Linus Torvalds Sees Lots of Hardware Headaches Ahead
by Peter Reutemann
'Linux founder Linus Torvalds "warns that managing software is about
to become a lot more challenging, largely because of two hardware
issues that are beyond the control of DevOps teams," reports
DevOps.com.
An anonymous reader shares their report about Torvalds remarks at the
KubeCon + CloudNative + Open Source Summit China conference:
The first, Torvalds said, is the steady stream of patches being
generated for new cybersecurity issues related to the speculative
execution model that Intel and other processor vendors rely on to
accelerate performance... Each of those bugs requires another patch to
the Linux kernel that, depending on when they arrive, can require
painful updates to the kernel, Torvalds told conference attendees.
Short of disabling hyperthreading altogether to eliminate reliance on
speculative execution, each patch requires organizations to update
both the Linux kernel and the BIOS to ensure security. Turning off
hyperthreading eliminates the patch management issue, but also reduces
application performance by about 15 percent.
The second major issue hardware issue looms a little further over the
horizon, Torvalds said. Moore's Law has guaranteed a doubling of
hardware performance every 18 months for decades. But as processor
vendors approach the limits of Moore's Law, many developers will need
to reoptimize their code to continue achieving increased performance.
In many cases, that requirement will be a shock to many development
teams that have counted on those performance improvements to make up
for inefficient coding processes, he said.'
-- source: https://news.slashdot.org/story/19/06/28/2245250
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
11 months, 1 week
Tech Press Rushes To Cover New Linus Torvalds Mailing List Outburst
by Peter Reutemann
'"Linux frontman Linus Torvalds thinks he's 'more self-aware' these
days and is 'trying to be less forceful' after his brief absence from
directing Linux kernel developers because of his abusive language on
the Linux kernel mailing list," reports ZDNet.
"But true to his word, he's still not necessarily diplomatic in his
communications with maintainers..."
Torvalds' post-hiatus outburst was directed at Dave Chinner, an
Australian programmer who maintains the Silicon Graphics (SGI)-created
XFS file system supported by many Linux distros. "Bullshit, Dave,"
Torvalds told Chinner on a mailing list. The comment from Chinner that
triggered Torvalds' rebuke was that "the page cache is still far, far
slower than direct IO" -- a problem Chinner thinks will become more
apparent with the arrival of the newish storage-motherboard interface
specification known as Peripheral Express Interconnect Express (PCIe)
version 4.0. Chinner believes page cache might be necessary to support
disk-based storage, but that it has a performance cost....
"You've made that claim before, and it's been complete bullshit before
too, and I've called you out on it then too," wrote Torvalds. "Why do
you continue to make this obviously garbage argument?" According to
Torvalds, the page cache serves its correct purpose as a cache. "The
key word in the 'page cache' name is 'cache'," wrote Torvalds....
"Caches work, Dave. Anybody who thinks caches don't work is
incompetent. 99 percent of all filesystem accesses are cached, and
they never do any IO at all, and the page cache handles them
beautifully," Torvalds wrote.
"When you say the page cache is slower than direct IO, it's because
you don't even see or care about the *fast* case. You only get
involved once there is actual IO to be done."
"The thing is," reports the Register, "crucially, Chinner was talking
in the context of specific IO requests that just don't cache well, and
noted that these inefficiencies could become more obvious as the
deployment of PCIe 4.0-connected non-volatile storage memory spreads."
Here's how Chinner responded to Torvalds on the mailing list. "You've
taken one single statement I made from a huge email about complexities
in dealing with IO concurrency, the page cache and architectural flaws
in the existing code, quoted it out of context, fabricated a
completely new context and started ranting about how I know nothing
about how caches or the page cache work."
The Register notes their conversation also illustrates a crucial
difference from closed-source software development. "[D]ue to the open
nature of the Linux kernel, Linus's rows and spats play out in public
for everyone to see, and vultures like us to write up about."'
-- source: https://news.slashdot.org/story/19/06/28/2339245
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
11 months, 1 week
Google's New ReCAPTCHA Has a Dark Side
by Peter Reutemann
'We've all tried to log into a website or submit a form only to be
stuck clicking boxes of traffic lights or storefronts or bridges in a
desperate attempt to finally convince the computer that we're not
actually a bot. For many years, this has been one of the predominant
ways that reCaptcha -- the Google-run internet bot detector -- has
determined whether a user is a bot or not. But last fall, Google
launched a new version of the tool, with the goal of eliminating that
annoying user experience entirely. Now, when you enter a form on a
website that's using reCaptcha V3, you won't see the "I'm not a robot"
checkbox, nor will you have to prove you know what a cat looks like.
Instead, you won't see anything at all.
Google is also now testing an enterprise version of reCaptcha v3,
where Google creates a customized reCaptcha for enterprises that are
looking for more granular data about users' risk levels to protect
their site algorithms from malicious users and bots. But this new,
risk-score based system comes with a serious trade-off: users'
privacy. According to two security researchers who've studied
reCaptcha, one of the ways that Google determines whether you're a
malicious user or not is whether you already have a Google cookie
installed on your browser. It's the same cookie that allows you to
open new tabs in your browser and not have to re-log in to your Google
account every time. But according to Mohamed Akrout, a computer
science PhD student at the University of Toronto who has studied
reCaptcha, it appears that Google is also using its cookies to
determine whether someone is a human in reCaptcha v3 tests. Akrout
wrote in an April paper about how reCaptcha v3 simulations that ran on
a browser with a connected Google account received lower risk scores
than browsers without a connected Google account.
"Because reCaptcha v3 is likely to be on every page of a website, if
you're signed into your Google account there's a chance Google is
getting data about every single webpage you go to that is embedded
with reCaptcha v3 -- and there many be no visual indication on the
site that it's happening, beyond a small reCaptcha logo hidden in the
corner," the report adds.'
-- source: https://tech.slashdot.org/story/19/06/27/2139219
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
11 months, 1 week
WireGuard on Windows early preview
by Peter Reutemann
'WireGuard is a new peer-to-peer VPN technology that has the potential
for greater speed, smaller attack surface, and easier configuration
than commonly used and better-established VPN platforms such as
OpenVPN and IPSec. It has been available on Linux, FreeBSD, macOS,
Android, and even iOS for quite some time now, with Windows being the
one platform frustratingly missing. There are good reasons for
that—lead developer Jason Donenfeld didn't want to inherit the
problems of OpenVPN's OpenTAP adapter code, and when he investigated
Microsoft's built-in VPN API, he didn't like that either. So his first
move was to take a giant step backward on the Windows platform and
develop an extremely simple virtual adapter that could be used not
only for WireGuard, but also for other projects that might need the
same kind of very basic, socket-and-tunnel functionality. This became
Wintun.
For the moment, WireGuard for Windows is still in what creator Jason
Donenfeld refers to as "pre-alpha," with an alpha build due out
sometime in the next week or two. The good news is that it's an easy
install now, with no dev-fu required to get it running happily on a
Windows 10 (or Server 2016, as seen below) system. There are
self-contained, signed MSI installers for both 64-bit and 32-bit
builds there; downloading and running them just works, with no
complaints from Defender about unsigned or untrusted anything. I was
curious about what makes v0.0.14 "pre-alpha" rather than merely
"alpha." Donenfeld told me one reason he called it pre-alpha was to
keep journalists like me (as well as the generally unadventurous) from
writing about it before it's ready.'
-- source: https://arstechnica.com/information-technology/2019/06/taking-a-spin-on-w...
Here's the link the article covering the Linux version:
https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connect...
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
11 months, 1 week
Mozilla Launches GeckoView-Powered Firefox Preview For Android
by Peter Reutemann
'Mozilla today announced Firefox Preview, a pilot of its new Android
browser. Firefox Preview, which is powered by Mozilla's own GeckoView
engine, will ultimately replace the current Firefox for Android mobile
app "this fall." At the same time, Mozilla has put Firefox Focus for
Android development on hold. If you're a developer or just an early
adopter, you can download Firefox Preview from Google Play.
On desktop, Firefox is the second most popular browser after Chrome.
Firefox holds about 10% desktop market share, according to Net
Applications. On mobile, however, Firefox has less than 0.5% share.
Despite regular releases alongside the desktop browser over the years,
Firefox's mobile share has not improved.'
-- source: https://news.slashdot.org/story/19/06/27/1720215
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
11 months, 1 week
Researchers Demonstrate How US Emergency Alert System Can Be Hijacked and Weaponized
by Peter Reutemann
'After an emergency alert was accidentally sent to Hawaii residents
last year, warning of an impending nuclear ballistic missile attack,
researchers at the University of Colorado Boulder were prompted to ask
the question: How easy would it be to exploit the nation's emergency
alert systems, wreaking havoc on the American public via fake or
misleading alerts? In short, they found that it wasn't very difficult
at all. Motherboard reports:
Their full study was recently unveiled at the 2019 International
Conference on Mobile Systems, Applications and Services (MobiSys) in
Seoul, South Korea. It documents how spoofing the Wireless Emergency
Alert (WEA) program to trick cellular users wasn't all that difficult.
To prove it, researchers built a mini "pirate" cell tower using
easily-available hardware and open source software. Using isolated RF
shield boxes to mitigate any real-world harm, they then simulated
attacks in the 50,000 seat Folsom Field at the University. 90 percent
of the time, the researchers say they were able to pass bogus alerts
on to cell phones within range. The transmission of these messages
from the government to the cellular tower is secure. It's the
transmission from the cellular tower to the end user that's open to
manipulation and interference, the researchers found. The
vulnerability potentially impacts not just US LTE networks, but LTE
networks from Europe to South Korea. '
-- source: https://tech.slashdot.org/story/19/06/26/2347257
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
11 months, 1 week
Intel, Arm To Help Create New IoT Standard For Device Onboarding
by Peter Reutemann
'Intel is working with rival Arm to create a new industry standard for
an important issue in the Internet of Things market: making sure that
devices are properly configured and connected to the cloud. From a
report:
The Santa Clara, Calif.-based chipmaker announced on Wednesday that
the company is a founding member of the new IoT Technical Working
Group within the FIDO Alliance, an industry consortium founded by
PayPal, Lenovo and others in 2012 to develop standards for
password-less authentication. The goal of FIDO's IoT Technical Working
Group, which will also include experts from Microsoft, Google and
Amazon, is to create a standard specification for "large-scale IoT
onboarding," the process in which devices are configured and connected
to IoT cloud management services at the time of installation. Lorie
Wigle, the executive in charge of Intel's platform security efforts,
told CRN that it is important to create a standard around IoT
onboarding because many companies currently face challenges with the
practice when it comes to handling large-scale deployments and
security. [...] Once FIDO develops the standard, market forces will
compel companies to adhere and participate, according to Wigle, who
said it will also increase device variety, lower costs and accelerate
deployments.'
-- source: https://it.slashdot.org/story/19/06/26/1524200
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
11 months, 1 week
Google Now Allows Users To Auto-Delete Their Location History
by Peter Reutemann
'Google today began rolling out location history deletion tools to
Android and iOS, giving users a relatively simple way to limit the
scope of Google's location tracking. Users can only choose between
deleting data after three or 18 months. In a blog post, Google wrote:
Choose a time limit for how long you want your activity data to be
saved -- 3 or 18 months -- and any data older than that will be
automatically deleted from your account on an ongoing basis. These
controls are coming first to Location History and Web & App Activity
and will roll out in the coming weeks.'
-- source: https://yro.slashdot.org/story/19/06/26/1730250
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
11 months, 1 week