Intel

Intel Says Newer Chips Also Hit by Unwanted Reboots After Patch (zdnet.com) 112

Intel says the unexpected reboots triggered by patching older chips affected by Meltdown and Spectre are happening to its newer chips, too. From a report: Intel confirmed in an update late Wednesday that not only are its older Broadwell and Haswell chips tripping up on the firmware patches, but newer CPUs through to the latest Kaby Lake chips are too. The firmware updates do protect Intel chips against potential Spectre attacks, but machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake architecture processors are rebooting more frequently once the firmware has been updated, Intel said. Intel has also updated its original Meltdown-Spectre advisory with a new warning about the stability issues and recommends OEMs and cloud providers test its beta silicon microcode updates before final release. These beta releases, which mitigate the Spectre Variant 2 CVE-2017-5715 attack on CPU speculative execution, will be available next week.
AI

Google Has Made It Simple For Anyone To Tap Into Its Image Recognition AI (gizmodo.com) 42

An anonymous reader quotes a report from Gizmodo: Google released a new AI tool on Wednesday designed to let anyone train its machine learning systems on a photo dataset of their choosing. The software is called Cloud AutoML Vision. In an accompanying blog post, the chief scientist of Google's Cloud AI division explains how the software can help users without machine learning backgrounds harness artificial intelligence. All hype aside, training the AI does appear to be surprisingly simple. First, you'll need a ton of tagged images. The minimum is 20, but the software supports up to 10,000. Using a meteorologist as an example for their promotional video was an apt choice by Google -- not many people have thousands of tagged HD images bundled together and ready to upload. A lot of image recognition is about identifying patterns. Once Google's AI thinks it has a good understanding of what links together the images you've uploaded, it can be used to look for that pattern in new uploads, spitting out a number for how well it thinks the new images match it. So our meteorologist would eventually be able to upload images as the weather changes, identifying clouds while continuing to train and improve the software.
Privacy

Amazon Won't Say If It Hands Your Echo Data To the Government (zdnet.com) 105

Zack Whittaker reports via ZDNet that Amazon still won't say whether or not it hands your Echo data to the government -- three years after the Echo was first released. From the report: Amazon has a transparency problem. Three years ago, the retail giant became the last major tech company to reveal how many subpoenas, search warrants, and court orders it received for customer data in a half-year period. While every other tech giant had regularly published its government request figures for years, spurred on by accusations of participation in government surveillance, Amazon had been largely forgotten. Eventually, people noticed and Amazon acquiesced. Since then, Amazon's business has expanded. By its quarterly revenue, it's no longer a retail company -- it's a cloud giant and a device maker. The company's flagship Echo, an "always listening" speaker, collects vast amounts of customer data that's openly up for grabs by the government. But Amazon's bi-annual transparency figures don't want you to know that. In fact, Amazon has been downright deceptive in how it presents the data, obfuscating the figures in its short, but contextless, twice-yearly reports. Not only does Amazon offer the barest minimum of information possible, the company has -- and continues -- to deliberately mislead its customers by actively refusing to clarify how many customers, and which customers, are affected by the data demands it receives.
The Military

'Don't Fear the Robopocalypse': the Case for Autonomous Weapons (thebulletin.org) 148

Lasrick shares "Don't fear the robopocalypse," an interview from the Bulletin of the Atomic Scientists with the former Army Ranger who led the team that established the U.S. Defense Department policy on autonomous weapons (and has written the upcoming book Army of None: Autonomous Weapons and the Future of War). Paul Scharre makes the case for uninhabited vehicles, robot teammates, and maybe even an outer perimeter of robotic sentries (and, for mobile troops, "a cloud of air and ground robotic systems"). But he also argues that "In general, we should strive to keep humans involved in the lethal force decision-making process as much as is feasible. What exactly that looks like in practice, I honestly don't know."

So does that mean he thinks we'll eventually see the deployment of fully autonomous weapons in combat? I think it's very hard to imagine a world where you physically take the capacity out of the hands of rogue regimes... The technology is so ubiquitous that a reasonably competent programmer could build a crude autonomous weapon in their garage. The idea of putting some kind of nonproliferation regime in place that actually keeps the underlying technology out of the hands of people -- it just seems really naive and not very realistic. I think in that kind of world, you have to anticipate that there are, at a minimum, going to be uses by terrorists and rogue regimes. I think it's more of an open question whether we cross the threshold into a world where nation-states are using them on a large scale.

And if so, I think it's worth asking, what do we mean by "them"? What degree of autonomy? There are automated defensive systems that I would characterize as human-supervised autonomous weapons -- where a human is on the loop and supervising its operation -- in use by at least 30 countries today. They've been in use for decades and really seem to have not brought about the robopocalypse or anything. I'm not sure that those [systems] are particularly problematic. In fact, one could see them as being even more beneficial and valuable in an age when things like robot swarming and cooperative autonomy become more possible.

Open Source

20 Years Later, Has Open Source Changed the World? (infoworld.com) 217

"Most code remains closed and proprietary, even though open source now dominates enterprise platforms," notes Matt Asay, former COO at Canonical (and an emeritus board member of the Open Source Initiative). "How can that be?" he asks, in an essay noting it's been almost 20 years since the launch of the Open Source Initiative, arguing that so far open source "hasn't changed the world as promised." [T]he reason most software remains locked up within the four walls of enterprise firewalls is that it's too costly with too small of an ROI to justify open-sourcing it. At least, that's the perception. Such a perception is impossible to break without walking the open source path, which companies are unwilling to walk without upfront proof. See the problem? This chicken-and-egg conundrum is starting to resolve itself, thanks to the forward-looking efforts of Google, Facebook, Amazon, and other web giants that are demonstrating the value of open-sourcing code.

Although it's unlikely that a State Farm or Chevron will ever participate in the same way as a Microsoft, we are starting to see companies like Bloomberg and Capital One get involved in open source in ways they never would have considered back when the term "open source" was coined in 1997, much less in 2007. It's a start. Let's also not forget that although we have seen companies use more open source code over the past 20 years, the biggest win for open source since its inception is how it has changed the narrative of how innovation happens in software. We're starting to believe, and for good reason, that the best, most innovative software is open source.

The article strikes a hopeful note. "We're now comfortable with the idea that software can, and maybe should, be open source without the world ending. The actual opening of that source, however, is something to tackle in the next 20 years."
Virtualization

VMware Bug Allowed Root Access (arstechnica.com) 33

c4231 quotes Ars Technica: While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools -- EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection -- could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.
Government

Will Facial Recognition in China Lead To Total Surveillance? (washingtonpost.com) 122

schwit1 shares a new Washington Post article about China's police and security state -- including the facial recognition cameras that allow access to apartment buildings. "If I am carrying shopping bags in both hands, I just have to look ahead and the door swings open," one 40-year-old woman tells the Post. "And my 5-year-old daughter can just look up at the camera and get in. It's good for kids because they often lose their keys." But for the police, the cameras that replaced the residents' old entry cards serve quite a different purpose. Now they can see who's coming and going, and by combining artificial intelligence with a huge national bank of photos, the system in this pilot project should enable police to identify what one police report, shared with The Washington Post, called the "bad guys" who once might have slipped by... Banks, airports, hotels and even public toilets are all trying to verify people's identities by analyzing their faces. But the police and security state have been the most enthusiastic about embracing this new technology.

The pilot in Chongqing forms one tiny part of an ambitious plan, known as "Xue Liang," which can be translated as "Sharp Eyes." The intent is to connect the security cameras that already scan roads, shopping malls and transport hubs with private cameras on compounds and buildings, and integrate them into one nationwide surveillance and data-sharing platform... At the back end, these efforts merge with a vast database of information on every citizen, a "Police Cloud" that aims to scoop up such data as criminal and medical records, travel bookings, online purchase and even social media comments -- and link it to everyone's identity card and face.

China

Apple's China iCloud Data Migration Sweeps Up International User Accounts (techcrunch.com) 45

Yesterday, it was reported that Apple's iCloud services in mainland China will be operated by a Chinese company from next month. What wasn't reported was the fact that Apple has included iCloud accounts that were opened in the U.S., are paid for using U.S. dollars and/or are connected to U.S.-based App Store accounts in the data that will be handled by local partner Guizhou-Cloud Big Data (GCBD) from February 28. TechCrunch reports: Apple has given China-based users the option to delete their data, but there is no opt out that allows them to have it stored elsewhere. That has concerned some users who are uneasy that the data migration is a sign of closer ties with the Chinese government, particularly since GCBD is owned by the Guizhou provincial government. When asked for comment, Apple pointed TechCrunch to its terms and conditions site which explains that it is migrating iCloud accounts based on their location: "The operation of iCloud services associated with Apple IDs that have China in their country or region setting will be subject to this transition. You will be notified of this transition via email and notifications on your devices. You don't need to take any further action and can keep using iCloud in China. After February 28, 2018, you will need to agree to the terms and conditions of iCloud operated by GCBD to keep using iCloud in China."

However, TechCrunch found instances of iCloud accounts registered overseas that were part of the migration. One user did find an apparent opt-out. That requires the user switching their iCloud account back to China, then signing out of all devices. They then switch their phone and iCloud settings to the U.S. and then, upon signing back into iCloud, their account will (seemingly) not be part of the migration. Opting out might be a wise move, as onlookers voice concern that a government-owned company is directly involved in storing user data.

Security

Cisco Can Now Sniff Out Malware Inside Encrypted Traffic (theregister.co.uk) 97

Simon Sharwood, writing for The Register: Cisco has switched on latent features in its recent routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic. Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service -- now known as Encrypted Traffic Analytics (ETA) -- available to purchasers of its 4000 Series Integrated Service Routers, the 1000-series Aggregation Services Router and the model 1000V Cloud Services Router 1000V. Those devices can't do the job alone: users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.
Patents

TiVo Sues Comcast Again, Alleging Operator's X1 Infringes Eight Patents (variety.com) 57

TiVo's Rovi subsidiary on Wednesday filed two lawsuits in federal district courts, alleging Comcast's X1 platform infringes eight TiVo-owned patents. "That includes technology covering pausing and resuming shows on different devices; restarting live programming in progress; certain advanced DVR recording features; and advanced search and voice functionality," reports Variety. From the report: A Comcast spokeswoman said the company will "aggressively defend" itself. "Comcast engineers independently created our X1 products and services, and through its litigation campaign against Comcast, Rovi seeks to charge Comcast and its customers for technology Rovi didn't create," the Comcast rep said in a statement. "Rovi's attempt to extract these unfounded payments for its aging and increasingly obsolete patent portfolio has failed to date."

TiVo's legal action comes after entertainment-tech vendor Rovi (which acquired the DVR company in 2016 and adopted the TiVo name) sued Comcast and its set-top suppliers in April 2016, alleging infringement of 14 patents. In November 2017, the U.S. International Trade Commission ruled that Comcast infringed two Rovi patents -- with the cable operator prevailing on most of the patents at issue. However, because one of the TiVo patents Comcast was found to have violated covered cloud-based DVR functions, the cable operator disabled that feature for X1 customers. Comcast is appealing the ITC ruling.

Businesses

Dropbox Files Confidentially For IPO (bloomberg.com) 20

Dropbox, the file-sharing private company valued at $10 billion, has filed confidentially for a U.S. initial public offering. From the report: Goldman Sachs Group Inc. and JPMorgan Chase & Co. will lead the potential listing, according to the people, who asked not to be identified because the filing wasn't public. Dropbox is talking to other banks this month to fill additional roles on the IPO, the people said. The company is aiming to list in the first half of this year, one of the people said. Dropbox could be one of the biggest U.S. enterprise technology companies to list domestically in recent years.

Dropbox is likely to tout its biggest investment in recent years: its own cloud. It's spent hundreds of millions of dollars to build data centers and mostly wean itself off of Amazon.com Inc.'s servers, a rare feat for a software business with hundreds of millions of users. That's made it easier for Dropbox to cut costs while speeding file transfers, Chief Operating Officer Dennis Woodside said in an interview last year.

China

Apple To Transfer Chinese iCloud Operations To Chinese Firm (bbc.com) 72

Apple's iCloud services in mainland China will be operated by a Chinese company from next month, the tech giant has confirmed, though Apple will still have access to all data stored on iCloud. The company said it had made the move to comply with the country's cloud computing regulations. iCloud accounts registered outside of China are not affected. BBC reports: The Chinese cyber security rules, introduced in July last year, include a requirement for companies to store all data within China. The firm, Guizhou on the Cloud Big Data (GCBD), is owned by the Guizhou provincial government in southern China. Guizhou is where Apple opened a $1 billion data center last year to meet the regulations. iCloud data will be transferred from February 28, Apple said. Customers living in mainland China who did not want to use iCloud operated by GCBD were given the option to terminate their account. Apple said the "partnership" with GCBD would allow it to "improve the speed and reliability of our iCloud services products while also complying with newly passed regulations that cloud services be operated by Chinese companies." It added that Apple had "strong data privacy and security protections in place and no backdoors will be created into any of our systems." However, some on social media have said the step gives Beijing more opportunity to monitor its citizens and others living in the country.
Data Storage

Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com) 160

BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.
Advertising

Your Car May Soon Start Serving You Ads (siliconbeat.com) 310

An anonymous reader quotes SiliconBeat: Santa Clara auto-tech firm Telenav has just announced an "in-car advertising platform" for cars that connect to the internet. Telenav wants to sell the system to major auto manufacturers. And although it's probably the last thing many consumers want, vehicle owners will pay more for connected-car services if they decline the ads. "This approach helps car makers offset costs related to connected services, such as wireless data, content, software and cloud services," a spokeswoman for Telenav said Jan. 5. "In return for accepting ads in vehicles, drivers benefit from access to connected services without subscription fees, as well as new driving experiences that come from the highly-targeted and relevant offers delivered based on information coming from the vehicle."

Auto makers including Toyota, Lexus, Ford, GM and Cadillac already use the company's connected-car products, the spokeswoman said. Telenav CEO H.P. Jin in a press release called the ad platform "an exciting new opportunity" for vehicle manufacturers to "monetize connectivity to cover service costs and even drive healthy profits while enriching the consumer experience with safely delivered, engaging and relevant offers"...

To prevent driver distraction, "ads only appear when the vehicle is stopped, such as at car startup, traffic lights and upon arrival," Telenav said... Of course, driver distraction won't be an issue in self-driving cars, and this technology suggests the captive audiences in those vehicles will likely be subjected to an ad barrage in robotic ride-sharing vehicles and automated cars whose owners decline to pay more to avoid in-car advertising.

Intel

Can We Replace Intel x86 With an Open Source Chip? (zdnet.com) 359

An anonymous reader quotes Jason Perlow, the senior technology editor at ZDNet: Perhaps the Meltdown and Spectre bugs are the impetus for making long-overdue changes to the core DNA of the semiconductor industry and how chip architectures are designed... Linux (and other related FOSS tech that forms the overall stack) is now a mainstream operating system that forms the basis of public cloud infrastructure and the foundational software technology in mobile and Internet of Things (IoT)... We need to develop a modern equivalent of an OpenSPARC that any processor foundry can build upon without licensing of IP, in order to drive down the costs of building microprocessors at immense scale for the cloud, for mobile and the IoT. It makes the $200 smartphone as well as hyperscale datacenter lifecycle management that much more viable and cost-effective.

Just as Linux and open source transformed how we view operating systems and application software, we need the equivalent for microprocessors in order to move out of the private datacenter rife with these legacy issues and into the green field of the cloud... The fact that we have these software technologies that now enable us to easily abstract from the chip hardware enables us to correct and improve the chips through community efforts as needs arise... We need to stop thinking about microprocessor systems' architectures as these licensed things that are developed in secrecy by mega-companies like Intel or AMD or even ARM... The reality is that we now need to create something new, free from any legacy entities and baggage that has been driving the industry and dragging it down the past 40 years. Just as was done with Linux.

The bigger question is which chip should take its place. "I don't see ARM donating its IP to this effort, and I think OpenSPARC may not be it either. Perhaps IBM OpenPOWER? It would certainly be a nice gesture of Big Blue to open their specification up further without any additional licensing, and it would help to maintain and establish the company's relevancy in the cloud going forward.

"RISC-V, which is being developed by UC Berkeley, is completely Open Source."
Cloud

New US Customs Guidelines Limit Copying Files and Searching Cloud Data (theverge.com) 71

The U.S. Customs and Border Protection Agency has updated its guidelines for electronic border searches, adding new detail to border search rules that were last officially updated in 2009. The Verge reports: Officers can still request that people unlock electronic devices for inspection when they're entering the U.S., and they can still look through any files or apps on those devices. But consistent with a statement from acting commissioner Kevin McAleenan last summer, they're explicitly banned from accessing cloud data -- per these guidelines, that means anything that can't be accessed while the phone's data connection is disabled. The guidelines also draw a distinction between "basic" and "advanced" searches. If officers connect to the phone (through a wired or wireless connection) and copy or analyze anything on it using external devices, that's an advanced search, and it can only be carried out with reasonable suspicion of illegal activity or a national security concern. A supervisor can approve the search, and "many factors" might create reasonable suspicion, including a terrorist watchlist flag or "other articulable factors."
Space

The Alien Megastructure Around Mysterious 'Tabby's Star' Is Probably Just Dust, Analysis Shows (theguardian.com) 75

An analysis by more than 200 astronomers has been published that shows the mysterious dimming of star KIC 8462852 -- nicknamed Tabby's star -- is not being produced by an alien megastructure. "The evidence points most strongly to a giant cloud of dust occasionally obscuring the star," reports The Guardian. From the report: KIC 8462852 is approximately 1,500 light years away from the Earth and hit the headlines in October 2015 when data from Nasa's Kepler space telescope showed that it was dimming by unexplainably large amounts. The star's light dropped by 20% first and then 15% making it unique. Even a large planet passing in front of the star would have blocked only about 1% of the light. For an object to block 15-20%, it would have to be approaching half the diameter of the star itself. With this realization, a few astronomers began whispering that such a signal would be the kind expected from a gigantic extraterrestrial construction orbiting in front of the star -- and the idea of the alien megastructure was born.

In the case of Tabby's star, the new observations show that it dims more at blue wavelengths than red. Thus, its light is passing through a dust cloud, not being blocked by an alien megastructure in orbit around the star. The new analysis of KIC 8462852 showing these results is to be published in The Astrophysical Journal Letters. It reinforces the conclusions reached by Huan Meng, University of Arizona, Tucson, and collaborators in October 2017. They monitored the star at multiple wavelengths using Nasa's Spitzer and Swift missions, and the Belgian AstroLAB IRIS observatory. These results were published in The Astrophysical Journal.

Google

Google Says CPU Patches Cause 'Negligible Impact On Performance' With New 'Retpoline' Technique (theverge.com) 120

In a post on Google's Online Security Blog, two engineers described a novel chip-level patch that has been deployed across the company's entire infrastructure, resulting in only minor declines in performance in most cases. "The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique," reports The Verge. "If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted." From the report: "There has been speculation that the deployment of KPTI causes significant performance slowdowns," the post reads, referring to the company's "Kernel Page Table Isolation" technique. "Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance." "Of course, Google recommends thorough testing in your environment before deployment," the post continues. "We cannot guarantee any particular performance or operational impact."

Notably, the new technique only applies to one of the three variants involved in the new attacks. However, it's the variant that is arguably the most difficult to address. The other two vulnerabilities -- "bounds check bypass" and "rogue data cache load" -- would be addressed at the program and operating system level, respectively, and are unlikely to result in the same system-wide slowdowns.

Intel

By Next Week, Intel Expects To Issue Updates To More Than 90% of Processor Products Introduced Within Past Five Years (intel.com) 289

Intel said on Thursday that by next week it expects to have patched 90 percent of its processors that it released within the last five years, making PCs and servers "immune" from both the Spectre and Meltdown exploits. The company adds: Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.

Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact. System updates are made available by system manufacturers, operating system providers and others.

Google

Google Says Almost All CPUs Since 1995 Vulnerable To 'Meltdown' And 'Spectre' Flaws (bleepingcomputer.com) 269

Catalin Cimpanu, reporting for BleepingComputer: Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995." Google says the two bugs can be exploited "to steal data which is currently processed on the computer," which includes "your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents." Furthermore, Google says that tests on virtual machines used in cloud computing environments extracted data from other customers using the same server. The bugs were discovered by Jann Horn, a security researcher with Google Project Zero, Google's elite security team. These are the same bugs that have been reported earlier this week as affecting Intel CPUs. Google was planning to release details about Meltdown and Spectre next week but decided to publish the reports today "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."
