own launch event.

The MacBook Pro today suffers from the lack of 64-bit support and too-close competition from the cheaper (and arguably more attractive) MacBook machines, which have the same basic features. Upgrading the Pro series with a Core 2 Duo processor will help set these systems apart from their cheaper cousins and help keep Apple's sales growing for another year.

Peter Glaskowsky is a Mac enthusiast who regularly uses Windows machines at work. He also drives a BMW, which is not irrelevant. He does not play computer games.

Bob Thompson, who has never been a Mac enthusiast and has entirely given up Windows for Linux machines, says of the Mac's PCI slot arrangement,

Perhaps I'm jaded, but this strikes me as a gimmick. A standard PCIe x1 slot offers 250 MB/s, which is sufficient for most storage or networking cards. (It's true that the current SATA standard defines 3 Gb/s transfers, but single hard drives max out at a small fraction of that transfer rate. Even dual external SATA hard drives aren't bottlenecked by a 250 MB/s interface, and it's a rare external PC-class array that would be constrained by an interface that supports 250 MB/s transfers.)

Many PC motherboards have an arguably more useful arrangement, such as dual x16 (some actually dual x8 electrically, but some true dual x16) video card slots, and two x1 slots. Some offer dual x16 video slots, an x1 slot, and an x4 slot.

I tend to side with Peter in that it's an innovation, but I do wonder how many will take advantage of this feature. More on this discussion next week.

My advice to those contemplating powerful new computers: if you're mostly doing video editing, get the hottest Xeon Mac Pro you can afford. The chances that you'll regret it are small, and when you're not doing video editing you'll be able to run both Mac and Windows software at far better than acceptable speeds. Of course, this assumes you need a machine with world class power. Most of us don't run any kind of software that requires that much power.

For the rest of us, it's probably still not time to upgrade our Mac PowerBooks to the new Intel MacBook machines. The Core 2 Duo "Merom" systems show enormous promise, and I for one intend to wait for them.

All told, Apple has once again proven to be a major player in the high end market.

DEFCON and the Wi-Fi Exploit

One reliable (and very knowledgeable) observer reports:

What these guys have done is to do a proof-of-concept demonstration for a *class* of vulnerabilities. Lots of folks, including yours truly, have idly speculated about this sort of thing for a while; they went and did it. They used a third-party USB adaptor in their demonstration video a) in order to make it clear that this wasn't limited to the Macs, but is rather a general category of vulnerabilities applicable to multiple chipsets/drivers/OSes and b) because Apple asked them not to lean too heavily on the specific Mac chipset angle until Apple releases a fix.

They didn't provide any details - the 802.11 Wi-Fi spec is big and complex and rococo (it includes layer-2 fragmentation, for God's sake), and so the architectural complexity of what's required to implement the spec means that it isn't too surprising that an issue of this type would arise, given that one man/group does the networking chipset, another man/group does the firmware, another man/group does the OS networking subsystem, and another man/group does the driver. There's very little system-level testing going on in terms of looking for corner-cases which could present problems.

Although there were no hints of this in the presentations, one wonders if a similar class of vulnerabilities might exist for standard wired Ethernet (and potentially other media) adaptors, as well.

Another interesting session had to do with printer vulnerabilities - modern networked printers are essentially computers, and there was a session showing examples of how Xerox networked printers could be compromised, copies of all print-jobs stolen, the printers themselves used as jumping-off points to identify and compromise other computers, etc. The researcher in question worked with Xerox to help them identify and correct these vulnerabilities, and Xerox customers can download fixed code from Xerox.

More from DEFCON

Everyone knows that the US Federal Government sends agents to DEFCON. Usually there is at least one overt official attending, but there will also be covert agents. One supposes they hope to spot bad guys among the audience and presenters.

This has resulted in an annual game of "spot the Fed." This year was somewhat different. I have this report from a reliable source:

There was a new twist on 'Spot the Fed' this year - a young woman identified a chap as a Fed, and instead of doing the normal routine in which the accused is brought before the crowd and asked directed questions in order to hopefully narrow down his agency affiliation and job, she simply asserted that she -knew- he was an Army E-6 because she picked him up at a party, slept with him, and then rummaged through his things once he'd fallen asleep (he's apparently TDY at some TLA in the D.C. area). I guess they don't teach the Army guys about Mata Hari and honeytraps, these days.

Peter Glaskowsky on Wi-Fi Vulnerability

Continuing the discussion of the Wi-Fi story, last week I said:

> it's the Wi-Fi hardware itself that provides
> the hacker entry into the system.

Peter comments:

This is true, but in the sense that the Ethernet jack is involved in conventional attacks. The problem isn't with Wi-Fi per se, but in what happens once packets come in through the Wi-Fi connection.

What's happening here is that Wi-Fi adapters aren't completely independent of the rest of the system. Even when the machine isn't supposed to be connected to any wireless network, software running on the CPU processes certain packets coming into the Wi-Fi interface. For example, if your machine is set up to automatically connect to your office network when you arrive at your office, software runs on the CPU to check the name of each newly discovered network against the networks you've approved.

The vulnerability involves constructing packets that contain machine code for the targeted CPU that will cause some kind of problem, such as a buffer overflow error, that forces the CPU to start running the code. I don't know if this particular attack uses a buffer overflow, or if it involves the network discovery function, but that doesn't really matter at the moment.

So the problem is that the Wi-Fi adapter is always active even when it isn't connected to a network; it's sort of like having your wired Ethernet plugged into a hotel network even when you aren't using it. Or you could think of it as leaving your modem connected to the phone system, so people can dial in and start sending data to it in hopes of causing a malfunction without you noticing what's going on.

Personally, I've always assumed that Wi-Fi is potentially vulnerable to this sort of attack. Since the early days of Wi-Fi, there have been warnings about people creating bogus networks with popular names like "Wireless" so that your machine will automatically associate with them and they can start hacking. This new attack is much more subtle, but it's the same principle.
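To make Peter's point concrete, here is an added illustration (my own example, not code from any driver and not the bug demonstrated at DEFCON) of the kind of parsing that runs on the CPU for every beacon the adapter hears: a driver must copy the network name out of each frame, and if it trusts the length byte in the frame, an oversized name overruns its fixed buffer. The version below checks every length against both the frame and the 32-byte limit the standard defines; the frame layout is assumed from the 802.11 specification and the sample frames are constructed, not captured.

```c
/* Bounds-checked parsing of the SSID element in an 802.11 beacon body.
 * Added illustration of the bug class discussed above; not the code of any
 * real driver and not the specific flaw shown at DEFCON. Layout assumed from
 * the 802.11 standard: 12 fixed bytes, then elements <id:1><len:1><payload>. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID      0
#define MAX_SSID_LEN 32   /* maximum the standard allows */
#define BEACON_FIXED 12   /* timestamp(8) + interval(2) + capability(2) */
struct ssid_info { char name[MAX_SSID_LEN + 1]; size_t len; };

/* Returns 0 and fills *out on success, -1 if the frame is malformed.
 * An unchecked driver would memcpy(out->name, body + pos + 2, len) with no
 * test on len, so a beacon advertising a 200-byte SSID would write past the
 * 32-byte buffer: the kind of defect the column describes. */
int parse_beacon_ssid(const uint8_t *body, size_t body_len, struct ssid_info *out)
{
    if (body == NULL || out == NULL || body_len < BEACON_FIXED)
        return -1;
    size_t pos = BEACON_FIXED;
    while (pos + 2 <= body_len) {           /* need id and length bytes */
        uint8_t id  = body[pos];
        uint8_t len = body[pos + 1];
        if (pos + 2 + len > body_len)       /* element runs past frame end */
            return -1;
        if (id == IE_SSID) {
            if (len > MAX_SSID_LEN)         /* longer than the standard allows */
                return -1;
            memcpy(out->name, body + pos + 2, len);
            out->name[len] = '\0';
            out->len = len;
            return 0;
        }
        pos += 2 + len;                     /* skip elements we don't need */
    }
    return -1;                              /* no SSID element present */
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,  /* fixed fields */
    1, 2, 0x82, 0x84,                       /* supported-rates element first */
    IE_SSID, 6, 'b','e','a','c','h','1' };  /* SSID "beach1" */
static const uint8_t truncated_beacon[] = { /* claims 200 bytes, carries 3 */
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04, IE_SSID, 200, 'x','x','x' };
/* Self-checks, each returning 1 on the expected outcome. */
int check_good(void) {
    struct ssid_info s;
    return parse_beacon_ssid(good_beacon, sizeof good_beacon, &s) == 0
        && s.len == 6 && strcmp(s.name, "beach1") == 0;
}
int check_truncated(void) {
    struct ssid_info s;
    return parse_beacon_ssid(truncated_beacon, sizeof truncated_beacon, &s) == -1;
}
int check_oversized(void) {                 /* 40-byte SSID, fully present */
    uint8_t frame[BEACON_FIXED + 2 + 40];
    struct ssid_info s;
    memset(frame, 'A', sizeof frame);
    frame[BEACON_FIXED] = IE_SSID; frame[BEACON_FIXED + 1] = 40;
    return parse_beacon_ssid(frame, sizeof frame, &s) == -1;
}

int main(void) {
    printf("good=%d truncated=%d oversized=%d\n",
           check_good(), check_truncated(), check_oversized());
    return 0;
}
```

The two rejected frames are exactly the cases a driver sees from a hostile or buggy access point with the radio on and no network joined, which is why the adapter is exposed even when you think it is idle.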


Stay tuned. We haven't seen the last of this.

On The Road

We came down to the beach house in San Diego this week, and there were adventures aplenty. Some stories had a moral.

Sometimes when we come down here I bring Satine, a LAN Party system built into an Antec Super LANBOY case. It's easy to transport, and quite reliable. It's also one more large thing to carry, and we were in a hurry, so I decided to make do with Lisabetta, my HP TabletPC, and Orlando, my T42p IBM ThinkPad which I think of as new even if he's a bit old in comparison with what they have now. Before we left I had arranged an appointment with Time Warner to install cable modem, which is now available at our place. Unlike Cox and Adelphia in our region, Time Warner has no self-installation kits; a technician has to come install it for you.

Entropy runs fast at the beach. We got here in time to discover that the salt air had worked havoc on the telephone system. We had no dial tone. There was a work ticket telling us that a technician had tried to fix it but hadn't access to the equipment, and had given up; we should make contact with (actually it said we should contact) our Service Provider. Of course, the ticket made no mention of just whom our Service Provider might be. Our neighbors told us "AT&T" which seems reasonable, there being nothing else around now, but when we called AT&T we were told that, well, our service provider had been AT&T before the merger, and I was now talking to the new AT&T, and this AT&T (which used to be SBC) didn't have access to the "Old AT&T" and its records. I would have to call that other AT&T which no longer existed.

Learning that took about two hours, most of it spent with a cell phone in my ear listening to bad music initiated by a mechanical voice and phone tree, and then punctuated with unctuous announcements about how important this call was to them. When I got a human being I was told to start over. That got another phone tree and more bad music. Eventually we spoke with a very helpful lady who arranged for someone to appear the next day. He showed up in an SBC truck - Old AT&T had leased SBC equipment and SBC maintained it, and they hadn't got around to repainting his truck. He was thoroughly competent and replaced several corroded elements in our telephone system, one outside at the service box and the other an unused extension jack in the condominium itself.

First moral of the story: if you live near salt air, do not leave your telephone jacks uncovered with nothing plugged into them. Plug in a blank stub, or put tape over the opening. The salt air will corrode and short out the system.

Now I had dial tone and dialup access to the Internet. I also got the information that DSL was available here, but it would come through the same twisted pair copper wires that corrode and fail rather frequently. This didn't change my decision to use cable modem; but I am told that next November there will be some new upgrades involving fiber and new corrosion resistant fixtures, and I should look into it then.

Next day a Time Warner technician came, not just on time but an hour early - he telephoned first to see if that was all right. It took about ten minutes to install the Cable Modem and another five for him to activate it, and now I was on my own.

I have kept a D-Link router here for a long time in anticipation of this event. D-Link manuals and installation wizards work painlessly. The first step was to get on the Internet with dialup and download the firmware updates for the router.

That was a minor adventure, because of course I had disconnected the telephone line from the computer, and of course I had forgotten that; and when you tell a system to dial, you will hear the biddle-beeps of the dialing, but nothing else will happen. After the third try I realized what I wasn't hearing, namely dial tone before it tried to dial.

Once I got that taken care of it took almost no time to get the router updated. D-Link exhorts you several times not to try updating firmware with a wireless connection. Always use wired Ethernet. Otherwise, there's nothing tricky about it, and I soon had the router set up, with wireless and WPA encryption.

The D-Link instructions for updating firmware in their router do not tell you to power cycle the router - there is a soft reset built into the installation process - but it is always a good idea to do that after changing router software. The firmware upgrade wipes out all your settings, but a power cycle reset is good belt and suspenders practice.

So: with that done I could connect wirelessly to the router, but I couldn't connect to the Internet. IBM ThinkPads have some connectivity software of their own, and it can get in the way of Microsoft's automatic connection procedure. In particular, it gets in the way of error messages. Knowing this, I decided to try connecting with Lisabetta, and just to be certain I connected to the router with an Ethernet cable.

I got an odd message: that I had a connection but it didn't reach the Internet, did I want to try a repair? Repair got me a new IP address, but still no connectivity: opening Explorer got a "server not found" error unless I typed in, which is the address of the router. That worked fine. By now, you have figured what I needed to do, but it took me another couple of minutes before the light bulb went off in my head. I disconnected power to the cable modem, counted to fifty, reconnected it, and Lo! Now that Lisabetta was connected by Ethernet cable I connected by wireless with the ThinkPad. That worked just fine. Now I have both Lisabetta and Orlando wirelessly connected to the Internet.

The moral of the story is that you have to let the cable modem believe in the router before you can let the router connect you to the Internet.

More next week, including just how invaluable InBoxer has become.