Domain: hpe.com
Stories and comments across the archive that link to hpe.com.
Stories · 18
-
How Science Fiction Imagines Data Storage (hpe.com)
Esther Schindler (Slashdot reader #16,185) shared this story from Hewlett Packard's Enterprise blog: Storage is a staple of both science and science fiction, and forms the basis, or a crucial component, of many a piece of speculative fiction... [H]ere are eight past visions of the storage future that either passed their error checks or succumbed to bit rot.
Why store vast quantities of data on a device when you can just slap it into someone's head?
The article acknowledges that in many science fiction stories, data is simply preserved using such primitive technologies as "the written word" and "brute-force [human] memory," as well as ordinary real-world storage technologies like the server room in Rogue One: A Star Wars Story, or basic non-cloud-based computers. But there's also wetware -- think "Johnny Mnemonic" -- and the data crystals in Babylon Five.
The article even acknowledges that time Batman beat Mr. Freeze by carving binary code into a wall, giving future generations the recipe for antifreeze. -
How Linux's Kernel Developers 'Make C Less Dangerous' (hpe.com)
Hewlett-Packard's Enterprise blog summarizes a talk by Linux kernel developer Kees Cook at the North America edition of the 2018 Linux Security Summit. Its title? "Making C Less Dangerous." "C is a fancy assembler. It's almost machine code," said Cook, speaking to an audience of several hundred peers, who understood and appreciated the application speed resulting from C... Over time, Cook and the people he worked with discovered numerous native C problems. To deal with these weaknesses, the Kernel Self Protection Project has worked slowly and steadily on protecting the Linux kernel from attack. In the process, it has worked to remove troublesome code from Linux....
With its operational baggage and weak standard libraries, C contains a great deal of undefined behavior. Cook cited -- and agreed with -- Raph Levien's blog post "With Undefined Behavior, Anything Is Possible." Cook gave concrete examples. "What are the contents of 'uninitialized' variables? Whatever was in memory from before! Void pointers have no type, yet we can call typed functions through them? Sure! Assembly doesn't care: Everything can be an address to call! Why does memcpy() have no 'max destination length' argument? Just do what I say; memory areas are all the same!" Some of these idiosyncrasies are relatively easy to deal with. Cook commented, "Linus [Torvalds] likes the idea of always initializing local variables. So, you should 'just do it....'"
The long-term solution? More security-savvy open source developers... While at times, the idea of coming up with a Linux C dialect has been attractive, that's not going to happen. The real issue behind the problem of dangerous code is "people don't want to do the work to clean up code -- not just bad code, but C itself," he said. As with all open source projects, "we need more dedicated developers, reviewers, testers, and backporters."
LWN.net has its own run-down of Cook's talk, as well as a link to a PDF file of his slides.
"Sound good," posted one of their commenters, "though ultimately I'd like kernel devs to adopt Rust as their main Linux kernel development language. Beats the crap out of C and C++ combined." -
Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates? (hpe.com)
New submitter pgralla writes from a report via HPE: Many devices, designed for both long-term and short-term use, were shortsighted when it came to flexibility. How do you handle the hardware that never gets software updates, such as embedded systems and task-dedicated equipment? The article that pgralla shared provides the example of medical devices running Windows 7. "Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today," reports HPE. "But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft's extended support. In January 2020, that extended support will end as well." Many IoT devices are in a similar boat as they're powered by embedded Linux and are not designed to be updated after they enter service.
Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion. -
Critical Bug Last Year Allowed Bypassing Authentication On HPE ILO4 Servers With 29 'A' Characters (bleepingcomputer.com)
Public exploit code has been published for a severe vulnerability which last year affected Hewlett Packard Integrated Lights-Out 4 (HP iLO 4), a tool for remotely managing the company's servers.
HPE "silently released" patches last August, an anonymous reader reports, adding "details only emerged this spring after researchers started presenting their work at security conferences." The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware. But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Because of its simplicity and remote exploitation factor, the vulnerability — tracked as CVE-2017-12542 — received a severity score of 9.8 out of 10. -
Should Professional Sports Switch To Robot Referees? (hpe.com)
Long-time Slashdot reader Esther Schindler writes: Everyone who watches sports spends some amount of time yelling at the umpire or sports referee. For the past few years we've also been shouting, "Replace that ump with a robot!"
But is it technically feasible? Is the current level of AI and robotics tech up to the job? This article starts with the assumption that someone seriously wants to create a robot umpire or sports referee and then evaluates whether it is possible to build an accurate and trustworthy augmented reality solution today.
The article points out that professional tennis matches already apply AI to high-definition video feeds from up to six different cameras to dispense binding judgments on whether a ball was in or out. At the same time, not every officiating decision in every sport is so easily automated, since AI "can't yet handle calls that hinge on judgment of players' intent."
But there's a larger question: do we really want to remove those human watchers from our sports? "Sports is a human activity," argues a professor of social sciences at Cardiff University in Wales, suggesting that human officials continue a cultural tradition which reminds us of who we are. "Humans are imperfect; that's OK."
What do Slashdot's readers think? Should professional sports switch to robot referees? -
Old AM Broadcast Towers Get a New Life
Esther Schindler shares an article from Hewlett Packard Enterprise: Video may have killed the radio star, but other media certainly make old AM radio towers superfluous... maybe. "As once-loyal listeners tune away, most AM stations are barely holding onto life, slashing staff and budgets as deeply as they can while struggling to find a return to profitability," reports HPE. "Once upon a time, having a broadcast license of any kind was like having a permit to print money. In today's world, that's no longer true." But, with some 10,000 AM broadcast towers in the United States stretching high into the sky, there may be an opportunity for wireless carriers who don't want to argue with community opposition from neighborhoods where residents don't want yet another cell tower. The amount of money an AM station owner can pocket by sharing its tower with a wireless partner varies widely, depending on the tower's location, height, and several other factors. But it's certainly more income -- and a way to keep "old" technology from becoming obsolete. "Using an AM tower, which has very often been in place for many years, avoids many zoning and other permitting issues, versus going in and creating a new site for a tower," Behr explains. He says local residents, businesses, and officials rarely complain about an AM broadcast tower that suddenly begins serving as a cell site. "That tower was there before they were, and it doesn't bother them," Lawrence Behr, CEO of Greenville, North Carolina-based LBA Group, says. "Hanging a few things on it is rarely controversial, so that's a real good thing for AMs." -
How Are Sysadmins Handling Spectre/Meltdown Patches? (hpe.com)
Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become "a serious distraction" for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as "what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management." Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: "More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore." That is, sysadmins are ready to apply patches -- when a patch exists. "I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers," explains an IT pro named Nick... Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. "Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I've heard referred to as 'speculative reboots'..."
The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.
The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be." -
How Data Science Powered the Search for MH370 (hpe.com)
"In the absence of physical evidence, scientists are employing powerful computational tools to attempt to solve the greatest aviation mystery of our time: the disappearance of flight MH370." Slashdot reader Esther Schindler shared this article from HPE Insights: Satellite communications provider Inmarsat announced it had found recorded signals in its archives that MH370 had sent for another six hours after it disappeared. The plane had been aloft and flying for that whole time -- but where had it gone? As Inmarsat scientists examined the signals, they saw that what they had was not data such as text messages or location information. Rather, the signals contained metadata: information about the signal itself. This was recorded as the satellite automatically contacted the plane's communications system every hour to see if it was still logged on. Bafflingly, whoever had taken the plane hadn't used the satcom system to communicate with the outside world, but had switched it off and then on again, leaving it able to exchange hourly "pings" with the satellite. Some of the metadata related to extremely subtle variations in the frequency of the signal. "We're talking about changes as big as one part in a billion," says Inmarsat scientist Chris Ashton.
Nobody had tried to use this kind of data to try to locate an airplane before. At first, Ashton's team didn't know if the attempt would work. But painstakingly, over the course of weeks, the team figured out how the movement of the plane, the orbital wobble of the satellite, and the electronics within the satcom system all interacted to create the data values that had been received. "We had to create the model from scratch," Ashton says. Their work revealed that the plane had flown into the remote southern Indian Ocean. They didn't know where exactly. But since there are no islands in that part of the world, it was impossible that anyone could have survived. For the first time in history, hundreds of people were declared legally dead based on mathematics alone.
Then mathematician Dr. Neil Gordon led a team from the Defense Science and Technology Group "to extract a path from a subset of the Inmarsat data called the Burst Timing Offset. This measured how quickly the aircraft responded each time the satellite pinged it, and was used to determine the distance between the satellite and the plane." They ultimately generate "a probabilistic 'heat map' of the plane's most likely resting places using a technique called Bayesian analysis. These calculations allowed the DSTG team to draw a box 400 miles long and 70 miles across, which contained about 90 percent of the total probability distribution." -
Why Do Web Developers Keep Making The Same Mistakes? (hpe.com)
An anonymous reader quotes HPE Insights: Software developers and testers must be sick of hearing security nuts rant, "Beware SQL injection! Monitor for cross-site scripting! Watch for hijacked session credentials!" I suspect the developers tune us out... The industry has generated newer tools, better testing suites, Agile methodologies, and other advances in writing and testing software. Despite all that, coders keep making the same dumb mistakes, peer reviews keep missing those mistakes, test tools fail to catch those mistakes, and hackers keep finding ways to exploit those mistakes. One way to see the repeat offenders is to look at the Open Web Application Security Project Top 10, a sometimes controversial ranking of the 10 primary vulnerabilities, published every three or four years by the Open Web Application Security Project... It boggles the mind that a majority of top 10 issues appear across the 2007, 2010, 2013, and draft 2017 OWASP lists...
It's sad that eight out of 10 of the issues from 2013 are still top security issues in 2017. In fact, if you consider that the draft 2017 list combined two of the 2013 items, it's actually nine out of 10. Ouch... What can you do? Train everyone better, for starters. Look at coding and test tools that can help detect or prevent security vulnerabilities, but don't consider them silver bullets. Do dynamic application security testing, including penetration testing and fuzz testing. Ensure admins do their part to protect applications. And finally, make sure you establish a culture of security-aware programming and deployment. -
How Open Source Software Helps The Federal Reserve Bank of New York (hpe.com)
Long-time Slashdot reader Esther Schindler quotes Hewlett Packard Enterprise: When you handle trillions of dollars a year in transactions and manage the largest known vault of gold in the world, security and efficiency are top priorities. Open source reusable software components are key to the New York Fed's successful operation, explains Colin Wynd, vice president and head of the bank's Common Service Organization... The nearly 2,000 developers across the Federal Reserve System used to have a disparate set of developer tools. Now, they benefit from a standard toolset and architecture, which also places limits on which applications the bank will consider using. "We don't want a third-party application that isn't compatible with our common architecture," said Wynd.
One less obvious advantage to open source adoption is in career satisfaction and advancement. It gives developers opportunities to work on more interesting applications, said Wynd. Developers can now take on projects or switch jobs more easily across Federal Reserve banks because the New York Fed uses a lot of common open source components and a standard tool set, meaning retraining is minimal if needed at all.
Providing training in-house also creates a more consistent use of best practices. "Our biggest headache is to prove to groups that an application is secure, because we have to defend against nation state attacks." -
SpaceX Will Deliver The First Supercomputer To The ISS (hpe.com)
Slashdot reader #16,185, Esther Schindler writes: "By NASA's rules, not just any computer can go into space. Their components must be radiation hardened, especially the CPUs," reports HPE Insights. "Otherwise, they tend to fail due to the effects of ionizing radiation. The customized processors undergo years of design work and then more years of testing before they are certified for spaceflight." As a result, the ISS runs the station using two sets of three Command and Control Multiplexer DeMultiplexer computers whose processors are 20MHz Intel 80386SX CPUs, right out of 1988. "The traditional way to radiation-harden a spacecraft computer is to add redundancy to its circuits or by using insulating substrates instead of the usual semiconductor wafers on chips. That's expensive and time consuming. HPE scientists believe that simply slowing down a system in adverse conditions can avoid glitches and keep the computer running."
So, assuming the August 15 SpaceX Falcon 9 rocket launch goes well, there will be a supercomputer headed into space -- using off-the-shelf hardware. Let's see if the idea pans out. "We may discover a set of parameters with which a supercomputer can successfully run for at least a year without errors," says Dr. Mark R. Fernandez, the mission's co-principal investigator for software and SGI's HPC technology officer. "Alternately, one or more components of the system will fail, in which case we will then do the typical failure analysis on Earth. That will let us learn what to change to make the systems more reliable in the future."
The article points out that the New Horizons spacecraft that just flew past Pluto has a 12MHz Mongoose-V CPU, based on the MIPS R3000 CPU. "You may remember its much faster ancestor: the chip that took you on adventures in the original Sony PlayStation, circa 1994." -
HP Answers The Question: Moore's Law Is Ending. Now What? (hpe.com)
Long-time Slashdot reader Paul Fernhout writes: R. Stanley Williams, of Hewlett Packard Labs, wrote a report exploring the end of Moore's Law, saying it "could be the best thing that has happened in computing since the beginning of Moore's law. Confronting the end of an epoch should enable a new era of creativity by encouraging computer scientists to invent biologically inspired devices, circuits, and architectures implemented using recently emerging technologies." This idea is also looked at in a broader, shorter article by Curt Hopkins, also with HP Labs.
Williams argues that "The effort to scale silicon CMOS overwhelmingly dominated the intellectual and financial capital investments of industry, government, and academia, starving investigations across broad segments of computer science and locking in one dominant model for computers, the von Neumann architecture." And Hopkins points to three alternatives already being developed at Hewlett Packard Enterprise -- neuromorphic computing, photonic computing, and Memory-Driven Computing. "All three technologies have been successfully tested in prototype devices, but MDC is at center stage." -
HP Answers The Question: Moore's Law Is Ending. Now What? (hpe.com)
Long-time Slashdot reader Paul Fernhout writes: R. Stanley Williams, of Hewlett Packard Labs, wrote a report exploring the end of Moore's Law, saying it "could be the best thing that has happened in computing since the beginning of Moore's law. Confronting the end of an epoch should enable a new era of creativity by encouraging computer scientists to invent biologically inspired devices, circuits, and architectures implemented using recently emerging technologies." This idea is also looked at in a broader, shorter article by Curt Hopkins, also with HP Labs.
Williams argues that "The effort to scale silicon CMOS overwhelmingly dominated the intellectual and financial capital investments of industry, government, and academia, starving investigations across broad segments of computer science and locking in one dominant model for computers, the von Neumann architecture." And Hopkins points to three alternatives already being developed at Hewlett Packard Enterprise -- neuromorphic computing, photonic computing, and Memory-Driven Computing. "All three technologies have been successfully tested in prototype devices, but MDC is at center stage." -
Soon You'll Be Able To Build Your Own 4G Network Over Wi-Fi Frequencies (hpe.com)
Long-time Slashdot reader Esther Schindler writes: An industry consortium called MulteFire wants to help you build your own LTE-like network that uses the Wi-Fi spectrum, with no need for carriers or providers, writes Andy Patrizio. Just don't expect to get started today. "In its basic specification, MulteFire Release 1.0 defines an LTE-like network that can run entirely on unlicensed spectrum frequencies. The alliance didn't try to do too much with the 1.0 spec; it simply wanted to get it out the door so partners and manufacturers could begin adoption. For 1.0, the alliance focused on the 5-GHz band. More functionality and more spectrums will be supported in future specs." Why would you want it? As Patrizio explains, MulteFire's target audience is fairly obvious: anyone who needs speed, scalability, and security beyond what Wi-Fi offers. "MulteFire is enabling cellular technologies to run in unassigned spectrum, where they are free to use it so long as they follow the rules of the spectrum band," says Mazen Chmaytelli, president of the MulteFire Alliance. Is this something you think would make a difference?
The alliance includes Qualcomm and Cisco Systems, and the article points out some advantages. LTE cell towers "can be miles apart versus Wi-Fi's range of just a few feet. Plus, LTE's security has never been breached, as far as we know." -
HPE Unveils The Machine, a Single-Memory Computer Capable of Addressing 160 Terabytes (venturebeat.com)
An anonymous reader quotes a report from VentureBeat: Hewlett Packard Enterprise announced what it is calling a big breakthrough -- creating a prototype of a computer with a single bank of memory that can process enormous amounts of information. The computer, known as The Machine, is a custom-built device made for the era of big data. HPE said it has created the world's largest single-memory computer. The R&D program is the largest in the history of HPE, the former enterprise division of HP that split apart from the consumer-focused division. If the project works, it could be transformative for society. But it is no small effort, as it could require a whole new kind of software. The prototype unveiled today contains 160 terabytes (TB) of memory, capable of simultaneously working with the data held in every book in the Library of Congress five times over -- or approximately 160 million books. It has never been possible to hold and manipulate whole data sets of this size in a single-memory system, and this is just a glimpse of the immense potential of Memory-Driven Computing, HPE said. Based on the current prototype, HPE expects the architecture could easily scale to an exabyte-scale single-memory system and, beyond that, to a nearly limitless pool of memory -- 4,096 yottabytes. For context, that is 250,000 times the entire digital universe today. -
Steve Case On How To Get Funded Outside Tech Corridors (hpe.com)
Long-time reader Esther Schindler writes: Innovation occurs outside the Bay Area, New York, Boston, and Austin. So why is it so hard for a startup to get attention and acquire venture capital? Steve Case and Kara Swisher discussed this never-ending topic recently, such as the fact 78% of U.S. venture capital last year went to just three states: California, New York, and Massachusetts. Case sees a "third wave" of venture capital funding and through his VC firm is investing in startups based outside major tech centers.
But, points out Stealthmode's Francine Hardaway, if you're in Boise or Baltimore you don't have to wait for Case to come to town. She shares advice about what's worked in other startup communities, focusing on the #YesPhx efforts.
Conventional wisdom says you should be in a major tech center to get funding, but the article offers an encouraging counterargument. "Never rely on conventional wisdom if you're an innovator. Money follows real innovation." -
HPE To Spin Out Its Huge Services Business, Merge It With CSC (cio.com)
itwbennett writes from a report via CIO: Hewlett-Packard Enterprise announced Tuesday that it will spin off its enterprise services business and merge it with IT services company Computer Sciences Corp. (CSC) to create a company with $26 billion in annual revenue. The services business "accounts for roughly 100,000 employees, or two-thirds of the Silicon Valley giant's workforce," according to the Wall Street Journal. In a statement, HPE CEO Meg Whitman said customers would benefit from a "stronger, more versatile services business, better able to innovate and adapt to an ever-changing technology landscape." Layoffs were not a topic of discussion in Tuesday's announcement, but HPE did say last year they would cut 33,000 jobs by 2018, in addition to the 55,000 job cuts it had already announced. The company also split into two last year, betting that the smaller parts will be nimbler and more able to reverse four years of declining sales. -
InfiniteOS and GPLd Code?
Ximenes Zalteca writes "According to a recent MacInTouch article, "cache-computing" has derived or simply copied Linux/PPC code licensed under the GNU GPL and replaced the existing copyright with one of their own. The article can be found here. It's worth noting that this is far worse than the controversy over BeOS, because the InfiniteOS project has done more than simply not follow a tenet of the GPL; it has replaced a copyright illegally. This is likely due to the common misconception that "free" software under the GPL is public domain."