I recently came across SerenityOS when it was featured in hxp CTF and then on LiveOverflow’s YouTube channel. SerenityOS is an open source operating system written from scratch by Andreas Kling and now has a strong and active community behind it. If you’d like to learn a bit more about it then the recent CppCast episode is a good place to start, as well as all of the fantastic videos by Andreas Kling. Two of the recent videos were about writing exploits for a typed array bug in JavaScript, and a kernel bug in munmap. The videos were great to watch and got me thinking that it would be fun to try and find a couple of bugs that could be chained together to create a full chain exploit such as exploiting a browser bug to exploit a kernel bug to get root access. You don’t get articles like this very often – exploiting a small hobby operating system? Sure, why not.
This document proposes a mechanism for running unmodified Linux programs on Fuchsia. The programs are run in a userspace process whose system interface is compatible with the Linux ABI. Rather than using the Linux kernel to implement this interface, we will implement the interface in a Fuchsia userspace program, called starnix. Largely, starnix will serve as a compatibility layer, translating requests from the Linux client program to the appropriate Fuchsia subsystem. Many of these subsystems will need to be elaborated in order to support all the functionality implied by the Linux system interface. As we expand the universe of software we wish to run on Fuchsia, we are encountering software that we wish to run on Fuchsia that we do not have the ability to recompile. For example, Android applications contain native code modules that have been compiled for Linux. In order to run this software on Fuchsia, we need to be able to run binaries without modifying them. Just more signs that Google has big plans for Fuchsia. With Google it’s always difficult to assess if they’ll go through with it, but I think they intend for Fuchsia to become the base operating system across Chrome OS, Android, their smart devices like Google Home, and everything else they might one day make. The project is too wide and deep to be anything else.
In the tests that matter, most noticeably the 3D rendering tests, we’re seeing a 3% speed-up on the Threadripper Pro compared to the regular Threadripper at the same memory frequency and sub-timings. The core frequencies were preferential on the 3990X, but the memory bandwidth of the 3995WX is obviously helping to a small degree, enough to pull ahead in our testing, along with the benefit of having access to 8x of the memory capacity as well as Pro features for proper enterprise-level administration. The downside of this comparison is the cost: the SEP difference is +$1500, or another 50%, for the Threadripper Pro 3995WX over the regular Threadripper 3990X. With this price increase, you’re not really paying +50% for the performance difference (ECC memory also costs a good amount), but the feature set. Threadripper Pro is aimed at the visual effects and rendering market, where holding 3D models in main memory is a key aspect of workflow speed as well as full-scene production. Alongside the memory capacity difference, having double the PCIe 4.0 lanes means more access to offload hardware or additional fast storage, also important tools in the visual effects space. Threadripper Pro falls very much into the bucket of ‘if you need it, this is the option to go for’. AMD is entirely in a league of its own with these processors. I keep repeating it, but AMD’s comeback is one of the most remarkable stories in the history of technology.
Suing technology firms when they mess up is already hard, especially over privacy violations. Now, Facebook, Google, and the trade groups representing all the big tech firms are asking the Supreme Court to make it even harder for class actions to pursue cases against them. Facebook, Google, and all the others submitted a filing (PDF) to the Supreme Court this week basically arguing that if you cannot prove the specific extent to which their screwup injured you, you should not have any grounds to be part of a lawsuit against them. They are already pretty much invulnerable, but of course, they want even more protections than their sheer size, wealth, influence, and monopoly positions already give them. How surprising.
The beta for the upcoming 5.21 release of the KWinFT projects is now available. It contains a monumental rewrite of KWinFT’s windowing logic. Read on for an overview of the changes and why this rewrite was necessary. KWinFT is such a poster child for open source development. Someone wasn’t happy with KWin, a core aspect of their desktop, and put their money where their mouth is and forked it into something that they think is better. I wouldn’t be surprised to see parts of KWinFT, or even the project as a whole, make its way to become KDE’s default window manager.
There are well documented security flaws in GSM, and publicly available tools to exploit them. At the same time, it has become considerably cheaper and easier to analyze GSM traffic over the past few years. Open source tools such as gr-gsm have matured, and the community has developed methods for capturing the GSM spectrum without the need for expensive SDR radios. With less than $100 and a weekend it’s possible to capture and analyze GSM traffic. With some extra effort it’s possible to decrypt your own traffic, and depending on how your mobile provider has set up their network it may even be possible for somebody else to illegally decrypt traffic they don’t own. GSM is terrifying.
hello (also known as helloSystem) is a desktop system for creators with focus on simplicity, elegance, and usability. Its design follows the “Less, but better” philosophy. It is intended as a system for “mere mortals”, welcoming to switchers from the Mac. FreeBSD is used as the core operating system. With PC-BSD gone, it’s nice to see others step in to fill the void. This particular project was founded by Simon Peter, who also started AppImage and PureDarwin, so there’s quite a bit of pedigree here. It’s still in development and not yet ready for general use.
You think you can escape my ire today, Google? You’re no better than Apple. Case in point: Google is in hot water after banning the Google account of Andrew Spinks, the lead developer of the hit indie game Terraria. The YouTube account of Spinks’ game dev company, Re-Logic, was hit with some kind of terms-of-service violation, resulting in Google banning Spinks’ entire Google account, greatly disrupting his company’s ability to do business. After three fruitless weeks of trying to get the situation fixed, Spinks announced that his company will no longer do business with Google and that the upcoming Stadia version of Terraria is canceled. “I will not be involved with a corporation that values their customers and partners so little,” Spinks said. “Doing business with you is a liability.” This is, sadly, a very common occurrence. Google has a long history of blocking accounts for no reason at all, without giving the affected people any recourse since the company effectively has no customer service department. These cases can be absolutely devastating, causing people to lose photos, emails, access to their business financials, and god knows what else. We at OSNews use what was once called Google Apps for Your Domain (launched in 2006), only for us to be grandfathered into GSuite, which is now called Workplaces, which has led to a lot of frustration for me since GSuite accounts are locked out of a ton of Google services for no particular reason, and there’s no way to convert an existing Google account from one type to another. We were never asked if we wanted to be converted to the much more limited GSuite accounts. Google just did it. In any event, I have been pondering if we should switch to something else, but it’d be a lot of work I’d be putting on the plate of someone else – OSNews’ owner.
Mobile app developer Kosta Eleftheriou has a new calling that goes beyond software development: taking on what he sees as a rampant scam problem ruining the integrity of Apple’s App Store. Eleftheriou, who created the successful Apple Watch keyboard app FlickType, has for the last two weeks been publicly criticizing Apple for lax enforcement of its App Store rules that have allowed scam apps, as well as apps that clone popular software from other developers, to run rampant. These apps enjoy top billing in the iPhone marketplace, all thanks to glowing reviews and sterling five-star ratings that are largely fabricated, he says. I’ve been saying it for ten years: the application store model is fundamentally broken, because the owner of the application store benefits from people gaming and cheating the system. In this case, Apple profits from every scam application or subscription sold, and since the App Store constitutes a huge part of Apple’s all-important services revenue, Apple has no incentive to really tackle issues like this. Here’s what’s going to happen, based on my immutable pattern recognition skills: there will be more press outcry over this developer’s specific issue until Apple eventually sends out a public apology statement and sort-of addresses this specific issue. American tech media – which are deeply embedded in Apple’s ecosystem and depend on being in Apple’s good graces – will praise Apple’s response, and claim the situation has been resolved. Their next batch of review units and press invites from Apple are on their way. And a few weeks or months later, another developer suffers from the same or similar issues, rinse, repeat. The problem is not individual App Store rules or App Store reviewers having a bad day – the paradigm itself is fundamentally broken, and until the tech industry and us as users come to terms with that, these repetitive stories will keep popping up, faux press outrage and all.
Another month, another Haiku activity report. January was a busy month for OSNews’ favourite operating system project, with a lot of love sent the way of the various ports to other architectures. Work has been done on the ARM and RISC-V ports, but also on platforms you might not expect in this day and age: SPARC and PowerPC. While some may question putting any effort into these alternative platforms at all, that’s a shortsighted position – work on other platforms often aids in uncovering and fixing bugs in the code for your main platform. It also prevents code from becoming more platform-dependent than it needs to be. Amid the long list of other improvements, the one that stands out is merging support for SD/MMC cards. The SD/MMC drivers are merged. It is now possible to read and write SD and SDHC cards using controllers compatible with the SDHCI specification. This is one of those things that will make it easier to transfer files to and from your Haiku installation.
In addition to the establishing of the seL4 Foundation and adding the open-source RISC-V architecture as one of their primary architectures, the seL4 micro-kernel has been seeing a lot of work and also research into future work. Among the ambitious research goals is to create a “truly secure, general-purpose OS”. This multi-server OS would be secure, support a range of use-cases and security policies, and perform comparably to monolithic systems. Be sure to flip through the slides of the presentation in question for more information.
The Linux kernel’s floppy driver dates back to the original days of the kernel back in 1991 and is still being maintained thirty years later with the occasional fix. Somewhat surprisingly, a patch was sent in to the Linux kernel’s block subsystem ahead of the Linux 5.12 merge window around the floppy code. Floppies are awesome and I’m sure there’s tons of older machines out there – especially in corporate settings – that are still rocking a floppy drive for backwards compatibility reasons. Might as well keep the code up to snuff.
The legacy version of Microsoft Edge, which is set to be discontinued in March, will be removed from Windows 10 with the release of Patch Tuesday updates in April. As we reported recently, Windows 10 currently comes with three different web browsers – Legacy Edge (hidden), Chromium Edge (default), and Internet Explorer (enabled). In an attempt to reduce clutter and improve security, Microsoft is removing the older browsers from the OS. I mean, on the one hand it seems like this is a reasonable move – there’s a new version of Edge, so an update will remove the old one. On the other hand, though, these are really two entirely different applications that happen to share a name, and it seems grotesque and user-hostile to just remove an entire application without even giving users the option to keep it. Sure, this concerns an outdated browser nobody uses, and that makes it easy to handwave this away, but what if this happens to an application you actually like and use?
Google is exploring an alternative to Apple Inc.’s new anti-tracking feature, the latest sign that the internet industry is slowly embracing user privacy, according to people with knowledge of the matter. Internally, the search giant is discussing how it can limit data collection and cross-app tracking on the Android operating system in a way that is less stringent than Apple’s solution, said the people, who asked not to be identified discussing private plans. Of course it’s going to be less stringent than Apple’s solution. Can’t limit ad tracking too much if ad tracking is how you make money.
The key difference between regular Ubuntu and Ubuntu Core is the underlying architecture of the system. Traditional Linux distributions rely mostly on traditional package systems—deb, in Ubuntu’s case—while Ubuntu Core relies almost entirely on Canonical’s relatively new snap package format. Ubuntu Core also gets a full 10 years of support from Canonical rather than the five years traditional Ubuntu LTS releases get. But it’s a bit more difficult to get started with, since you need an Ubuntu SSO account to even log in to a new Ubuntu Core installation in the first place. Ars takes a look at this rather unusual Ubuntu variant.
Here we go. Wayland is not ready as a 1:1 compatible Xorg replacement just yet, and maybe never will. Hence, if you are interested in existing applications to “just work” without the need for adjustments, then you may be better off not using Wayland at this point. Wayland solves no issues I have but breaks almost everything I need. And usually it stays broken, because the Wayland folks only seem to care about Gnome, and alienating everyone else in the process. DO NOT INSTALL WAYLAND! Let Wayland not destroy everything and then have other people fix the damage it caused. Or force more Red Hat/Gnome components (glib, Portals, Pipewire) on everyone! I’ll save you a read and summarise the ‘article’ so you can do something more productive, like I don’t know, cleaning your floors with a toothpick or something: “my tools and components written specifically for X and its APIs do not work under Wayland, therefore Wayland is garbage and shit”. Wayland is not X.org. Let me repeat that. Wayland is not X.org. If you need the functionality that X.org delivers, then you shouldn’t be using Wayland. This is like buying a Mac and complaining your Windows applications don’t work.
Bedrock Linux is a meta Linux distribution which allows users to mix-and-match components from other, typically incompatible distributions. Bedrock integrates these components into one largely cohesive system. You think you’ve seen everything the Linux world has to offer and nothing can surprise you anymore, and then you run into something like this. I wonder how well this works if a Bedrock Linux installation holds up over time.
Remember HarmonyOS, the operating system Huawei claimed it had written from the ground up? Yeah it’s just Android 10. After getting access to HarmonyOS through a grossly invasive sign-up process, firing up the SDK and emulator, and poring over the developer documents, I can’t come to any other conclusion: HarmonyOS is essentially an Android fork. The way that Huawei describes the OS to the press and in developer documents doesn’t seem to have much to do with what the company is actually shipping. The developer documents appear almost purposefully written to confuse the reader; any bit of actual shipping code to which you hold up a magnifying glass looks like Android with no major changes. The phrase “fake it till you make it” is often given as motivational advice, but I’ve never seen it applied to OS development before. If you’ve ever seen a modern Huawei Android phone, HarmonyOS is largely the same thing… with a few strings changed. So while there’s not much new to see, we can at least dissect HarmonyOS and debunk some of Huawei’s claims about its “brand-new” operating system. So nothing new under the sun here.
The first step in my crazy experiment to see if you can turn a Sun SPARC server into a workstation has been completed. Thanks to an incredibly generous donation by Jon Rushton, a reader from the UK, I’m now in possession of a SunFire V245 server (I did pay for shipping, of course). The machine has some serious specifications:

- Two UltraSPARC IIIi 1.5GHz processors
- 8 GB of DDR1 RAM
- Two SAS hard drives (73GB and 140GB)
- Sun Raptor GFX graphics card (to be replaced by a Sun Quadro FX 3450)

The machine has plenty of room for expansion, as well as the usual server features like dual power supplies, lots and lots of fans that no doubt will be incredibly loud, hot-swappable drive bays, remote management ports, and so on. Since I’m still waiting on a few more accessories I needed to purchase in order to set up and use the server – a USB serial console cable and the aforementioned more powerful GPU – I can’t turn it on and use it quite yet. While we wait on those accessories to be delivered, I figured I might as well post a story in the meantime with a bunch of photos of the server. I have a lot of learning to do here, since the server world is not a place I have ever really visited. I’m going to make stumbles along the way, but the end goal is for this server to be a usable workstation – most likely running either Linux or BSD. I can’t wait to get started.
The macOS Big Sur 11.2 kernel (XNU) source has been released here: source, tarball. My previous post on building XNU for macOS 11.0.1 described the method for compiling open source XNU for Intel Macs. This post details how to compile XNU for both Intel and Apple Silicon Macs, and how to boot the custom kernel on both platforms. Note that it is not possible to build or boot a custom XNU on Apple Silicon Macs before macOS 11.2. I doubt many people compile and run their own XNU kernels, but the fact that you can is still cool.