Date: 2021-11-26

Email is often seen as a technology with a dim future; it is slow, easily faked, and buried in spam. Kids These Days want nothing to do with it, and email has lost its charm with many others as well. But many development projects are still dependent on it, and even non-developers still cope with large volumes of mail. While development forges show one possible path away from email, they are not the only one. What if new structures could be built on top of email to address some of its worst problems while keeping the good parts that many projects depend on? The "lei" system recently launched by Konstantin Ryabitsev is a hint of how such a future might look. One of the initial motivations for creating LWN, back in 1997, was to spare readers from the impossible task of keeping up with the linux-kernel mailing list. After all, that list was receiving an astounding 100 messages every day, and no rational human being would try to read such a thing. Some 24 years later, that situation has changed: linux-kernel now runs over 1,000 messages per day, and there are dozens of other busy, kernel-oriented mailing lists as well. It is easy to miss important messages while trying to follow that kind of traffic — and few developers even try. While much of the traffic that appears on any mailing list is quickly forgettable, some of it has lasting value; that means that good archives are needed. For most of the kernel project's history, those archives did not exist. There were indeed archives for most lists, but they were scattered, of mixed reliability, difficult to search, and usually incomplete. It is only a few years ago that Ryabitsev put together lore.kernel.org to serve as a better solution to this problem.
By using a search-friendly archiving system (public-inbox), building complete archives from pieces obtained from numerous sources, and archiving most kernel-oriented lists, Ryabitsev was able to create a resource that quickly became indispensable within the community. Lei (which stands for "local email interface") comes out of the public-inbox community. It works nicely with lore, to the point that Ryabitsev refers to the whole system as "lore+lei". The idea behind this combination is to create a new way of dealing with email that allows developers to see interesting messages without having to subscribe to an entire list. Public-inbox is built on some interesting ideas, including the use of Git to store the archive itself. The real key to its usefulness, though, is the use of Xapian to implement a fast, focused search capability. The "fast" part allows for nearly instantaneous searches within the millions of messages in the email archive; this query, for example, shows immediately that the term "dromedary" has been used exactly 30 times in all of the lists archived on lore.

More and more data is being created every day. It truly is non-stop. In 2021 alone, it was predicted that enterprise storage vendors would ship almost 150 Exabytes in capacity, and this number is only expected to increase again in 2022! We now see 20TB hard drives on the market to help with these needs, but we have to remain vigilant when building storage clusters, as the access speed of these drives hasn’t really changed at all over the last few years. In failure scenarios, where we have to recreate replicas or erasure-coded shards of data, it can take many many hours with drives of such high capacity. So the rule of thumb remains the same: a larger number of smaller drives leads to a more predictable system for any amount of capacity. Of course, you do have to remain pragmatic to balance capacity needs with the cost of increasing the number of spindles. [...] Open source storage solutions such as Ceph can readily help solve for the growth and scaling challenges seen across the industry.

SuperTux 0.6.3 is here just in time for the Christmas holidays and introduces new features like swimming, wall jumping, new snow tiles, autotiles, new objects (e.g. falling blocks, sideways bumper, etc.), a new rublight object, custom particles, new color picker, as well as in-game progress statistics. Additionally, the new release introduces an add-on creator to allow you to create add-on packages with your world, adds the ability to skip cutscenes, updates the editor to automatically save your changes at regular intervals, and adds timeshift ambience in the worldmap.

Security and Resilience Leftovers

Blocking straight-line speculation — eventually [LWN.net]

On its face, this code is safe; it will only attempt to index into obj->array if the given offset is within bounds. A CPU running this code, though, may be unable to fetch obj->array_length from cache, meaning that it will have to wait for that value to come from memory. Rather than do nothing, the CPU can make a guess as to how the comparison will turn out and continue execution in a speculative mode; it may guess wrong and index obj->array with an out-of-bounds offset. Again, this shouldn't be a problem; once the array length shows up and it becomes clear that the branch was not correctly predicted, the speculative work will be thrown away. The problem, of course, is that this speculative execution can leave traces elsewhere in the system (most often the memory caches) that can be used to exfiltrate data that an attacker would otherwise be unable to access. In the worst cases, Spectre vulnerabilities can be used to attack the kernel or to carry out attacks between virtual machines running on the same physical host. They are a real threat, which is why numerous mitigations have been adopted to thwart these attacks despite a high performance cost. Straight-line speculation, which was initially disclosed in this white paper from Arm, differs in that it does not depend on erroneous branch prediction; indeed, no conditional branches are involved at all. Instead, it takes advantage of some strange behavior around unconditional control-flow changes. There are a lot of instructions that will result in a change to the program counter; on Arm, these include instructions that generate exceptions, but also unconditional direct branches and the RET instruction to return from a function call.
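The bounds-check pattern the excerpt describes, next to a hardened form that clamps the index with a branch-free mask (the same arithmetic idea as the Linux kernel's array_index_nospec()). This is an added example, not code from the LWN article; the struct layout, the sample data and all function names are assumptions, and it covers only the bounds-check case, not straight-line speculation.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical object; field names follow the excerpt's obj->array. */
struct obj {
    unsigned long array_length;
    unsigned char array[8];
};
/* Constructed sample: four valid entries. */
static const struct obj sample = { 4, { 10, 20, 30, 40 } };

/* All ones when index < size, else zero, with no branch to mispredict.
 * Valid for size <= LONG_MAX; assumes arithmetic right shift (gcc, clang).
 * Production code must also stop the compiler reintroducing a branch. */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
    long v = ~(long)(index | (size - 1UL - index));
    return (unsigned long)(v >> (sizeof(long) * CHAR_BIT - 1));
}

/* Index that stays in bounds even on a mispredicted bounds check. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
    return index & index_mask(index, size);
}

/* Pattern from the excerpt: the load may run speculatively out of bounds. */
static int read_checked(const struct obj *o, unsigned long offset)
{
    if (offset < o->array_length)
        return o->array[offset];
    return -1;
}

/* Hardened: the load address depends on the mask, not on the branch. */
static int read_nospec(const struct obj *o, unsigned long offset)
{
    if (offset < o->array_length)
        return o->array[clamp_index(offset, o->array_length)];
    return -1;
}

int main(void)
{
    printf("%d %d %lu\n", read_nospec(&sample, 2), read_checked(&sample, 9),
           clamp_index(9, 4));
    return 0;
}
```

Both readers return the same architectural results; the difference is that an out-of-range offset reaching the hardened load is forced to 0, so a wrong prediction cannot pull attacker-chosen memory into the cache.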

AWS power failure in US-EAST-1 region killed some hardware and instances

A small group of sysadmins have a disaster recovery job on their hands, on top of Log4J fun, thanks to a power outage at Amazon Web Services’ USE1-AZ4 Availability Zone in the US-EAST-1 Region. The lack of fun kicked off at 04:35AM Pacific Time (PST – aka 12:35PM UTC) on December 22nd, when AWS noticed launch failures and networking issues for some instances in its Elastic Compute Cloud IaaS service. 26 minutes later the cloud colossus ‘fessed up to a power outage and recommended moving workloads to other parts of its cloud that were still receiving electricity. Power was restored at 05:39AM PST and AWS reported slow recovery of services, however a 6:51AM update admitted that ongoing networking issues were hampering efforts at full restoration. At the time of writing, AWS has still not fully restored networking.

FLOSS Weekly 661: Open Source for Observability - Computer Security, VIZIO Lawsuit

Is it a coincidence that observability is both an essential feature of open source and also a scourge of our wantonly spied lives online? Can we use the former to solve the latter? That and many other questions are discussed during FLOSS Weekly. Join Doc Searls as he is joined by co-hosts Jonathan Bennett and Simon Phipps for a year-end look at the crazy state of our connected world and discussing other topics such as the VIZIO class-action lawsuit & the Linux Tech Tips Linux challenge.

Audio bugging with the Fisher Price Chatter Bluetooth Telephone | Pen Test Partners

The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids' toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids' phone handset. Cute! Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances. [...] Fisher Price released their Bluetooth Chatter Telephone to much fanfare. I’ll be honest – I quite want one too! It brings back memories of my childhood. The phone is currently only available from Best Buy in the USA and promptly sold out. We had a chat with Zack Whittaker of Tech Crunch, a lovely Brit based in NYC, who ordered one on our behalf. About 6 weeks later the phone arrived with him, so we worked through a test plan together. In the meantime, we went hunting for the Bluetooth specs and instruction manuals. The FCC filings are here: https://fccid.io/PIYHGJ69-21A5T though most of the entries were at the time still confidential. Our work on My Friend Cayla some years ago showed a very similar issue. An attacker within Bluetooth range could simply connect a Bluetooth audio device (e.g. a smartphone) with no further security challenges and listen to the doll's microphone, or speak through its speaker to a child playing with the doll. This led to widespread concern from consumer protection groups such as Forbrukerrådet (the Norwegian Consumer Council) and product bans across multiple countries, led by Germany’s Federal Network Agency (Bundesnetzagentur).