I saw this problem recently at work, with a Go program running on Kubernetes. You can work around it by setting GOMAXPROCS to the same value as cpu limit in the container spec.
(So be careful not to assume this problem is specific to Java, the JVM, Mesos, or Twitter's environment)
It's clear what the incentive is for Taylor (the ice cream machine maker), but I wonder what the incentive is for McDonalds.
There must be some cash-flow from Taylor to McDonalds, but something as simple as "pay McDonalds $X million to specify Taylor machines in their franchise contracts" seems like a kickback.
Maybe the key is that the video shows that this particular machine is "by Taylor and McDonalds" (the McDonalds logo is on the instruction manuals). Perhaps McDonalds therefore get royalties or something similar.
Never assume malice when simple incompetence is likely.
I have read—somewhere I can’t remember—horror stories of how badly run the corporate owned McDonalds are vs the franchise owned locations. Simple procedures like cleaning out the soda machines on a regular basis are never completed or even known that they should be completed by staff or management leading to mold build up.
In a corporation as successful and large as McDonalds changing anything even if it is seemingly a logical and good idea is more dangerous than doing absolutely nothing. Being a friendly and agreeable employee will be better for career growth than being a hard-driving and demanding employee.
Being the employee that advocates changing vendors away from a long-time proven vendor is a great way to annoy and create headaches for your boss.
The dataflow analysis libraries in QL have significantly improved since 2015, and were used to find the ICMP vulnerability mentioned in the article. See the blog post for the query used. [1]
Dataflow analysis is a form of execution simulation that estimates the flow of control and data from one part of the program to another. Of course, there are many forms of simulation, and they vary in accuracy and the expense of computing them.
That's the interesting thing about the approach used to find this bug (automatic variant analysis): whilst there are no doubt more bugs to find in XNU, there aren't any more bugs like this.
The article says that the problem was found by codifying the mistake that led to a previous CVE as a query in a logic language called QL, and then running that query over XNU, so if there were any more they would have been found at the same time.
Semmle | Research/Software/Security Engineer | Oxford, UK | Onsite, Full-time
Semmle helps some of the biggest software and financial companies, such as Microsoft, Google, and Credit Suisse, develop more secure software, faster.
If you'd like to get a taste of our technology go to https://lgtm.com where we analyse over 70,000 of the most popular open source projects, or check out the vulnerabilities we've recently reported at https://lgtm.com/blog
We are looking for great engineers work on a mix of problems ranging from compiler work and program analysis to vulnerability finding to building solid 1000-node distributed systems.
Remove it at any time, no. The chip on the card is cryptographically signing the transaction, which includes the total. It can't sign it until the total is known.
In practice, I suspect the equipment is designed not to allow you to insert the card early so that you check the total first.
I often do that just to have a statement on which to place a breakpoint. It gets optimized out, but in debug builds it works fine. Putting a breakpoint on a line that just deals with the error code immediately after the error code will reliably display the error in the Auto Variables watch window in VStudio maligning it very convenient for rapid debugging.
The 'unlock' operation, at least on most central locking systems I've used, is the perfect example of an idempotent unary operation.
It doesn't matter how many times you apply the 'unlock' operation, it has the same effect as applying it once[1]. However, the 'unlock' operation is not safe[2].
(So be careful not to assume this problem is specific to Java, the JVM, Mesos, or Twitter's environment)