Bug

How Are Sysadmins Handling Spectre/Meltdown Patches? (hpe.com) 36

Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become "a serious distraction" for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as "what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management." Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: "More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore." That is, sysadmins are ready to apply patches -- when a patch exists. "I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers," explains an IT pro named Nick... Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. "Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I've heard referred to as 'speculative reboots'..."

The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.

The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be."
Google

Former Google Employee Files Lawsuit Alleging the Company Fired Him Over Pro-Diversity Posts (theverge.com) 308

According to court documents filed today, a former Google engineer is suing the company for discrimination, harassment, retaliation, and wrongful termination. "Tim Chevalier, a software developer and former site-reliability engineer at Google, claims that Google fired him when he responded with internal posts and memes to racist and sexist encounters within the company and the general response to the now-infamous James Damore memo," reports The Verge. From the report: Chevalier said in a statement to The Verge, "It is a cruel irony that Google attempted to justify firing me by claiming that my social networking posts showed bias against my harassers." Chevalier, who is also disabled and transgender, alleges that his internal posts that defended women of color and marginalized people led directly to his termination in November 2017. He had worked at Google for a little under two years. Notably, Chevalier's posts had been quoted in Damore's lawsuit against Google -- in which Damore sued the company for discrimination against conservative white men -- as evidence Google permitted liberals to speak out at the company unpunished. Chevalier's lawsuit alleges that his firing is, in fact, a form of punishment. The lawsuit was filed in San Francisco County Superior Court and Chevalier is seeking damages for lost wages, emotional distress, punitive damages, and injunctive relief against those alleged harmful acts. Google did not immediately respond to a request for comment.
Google

AMP For Email Is a Terrible Idea (techcrunch.com) 177

An anonymous reader shares an excerpt from a report via TechCrunch, written by Devin Coldewey: Google just announced a plan to "modernize" email with its Accelerated Mobile Pages platform, allowing "engaging, interactive, and actionable email experiences." Does that sound like a terrible idea to anyone else? It sure sounds like a terrible idea to me, and not only that, but an idea borne out of competitive pressure and existing leverage rather than user needs. Not good, Google. Send to trash. See, email belongs to a special class. Nobody really likes it, but it's the way nobody really likes sidewalks, or electrical outlets, or forks. It not that there's something wrong with them. It's that they're mature, useful items that do exactly what they need to do. They've transcended the world of likes and dislikes. Email too is simple. It's a known quantity in practically every company, household, and device. The implementation has changed over the decades, but the basic idea has remained the same since the very first email systems in the '60s and '70s, certainly since its widespread standardization in the '90s and shift to web platforms in the '00s. The parallels to snail mail are deliberate (it's a payload with an address on it) and simplicity has always been part of its design (interoperability and privacy came later). No company owns it. It works reliably and as intended on every platform, every operating system, every device. That's a rarity today and a hell of a valuable one.

More important are two things: the moat and the motive. The moat is the one between communications and applications. Communications say things, and applications interact with things. There are crossover areas, but something like email is designed and overwhelmingly used to say things, while websites and apps are overwhelmingly designed and used to interact with things. The moat between communication and action is important because it makes it very clear what certain tools are capable of, which in turn lets them be trusted and used properly. We know that all an email can ever do is say something to you (tracking pixels and read receipts notwithstanding). It doesn't download anything on its own, it doesn't run any apps or scripts, attachments are discrete items, unless they're images in the HTML, which is itself optional. Ultimately the whole package is always just going to be a big , static chunk of text sent to you, with the occasional file riding shotgun. Open it a year or ten from now and it's the same email. And that proscription goes both ways. No matter what you try to do with email, you can only ever say something with it -- with another email. If you want to do something, you leave the email behind and do it on the other side of the moat.

The Internet

Trump's Infrastructure Plan Has No Dedicated Money For Broadband (arstechnica.com) 103

An anonymous reader quotes a report from Ars Technica: President Trump's new 10-year plan for "rebuilding infrastructure in America" doesn't contain any funding specifically earmarked for improving Internet access. Instead, the plan sets aside a pool of funding for numerous types of infrastructure projects, and broadband is one of the eligible categories. The plan's $50 billion Rural Infrastructure Program lists broadband as one of five broad categories of eligible projects.

Eighty percent of the program's $50 billion would be "provided to the governor of each state." Governors would take the lead in deciding how the money would be spent in their states. The other 20 percent would pay for grants that could be used for any of the above project categories. Separately, broadband would be eligible for funding from a proposed $20 billion Transformative Projects Program, along with transportation, clean water, drinking water, energy, and commercial space. Trump's plan would also add rural broadband facilities to the list of eligible categories for Private Activity Bonds, which allow private projects to "benefit from the lower financing costs of tax-exempt municipal bonds." The plan would also let carriers install small cells and Wi-Fi attachments without going through the same environmental and historical preservation reviews required for large towers.

Software

Windows 10 Will Soon Get Progressive Web Apps To Boost the Microsoft Store (techradar.com) 152

The next major update to Windows 10 will bring Progressive Web Apps (PWAs) to the Microsoft Store. PWAs are websites (or web apps) which are implemented as native apps, and delivered just like a normal app through Windows 10's store. According to TechRadar, "The big advantages are that no platform-specific code is required, allowing devs to make apps that run across different platforms, and that PWAs are hosted on the developer's server, so can be updated directly from there (without having to push updates to the app store)." The other benefit for Microsoft is that they will be getting a bunch of new apps in Windows 10's store. From the report: As Microsoft explains in a blog post, these new web apps are built on a raft of nifty technologies -- including Service Worker, Fetch networking, Push notifications and more -- all of which will be enabled when EdgeHTML 17 (the next version of the rendering engine that powers the Edge browser) goes live in Windows 10 in the next big update. PWAs can be grabbed from the Microsoft Store as an AppX file, and will run in their own sandboxed container, without needing the browser to be open at all. As far as the user is concerned, they'll be just like any other app downloaded from the store. Microsoft says it is already experimenting with crawling and indexing PWAs from the web to pick out the quality offerings, which it will draft into the Microsoft Store. The firm has already combed through some 1.5 million web apps to pick out a small selection of PWAs for initial testing. As well as discovering apps via web crawling, developers will also be able to submit their offerings directly to Microsoft for approval.
OS X

Apple Deprecates More Services In OS X Server (apple.com) 145

Long-time Slashdot reader HEMI426 writes: Long ago, Apple used to produce rack servers, and a special flavor of OS X for that hardware with extra, server-friendly features. After Apple got out of the rack server game, OS X Server soldiered on, with the occasional change in cost or distribution method.

The next stop on the long, slow death march of OS X Server is here. With a recent post to their knowledgebase, Apple states that almost all of the services not necessary for the management of networked Macs and other iDevices are being deprecated. These services will be hidden for new installs, and dropped in the future.

Apple writes that "those depending on them should consider alternatives, including hosted services."
Networking

Is It Time For Zero-Trust Corporate Networks? (csoonline.com) 150

An anonymous reader quotes CSO: "The strategy around Zero Trust boils down to don't trust anyone. We're talking about, 'Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized,'" says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass... The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn't pose a threat and therefore was cleared for access. Security and technology experts say the castle-and-moat approach isn't working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able move through internal systems without much resistance...

Experts say that today's enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don't have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users -- employees, partners, customers -- accessing applications from a range of devices from multiple locations and even potentially from around the globe... The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise... Zero Trust draws on technologies such as multifactor authentication, Identity and Access Management (IAM), orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.

"Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments," says the chief product officer at an IAM/PIM solutions supplier.

"Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment."
Books

Walmart Teams Up With Kobo To Sell EBooks and Audiobooks (engadget.com) 35

An anonymous reader quotes a report from Engadget: Later this year, you'll be able to buy ebooks and audiobooks straight from Walmart's website. The big box retailer has teamed up with Japanese e-commerce titan Rakuten to launch a business that can take on Amazon's Kindle offerings. Walmart will give its customers in the U.S. an easy way to access to Kobo's library -- Kobo is Rakuten's digital book division -- and its six million titles from tens of thousands of publishers. The company will also start selling Kobo eReaders, which will set you back at least $120, online and in stores sometime this year. Walmart said Kobo's titles will be fully integrated into its website, so the ebook and audiobook versions of the title you're searching for will appear alongside the listing of its physical book. However, you won't be able to access the digital files through random apps. You'll have to use the co-branded apps for iOS, Android and desktop that Walmart and Kobo will release in the future, though you'll of course be able access ebooks through a Kobo e-reader.
HP

Dell and HP Advise All Their Customers To Not Install Spectre BIOS Updates (bleepingcomputer.com) 88

An anonymous reader writes: The Spectre and Meltdown mess continues with Dell now recommending their customers to not install the BIOS updates that are supposed to resolve the Spectre (Variant 2) vulnerabilities. These updates have been causing numerous problems for users including performance issues, boot issues, reboot issues, and general system stability. Due to this, Dell EMC has updated its knowledgebase article with a statement advising customers to not install the BIOS update and to potentially rollback to the previous BIOS if their computers are exhibiting "unpredictable system behavior". ZDNet reports that HP too has issued a similar advisory. The computer manufacturer pulled its softpaqs BIOS updates with Intel's patches from its website, and said it would be releasing a BIOS update with a previous version of Intel's microcode on Thursday.
Network

Lenovo Discovers and Removes Backdoor In Networking Switches (bleepingcomputer.com) 42

An anonymous reader writes: Lenovo engineers have discovered a backdoor in the firmware of RackSwitch and BladeCenter networking switches. The company released firmware updates last week. The Chinese company said it found the backdoor after an internal security audit of firmware for products added to its portfolio following the acquisitions of other companies. Lenovo says the backdoor affects only RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System).

The backdoor was added to ENOS in 2004 when ENOS was maintained by Nortel's Blade Server Switch Business Unit (BSSBU). Lenovo claims Nortel appears to have authorized the addition of the backdoor "at the request of a BSSBU OEM customer." In a security advisory regarding this issue, Lenovo refers to the backdoor under the name of "HP backdoor." The backdoor code appears to have remained in the firmware even after Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT). The backdoor also remained in the code even after IBM acquired BNT in 2010. Lenovo bought IBM's BNT portfolio in 2014.

Microsoft

Microsoft: We're Not Giving Up On Cortana (Even In Home Automation) (zdnet.com) 93

Microsoft is trying to fight back against perceptions that Cortana may be its next consumer-centric technology to face the chopping block. Yesterday, the company issued a press release touting recent wins for Cortana. Among these are the officially unveiled Johnson Controls' Cortana-powered thermostat (which goes on sale for $319 starting in March). ZDNet reports the "other recent Cortana device partners": Allwinner: This company has the Tech R16 Quad Core IoT solution (a reference design for device partners).
Synaptics: This ODM (original design manufacturer) and far-field voice processing vendor produces reference designs for consumer IoT, smart speakers, PC, and more that integrate Cortana.
TONLY: Another reference design vendor working with Microsoft on Cortana devices that make use of Skype.
Qualcomm: In addition to partnering with Microsoft on Windows-on-ARM "Always Connected" PCs, Qualcomm is building reference designs on its Smart Audio and Mesh Networking platforms that use Cortana.
"In addition to our currently supported home automation partners, we are announcing new partnerships with Ecobee, Geeni, Honeywell Lyric, IFTTT, LIFX, TP-Link Kasa, and Honeywell Total Connect Comfort. Cortana currently supports lights, outlets, switches, and thermostats across all providers," the spokesperson said.
Networking

Can Mesh Networks Save a Dying Web? (thenextweb.com) 201

From an anonymous reader: "The web is dying, but mesh networks could save it," writes open source hacker Andre Staltz. He warns that Facebook, Google, and Amazon plan to "grow beyond browsers, creating new virtual contexts where data is created and shared," and predicts the next wave of walled gardens will be a "social internet" bypassing the web altogether. "The Web may die like most other technologies do, simply by becoming less attractive than newer technologies."

He wants to build a mobile mesh web that works with or without internet access to reach the four billion people currently offline, adding that all the tools we need are already in our hands: smartphones, peer-to-peer protocols, and mesh networks. His vision? "Novel peer-to-peer protocols such as IPFS and Dat help replace HTTP and make the web a content-centered cyberspace... Browsers can be made to work like that, and although it's a small tweak to how the web works, it has massive effects on social structures in cyberspace... Now that we have experience with some of the intricacies of the social web, we can reinvent it to put people first without intermediate companies... We can actually beat the tech giants at this game by simply giving local and regional connectivity to people in developing countries. With mobile apps that are built mesh-first, the smartphones would make up self-organizing self-healing mobile ad-hoc networks... In internet-less regions, there is potential for scaling quickly, and through that, we can spawn a new industry around peer-to-peer wireless mesh networks."

He cites mega-projects "to rescue the web from the internet", which include progress on peer-to-peer and mesh networking protocols, followed by adoption on smartphones (and then a new wave of apps) -- plus a migration of existing web content to the new protocols, "to fix the overutilization of the wirenet and the underutilization of airnets, bringing balance to the wire-versus-air dichotomy, providing choice in how data should travel in each case...But it can only happen if the web takes a courageous step towards its next level."

Cellphones

White House Bans Use of Personal Devices From West Wing (cbsnews.com) 205

In the wake of damaging reports of a chaotic Trump administration detailed in a new book from Michael Wolff, the White House is instituting new policies on the use of personal cellphones in the West Wing. CBS News reports: White House Press Secretary Sarah Huckabee Sanders released the following statement on the policy change: "The security and integrity of the technology systems at the White House is a top priority for the Trump administration and therefore starting next week the use of all personal devices for both guests and staff will no longer be allowed in the West Wing. Staff will be able to conduct business on their government-issued devices and continue working hard on behalf of the American people."

Wolff reportedly gained access to the White House where he conducted numerous interviews with staffers on the inner-workings of the Trump campaign and West Wing operations. Sanders told reporters Wednesday that there were about "a dozen" interactions between Wolff and White House officials, which she said took place at Bannon's request. The White House swiftly slammed the book and those who cooperated with Wolff.

Network

Asus Is Turning Its Old Routers Into Mesh Wi-Fi Networks (theverge.com) 30

Asus' new AiMesh system lets you repurpose your existing Asus routers as part of a mesh network, potentially saving you lots of money since you won't have to replace your whole network with a bunch of new devices. The Verge reports: For now, the mesh support is coming to a few routers today in beta, including the ASUS RT-AC68U, RT-AC1900P, RT-AC86U, RT-AC5300, and the ROG Rapture GT-AC5300, with additional support planned for the RT-AC88U and RT-AC3100 later this year. The setup looks pretty simple, too. Once your main router is set up and updated to the latest firmware, just take your other routers that are going to be the mesh nodes, plug them in near the main router, and run a factory reset, after which they'll automatically pop up in the Asus Router app to add to your mesh.
Wireless Networking

Roombas Will Soon Build a Wi-Fi Coverage Map While They Clean (techcrunch.com) 58

An anonymous reader quotes a report from TechCrunch: The feature is arriving later this month on the iRobot app, making it possible for WiFi-enabled Roombas to create a map of indoor signals. The map exists alongside the existing Clean Map feature, letting users toggle between the two, like they would, say, satellite and standard imagery in Google Maps. The maps themselves won't go into too much detail -- no upload and download speeds like you see on many mobile speed test apps. Instead, the information will show up as decibel readings. Really, it's intended as a handy way of showing off where you might want to toss a range extender, to help get rid of dead spots. All of Roomba's vacuums, save for the lowest-end model, will support the feature. The beta program launches January 23rd and appears to only be available for U.S. users.
Programming

New Year's Resolutions For Linux Admins: Automate More, Learn New Languages (networkworld.com) 139

An anonymous reader writes: A long-time Unix sys-admin is suggesting 18 different New Year's resolutions for Linux systems adminstrators. And #1 is to automate more of your boring stuff. "There are several good reasons to turn tedious tasks into scripts. The first is to make them less annoying. The second is to make them less error-prone. And the last is to make them easier to turn over to new team members who haven't been around long enough to be bored. Add a small dose of meaningful comments to your scripts and you have a better chance of passing on some of your wisdom about how things should be done."

Along with that, they suggest learning a new scripting language. "It's easy to keep using the same tools you've been using for decades (I should know), but you might have more fun and more relevance in the long run if you teach yourself a new scripting language. If you've got bash and Perl down pat, consider adding Python or Ruby or some other new language to your mix of skills."

Other suggestions include trying a new distro -- many of which can now be run in "live mode" on a USB drive -- and investigating the security procedures of cloud services (described in the article as "trusting an outside organization with our data").

"And don't forget... There are now only 20 years until 2038 -- The Unix/Linux clockpocalypse."

The Internet

Some Telcos and ISPs are Frustrating IPv6 Adoption (guardian.ng) 135

An anonymous reader writes: "There are indications that telecommunications operators and traditional ISPs in the country are frustrating adoption of Internet Protocol version six (IPv6) by other networks," reports Nigeria's Guardian newspaper, citing Nigeria CommunicationsWeek. The magazine found 32 networks with IPv6 addresses -- but only three which are using them. And the newspaper cites "a network engineer with a university who does not want to be named" frustrated that their ISP's network isn't IPv6-compatible, so the university can't use its own IPv6 address. "Mohammed Rudman, chairman, IPv6 Council Nigeria, said that most telecommunications operators and internet service providers in the country have not adopted IPv6 which raises the issue of compatibility with other networks."
Firefox has a fast-fallback-to-IPv4 option, which you can disable in about:config (as well as an option to disable IPv6 altogether). But "the Chrome browser supports IPv6 natively and doesn't allow users to decide which protocol to use," reports TechGlimpse.com.

How does your browser perform? Long-time Slashdot reader ourlovecanlastforeve shared a link to Test-IPv6.com, which detects whether "when given the choice, your browser decided it would prefer to use IPv4 instead of IPv6."
Electronic Frontier Foundation

EFF: Accessing Publicly Available Information On the Internet Is Not a Crime (eff.org) 175

An anonymous reader quotes a report from EFF: EFF is fighting another attempt by a giant corporation to take advantage of our poorly drafted federal computer crime statute for commercial advantage -- without any regard for the impact on the rest of us. This time the culprit is LinkedIn. The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony "hacking" under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information.

EFF, together with our friends DuckDuckGo and the Internet Archive, have urged the Ninth Circuit Court of Appeals to reject LinkedIn's request to transform the CFAA from a law meant to target "hacking" into a tool for enforcing its computer use policies. Using automated scripts to access publicly available data is not "hacking," and neither is violating a website's terms of use. LinkedIn would have the court believe that all "bots" are bad, but they're actually a common and necessary part of the Internet. "Good bots" were responsible for 23 percent of Web traffic in 2016. Using them to access publicly available information on the open Internet should not be punishable by years in federal prison. LinkedIn's position would undermine open access to information online, a hallmark of today's Internet, and threaten socially valuable bots that journalists, researchers, and Internet users around the world rely on every day -- all in the name of preserving LinkedIn's advantage over a competing service. The Ninth Circuit should make sure that doesn't happen.

Software

T-Mobile Is Becoming a Cable Company (engadget.com) 92

T-Mobile has revealed that it's launching a TV service in 2018, and that is has acquired Layer3 TV (a company that integrates TV, streaming and social networking) to make this happen. The company thinks people are ditching cable due to the providers, not TV itself. Engadget reports: It claims that it can "uncarrier" TV the way it did with wireless service, and has already targeted a few areas it thinks it can fix: it doesn't like the years-long contracts, bloated bundles, outdated tech and poor customer service that are staples of TV service in the U.S. T-Mobile hasn't gone into detail about the functionality of the service yet. How will it be delivered? How much will it cost? Where will it be available? And will this affect the company's free Netflix offer? This is more a declaration of intent than a concrete roadmap, so it's far from certain that the company will live up to its promises. Ultimately, the move represents a big bet on T-Mobile's part: that people like TV and are cutting the cord based on a disdain for the companies, not the service. There's a degree of truth to that when many Americans are all too familiar with paying ever-increasing rates to get hundreds of channels they don't watch. However, there's no guarantee that it'll work in an era when many people (particularly younger people) are more likely to use Netflix, YouTube or a streaming TV service like Sling TV.
China

German Intelligence Warns of Increased Chinese Cyberspying (apnews.com) 75

The head of Germany's domestic intelligence agency has warned that China allegedly is using social networks to try to cultivate lawmakers and other officials as sources. From a report: Hans-Georg Maassen said his agency, known by its German acronym BfV, believes more than 10,000 Germans have been targeted by Chinese intelligence agents posing as consultants, headhunters or researchers, primarily on the social networking site LinkedIn. "This is a broad-based attempt to infiltrate in particular parliaments, ministries and government agencies," Maassen said.

Slashdot Top Deals