Privacy

Epic Games CEO Criticized For Calling Apple's 'Find My' Feature 'Super Creepy' (macrumors.com) 176

Slashdot reader Applehu Akbar shared this report from MacRumors: Epic Games CEO Tim Sweeney commented on Apple's 'Find My' service, referring to it as "super creepy surveillance tech" that "shouldn't exist." Sweeney went on to explain that several years ago, "a kid" stole a Mac laptop out of his car. Years later, Sweeney was checking Find My, and as the Mac was still connected to his Apple ID account, it showed him the location where the thief lived.
When someone asked Sweeney if he'd at least gotten his laptop back, Sweeney answered "No. I was creeped the hell out by having unexpectedly received the kid's address, and turned off Find My iPhone on all of my devices."

Slashdot reader crmarvin42 quipped "Tell me you are stupidly rich, without telling me you are stupidly rich... Next someone will be saying that it is 'Creepy' to have security footage of someone taking your Amazon packages off of your porch." And they also questioned Sweeney's sincerity, suggesting that he's "just saying that to try and make Apple look bad because of all the lawsuits going on."

MacRumors followed the ensuing discussion: Sweeney said that the location of a device in someone's possession can't be tracked without tracking the person, and "people have a right to privacy." ["This right applies to second hand device buyers and even to thieves."] He claims that detection and recovery of a lost or stolen device should be "mediated by due process of law" and not exposed to the device owner "in vigilante fashion."
Some responded to Sweeney's comments by sharing the headline of a Vox news story about Epic's own privacy policies. ("Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy.")

MacRumors cited a 2014 report that thefts of iPhones dropped after the introduction of Apple's "Activation Lock" feature (which prevents the disabling of 'Find My' without a password).

But when the blog AppleInsider accused Sweeney of "an incredibly bad leap of logic" — Sweeney responded. "You're idealizing this issue as good guys tracking criminals to their lairs, but when Find My or Google's similar tech points a device owner to a device possessor's home, one must anticipate the presence of families and kids and innocent used device buyers, and ask whether it's really appropriate for a platform to use GPS and shadowy mesh network tech to set up physical confrontations among individuals."

Sweeney also posted a quote from Steve Jobs about how at Apple, "we worry that some 14-year-old is going to get stalked and something terrible is going to happen because of our phone."

Science

Why We Might Never Know the Truth About Ultra-Processed Foods (bbc.com) 163

An anonymous reader shares a report: A recent meeting of the American Society for Nutrition in Chicago was presented with an observational study of more than 500,000 people in the US. It found that those who ate the most UPFs (ultra-processed foods) had a roughly 10% greater chance of dying early, even accounting for their body-mass index and overall quality of diet. In recent years, lots of other observational studies have shown a similar link - but that's not the same as proving that how food is processed causes health problems, or pinning down which aspect of those processes might be to blame.

So how could we get to the truth about ultra-processed food?

The kind of study needed to prove definitively that UPFs cause health problems would be extremely complex, suggests Dr Nerys Astbury, a senior researcher in diet and obesity at Oxford University. It would need to compare a large number of people on two diets -- one high in UPFs and one low in UPFs, but matched exactly for calorie and macronutrient content. This would be fiendishly difficult to actually do. Participants would need to be kept under lock and key so their food intake could be tightly managed. The study would also need to enrol people with similar diets as a starting point.

It would be extremely challenging logistically. And to counter the possibility that people who eat fewer UPFs might just have healthier lifestyles such as through taking more exercise or getting more sleep, the participants of the groups would need to have very similar habits. "It would be expensive research, but you could see changes from the diets relatively quickly," Dr Astbury says. Funding for this type of research could also be hard to come by. There might be accusations of conflicts of interest, since researchers motivated to run these kind of trials may have an idea of what they want the conclusions to be before they started.

Earth

Are Earth's Forests Losing Their Ability to Absorb Carbon Dioxide? (msn.com) 112

An anonymous reader shared this report from the Washington Post: Earth's land lost much of its ability to absorb the carbon dioxide humans pumped into the air last year, according to a new study that is causing concern among climate scientists that a crucial damper on climate change underwent an unprecedented deterioration. Temperatures in 2023 were so high — and the droughts and wildfires that came with them were so severe — that forests in various parts of the world wilted and burned enough to have degraded the ability of the land to lock away carbon dioxide and act as a check on global warming, the study said.

The scientists behind the research, which focuses on 2023, caution that their findings are preliminary. But the work represents a disturbing data point — one that, if it turns into a trend, spells trouble for the planet and the people on it...

Philippe Ciais [a scientist at France's Laboratory of Climate and Environmental Sciences who co-authored the new research] and his colleagues saw that the concentration of CO2 measured at an observatory on Mauna Loa in Hawaii and elsewhere spiked in 2023, even though global fossil fuel emissions increased only modestly last year in comparison. That mismatch suggests that there was an "unprecedented weakening" in the Earth's ability to absorb carbon, the researchers wrote. The scientists then used satellite data and models for vegetative growth to try to pinpoint where the carbon sink was weakening. The team spotted abnormal losses of carbon in the drought-stricken Amazon and Southeast Asia as well as in the boreal forests of Canada, where record-breaking wildfires burned through tens of millions of acres.

Security

Secure Boot Is Completely Broken On 200+ Models From 5 Big Device Makers (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon..., and it's not clear when it was taken down. The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one. The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings "DO NOT SHIP" or "DO NOT TRUST." These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren't clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.

Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret. Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys. The report is available here. Proof-of-concept videos are here and here. Binarly has provided a scanning tool here.
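
As an added example (not Binarly's scanner and not code from the report), the following Python checks a system's Platform Key against the two indicators quoted above: the leaked key's certificate serial number and the "DO NOT SHIP" / "DO NOT TRUST" strings that mark AMI's test keys. It parses the PK variable payload, a chain of EFI_SIGNATURE_LIST structures as defined in the UEFI specification, and reads the serial straight out of the DER certificate prefix, so it needs no third-party library. The helper names, the placeholder SignatureOwner GUID and the two sample PK blobs at the bottom are constructed for the example; the sample certificates are unsigned stand-ins that contain only the fields the checker reads.

```python
"""Check a UEFI Platform Key (PK) for the PKfail indicators quoted above (added example)."""
import struct
import uuid

# Indicators from the report: the leaked key's certificate serial and AMI's test-key markers.
PKFAIL_SERIAL = bytes.fromhex("55fbef878123008447170bb3cd873af4")  # 55:fb:ef:87:...:3a:f4
TEST_KEY_MARKERS = (b"DO NOT SHIP", b"DO NOT TRUST")

# UEFI spec constants: the X.509 signature-list type GUID and where efivarfs exposes PK.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_EFIVARS_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def der_tlv(data, offset=0):
    """Decode one DER tag-length-value at offset -> (tag, value, next_offset)."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length

def x509_serial(cert_der):
    """Return the serialNumber of a DER X.509 certificate as big-endian bytes."""
    tag, tbs_wrapped, _ = der_tlv(cert_der)      # Certificate ::= SEQUENCE { tbsCertificate, ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = der_tlv(tbs_wrapped)             # tbsCertificate ::= SEQUENCE { [0] version, serial, ... }
    tag, value, nxt = der_tlv(tbs)
    if tag == 0xA0:                              # version is optional; skip it when present
        tag, value, nxt = der_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    # DER pads a positive INTEGER whose top bit is set with a leading 0x00; drop it.
    return value[1:] if len(value) > 1 and value[0] == 0 and value[1] & 0x80 else value

def certs_from_signature_lists(blob):
    """Yield the X.509 DER certs held in concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size <= 16:
            raise ValueError("corrupt EFI_SIGNATURE_LIST header")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_X509_GUID:
            for i in range(0, len(body), sig_size):
                yield body[i + 16:i + sig_size]  # EFI_SIGNATURE_DATA: owner GUID (16) + cert
        off += list_size

def check_pk(blob):
    """Return PKfail findings for a PK variable payload; an empty list means no indicator matched."""
    findings = []
    for cert in certs_from_signature_lists(blob):
        serial = x509_serial(cert)
        if serial == PKFAIL_SERIAL:
            findings.append("known PKfail serial " + serial.hex(":"))
        for marker in TEST_KEY_MARKERS:
            if marker in cert:  # subject/issuer names in these certs are ASCII, so a byte search works
                findings.append("test-key marker %r in certificate" % marker.decode())
    return findings

def check_live_system(path=PK_EFIVARS_PATH):
    """Linux, as root: efivarfs prepends 4 attribute bytes to the variable payload."""
    with open(path, "rb") as fh:
        return check_pk(fh.read()[4:])

# ---- CONSTRUCTED sample data so the checker runs offline (not real firmware) ----
def der(tag, value):
    """Encode one DER TLV with a definite-length header (short or long form)."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag]) + (bytes([0x80 | len(lb)]) + lb if lb else bytes([n])) + value

def fake_cert(serial, common_name):
    """Stand-in PK cert: v3 marker, serial and a one-CN Name; unsigned and truncated after Name."""
    version = der(0xA0, der(0x02, b"\x02"))
    ser = der(0x02, serial if serial[0] < 0x80 else b"\x00" + serial)
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, common_name.encode()))
    return der(0x30, der(0x30, version + ser + der(0x30, der(0x31, cn))))

def signature_list(cert_der):
    """Wrap one cert in an EFI_SIGNATURE_LIST exactly as the PK variable stores it."""
    sig_data = uuid.UUID(int=0).bytes_le + cert_der      # placeholder SignatureOwner GUID
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig_data), 0, len(sig_data))
    return header + sig_data

LEAKED_PK = signature_list(fake_cert(PKFAIL_SERIAL, "DO NOT TRUST - AMI Test PK"))
CLEAN_PK = signature_list(fake_cert(bytes.fromhex("0123456789abcdef0123456789abcdef"), "Example OEM PK"))

if __name__ == "__main__":
    for label, blob in (("leaked", LEAKED_PK), ("clean", CLEAN_PK)):
        print(label, check_pk(blob) or ["no PKfail indicator"])
```

On a Linux machine, `check_live_system()` reads PK from efivarfs (root is required, and the first four bytes of the file are the variable's attribute flags rather than payload). A hit on either indicator means the root of trust on that machine is one of the leaked or test keys, and Secure Boot's guarantees do not hold until the OEM ships firmware that rolls the PK. Two caveats: the marker search assumes ASCII subject strings, which is what these certificates use, and a clean PK says nothing about the KEK or db entries, which this check does not inspect.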
"It's a big problem," said Martin Smolar, a malware analyst specializing in rootkits who reviewed the Binarly research. "It's basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically... execute any malware or untrusted code during system boot. Of course, privileged access is required, but that's not a problem in many cases."

Binarly founder and CEO Alex Matrosov added: "Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?"

Open Source

FreeBSD Contributor Mocks Gloomy Predictions for the Open Source Movement (acm.org) 94

In Communications of the ACM, long-time FreeBSD contributor Poul-Henning Kamp mocks the idea that the free and open-source software movement has "come apart" and "will end in tears and regret." Economists and others focused on money — like my bank — have had a lot of trouble figuring out the free and open source software (FOSS) phenomenon, and eventually they seem to have reached the conclusion that it just makes no sense. So, they go with the flow. Recently, very serious people in the FOSS movement have started to write long and thoughtful opinion pieces about how it has all come apart and will end in tears and regret. Allow me to disagree...
What follows is a humorous history of how the Open Source movement bested a series of ill-conceived marketing failures starting after the "utterly bad" 1980s when IBM had an "unimaginably huge monopoly" — and an era of vendor lock-in from companies trying to be the next IBM: Out of that utter market failure came Minix, (Net/Free/Open)BSD, and Linux, at a median year of approximately 1991. I can absolutely guarantee that if we had been able to buy a reasonably priced and solid Unix for our 32-bit PCs — no strings attached — nobody would be running FreeBSD or Linux today, except possibly as an obscure hobby. Bill Gates would also have had a lot less of our money...
The essay moves on to when "that dot-com thing happened, fueled by the availability of FOSS operating systems, which did a much better job than any operating system you could buy — not just for the price, but in absolute terms of performance on any given piece of hardware. Thus, out of utter market failure, the FOSS movement was born."

And ultimately, the essay ends with our present day, and the phenomenon of companies that "make a business out of FOSS or derivatives thereof..." The "F" in FOSS was never silent. In retrospect, it seems clear that open source was not so much the goal itself as a means to an end, which is freedom: freedom to fix broken things, freedom from people who thought they could clutch the source code tightly and wield our ignorance of it as a weapon to force us all to pay for and run Windows Vista. But the FOSS movement has won what it wanted, and no matter how much oldsters dream about their glorious days as young revolutionaries, it is not coming back; the frustrations and anger of IT in 2024 are entirely different from those of 1991.

One very big difference is that more people have realized that source code is a liability rather than an asset. For some, that realization came creeping along the path from young teenage FOSS activists in the late 1990s to CIOs of BigCorp today. For most of us, I expect, it was the increasingly crushing workload of maintaining legacy code bases...

Power

Tech Industry Wants to Lock Up Nuclear Power for AI (wsj.com) 70

Tech companies scouring the country for electricity supplies have zeroed in on a key target: America's nuclear-power plants. From a report: The owners of roughly a third of U.S. nuclear-power plants are in talks with tech companies to provide electricity to new data centers needed to meet the demands of an artificial-intelligence boom. Among them, Amazon Web Services is nearing a deal for electricity supplied directly from a nuclear plant on the East Coast with Constellation Energy, the largest owner of U.S. nuclear-power plants, according to people familiar with the matter. In a separate deal in March, the Amazon subsidiary purchased a nuclear-powered data center in Pennsylvania for $650 million.

The discussions have the potential to remove stable power generation from the grid while reliability concerns are rising across much of the U.S. and new kinds of electricity users -- including AI, manufacturing and transportation -- are significantly increasing the demand for electricity in pockets of the country. Nuclear-powered data centers would match the grid's highest-reliability workhorse with a wealthy customer that wants 24-7 carbon-free power, likely speeding the addition of data centers needed in the global AI race. But instead of adding new green energy to meet their soaring power needs, tech companies would be effectively diverting existing electricity resources. That could raise prices for other customers and hold back emission-cutting goals.

Transportation

Mechanic's Viral TikTok Highlights Right To Repair Issues With Newer Car Models (dailydot.com) 71

Parks Kugle reports via the Daily Dot: A mechanic went viral when he posted a TikTok about technicians being locked out of computer systems in a new Dodge Ram. TikTok user Shorty of Shorty's Speed Shop (@shortysspeedshop) garnered over 301,000 views when he showed viewers what mechanics had to do to be able to repair newer car models. "It has officially happened. 2024 Ram 3500, authorization denied," Shorty said as he showed viewers the computer screen. "Cannot get into anything on this except generic OBD2 Software."

Shorty went on to explain that this update made his "manufacturer software 100 percent irrelevant." Then, Shorty showed viewers the Vehicle Security Professional (VSP) Registry on the National Automaker Service Task Force (NASTF) website. According to NASTF, automakers require mechanics to become credentialed VSPs if they want to purchase key and immobilizer codes, PIN numbers, and special tool access from Automaker websites. A VSP is required to "verify proof of ownership/authority prior to performing any security operation." "It's all part of the NASTF Security Professional Registry," Shorty explained.

Shorty believes that this rule allows manufacturers to lock mechanics out of anything they "deem security sensitive." Shorty then broke down the "requirements to gain VSP access." According to him, these include a $325 fee "every two years" and a $100 fee for every subsequent two-year license renewal. He says mechanics also need "commercial liability insurance of $1 million" and a "fidelity or employee dishonesty bond of $100,000." The VSP application page on NASTF's website confirms that there is a $100 Application Fee that covers a "Two Year Renewal" and a $325 Primary Account fee that covers a "Two Year License." It also confirms his claims about the required commercial liability insurance and fidelity or employee dishonesty bond. "There's a lot of people that don't know that this is going on, and it's going to affect everybody getting their cars fixed," Shorty remarked.

The Almighty Buck

T-Mobile Is Raising Prices On Some of Its Older Plans (cnet.com) 68

In a memo sent to employees, T-Mobile said it will be raising prices on some of its older plans, starting with the next bill. CNET reports: The memo was sent out by Jon Freier, president of T-Mobile's consumer group. The note doesn't list which plans are affected, but Freier specifically says that those on the carrier's latest assortment of Go5G plans will not see their prices increase. The same goes for the "millions of customers" who are covered by T-Mobile's Price Lock guarantee, which he says will continue to be in effect for those people. Freier says in the memo that T-Mobile is raising prices on older plans "for the first time in nearly a decade" and that the increases are designed to "keep up with rising inflation and costs."

It isn't known exactly how many people will be affected by the change. The note says that it will affect a "small portion" of T-Mobile's customers. Those with free lines from the carrier will not see increases on those lines, T-Mobile confirmed to CNET. The company expects to notify all affected customers on Wednesday.

T-Mobile previously tried to move customers on older, generally cheaper plans to some of its newer, pricier ones last year, only to back off the plan amid backlash. Whereas with that move people had the option to call T-Mobile's support and push back against the change, a source familiar with the company's plans tells CNET that this option won't be available with this new rate hike.

AI

The Rabbit R1 Could've Just Been a Mobile App (androidauthority.com) 36

The Rabbit R1 is one of the first standalone AI companion devices to hit the market, offering the ability to translate languages, identify objects in your environment, and order DoorDash, among other things. It's been in the news last week for its all around poor reviews that cite poor battery life, painfully slow responses, and missing features (sound familiar?). Now, it's been confirmed that the Rabbit R1 is powered by an Android app that can run on existing Android phones. Android Authority reports: What ended up souring a lot of people's opinions on the product was the revelation -- in an Android Authority original report -- that the R1 is basically an Android app in a box. Many consumers who believed that the product would be better suited as a mobile app felt validated after our report, but there was one stickler in it that we needed to address: how we got the R1 launcher up and running on an Android phone. See, in our preliminary report, we mentioned that the Rabbit R1's launcher app is intended to be preinstalled in the firmware and be granted several privileged, system-level permissions. While that statement is still true, we should've clarified that the R1 launcher doesn't actually need those permissions. In fact, none of the system-level permissions that the R1 launcher requests are at all necessary for the app to perform its core functionality.

To prove this, we got the Rabbit R1 launcher up and running again on a stock, unrooted Android device (a Xiaomi 13T Pro), thanks to help from a team of reverse engineers including ChromMob, EmilyLShepherd, marceld505, thel3l, and uwukko. We were able to go through the entire setup process as if our device was an actual Rabbit R1. Afterwards, we were able to talk to ChatGPT, use the Vision function to identify objects, play music from Spotify, and even record voice notes. As demonstrated in our hands-on video at the top of this article, all of the existing core functionality that the Rabbit R1 offers would work as an Android or even iOS app. The only functions that wouldn't work are unrelated to the product's core functionality and are things your phone can already do, such as powering off or rebooting the device, toggling Bluetooth, connecting to a cellular or Wi-Fi network, or setting a screen lock.

During our research, Android Authority was also able to obtain a copy of the Rabbit R1's firmware. Our analysis reveals that Rabbit did not make significant modifications to the BSP (Board Support Package) provided by MediaTek. The R1, in fact, still ships with all the standard apps included in AOSP, as well as the many apps provided by MediaTek. This is despite the fact that none of these apps are needed nor ever shown to the user, obviously. Rabbit only made a few changes to the AOSP build that MediaTek provided them, such as adding the aforementioned R1 launcher app, adding a fork of the open-source "AnySoftKeyboard" app with a custom theme, adding an OTA updater app, and adding a custom boot animation. [...] Yes, it's true that all the R1 launcher does is act as a local client to the cloud services offered by Rabbit, which is what truly handles the core functionality. It's also true that there's nothing wrong or unusual with companies using AOSP for their own hardware. But the fact of the matter is that Rabbit does little to justify its use of custom hardware except by making the R1 have an eye-catching design.

IT

Some San Francisco Tech Workers are Renting Cheap 'Bed Pods' (sfgate.com) 184

An anonymous reader shared this report from SFGate: Late last year, tales of tech workers paying $700 a month for tiny "bed pods" in downtown San Francisco went viral. The story provided a perfect distillation of SF's wild (and wildly expensive) housing market — and inspired schadenfreude when the city deemed the situation illegal. But the provocative living situation wasn't an anomaly, according to a city official.

"We've definitely seen an uptick of these 'pod'-type complaints," Kelly Wong, a planner with San Francisco's code enforcement and zoning and compliance team, told SFGATE... Wong stressed that it's not that San Francisco is inherently against bed pod-type arrangements, but that the city is responsible for making sure these spaces are safe and legally zoned.

So Brownstone Shared Housing is still renting one bed pod location — but not accepting new tenants — after citations for failing to get proper permits and having a lock on the front door that required a key to exit.

And SFGate also spoke to Alex Akel, general manager of Olive Rooms, which opened up a co-living and co-working space in SoMa earlier this year (and also faced "a flurry of complaints.") "Unfortunately, we had complaints from neighbors because of foot traffic and noise, and since then we cut the number of people to fit the ordinance by the city," Akel wrote. Olive Rooms describes its space as targeted at "tech founders from Central Asia, giving them opportunities to get involved in the current AI boom." Akel added that its residents are "bringing new energy to SF," but that the program "will not accept new residents before we clarify the status with the city."

In April, the city also received a complaint about a group called Let's Be Buds, which rents out 14 pods in a loft on Divisadero Street that start at $575 per month for an upper bunk.

While this recent burst of complaints is new, bed pods in San Francisco have been catching flak for years... a company called PodShare, which rents — you guessed it — bed pods, squared itself away with the city and has operated in SF since 2019.

Brownstone's CEO told SFGate "A lot of people want to be here for AI, or for school, or different opportunities." He argues that "it's literally impossible without a product like ours," and that their residents had said the option "positively changed the trajectory of their lives."

Apple

Apple ID Lock-Out Affects Macs, iPhones, iPads, and iCloud Services (indiatimes.com) 41

An anonymous reader shared this report from the Times of India: Several Apple customers were inexplicably locked out of their Apple ID accounts Friday evening in a major service disruption, forcing them to reset their passwords across all devices and services. According to user reports on social media, the widespread outage began around 8 p.m. ET. People complained that they were abruptly signed out of their Apple IDs on Macs, iPhones, iPads, and other Apple devices.

When attempting to sign back in with their existing passwords, they received an error message preventing access... To regain access, users had to go through Apple's account recovery process to reset their Apple ID passwords. However, many reported difficulties even completing the reset process initially due to high demand...

The outage affected iCloud services like iCloud Drive, iMessage, FaceTime, and the App Store. Third-party apps and services that integrate with Apple ID sign-in were also disrupted for those impacted.

XBox (Games)

Phil Spencer Wants Epic Games Store and Others On Xbox Consoles (polygon.com) 49

Chris Plante reports via Polygon: Phil Spencer doesn't just want Xbox games on other consoles. He wants other video game retailers on Xbox, too. In an interview with Microsoft's CEO of Gaming during the annual Game Developers Conference, Spencer told Polygon about the ways he'd like to break down the walled gardens that have historically limited players to making purchases through the first-party stores tied to each console. Or, in layperson terms, why you should be able to buy games from other stores on Xbox -- not just the official storefront. Spencer mentioned his frustrations with closed ecosystems, so we asked for clarity. Could he really see a future where stores like Itch.io and Epic Games Store existed on Xbox? Was it just a matter of figuring out mountains of paperwork to get there? "Yes," said Spencer. "[Consider] our history as the Windows company. Nobody would blink twice if I said, 'Hey, when you're using a PC, you get to decide the type of experience you have [by picking where to buy games]. There's real value in that." Spencer believes console players would benefit from that freedom too -- and so would console makers like Microsoft.

Spencer explained how, in the past, console makers would typically subsidize the cost of expensive hardware, knowing that a portion of every dollar spent on games for the platform over the years would eventually make it back to the console maker. Then, in time, the console maker would recoup the subsidy -- and hopefully more. But, Spencer said, "Moore's Law has slowed down. The price of the components of a console aren't coming down as fast as they have in previous generations." Worse, he explained, the console market isn't growing, with more gamers moving to PC and handheld options. Now, the notion of subsidizing a console -- and forcing players to purchase games through the official storefront to help recoup costs -- might not make sense. The walls meant to lock people into consoles might be motivating them to stay out.

"[Subsidizing hardware] becomes more challenging in today's world," Spencer said. "And I will say, and this may seem too altruistic, I don't know that it's growing the industry. So I think, what are the barriers? What are the things that create friction in today's world for creators and players? And how can we be part of opening up that model?" The answer, in part, is scrapping exclusivity on more and more Xbox games. Spencer explained that the game experience is hindered when it matters what consoles we play on or what shops sell us our games. As an example, he pointed to Sea of Thieves. A player, he explained, shouldn't have to worry about what hardware they or their friends own. They should just know if their friends have and want to play Sea of Thieves. Now, Spencer said, "if I want to play on a gaming PC, then I feel like I'm more a continuous part of a gaming ecosystem as a whole. As opposed to [on console], my gaming is kind of sharded -- to use a gaming term -- based on these different closed ecosystems that I have to play across."

Power

Is America Running Out of Electrical Power? (theweek.com) 267

An anonymous reader quotes a report from The Week Magazine: The advancement of new technologies appears to have given rise to a new problem across the United States: a crippling power shortage on the horizon. The advent of these technologies, such as eco-friendly factories and data centers, has renewed concerns that America could run out of electrical power. These worries also come at a time when the United States' aging power grid is in desperate need of repair. Heavily publicized incidents such as the 2021 Texas power outage, which was partially blamed on crypto-farming, exposed how vulnerable the nation's power supply is, especially during emergencies. There have also been warnings from tech moguls such as Elon Musk, who has stated that the United States is primed to run out of electricity and transformers for artificial intelligence in 2025. But the push to extend the life of the nation's power grid, while also maintaining eco-friendly sustainability, begs the question: Is the United States really at risk of going dark?

The emergence of new technologies means demand is soaring for power across the country; in Georgia, "demand for industrial power is surging to record highs, with the projection of electricity use for the next decade now 17 times what it was only recently," Evan Halper said for The Washington Post. Northern Virginia "needs the equivalent of several large nuclear power plants to serve all [its] new data centers," Halper said, while Texas faces a similar problem. This demand is resulting in a "scramble to try to squeeze more juice out of an aging power grid." At the same time, companies are "pushing commercial customers to go to extraordinary lengths to lock down energy sources, such as building their own power plants," Halper said. Much of this relates to the "rapid innovation in artificial intelligence, which is driving the construction of large warehouses of computing infrastructure," Halper said. This infrastructure requires significantly more power than traditional data centers, with the aforementioned crypto farms also sucking up massive amounts of power.

Climate change is also hurting sustainability efforts. A recent report from the North American Electric Reliability Corporation estimated that more than 300 million people in the U.S. and Canada could face power shortages in 2024. It also found that electricity demand is rising faster now than at any time in the past five years. This is partially because the "push for the electrification of heating and transportation systems -- including electric cars -- is also creating new winter peaks in electricity demand," Jeremy Hsu said for New Scientist. One of the main issues with these sustainability efforts is the push to move away from fossil fuels toward renewable power. Natural gas is often seen as a bridge between fossils and renewables, but this has also had unintended consequences for the power grid. The system delivering natural gas "doesn't have to meet the same reliability standards as the electric grid, and in many cases, there's no real way to guarantee that fuel is available for the gas plants in the winter," Thomas Rutigliano of the Natural Resources Defense Council said to New Scientist. As a result, the "North American electricity supply has become practically inseparable from the natural gas supply chain," John Moura of the North American Electric Reliability Corporation said to New Scientist. As such, a "reliable electricity supply that lowers the risk of power outages depends on implementing reliability standards for the natural gas industry moving forward," but this may be easier said than done.

Networking

Ceph: a Journey To 1 TiB/s (ceph.io) 16

It's "a free and open-source, software-defined storage platform," according to Wikipedia, providing object storage, block storage, and file storage "built on a common distributed cluster foundation". The charter advisory board for Ceph included people from Canonical, CERN, Cisco, Fujitsu, Intel, Red Hat, SanDisk, and SUSE.

And Nite_Hawk (Slashdot reader #1,304) is one of its core engineers — a former Red Hat principal software engineer named Mark Nelson. (He's now leading R&D for a small cloud systems company called Clyso that provides Ceph consulting.) And he's returned to Slashdot to share a blog post describing "a journey to 1 TiB/s". This gnarly tale-from-Production starts while assisting Clyso with "a fairly hip and cutting edge company that wanted to transition their HDD-backed Ceph cluster to a 10 petabyte NVMe deployment" using object-based storage devices [or OSDs]...

I can't believe they figured it out first. That was the thought going through my head back in mid-December after several weeks of 12-hour days debugging why this cluster was slow... Half-forgotten superstitions from the 90s about appeasing SCSI gods flitted through my consciousness...

Ultimately they decided to go with a Dell architecture we designed, which quoted at roughly 13% cheaper than the original configuration despite having several key advantages. The new configuration has less memory per OSD (still comfortably 12GiB each), but faster memory throughput. It also provides more aggregate CPU resources, significantly more aggregate network throughput, a simpler single-socket configuration, and utilizes the newest generation of AMD processors and DDR5 RAM. By employing smaller nodes, we halved the impact of a node failure on cluster recovery....

The initial single-OSD test looked fantastic for large reads and writes and showed nearly the same throughput we saw when running FIO tests directly against the drives. As soon as we ran the 8-OSD test, however, we observed a performance drop. Subsequent single-OSD tests continued to perform poorly until several hours later when they recovered. So long as a multi-OSD test was not introduced, performance remained high. Confusingly, we were unable to invoke the same behavior when running FIO tests directly against the drives. Just as confusing, we saw that during the 8 OSD test, a single OSD would use significantly more CPU than the others. A wallclock profile of the OSD under load showed significant time spent in io_submit, which is what we typically see when the kernel starts blocking because a drive's queue becomes full...

For over a week, we looked at everything from bios settings, NVMe multipath, low-level NVMe debugging, changing kernel/Ubuntu versions, and checking every single kernel, OS, and Ceph setting we could think of. None of these things fully resolved the issue. We even performed blktrace and iowatcher analysis during "good" and "bad" single OSD tests, and could directly observe the slow IO completion behavior. At this point, we started getting the hardware vendors involved. Ultimately it turned out to be unnecessary. There were one minor and two major fixes that got things back on track.

It's a long blog post, but here's where it ends up:
  • Fix One: "Ceph is incredibly sensitive to latency introduced by CPU c-state transitions. A quick check of the bios on these nodes showed that they weren't running in maximum performance mode which disables c-states."
  • Fix Two: [A very clever engineer working for the customer] "ran a perf profile during a bad run and made a very astute discovery: A huge amount of time is spent in the kernel contending on a spin lock while updating the IOMMU mappings. He disabled IOMMU in the kernel and immediately saw a huge increase in performance during the 8-node tests." In a comment below, Nelson adds that "We've never seen the IOMMU issue before with Ceph... I'm hoping we can work with the vendors to understand better what's going on and get it fixed without having to completely disable IOMMU."
  • Fix Three: "We were not, in fact, building RocksDB with the correct compile flags... It turns out that Canonical fixed this for their own builds as did Gentoo after seeing the note I wrote in do_cmake.sh over 6 years ago... With the issue understood, we built custom 17.2.7 packages with a fix in place. Compaction time dropped by around 3X and 4K random write performance doubled."
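A host check in the spirit of fixes one and two, added here as an example; it is not code from Nelson's post or from the Ceph project. It reads the kernel command line for an IOMMU-off parameter and the cpuidle state files for cpu0, and reports whether the host matches the configuration the post ended up with. The sysfs/proc paths, the assumption that cpu0 is representative of the machine, and the sample files used when it is pointed at a directory of your own are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the Ceph blog post or the Ceph project.
# Audits a Linux host for the two platform settings the post identifies
# as latency sources: CPU c-states still enabled, and the IOMMU active.
# Every function takes an optional path so it can be pointed at constructed
# sample files instead of the live /proc and /sys.

# Print "disabled" when the kernel command line switches the IOMMU off
# (intel_iommu=off, amd_iommu=off or iommu=off), otherwise "enabled".
# iommu=pt (passthrough) is not "off" and is reported as enabled.
iommu_state() {
    cmdline_file="${1:-/proc/cmdline}"
    if grep -Eqs '(^|[[:space:]])(intel_iommu|amd_iommu|iommu)=off([[:space:]]|$)' "$cmdline_file"; then
        echo disabled
    else
        echo enabled
    fi
}

# Count the cpuidle states on one CPU that can still be entered, ignoring
# POLL (busy-waiting, not a power state). Each stateN directory has a
# 'name' file and a 'disable' file; disable=1 means the state is off.
# Assumption: cpu0 is representative of the whole machine.
enabled_cstates() {
    cpuidle_dir="${1:-/sys/devices/system/cpu/cpu0/cpuidle}"
    count=0
    for st in "$cpuidle_dir"/state*; do
        [ -f "$st/name" ] && [ -f "$st/disable" ] || continue
        name=$(cat "$st/name")
        disable=$(cat "$st/disable")
        [ "$name" = "POLL" ] && continue
        [ "$disable" = "0" ] && count=$((count + 1))
    done
    echo "$count"
}

# One-line verdict combining both checks. Zero enterable c-states plus a
# disabled IOMMU is the state the post's cluster ended up in after the
# BIOS "maximum performance mode" change and the kernel IOMMU change.
host_verdict() {
    cmdline_file="${1:-/proc/cmdline}"
    cpuidle_dir="${2:-/sys/devices/system/cpu/cpu0/cpuidle}"
    iommu=$(iommu_state "$cmdline_file")
    cstates=$(enabled_cstates "$cpuidle_dir")
    if [ "$iommu" = "disabled" ] && [ "$cstates" = "0" ]; then
        echo "ok: iommu=$iommu enabled_cstates=$cstates"
    else
        echo "check: iommu=$iommu enabled_cstates=$cstates"
    fi
}

# Run against the live host with: sh ceph_host_check.sh --report
if [ "${1:-}" = "--report" ]; then
    host_verdict
fi
```

Treat the IOMMU half as a diagnostic of what the post found rather than a recommendation: Nelson's own comment says the team hopes to work with the vendors "to get it fixed without having to completely disable IOMMU", and the IOMMU is what keeps device DMA isolated, so a "check" verdict on that line is a reason to look at the vendor discussion, not a reason to switch it off.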

The story has a happy ending, with performance testing eventually showing data being read at 635 GiB/s — and a colleague daring them to attempt 1 TiB/s. They built a new testing configuration targeting 63 nodes — achieving 950 GiB/s — then tried some more performance optimizations...


Bug

Intel Fixes High-Severity CPU Bug That Causes 'Very Strange Behavior' (arstechnica.com) 22

An anonymous reader quotes a report from Ars Technica: Intel on Tuesday pushed microcode updates to fix a high-severity CPU bug that has the potential to be maliciously exploited against cloud-based hosts. The flaw, affecting virtually all modern Intel CPUs, causes them to "enter a glitch state where the normal rules don't apply," Tavis Ormandy, one of several security researchers inside Google who discovered the bug, reported. Once triggered, the glitch state results in unexpected and potentially serious behavior, most notably system crashes that occur even when untrusted code is executed within a guest account of a virtual machine, which, under most cloud security models, is assumed to be safe from such faults. Escalation of privileges is also a possibility.

The bug, tracked under the common name Reptar and the designation CVE-2023-23583, is related to how affected CPUs manage prefixes, which change the behavior of instructions sent by running software. Intel x64 decoding generally allows redundant prefixes -- meaning those that don't make sense in a given context -- to be ignored without consequence. During testing in August, Ormandy noticed that the REX prefix was generating "unexpected results" when running on Intel CPUs that support a newer feature known as fast short repeat move, which was introduced in the Ice Lake architecture to fix microcoding bottlenecks. The unexpected behavior occurred when adding the redundant rex.r prefixes to the FSRM-optimized rep mov operation. [...]

Intel's official bulletin lists two classes of affected products: those that were already fixed and those that are fixed using microcode updates released Tuesday. An exhaustive list of affected CPUs is available here. As usual, the microcode updates will be available from device or motherboard manufacturers. While individuals aren't likely to face any immediate threat from this vulnerability, they should check with the manufacturer for a fix. People with expertise in x86 instruction and decoding should read Ormandy's post in its entirety. For everyone else, the most important takeaway is this: "However, we simply don't know if we can control the corruption precisely enough to achieve privilege escalation." That means it's not possible for people outside of Intel to know the true extent of the vulnerability severity. That said, anytime code running inside a virtual machine can crash the hypervisor the VM runs on, cloud providers like Google, Microsoft, Amazon, and others are going to immediately take notice.
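An inventory check added here as an example, not code from the Ars Technica report, Ormandy's post or Intel's bulletin: it classifies a Linux host against the population the report describes (Intel CPUs that advertise FSRM) and reports the running microcode revision so it can be compared against the vendor list. It reads /proc/cpuinfo by default; the file path and the sample cpuinfo excerpts used when testing it are constructed for this example, and the microcode values in them are placeholders, not real revisions.

```shell
#!/bin/sh
# Added example, not code from the Ars Technica report or Intel's bulletin.
# Classifies a Linux host against the population the report describes:
# Intel CPUs that advertise FSRM (fast short rep mov), and reports the
# running microcode revision so it can be compared with Intel's bulletin.
# The path defaults to the live /proc/cpuinfo but can be overridden with
# a constructed file.

# Print the value of the first occurrence of a /proc/cpuinfo key
# (lines look like "vendor_id<tab>: GenuineIntel"); empty if unreadable.
cpuinfo_field() {
    [ -r "$1" ] || return 0
    sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Emit one of:
#   not-intel
#   intel-no-fsrm microcode=<rev>
#   intel-fsrm microcode=<rev>     <- the class the report is about
reptar_population() {
    f="${1:-/proc/cpuinfo}"
    vendor=$(cpuinfo_field "$f" vendor_id)
    flags=$(cpuinfo_field "$f" flags)
    ucode=$(cpuinfo_field "$f" microcode)
    if [ "$vendor" != "GenuineIntel" ]; then
        echo "not-intel"
    elif echo " $flags " | grep -q ' fsrm '; then
        echo "intel-fsrm microcode=${ucode:-unknown}"
    else
        echo "intel-no-fsrm microcode=${ucode:-unknown}"
    fi
}

# Run against the live host with: sh reptar_inventory.sh --report
if [ "${1:-}" = "--report" ]; then
    reptar_population
fi
```

The check only tells you which bucket a host falls into; which microcode revision counts as fixed for a given CPU comes from Intel's bulletin linked in the report, and the update itself arrives through the device or motherboard manufacturer as the article says. The vendor test matters: the fsrm flag also appears on non-Intel CPUs, which are outside the population the report describes.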

AI

Big Tech Wants AI Regulation. The Rest of Silicon Valley is Skeptical. 68

After months of high-level meetings and discussions, government officials and Big Tech leaders have agreed on one thing about artificial intelligence: The potentially world-changing technology needs some ground rules. But many in Silicon Valley are skeptical. WashingtonPost: A growing group of tech heavyweights -- including influential venture capitalists, the CEOs of midsize software companies and proponents of open-source technology -- are pushing back, claiming that laws for AI could snuff out competition in a vital new field. To these dissenters, the willingness of the biggest players in AI, such as Google, Microsoft and ChatGPT maker OpenAI to embrace regulation is simply a cynical ploy by those firms to lock in their advantages as the current leaders, essentially pulling up the ladder behind them. These tech leaders' concerns ballooned last week, when President Biden signed an executive order laying out a plan to have the government develop testing and approval guidelines for AI models -- the underlying algorithms that drive "generative" AI tools such as chatbots and image-makers.

"We are still in the very early days of generative AI, and it's imperative that governments don't preemptively anoint winners and shut down competition through the adoption of onerous regulations only the largest firms can satisfy," said Garry Tan, the head of Y Combinator, a San Francisco-based start-up incubator that helped nurture companies including Airbnb and DoorDash when they were just starting. The current discussion hasn't incorporated the voices of smaller companies enough, Tan said, which he believes is key to fostering competition and engineering the safest ways to harness AI. Companies like influential AI start-up Anthropic and OpenAI are closely tied to Big Tech, having taken huge amounts of investment from them.

"They do not speak for the vast majority of people who have contributed to this industry," said Martin Casado, a general partner at venture capital firm Andreessen Horowitz, which made early investments in Facebook, Slack and Lyft. Most AI engineers and entrepreneurs have been watching the regulatory discussions from afar, focusing on their companies instead of trying to lobby politicians, he said. "Many people want to build, they're innovators, they're the silent majority," Casado said. The executive order showed those people that regulation could come sooner than expected, he said. Casado's venture capital firm sent a letter to Biden laying out its concerns. It was signed by prominent AI start-up leaders including Replit CEO Amjad Masad and Mistral's Arthur Mensch, as well as more established tech leaders such as e-commerce company Shopify's CEO Tobi Lutke, who had tweeted "AI regulation is a terrible idea" after the executive order was announced.

Wireless Networking

Chamberlain Shuts Off Access To MyQ's APIs, Breaking Smart Home Integrations (theverge.com) 146

Jennifer Pattison Tuohy reports via The Verge: The Chamberlain Group -- owners of the MyQ smart garage door controller tech -- has announced it's shut off all "unauthorized access" to its APIs. The move breaks the smart home integrations of thousands of users who relied on platforms such as Homebridge and Home Assistant to do things like shut the garage door when they lock their front door or flash a light if they leave their door open for 10 minutes, or whatever other control or automation they wanted to do with the device they bought and paid for.

The move comes a year after Chamberlain discontinued its official Apple HomeKit integration and a few months after it finally killed support for Google Assistant. It's sadly another example of how the company continues to be hostile to the interoperable smart home. Last week, in a blog post, Dan Phillips, chief technology officer of Chamberlain, explained the reasons behind its latest move: "Chamberlain Group recently made the decision to prevent unauthorized usage of our myQ ecosystem through third-party apps. This decision was made so that we can continue to provide the best possible experience for our 10 million+ users, as well as our authorized partners who put their trust in us. We understand that this impacts a small percentage of users, but ultimately this will improve the performance and reliability of myQ, benefiting all of our users."

When asked what customers that relied on these now-defunct integrations do, a spokesperson for the company said: "We have a number of authorized partners that we will be happy for people to use," pointing to its partner webpage.

"However, those partners are primarily smart security companies with monthly subscriptions (such as Alarm.com and Vivint) and car manufacturers," notes The Verge. Some alternatives to a MyQ smart garage controller are mentioned in the report, such as Tailwind's $90 iQ3 Pro smart garage controller, Meross' $60 Smart Wi-Fi Garage Door Opener, iSmartgate's $40 iSmartgate Mini, and Ratgdo's $30 Wi-Fi control board.

The moral for smart home users, as summed up by Home Assistant founder Paulus Schoutsen, is: "Buy products that work locally and won't stop functioning when management wants an additional revenue stream."

Transportation

Washington DC Gives Residents Free AirTags To Help Track Stolen Cars (pcmag.com) 110

The city of Washington D.C. is planning to give residents Apple AirTags to help officers track down stolen vehicles. PCMag reports: "Last week, we introduced legislation to address recent crime trends; this week, we are equipping residents with technology that will allow MPD to address these crimes, recover vehicles, and hold people accountable," D.C. Mayor Muriel Bowser said in a statement. "We have had success with similar programs where we make it easier for the community and MPD to work together -- from our Private Security Camera Incentive Program to the wheel lock distribution program -- and we will continue to use all the tools we have, and add new tools, to keep our city safe."

At launch, the AirTags will be available to residents in specific areas of the city that have recently seen the largest increase in vehicle thefts. To obtain the tags, residents will have to attend one of three scheduled distribution events next week where officers will install the device on the resident's cars and help them set up the tracking tag on their mobile devices. The program is currently available for residents who live in Police Service Areas 106, 501, 502, 603, 605, and 606. Check where you live on the MPD's website.

The Almighty Buck

World's First Smart Door Comes With Built-In Smart Lock and Video Doorbell (zdnet.com) 111

An anonymous reader quotes a report from ZDNet: First shown off at 2022 CES, the Masonite M-PWR comes with a built-in Ring video doorbell and Yale smart lock, plus motion-activated LED lights and a door sensor -- all powered by your home's electrical system so there are no batteries to replace. An onboard battery backup keeps the door operational for 24 hours in the event of a power loss. Both doorbell and lock components can be upgraded over time as technology advances. If you were hoping for an all-in-one app, however, you'll be disappointed. To use all the door's features, you need the Yale app, the Ring app, and the M-PWR app.

What's all this technology going to cost you? The fiberglass Masonite M-PWR starts at $4,000 -- and that's for the basic model. Several finishes/designs/glass options are available, with pricing on the higher-end versions reaching $7,000. If you consider that a decent front door, Ring doorbell, and Yale smart lock from the same retailer can be had for under $1,000, this is clearly a door for people who want the finer things. And that price doesn't include installation, something most homeowners can't do on their own as the door needs to be hard-wired. The door has been available in new construction homes since 2022, but this marks the first time you can buy it separately.

SuSE

SUSE Will Fork Red Hat Enterprise Linux (zdnet.com) 51

John.Banister writes: SUSE announced that they're spending $10 million on maintaining a fork of RHEL, with the source code of the fork to be freely available to all. I don't know that people who want to copy RHEL source will necessarily see copying the source of a fork as furthering their goals, but it could be that SUSE will build a nice alternative enterprise Linux to complement their current product. And, I reckon, better SUSE than Oracle, since I keep reading comments on people getting screwed by Oracle, but not so many on people getting screwed by SUSE. ZDNet's Steven Vaughan-Nichols writes: This all started when Red Hat's VP of core platforms, Mike McGrath, declared, "CentOS Stream will now be the sole repository for public RHEL-related source code releases. For Red Hat customers and partners, source code will remain available via the Red Hat Customer Portal." That may not sound like much to you, but those were fighting words to many open-source and Linux distributors. According to Linux's fundamental license, the GPLv2, no restrictions can be placed on distributing the source code to those who've received the binaries. In the view of many in the open-source community, that's exactly what Red Hat has done.

Others see this as the latest step in the long dance between Red Hat's business licensing demands and open-source licensing. Red Hat has had conflicts with the RHEL clones since 2005, when Red Hat's trademarks were the issue of the day. Usually, these fights stayed confined to the RHEL and its immediate clone rivals. Not this time.

Dirk-Peter van Leeuwen, SUSE CEO, said this: "For decades, collaboration and shared success have been the building blocks of our open-source community. We have a responsibility to defend these values. This investment will preserve the flow of innovation for years to come and ensures that customers and community alike are not subjected to vendor lock-in and have genuine choice tomorrow as well as today." What does that mean? While SUSE will continue to invest in and support its own Linux distributions, SUSE Linux Enterprise (SLE) and openSUSE, SUSE plans on creating its own RHEL-compatible clone. Once completed, this new distro will be contributed to an open-source foundation, which will provide ongoing free access to alternative source code.
