Time to round up the latest in lawsuits against the Trump administration. The trans military ban is blocked. Renditioning Venezuelans to El Salvador without due process is blocked. The shutdown of the CFPB is blocked. The shutdown of the US Inst of Peace … not blocked. Yet! Liz and Andrew run down a bunch of the Trump cases and explain why it seems like every day brings another restraining order. (Hint: It's because Trump wants to do lots of illegal stuff in a hurry.) Links: Name & Shame https://www.lawandchaospod.com/p/name-and-shame Shilling v. Trump Docket https://www.courtlistener.com/docket/69617888/shilling-v-trump/ Jenner & Block v. DOJ Docket https://www.courtlistener.com/docket/69807126/jenner-block-llp-v-us-department-of-justice/ WilmerHale v. Executive Office of the President Docket https://www.courtlistener.com/docket/69807328/wilmer-cutler-pickering-hale-and-dorr-llp-v-executive-office-of-the/ Georgetown students' letter to Skadden https://bsky.app/profile/heidilifeldman.bsky.social/post/3llon26enmc2o US v. Sanders (5th Cir. 2025) https://www.ca5.uscourts.gov/opinions/pub/15/15-31114-CR0.pdf Eakin v. Adams County Board of Elections Docket https://www.courtlistener.com/docket/65738841/eakin-v-adams-county-board-of-elections/ J.G.G. v. Trump (D.D.C. - Judge Boasberg - Alien Enemies Act) docket https://www.courtlistener.com/docket/69741724/jgg-v-trump/ Trump v. JGG (SCOTUS Docket) https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/24a931.html US Institute for Peace v. Jackson Docket https://www.courtlistener.com/docket/69754533/united-states-institute-of-peace-v-jackson/ NTEU v. Vought (DDC docket) https://www.courtlistener.com/docket/69624423/national-treasury-employees-union-v-vought/? NTEU v. 
Vought (DC Cir Appeal) https://www.courtlistener.com/docket/69821739/national-treasury-employees-union-v-russell-vought/ Show Links: https://www.lawandchaospod.com/ BlueSky: @LawAndChaosPod Threads: @LawAndChaosPod Twitter: @LawAndChaosPod
Voter registration lawsuit https://mcusercontent.com/08cb3e52aa1308600f84d49ea/files/8827e8ea-0eb8-123c-23b9-5d39b2e8c0e4/1_2024_08_13_Complaint.pdf UAW charges Trump for Musk interview https://www.reuters.com/world/us/uaw-files-labor-charges-against-trump-musk-2024-08-13/ EU threatens Musk https://x.com/lindayaX/status/1823052643733823640 Pepsi class action https://www.courthousenews.com/wp-content/uploads/2024/08/ian-mccausland-v-pepsico-ruling-mtd.pdf Fourth Amendment victory https://www.ca5.uscourts.gov/opinions/pub/23/23-60321-CR0.pdf Scott Peterson innocence claim https://www.courthousenews.com/scott-peterson-makes-bid-to-clear-his-name-by-dna-testing-evidence-from-pregnant-wifes-murder/ AI fake nudes https://www.courthousenews.com/wp-content/uploads/2024/08/nudify-websites-lawsuit.pdf Big Tech battle https://cdn.ca9.uscourts.gov/datastore/opinions/2024/08/16/23-2969.pdf Facebook censorship https://cdn.ca9.uscourts.gov/datastore/opinions/2024/08/09/21-16210.pdf Bank seizure https://www.ca10.uscourts.gov/sites/ca10/files/opinions/010111094414.pdf Legality of price controls https://scholarship.law.duke.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=2373&context=dlj Tik Tok ban https://sf16-va.tiktokcdn.com/obj/eden-va2/hkluhazhjeh7jr/2024.06.20%20-%20TT%20v.%20Garland%20-%20%5B2060743%5D%20Brief%20of%20Petitioners%20TikTok%20Inc%20and%20ByteDance%20Ltd.pdf
The exciting conclusion to Chapter Two: Renal Circulation and Glomerular Filtration Rate
- Determinants of GFR
- First step in making urine is separation of an ultrafiltrate
- Governed by Starling forces
- Balance of hydraulic and osmotic forces
- GFR = LpS (P gc – P us – Osmotic Pressure Cap p)
- Normal GFR 95 in women, 120 in men
- Cap hydraulic pressure remains constant
- Glom cap oncotic progressively rises
- Due to filtration of protein free fluid (protein concentration rises in the capillary)
- Filtration gradient begins at 13 mmHg and falls to zero after filtration of 20% of RPF!
- GFR is capped at 20% of RPF called filtration equilibrium
- So GFR is dependent on RPF, unless you can change glomerular hydraulic pressure
- Glomerular hydraulic pressure is controlled by balance of twin arterioles (afferent and efferent)
- Constriction of afferent arteriole reduces RPF, GFR, and glom pressure
- Dilation of afferent arteriole increases RPF, GFR, and glom pressure
- Constriction of the efferent arteriole increases glom pressure, increasing GFR
- Besides glom hydrostatic pressure the other Starling forces are rarely relevant to changes in GFR
Letty referred to this NEJM review article (later JC thought she was referring to something else, see #2, and then Roger referred to this again): Normotensive Acute Renal Failure from Gary Abuelo in NEJM 2007. https://www.nejm.org/doi/10.1056/NEJMra064398 (Note: in this article, Dr. Abuelo acknowledges the newer terminology of the time, AKI rather than ARF, but chooses not to embrace it.) In figure 2, he highlights the classic examples of how autoregulation can be affected. 
In the table, additional examples are provided but all within the framework of alterations related to autoregulation and the interplay between the two resistance vessels.
- Regulation of GFR
- Autoregulation
- The ability to keep glomerular pressure constant over wide range of systemic arterial pressure
- When pressure < 70 autoregulation fails and GFR will fall with decreases in systemic pressure
- When pressure falls below 40-50 GFR ceases
- At least some of this autoregulation is mediated with Ang2. Giving ACEi markedly disrupts autoregulation
- Nitric oxide, not important
- TGF
- Chloride in macula densa
- Blocked by furosemide
- Group effect of nephrons
- Ang 2 sensitizes
- Adenosine mediates
- Function of TGF
- 90% of filtrate is reabsorbed in PT and LOH
- 10% is reabsorbed distally
- Need to control the amount of fluid delivered distally to prevent overwhelming the resorptive capacity of the distal nephron
- Talks about acute renal success without naming it (but did reference it)
- Mentions glucosuria blunts TGF. Hmmm...
- Neurohormonal influences
- Volume changes in ang2, sympathetic NS
- Role of PGE
- Interesting discussion of change of the nephrons perfused with volume depletion, shifting of blood from outer cortex to inner medullary cortical gloms with their long loops
- Dopamine and ANP both increased with volume up
- Dopamine causes vasodilation of afferent and efferent arteriole
- ANP causes afferent vasodilation and efferent vasoconstriction, increasing GFR without affecting RPF
- Glomerular hemodynamics and renal failure
- Decreased glomerular mass results in hyperfiltration of remaining gloms
- Mediated through afferent vasodilation
JC talks about this classic study in critical care: High vs. Low blood pressure target in Septic Shock. https://www.nejm.org/doi/pdf/10.1056/NEJMoa1312173 This was a multi-center open-label trial of 776 patients randomized to either a MAP of 65-70 or 80-85, with the primary endpoint of mortality. 
There was no difference in mortality at 28 days between the two groups (but a small difference in AKI in the patients who had chronic HTN: in the higher BP target, there was a decrease in need for RRT; there was also a higher incidence of afib in the high target group overall).
- Results in compensation and stable GFR in short term, long term maladaptive
- Reason for ACEi
- Clinical Evaluation of Renal Circulation
- Concept of clearance and measurement of GFR
- GFR as an index of functioning renal mass
- Had a patient today s/p nephrotomy, 72 years old, Cr 0.9!
Melanie referred to this article in Circulation which demonstrates that SGLT2 inhibitors do decrease single nephron GFR (in mice) and that this is related to a decrease in the afferent arteriole diameter and then they show that this is related to a local increase in adenosine. Kidokoro K, Cherney DZI et al. Evaluation of glomerular hemodynamic function by empagliflozin in diabetic mice using in vivo imaging. Circulation 140 (4) 2019 https://www.ahajournals.org/doi/10.1161/CIRCULATIONAHA.118.037418
- Fall in GFR earlier and only sign of renal disease
- Serial monitoring is used to assess severity and follow the course of disease
- GFR is useful for dosing drugs
- How to measure GFR
- Consider fructose polysaccharide inulin (love the parenthetical, not insulin)
- Inulin filtered = inulin excreted
- Filtered inulin = plasma inulin concentration x GFR
- Inulin excreted = urine concentration x urine volume
- Use algebra to get GFR = [Urine]inulin x urine volume / [plasma]inulin
- GFR = inulin clearance
- There is not an available assay for inulin
- Creatinine clearance
- Freely filtered
- Not reabsorbed
- Not metabolized
- Small amount excreted
- CrCl exceeds GFR by 10-20%
Roger says the SGLT2 inhibitor story is about the afferent arteriole and he thought it reminded him of the MDRD study and the concept that the lower protein intake would be protective and delay the progression of CKD. 
The concept was that low protein diets would decrease glomerular pressure by decreasing the intake of amino acids that lead to arteriolar vasodilation and increased GFR. Klahr S, Levey AS et al. The effects of Dietary Protein Restriction and blood-pressure control on the progression of chronic renal disease. NEJM 1994 330:877-884. https://www.nejm.org/doi/full/10.1056/nejm199403313301301
- Compensated for by noncreatinine chromogens (acetone, proteins, ascorbic acid, pyruvate) that overestimate Cr by 10-20%
- Cr Cl = [Urine]cr x urine volume / [Plasma]cr
- Two major limitations
- Incomplete collections
- 20-25 mg/kg in adult men
- 15-20 mg/kg in adult women
The term “Acute renal success” comes from Thurau K and Boylan JW. Acute renal success. The unexpected logic of oliguria in acute renal failure. Am J Med 1976 61(3): 3038-15.
- Falls by 50% from age 50 to 90 to 10 mg/kg
- Increased tubular secretion with decreased kidney function
- GFR of 40-80 cr secretion may account for as much as 35% of creatinine excretion
- In some cases CrCl can exceed GFR by a factor of 2
- Give cimetidine 1200 mg!
- It is important to appreciate however that exact knowledge of GFR is not required. More important to know if GFR is changing
- Why is radio labeling the solution DTPA and iothalamate?
- Talks about the reality of progressive disease despite stable GFR and CrCl
- On to plasma Cr and GFR
If you think placing dialysis lines is too easy, here is a wonderful review of micropuncture technique in the kidneys by Volker Vallon. Micropuncturing the Nephron. Pflugers Arch 2009 458(1): 189-201. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2954491/
- Creatinine excretion = creatinine production (and this is constant)
- Creatinine excretion = [Cr] x GFR = constant
- If GFR falls in half, creatinine excretion will fall in half, while creatinine production remains the same, so creatinine will rise and rise until [Cr] x GFR = creatinine production and then it will level off. 
- Changes in creatinine load
- High protein diet can increase it
- Vegetarian diet can decrease it
JC brought up studies on fenoldopam, of which there are many. This is one such study in patients undergoing cardiac surgery. JAMA 2014 Bove T et al. Effect of fenoldopam on use of renal replacement therapy among patients with acute kidney injury after cardiac surgery: a randomized clinical trial https://pubmed.ncbi.nlm.nih.gov/25265449/
- Cooked meat can increase Cr by 1 mg/dL
- Talks about need for steady state to assess GFR
- Talks about the curvilinear relationship
- Then he talks Cockcroft Gault
The one, the only: The Cockcroft Gault: Prediction of creatinine clearance from serum creatinine. Nephron 16: 31–41, 1976 https://pubmed.ncbi.nlm.nih.gov/1244564/
- Cirrhosis masks kidney insufficiency, low meat intake, low BUN production
- Can someone explain what we are supposed to take from figure 2-12
- Stable Cr does not mean stable kidney disease
Roger describes the study design for the seminal paper on the use of ACE inhibitors to slow the decline in renal function in diabetic kidney disease (then called diabetic nephropathy) and the decision to use the doubling of the serum creatinine as an endpoint. Lewis EJ. The effect of Angiotensin-converting-enzyme inhibition on diabetic nephropathy. NEJM 1993 https://www.nejm.org/doi/full/10.1056/NEJM199311113292004
- Ketoacidosis can raise the Cr 0.5 to 2.0 mg/dL
- On to BUN
- Deamination of amino acids produces ammonia
- We detoxify ammonia by converting to urea
- Increased with increased protein load
- Increased catabolism
Melanie mentioned an old study on ingestion of expired blood: Cohen TD. Induced azotemia in humans following massive protein and blood ingestion and the mechanism of azotemia in gastrointestinal hemorrhage. Am J Med Sci 1956 https://pubmed.ncbi.nlm.nih.gov/13302213/
- Tetracycline causes decreased anabolism
- Trauma
- Steroids
- Urea excretion is variable and tied to hydration and FF
- Renal plasma flow and PAH
CR0 to SE22 via Rangers, Steve Evans' Jaguar, Kenilworth Road and Brighton.
After the defeat of the mysterious robot, CR0, at the hands of an unorganized and unknown group of metahuman teenagers, Mayor Archer Fletcher calls a press conference. But those meddling kids have something more important to worry about: school! At HalC Academy, Kim Cooper (Holly) delivers a pep talk to a classmate unlucky in love, Davey Domingos (Jovian) has an amicable conversation with the eldritch horror granting him powers, and Dav Monroe (Meg) offers tutelage to his classmate, Pearce Beckett. Within the walls of AEGIS, BC-282 (Bee) and Celeste Blake (Chris) receive private lessons, and Celeste requests a formal headquarters for her newfound metahuman allies. When the new group meets again, they receive their first mission as a team: stopping a superpowered bank robbery in progress!
Facebooking jurors, an unpopular church, a very bad cop, and a tire-tapping trespass. Use iTunes? https://itunes.apple.com/us/podcast/short-circuit/id309062019 Use Android (RSS)? http://feeds.soundcloud.com/users/soundcloud:users:84493247/sounds.rss Newsletter: http://ij.org/about-us/shortcircuit/ Want to email us? shortcircuit@ij.org Facebooking jurors: http://www.opn.ca6.uscourts.gov/opinions.pdf/19a0015p-06.pdf Church zoning: http://www.ca4.uscourts.gov/opinions/181450.P.pdf Little Rock’s finest: http://media.ca8.uscourts.gov/opndir/19/02/172079P.pdf Tire tap search: http://www.ca5.uscourts.gov/opinions/pub/17/17-40299-CR0.pdf
War of the Silver Kings - Season 1, Episode 1 - 22 Sep. 1957 - We first glimpse Bret unshaven & dirty, lugging a rifle, trying to register at a classy hotel. Using the $1000 bill pinned inside his jacket, and adding some dollar-size strips cut from a newspaper, Bret cadges a room via a bulging envelope for the guest safe.
The Secret Service takes down Dr. Evil, Trump’s travel ban, cell-phone surveillance, and the FAA’s hobby drone registry. Use iTunes? https://itunes.apple.com/us/podcast/short-circuit/id309062019 Use Android (RSS)? http://feeds.soundcloud.com/users/soundcloud:users:84493247/sounds.rss Newsletter: http://ij.org/about-us/shortcircuit/ Want to email us? shortcircuit@ij.org Dr. Evil: http://www.opn.ca6.uscourts.gov/opinions.pdf/17a0105p-06.pdf Travel ban: http://www.ca4.uscourts.gov/Opinions/Published/171351.P.pdf Cell-phone surveillance: http://www.ca5.uscourts.gov/opinions/pub/16/16-40702-CR0.pdf Hobby drone registry: https://www.cadc.uscourts.gov/internet/opinions.nsf/FA6F27FFAA83E20585258125004FBC13/$file/15-1495-1675918.pdf
A spooky cellphone warning, a sign on a stick, a “ruminating” judge, and an update from the civil forfeiture hotbed of Tenaha, TX. Use iTunes? https://itunes.apple.com/us/podcast/short-circuit/id309062019 Use Android (RSS)? http://feeds.soundcloud.com/users/soundcloud:users:84493247/sounds.rss Newsletter: http://ij.org/about-us/shortcircuit/ Want to email us? shortcircuit@ij.org Cellphone warning: http://cdn.ca9.uscourts.gov/datastore/opinions/2017/04/21/16-15141.pdf?mc_cid=30ca413c30&mc_eid=04fa1e224a Sign on a stick: http://media.ca8.uscourts.gov/opndir/17/05/161190P.pdf?mc_cid=93a80a669c&mc_eid=04fa1e224a “Ruminating”: http://cdn.ca9.uscourts.gov/datastore/opinions/2017/05/05/14-16514.pdf?mc_cid=93a80a669c&mc_eid=04fa1e224a Tenaha: http://www.ca5.uscourts.gov/opinions/pub/15/15-41641-CR0.pdf?mc_cid=30ca413c30&mc_eid=04fa1e224a
This week on BSDNow, reports from AsiaBSDcon, TrueOS and FreeBSD news, Optimizing IllumOS Kernel, your questions and more.
This episode was brought to you by
Headlines
AsiaBSDcon Reports and Reviews
- AsiaBSDcon schedule (https://2017.asiabsdcon.org/program.html.en)
- Schedule and slides from the 4th bhyvecon (http://bhyvecon.org/)
- Michael Dexter's trip report on the iXsystems blog (https://www.ixsystems.com/blog/ixsystems-attends-asiabsdcon-2017)
- NetBSD AsiaBSDcon booth report (http://mail-index.netbsd.org/netbsd-advocacy/2017/03/13/msg000729.html)
***
TrueOS Community Guidelines are here! (https://www.trueos.org/blog/trueos-community-guidelines/)
TrueOS has published its new Community Guidelines.
The TrueOS Project has existed for over ten years. Until now, there was no formally defined process for interested individuals in the TrueOS community to earn contributor status as an active committer to this long-standing project. The current core TrueOS developers (Kris Moore, Ken Moore, and Joe Maloney) want to provide the community more opportunities to directly impact the TrueOS Project, and wish to formalize the process for interested people to gain full commit access to the TrueOS repositories.
These describe what is expected of community members and committers.
They also describe the process of getting commit access to the TrueOS repo:
Previously, Kris directly handed out commit bits. Now, the Core developers have provided a small list of requirements for gaining a TrueOS commit bit:
- Create five or more pull requests in a TrueOS Project repository within a single six month period.
- Stay active in the TrueOS community through at least one of the available community channels (Gitter, Discourse, IRC, etc.).
- Request commit access from the core developers via core@trueos.org OR Core developers contact you concerning commit access.
Pull requests can be any contribution to the project, from minor documentation tweaks to creating full utilities. 
At the end of every month, the core developers review the commit logs, removing elements that break the Project or deviate too far from its intended purpose. Additionally, outstanding pull requests with no active dissension are immediately merged, if possible. For example, a user submits a pull request which adds a little-used OpenRC script. No one from the community comments on the request or otherwise argues against its inclusion, resulting in an automatic merge at the end of the month. In this manner, solid contributions are routinely added to the project and never left in a state of “limbo”.
The page also describes the perks of being a TrueOS committer:
Contributors to the TrueOS Project enjoy a number of benefits, including:
- A personal TrueOS email alias: @trueos.org
- Full access for managing TrueOS issues on GitHub.
- Regular meetings with the core developers and other contributors.
- Access to private chat channels with the core developers.
- Recognition as part of an online Who's Who of TrueOS developers.
- The eternal gratitude of the core developers of TrueOS.
- A warm, fuzzy feeling.
***
Intel Donates 250.000 $ to the FreeBSD Foundation (https://www.freebsdfoundation.org/news-and-events/latest-news/new-uranium-level-donation-and-collaborative-partnership-with-intel/)
More details about the deal: Systems Thinking: Intel and the FreeBSD Project (https://www.freebsdfoundation.org/blog/systems-thinking-intel-and-the-freebsd-project/)
Intel will be more actively engaging with the FreeBSD Foundation and the FreeBSD Project to deliver more timely support for Intel products and technologies in FreeBSD. Intel has contributed code to FreeBSD for individual device drivers (i.e. NICs) in the past, but is now seeking a more holistic “systems thinking” approach. 
Intel Blog Post (https://01.org/blogs/imad/2017/intel-increases-support-freebsd-project)
We will work closely with the FreeBSD Foundation to ensure the drivers, tools, and applications needed on Intel® SSD-based storage appliances are available to the community. This collaboration will also provide timely support for future Intel® 3D XPoint™ products.
Thank you very much, Intel!
***
Applied FreeBSD: Basic iSCSI (https://globalengineer.wordpress.com/2017/03/05/applied-freebsd-basic-iscsi/)
iSCSI is often touted as a low-cost replacement for fibre-channel (FC) Storage Area Networks (SANs). Instead of having to set up a separate fibre-channel network for the SAN, or invest in the infrastructure to run Fibre-Channel over Ethernet (FCoE), iSCSI runs on top of standard TCP/IP. This means that the same network equipment used for routing user data on a network could be utilized for the storage as well.
This article will cover a very basic setup where a FreeBSD server is configured as an iSCSI Target, and another FreeBSD server is configured as the iSCSI Initiator. The iSCSI Target will export a single disk drive, and the initiator will create a filesystem on this disk and mount it locally. Advanced topics, such as multipath, ZFS storage pools, failover controllers, etc. are not covered.
The real magic is the /etc/ctl.conf file, which contains all of the information necessary for ctld to share disk drives on the network. Check out the man page for /etc/ctl.conf for more details; below is the configuration file that I created for this test setup. Note that on a system that has never had iSCSI configured, there will be no existing configuration file, so go ahead and create it. 
Then, enable ctld and start it:
    sysrc ctld_enable="YES"
    service ctld start
You can use the ctladm command to see what is going on:
    root@bsdtarget:/dev # ctladm lunlist
    (7:0:0/0): Fixed Direct Access SPC-4 SCSI device
    (7:0:1/1): Fixed Direct Access SPC-4 SCSI device
    root@bsdtarget:/dev # ctladm devlist
    LUN Backend Size (Blocks) BS Serial Number Device ID
    0 block 10485760 512 MYSERIAL 0 MYDEVID 0
    1 block 10485760 512 MYSERIAL 1 MYDEVID 1
Now, let's configure the client side:
In order for a FreeBSD host to become an iSCSI Initiator, the iscsid daemon needs to be started.
    sysrc iscsid_enable="YES"
    service iscsid start
Next, the iSCSI Initiator can manually connect to the iSCSI target using the iscsictl tool. While setting up a new iSCSI session, this is probably the best option. Once you are sure the configuration is correct, add the configuration to the /etc/iscsi.conf file (see man page for this file). For iscsictl, pass the IP address of the target as well as the iSCSI IQN for the session:
    iscsictl -A -p 192.168.22.128 -t iqn.2017-02.lab.testing:basictarget
You should now have a new device (check dmesg), in this case, da1.
The guide then walks through partitioning the disk, laying down a UFS file system, and mounting it.
Then it walks through how to disconnect iSCSI, in case you don't want it anymore.
This all looked nice and easy, and it works very well. Now let's see what happens when you try to mount the iSCSI from Windows.
Ok, that wasn't so bad.
Now, instead of sharing an entire spare disk on the host via iSCSI, share a zvol. Now your Windows machine can be backed by ZFS. All of your problems are solved. 
***
Interview - Philipp Buehler - pbuehler@sysfive.com (mailto:pbuehler@sysfive.com)
Technical Lead at SysFive, and Former OpenBSD Committer
***
News Roundup
Half a dozen new features in mandoc -T html (http://undeadly.org/cgi?action=article&sid=20170316080827)
mandoc (http://man.openbsd.org/mandoc.1)'s HTML output mode got some new features.
Even though mdoc(7) is a semantic markup language, traditionally none of the semantic annotations were communicated to the reader. [...] Now, at least in -T html output mode, you can see the semantic function of marked-up words by hovering your mouse over them.
In terminal output modes, we have the ctags(1)-like internal search facility built around the less(1) tag jump (:t) feature for quite some time now. We now have a similar feature in -T html output mode. To jump to (almost) the same places in the text, go to the address bar of the browser, type a hash mark ('#') after the URI, then the name of the option, command, variable, error code etc. you want to jump to, and hit enter.
Check out the full report by Ingo Schwarze (schwarze@) and try out these new features.
***
Optimizing IllumOS Kernel Crypto (http://zfs-create.blogspot.com/2014/05/optimizing-illumos-kernel-crypto.html)
Sašo Kiselkov, of ZFS fame, looked into the performance of the OpenSolaris kernel crypto framework and found it lacking.
The article also spends a few minutes on the different modes and how they work.
Recently I've had some motivation to look into the KCF on Illumos and discovered that, unbeknownst to me, we already had an AES-NI implementation that was automatically enabled when running on Intel and AMD CPUs with AES-NI support. This work was done back in 2010 by Dan Anderson. This was great news, so I set out to test the performance in Illumos in a VM on my Mac with a Core i5 3210M (2.5GHz normal, 3.1GHz turbo).
The initial tests of “what the hardware can do” were done in OpenSSL.
So now comes the test for the KCF. 
I wrote a quick'n'dirty crypto test module that just performed a bunch of encryption operations and timed the results.
KCF got around 100 MB/s for each algorithm, except half that for AES-GCM.
OpenSSL had done over 3000 MB/s for CTR mode, 500 MB/s for CBC, and 1000 MB/s for GCM.
What the hell is that?! This is just plain unacceptable. Obviously we must have hit some nasty performance snag somewhere, because this is comical. And sure enough, we did. When looking around in the AES-NI implementation I came across this bit in aes_intel.s that performed the CLTS instruction.
This is a problem:
3.1.2 Instructions That Cause VM Exits Conditionally
CLTS. The CLTS instruction causes a VM exit if the bits in position 3 (corresponding to CR0.TS) are set in both the CR0 guest/host mask and the CR0 read shadow.
The CLTS instruction signals to the CPU that we're about to use FPU registers (which is needed for AES-NI), which in VMware causes an exit into the hypervisor. And we've been doing it for every single AES block! Needless to say, performing the equivalent of a very expensive context switch every 16 bytes is going to hurt encryption performance a bit. The reason why the kernel is issuing CLTS is because for performance reasons, the kernel doesn't save and restore FPU register state on kernel thread context switches. So whenever we need to use FPU registers inside the kernel, we must disable kernel thread preemption via a call to kpreempt_disable() and kpreempt_enable() and save and restore FPU register state manually. During this time, we cannot be descheduled (because if we were, some other thread might clobber our FPU registers), so if a thread does this for too long, it can lead to unexpected latency bubbles.
The solution was to restructure the AES and KCF block crypto implementations in such a way that we execute encryption in meaningfully small chunks. I opted for 32k bytes, for reasons which I'll explain below. 
Unfortunately, doing this restructuring work was a bit more complicated than one would imagine, since in the KCF the implementation of the AES encryption algorithm and the block cipher modes is separated into two separate modules that interact through an internal API, which wasn't really conducive to high performance (we'll get to that later). Anyway, having fixed the issue here and running the code at near native speed, this is what I get:
AES-128/CTR: 439 MB/s
AES-128/CBC: 483 MB/s
AES-128/GCM: 252 MB/s
Not disastrous anymore, but still, very, very bad. Of course, you've got to keep in mind, the thing we're comparing it to, OpenSSL, is no slouch. It's got hand-written highly optimized inline assembly implementations of most of these encryption functions and their specific modes, for lots of platforms. That's a ton of code to maintain and optimize, but I'll be damned if I let this kind of performance gap persist.
Fixing this, however, is not so trivial anymore. It pertains to how the KCF's block cipher mode API interacts with the cipher algorithms. It is beautifully designed and implemented in a fashion that creates minimum code duplication, but this also means that it's inherently inefficient.
ECB, CBC and CTR gained the ability to pass an algorithm-specific "fastpath" implementation of the block cipher mode, because these functions benefit greatly from pipelining multiple cipher calls into a single place.
ECB, CTR and CBC decryption benefit enormously from being able to exploit the wide XMM register file on Intel to perform encryption/decryption operations on 8 blocks at the same time in a non-interlocking manner. The performance gains here are on the order of 5-8x. CBC encryption benefits from not having to copy the previously encrypted ciphertext blocks into memory and back into registers to XOR them with the subsequent plaintext blocks, though here the gains are more modest, around 1.3-1.5x. 
After all of this work, this is how the results now look on Illumos, even inside of a VM:
Algorithm/Mode 128k ops
AES-128/CTR: 3121 MB/s
AES-128/CBC: 691 MB/s
AES-128/GCM: 1053 MB/s
So the CTR and GCM speeds have actually caught up to OpenSSL, and CBC is actually faster than OpenSSL.
On the decryption side of things, CBC decryption also jumped from 627 MB/s to 3011 MB/s. Seeing these performance numbers, you can see why I chose 32k for the operation size in between kernel preemption barriers. Even on the slowest hardware with AES-NI, we can expect at least 300-400 MB/s/core of throughput, so even in the worst case, we'll be hogging the CPU for at most ~0.1ms per run.
Overall, we're even a little bit faster than OpenSSL in some tests, though that's probably down to us encrypting 128k blocks vs 8k in the "openssl speed" utility. Anyway, having fixed this monstrous atrocity of a performance bug, I can now finally get some sleep.
To make these tests repeatable, and to ensure that the changes didn't break the crypto algorithms, Saso created a crypto_test kernel module.
I have recently created a FreeBSD version of crypto_test.ko, for much the same purposes.
Initial performance on FreeBSD is not as bad, if you have the aesni.ko module loaded, but it is not up to speed with OpenSSL. You cannot directly compare to the benchmarks Saso did, because the CPUs are vastly different.
Performance results (https://wiki.freebsd.org/OpenCryptoPerformance)
I hope to do some more tests on a range of different sized CPUs in order to determine how the algorithms scale across different clock speeds.
I also want to look at, or get help and have someone else look at, implementing some of the same optimizations that Saso did.
It currently seems like there isn't a way to perform additional crypto operations in the same session without regenerating the key table. 
Processing additional buffers in an existing session might offer a number of optimizations for bulk operations, although in many cases, each block is encrypted with a different key and/or IV, so it might not be very useful.
***
Brendan Gregg's special freeware tools for sysadmins (http://www.brendangregg.com/specials.html)
These tools need to be in every (not so) serious sysadmin's toolbox.
- Triple ROT13 encryption algorithm (beware: export restrictions may apply)
- /usr/bin/maybe, in case true and false don't provide too little choice...
- The bottom command lists you all the processes using the least CPU cycles.
Check out the rest of the tools.
You wrote similar tools and want us to cover them in the show? Send us an email to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)
***
A look at 2038 (http://www.lieberbiber.de/2017/03/14/a-look-at-the-year-20362038-problems-and-time-proofness-in-various-systems/)
I remember the Y2K problem quite vividly. The world was going crazy for years, paying insane amounts of money to experts to fix critical legacy systems, and there was a neverending stream of predictions from the media on how it's all going to fail. Most didn't even understand what the problem was, and I remember one magazine writing something like the following:
Most systems store the current year as a two-digit value to save space. When the value rolls over on New Year's Eve 1999, those two digits will be “00”, and “00” means “halt operation” in the machine language of many central processing units. If you're in an elevator at this time, it will stop working and you may fall to your death.
I still don't know why they thought a computer would suddenly interpret data as code, but people believed them. We could see a nearby hydropower plant from my parents' house, and we expected it to go up in flames as soon as the clock passed midnight, while at least two airplanes crashed in our garden at the same time. Then nothing happened. 
I think one of the most “severe” problems was the police not being able to open their car garages the next day because their RFID tokens had both a start and end date for validity, and the system clock had actually rolled over to 1900, so the tokens were “not yet valid”. That was 17 years ago.

One of the reasons why Y2K wasn't as bad as it could have been is that many systems had never used the “two-digit-year” representation internally, but use some form of “timestamp” relative to a fixed date (the “epoch”).

The actual problem with time and dates rolling over is that systems calculate timestamp differences all day. Since a timestamp derived from the system clock seemingly only increases with each query, it is very common to just calculate diff = now - before and never care about the fact that now could suddenly be lower than before because the system clock has rolled over. In this case diff is suddenly negative, and if other parts of the code make further use of the suddenly negative value, things can go horribly wrong.

A good example was a bug in the generator control units (GCUs) aboard Boeing 787 “Dreamliner” aircraft, discovered in 2015. An internal timestamp counter would overflow roughly 248 days after the system had been powered on, triggering a shut down to “safe mode”. The aircraft has four generator units, but if all were powered up at the same time, they would all fail at the same time. This sounds like an overflow caused by a signed 32-bit counter counting the number of centiseconds since boot, overflowing after 248.55 days, and luckily no airline had been using their Boeing 787 models for such a long time between maintenance intervals.

The “obvious” solution is to simply switch to 64-Bit values and call it a day, which would push overflow dates far into the future (as long as you don't do it like the IBM S/370 mentioned before).
But as we've learned from the Y2K problem, you have to assume that computer systems, computer software and stored data (which often contains timestamps in some form) will stay with us for much longer than we might think. The years 2036 and 2038 might be far in the future, but we have to assume that many of the things we make and sell today are going to be used and supported for more than just 19 years. Also many systems have to store dates which are far in the future. A 30 year mortgage taken out in 2008 could have already triggered the bug, and for some banks it supposedly did.

sys_gettimeofday() is one of the most used system calls on a generic Linux system and returns the current time in the form of a UNIX timestamp (time_t data type) plus fraction (suseconds_t data type). Many applications have to know the current time and date to do things, e.g. displaying it, using it in game timing loops, invalidating caches after their lifetime ends, performing an action after a specific moment has passed, etc. In a 32-Bit UNIX system, time_t is usually defined as a signed 32-Bit Integer. When kernel, libraries and applications are compiled, the compiler will turn this assumption into machine code and all components later have to match each other. So a 32-Bit Linux application or library still expects the kernel to return a 32-Bit value even if the kernel is running on a 64-Bit architecture and has 32-Bit compatibility. The same holds true for applications calling into libraries.

This is a major problem, because there will be a lot of legacy software running in 2038. Systems which used an unsigned 32-Bit Integer for time_t push the problem back to 2106, but I don't know about many of those.

The developers of the GNU C library (glibc), the default standard C library for many GNU/Linux systems, have come up with a design for year 2038 proofness for their library.
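The overflow cases described above (the signed 32-bit centisecond counter, diff = now - before after a rollover, and a far-future date that no longer fits 32 bits), as an added C example that is not part of the quoted article or the show notes. The function names and the sample loan dates are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive "diff = now - before" on a signed 32-bit counter. Widened to 64 bits
 * so the subtraction is well defined; it still goes negative after a wrap. */
int64_t naive_elapsed(int32_t before, int32_t now) {
    return (int64_t)now - (int64_t)before;
}

/* Wrap-safe variant: unsigned subtraction is modulo 2^32, so the result is
 * right whenever the true interval is shorter than 2^32 ticks. */
uint32_t wrap_safe_elapsed(uint32_t before, uint32_t now) {
    return (uint32_t)(now - before);
}

/* One tick on a signed 32-bit counter with two's-complement wraparound
 * (the conversion back to int32_t wraps on all mainstream compilers). */
int32_t tick32(int32_t t) {
    return (int32_t)((uint32_t)t + 1u);
}

/* Days until a signed 32-bit count of centiseconds since boot overflows. */
double centisecond_overflow_days(void) {
    return ((double)INT32_MAX + 1.0) / 100.0 / 86400.0;
}

/* Write a 64-bit timestamp into a 32-bit field (file format, protocol);
 * reject out-of-range values instead of truncating them silently. */
bool store_time32(int64_t t, int32_t *field) {
    if (t < INT32_MIN || t > INT32_MAX)
        return false;
    *field = (int32_t)t;
    return true;
}

int main(void) {
    int32_t before = INT32_MAX, now = tick32(before), field = 0;
    /* Constructed sample: 30-year loan from 2008-02-01, due 2038-02-01 UTC. */
    int64_t maturity = 2148595200LL;
    printf("counter overflows after %.2f days\n", centisecond_overflow_days());
    printf("naive diff: %lld, wrap-safe diff: %u\n",
           (long long)naive_elapsed(before, now),
           (unsigned)wrap_safe_elapsed((uint32_t)before, (uint32_t)now));
    printf("maturity fits in 32 bits: %s\n",
           store_time32(maturity, &field) ? "yes" : "no");
    return 0;
}
```

The wrap-safe subtraction only helps for intervals shorter than one full counter period; stored absolute dates still need a wider field.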
Besides the time_t data type itself, a number of other data structures have fields based on time_t or the combined struct timespec and struct timeval types. Many methods beside those intended for setting and querying the current time use timestamps.

32-Bit Windows applications, or Windows applications defining _USE_32BIT_TIME_T, can be hit by the year 2038 problem too if they use the time_t data type. The __time64_t data type had been available since Visual C 7.1, but only Visual C 8 (default with Visual Studio 2015) expanded time_t to 64 bits by default. The change will only be effective after a recompilation; legacy applications will continue to be affected.

If you live in a 64-Bit world and use a 64-Bit kernel with 64-Bit only applications, you might think you can just ignore the problem. In such a constellation all instances of the standard time_t data type for system calls, libraries and applications are signed 64-Bit Integers which will overflow in around 292 billion years. But many data formats, file systems and network protocols still specify 32-Bit time fields, and you might have to read/write this data or talk to legacy systems after 2038. So solving the problem on your side alone is not enough.

Then the article goes on to describe how all of this will break your file systems. Not to mention your databases and other file formats.

Also see Theo De Raadt's EuroBSDCon 2013 Presentation (https://www.openbsd.org/papers/eurobsdcon_2013_time_t/mgp00001.html)

***

Beastie Bits

Michael Lucas: Get your name in “Absolute FreeBSD 3rd Edition” (https://blather.michaelwlucas.com/archives/2895)
ZFS compressed ARC stats to top (https://svnweb.freebsd.org/base?view=revision&revision=r315435)
Matthew Dillon discovered HAMMER was repeating itself when writing to disk. Fixing that issue doubled write speeds (https://www.dragonflydigest.com/2017/03/14/19452.html)
TedU on Meaningful Short Names (http://www.tedunangst.com/flak/post/shrt-nms-fr-clrty)
vBSDcon and EuroBSDcon Call for Papers are open (https://www.freebsdfoundation.org/blog/submit-your-work-vbsdcon-and-eurobsdcon-cfps-now-open/)

Feedback/Questions

Craig asks about BSD server management (http://pastebin.com/NMshpZ7n)
Michael asks about jails as a router between networks (http://pastebin.com/UqRwMcRk)
Todd asks about connecting jails (http://pastebin.com/i1ZD6eXN)
Dave writes in with an interesting link (http://pastebin.com/QzW5c9wV)

> applications crash more often due to errors than corruptions. In the case of corruption, a few applications (e.g., Log-Cabin, ZooKeeper) can use checksums and redundancy to recover, leading to a correct behavior; however, when the corruption is transformed into an error, these applications crash, resulting in reduced availability.

***
A judge Googles outside of the record, legalized sports gambling in New Jersey goes boink, and prosecutorial misconduct at the DOJ. Use iTunes? https://itunes.apple.com/us/podcast/short-circuit/id309062019 Use Android (RSS)? http://feeds.soundcloud.com/users/soundcloud:users:84493247/sounds.rss Newsletter: http://www.ij.org/short-circuit Legal research: http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2015/D08-19/C:14-3316:J:Posner:aut:T:fnOp:N:1607993:S:0 Sports gambling: http://www2.ca3.uscourts.gov/opinarch/144546p.pdf DOJ misconduct: http://www.ca5.uscourts.gov/opinions/pub/13/13-31078-CR0.pdf
When cops don’t know the law, a heartbreaking deportation case, and charity donation bins … that speak! Cops: http://www.ca5.uscourts.gov/opinions/pub/13/13-50745-CR0.pdf Deportation: media.ca1.uscourts.gov/pdf.opinions/13-1550P-01A.pdf Charity bins: http://www.ca6.uscourts.gov/opinions.pdf/15a0063p-06.pdf Subscribe today to receive Short Circuit, a weekly email roundup of important decisions from the U.S. Courts of Appeal. It’s a Friday afternoon treat for the legal world. ij.org/short-circuit