Android 14 blocks all modification of system certificates, even as root

We’ve come a long way since then, steadily retreating from openness & user control of devices, and shifting towards a far more locked-down vendor-controlled world. The next step of Android’s evolution is Android 14 (API v34, codename Upside-Down Cake) and it takes more steps down that path. In this new release, the restrictions around certificate authority (CA) certificates become significantly tighter, and appear to make it impossible to modify the set of trusted certificates at all, even on fully rooted devices. If you’re an Android developer, tester, reverse engineer, or anybody else interested in directly controlling who your device trusts, this is going to create some new challenges. The walls are slowly but surely closing in on Android.

Microsoft’s results of major technical investigations for Storm-0558 key acquisition

On July 11, 2023, Microsoft published a blog post which details how the China-Based threat actor, Storm-0558, used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA and Upon identifying that the threat actor had acquired the consumer key, Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email. Our technical investigation has concluded. As part of our commitment to transparency and trust, we are releasing our investigation findings. Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected). We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected). After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key. That is one hell of a unique string of unfortunate events.

Cars are the worst product category we have ever reviewed for privacy

Car makers have been bragging about their cars being “computers on wheels” for years to promote their advanced features. However, the conversation about what driving a computer means for its occupants’ privacy hasn’t really caught up. While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines. Machines that, because of all those brag-worthy bells and whistles, have an unmatched power to watch, listen, and collect information about what you do and where you go in your car. All 25 car brands we researched earned our *Privacy Not Included warning label — making cars the official worst category of products for privacy that we have ever reviewed. Much to the surprise of nobody.

Source: Google Pixel 8 will get more OS updates with longer lifespan than Samsung

While the Pixel 6 ushered in three years of major Android OS version updates and an additional two for security patches, that’s still nowhere near the longevity of the iPhone. Google hopes to change that on the Pixel 8 and 8 Pro with noticeably more OS updates. Looking at the mobile Android landscape, three years of OS updates – which was also the case on Qualcomm-powered Pixel phones from 2017-2021 – is less than Samsung’s promise of four, which started last year with the Galaxy S21, S22, Flip 3, and Fold 3 and continued through devices released this year, including some of the company’s more affordable releases. From what we’re hearing, Pixel 8’s update promise should surpass Samsung’s current policy on flagships and meaningfully match the iPhone. Of course, the devil is in the details, especially in those later years. For example, the Galaxy line has, in the past, adopted a quarterly approach towards the end. Even a bump to just five years of OS updates for Pixel would be enough and let the Google phone be at the top of the ecosystem, with anything beyond that squarely going after the iPhone’s record. The situation has definitely been improving – finally – but I’d still like this to be platform-wide, and not just individual manufacturers making promises. To reduce e-waste, make devices more secure and ensure longer lifespans, I’d like to see 10 years of full software support. The tech industry has a long history of garbage support and low quality – especially when it comes to software – that we would not tolerate from any other industry. It’s time the tech industry grew up and joined other industries that offer far longer and more comprehensive support.

China bans iPhone use for government officials at work

China ordered officials at central government agencies not to use Apple’s iPhones and other foreign-branded devices for work or bring them into the office, people familiar with the matter said. In recent weeks, staff were given the instructions by their superiors in workplace chat groups or meetings, the people said. The directive is the latest step in Beijing’s campaign to cut reliance on foreign technology and enhance cybersecurity, and comes amid a campaign to limit flows of sensitive information outside of China’s borders. The move by Beijing could have a chilling effect for foreign brands in China, including Apple. Apple dominates the high-end smartphone market in the country and counts China as one of its biggest markets, relying on it for about 19% of its overall revenue. iPhones are, for all intents and purposes, a Chinese product. It seems odd they are afraid of a device that’s entirely built by Chinese people in Chinese factories owned by Chinese companies run by the Chinese government. An iPhone is about as American as a MAGA hat with a Made in China label, so why ban its use by Chinese government officials? The answer is obvious: because the west is banning the use of Huawei and other devices – even though those are made by the same Chinese people in the same Chinese factories owned by the same Chinese companies run by the same Chinese government as iPhones are. This is a tug of war between two superpowers, and western companies heavily reliant on China, such as Apple, are going to be facing some serious consequences.

Digital Markets Act: Commission designates six gatekeepers

The European Commission has today designated, for the first time, six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft – under the Digital Markets Act (DMA). In total, 22 core platform services provided by gatekeepers have been designated. The six gatekeepers will now have six months to ensure full compliance with the DMA obligations for each of their designated core platform services. Following their designation, gatekeepers now have six months to comply with the full list of do’s and don’ts under the DMA, offering more choice and more freedom to end users and business users of the gatekeepers’ services. However, some of the obligations will start applying as of designation, for example, the obligation to inform the Commission of any intended concentration. It is for the designated companies to ensure and demonstrate effective compliance. To this end, they have 6 months to submit a detailed compliance report in which they outline how they comply with each of the obligations of the DMA. The EC also notes that due to submissions from Apple and Microsoft arguing that iMessage and Bing, Edge, and Microsoft Advertising respectively, do not qualify to be subject to the DMA, the EC has opened four market investigations into these four services to further assess the situation. On top of that, for Gmail, and the Samsung Internet Browser, the EC has concluded that their owners have successfully argued they should not fall under the DMA. This is one of the biggest pieces of legislation to hit powerful corporations in a long time – especially in tech, which basically has been a wild west free-for-all regulation-wise – and it’s going to have some massive consequences for all of us.

Gizmodo fires Spanish staff amid switch to AI translator

From Ars Technica: As both a translator and a tech writer, this article touches upon a lot of aspects of my professional life. As a translator with a master’s degree in translation and over 13 years of experience, I can confidently say these AI-translated articles won’t be anywhere near the quality of a professional translation, let alone that of original content written in Spanish. Computers are actually not that great at language, and every time I play around with machine translation tools – they tend to be integrated into the various translation software suites I use – it’s barely passable as coherent text. There are things you can do to increase the success rate of machine translation. It’s crucial to write the source text in a very formulaic manner, using short sentences with basic sentence structure any primary schooler can easily follow. Avoid complicated clauses, literary devices, sayings and wordplay, and words that can carry multiple meanings. To further increase the success rate, make sure your writers reuse the same formulaic sentences in different articles, so the machine translation software can learn from earlier corrections. By the time you instilled all this and more into your writing staff, not only will they quit because writing in such a way is not engaging at all, it will also tank your SEO – something the kind of people who would fire translators to rely exclusively on machine translation would care about – into the ground. It wouldn’t feel natural, and nobody will enjoy reading it but computers. …it’s going to end up as AIs writing for other AIs.

Aero: a UNIX-like operating system in Rust

Speaking of operating systems written in Rust – a popular activity as of late – one of the SoC contributors to Redox is also writing their own operating system in Rust, called Aero. Aero is a new modern, experimental, unix-like operating system written in Rust. Aero follows the monolithic kernel design and it is inspired by the Linux Kernel. Aero supports modern PC features such as Long Mode, 5-level paging, and SMP (multicore), to name a few. Open source, of course, licensed under the GPL, version 3.

Redox Summer of Code 2023 Wrapup

This year’s Redox Summer of Code program has seen us add some exciting capabilities to Redox. Our three interns each came up with their own project proposals, and delivered major new functionality. In addition to our paid internships, our volunteer contributors also made major strides this summer. This year’s projects include VirtIO drivers, the project to use Linux drivers on Redox that we talked about earlier, and on-demand paging and other memory management improvements. There’s also a long list of other improvements outside of SoC.

Amiga systems programming in 2023

I’ve always loved building tools and platforms, and have long been fascinated with the world of operating systems. Apart from reading through the source code (where that’s legally available, of course…) I think there’s no better way to explore and understand a system – and the mindset that produced it – than to develop for it. What follows is a brain-dump of what I’ve learned about developing for the AmigaOS, both on classic 68k-powered hardware to modern PowerPC systems like the X5000. I’ll cover development environments, modern workflows like CI builds on containerised infrastructure, distribution of packages and even a look back in time before C existed, thanks to AmigaDOS’s odd heritage. If you want to develop for Amiga OS – and you should, because the more people develop for alternative and classic platforms, even if only as an occasional side project, the better – this is a great place to start.

Apple and Microsoft fight Brussels over ‘gatekeeper’ label for iMessage and Bing

Apple and Microsoft have argued with Brussels that some of their services are insufficiently popular to be designated as “gatekeepers” under new landmark EU legislation designed to curb the power of Big Tech. Brussels’ battle with the two US companies over Apple’s iMessage chat app and Microsoft’s Bing search engine comes ahead of Wednesday’s publication of the first list of services to be regulated by the Digital Markets Act. Microsoft’s argument seems to make sense. Microsoft was unlikely to dispute the designation of its Windows operating system, which dominates the PC industry, as a gatekeeper, these people said. But it has argued that Bing has a market share of just 3 per cent and further legal scrutiny would put it at a greater disadvantage. I guess the validity of Microsoft’s argument hinges on if that 3% equates to the number of users requirements set by the European Union, but I guess we’ll find out tomorrow. Apple’s argument, though, seems more precarious. Separately, Apple argued that iMessage did not meet the threshold of user numbers at which the rules applied and therefore should not comply with obligations that include opening the service to rival apps such as Meta’s WhatsApp, said the two people. Analysts have estimated that iMessage, which is built into every iPhone, iPad and Mac, has as many as 1bn users globally, but Apple has not disclosed any figures for several years. The decision is likely to hinge on how Apple and the EU define the market in which iMessage operates. One billion users worldwide is most definitely going to mean it exceeds the minimums set by the DSA. Apple, you’re going to have to open up iMessage, and allow competitors and newcomers to interoperate with it. Using messaging services as lock-in is outdated, anti-consumer, and harmful to competition. And if you don’t like it – as they say on the Isle of Man, a boat leaves in the morning.

Former Huawei executive claims that HarmonyOS for PC will release next year

In 2019, the US Department of Commerce put Huawei on an “Entity List”, which banned it from dealing with any US company. The move led Google to revoke Huawei’s Android license, among other repercussions. Then, Huawei developed its own OS, HarmonyOS, for phones, tablets. Wang Chenglu, former Huawei executive and now CEO of Shenzhen Kaihong Digital Industry Development, recently revealed on Weibo (Chinese social media) that HarmonyOS will be coming to PCs. When someone had asked if a PC version of Hongmeng will be released next year, Chenglu responded with a “Yes” to indicate that a HarmonyOS PC variant is planned for 2024. It is worth noting that HarmonyOS is called Hongmeng in China, and OpenHarmony for PC is available to some testers. HarmonyOS is an interesting beast in that it’s much more than just “a modified Android”, as its Wikipedia page details. Even if it never gains a foothold in the west, its potential in China is massive, and big enough to become a serious contender regardless of what we here in the west think of it. I love the gusto of bringing it to the PC, too, and aside from reservations I have about using an operating system developed by one of the many extensions of the Chinese government, I’m actually quite interested in using one of the HarmonyOS smartphones.

SiFive’s P870 takes RISC-V further

ARM had a slow start on its way to move beyond microcontrollers and enter the high performance market. ARM Ltd made the Cortex A9, their first out-of-order core, in 2007. Throughout the 2010s, they gradually made bigger, higher power, and higher performance cores. Pushing performance boundaries isn’t easy, but today, ARM’s cores can be a viable alternative to Intel and AMD’s offerings in the server market. RISC-V started much later, but has seen faster growth. Berkeley’s BOOM core had grown into a sizeable out-of-order design by 2016. Now, SiFive’s P870 looks a lot like ARM’s Cortex X series in terms of reordering capacity, core width, and execution units. It might not be a match for ARM’s best, since the load/store queues look a bit small and vector execution throughput is a bit weak. But from looking at P870, SiFive’s ambitions are clear. They want a chunk of ARM’s pie. RISC-V is getting better and better at a rapid pace. The software side of the story still has a long way to go, but that, too, is getting better. Exciting.

Is macOS’s new XProtect behavioural security preparing to go live?

A third XProtect was discovered in Ventura, this time observing potentially malicious behaviour such as attempts to access private data for browsers and messaging apps. This XProtect Behaviour Service (XBS) has used a set of Bastion rules embedded in the strings in syspolicyd to record behaviours in a new database, but so far has been an observer and hasn’t blocked such behaviours. Security researchers have already been able to discover its records of novel malicious code, and Chris Long has documented how to access its database, but so far syspolicyd has only watched and recorded. Recent descriptions of Bastion rules have identified four, last updated in syspolicyd in macOS 13.5 on 24 July 2023. Those changed on 8 August, when Apple released its first update to the Bastion rules, and again a month later on 1 September, when they changed again. There’s now a fifth Bastion rule, and XBS appears to be getting ready to fly for the first time. If you had told me in 2005 or so, when I was a fervent Mac user, that one day, macOS would come with an extensive set of antivirus and antimalware tools that ran silently in the background, checking everything you do on your computer – I’d have thought you were crazy. But here we are.

I think Ubuntu 23.10 is making a mistake

The next version of the world’s most popular desktop Linux operating system (that’s Ubuntu, for those playing dumb) comes with fewer apps available out-of-the-box. Daily builds of Ubuntu 23.10 now ship with just a super-slim set of default software. These are designed to cover basic computing needs only. For anything else, the idea is that we, the user, fire up the Software Store (though the new one isn’t included in daily builds yet) and install what we want for ourselves. As an idea, it’s not without merit. But in practice, I think it’s a potential misstep. Basically, Ubuntu will no longer ship with LibreOffice, an email client, Shotwell, or a host of other applications and tools. While there’s certainly a market for slim distributions that install a lean and mean base installation for the user to expand into exactly the installation they desire, I doubt users opting for such an approach are interested in using Ubuntu, of all distributions (use Void. It’s the only Linux distribution with the official OSNews Seal of Approval™). In other words, this seems like an odd choice for a distribution aimed at relative newcomers to the Linux world. But then again, Fedora is a better choice for those people anyway.

Wayland and screen savers

Adding screen savers to Wayland is not simply a matter of “port the XScreenSaver daemon”, because under the Wayland model, screen blanking and locking should not be a third-party user-space app; much of the logic must be embedded into the display manager itself. This is a good thing! It is a better model than what we have under X11. But that means that accomplishing that task means not just writing code, but engaging with whatever passes for a standards body or design committee in the Wayland world, and that is… how shall I put this… not something that I personally feel highly motivated to do. However, as I am the world’s foremost expert on screen savers on Unix-like operating systems, here are a few simple admonitions for young and old. Jamie Zawinski imparts his wisdom.


The other day I had a pressing “need” to examine the behavior of Adaptec 154x and compatible SCSI HBAs and their DOS drivers. I found the hard way that the AHA-154xB does not work with Adaptec’s last DOS drivers from circa 1999. That includes the drivers still available for download (ASPI4DOS.SYS version 3.36), as well as the driver shipped with OEM versions of Windows 98SE (ASPI4DOS.SYS version 3.36S). The error message is far from enlightening; effectively the driver acts as if there were no HBA at all. It turns out it’s an incredibly interesting story.

GNOME 45 to break extensions more than usual

GNOME is going to change the way extensions are loaded in GNOME 45, and that’s going to be a bit of a nuisance for both users and developers. Extensions that target older GNOME versions will not work in GNOME 45. Likewise, extensions that are adapted to work with GNOME 45 will not work in older versions. You can still support more than one GNOME version, but you will have to upload different versions to for pre- and post-45 support. I guess the upgrade from GNOME 44 to 45 is going to be even more of a hassle than GNOME upgrades normally are due to broken extensions. Outstanding.

Everything I know about floppy disks

Floppy disk drives are curious things. We know them as the slots that ingest those small almost-square plastic “floppy disks” and we only really see them now in Computer Museums. But there’s a lot going on in that humble square of plastic and I wanted to write down what I’ve learned so far. Exactly what it says on the tin.

Hacking the Timex m851

Take a look at this watch, it’s just some boring watch for runners, right? Nope, I think this might be the best ultra-low power consumer digital watch ever produced! Let me explain… This device certainly should entice some of you.