Thom Holwerda Archive

System hardening in Android 11

In Android 11 we continue to increase the security of the Android platform. We have moved to safer default settings, migrated to a hardened memory allocator, and expanded the use of compiler mitigations that defend against classes of vulnerabilities and frustrate exploitation techniques. An overview of the security-related changes in Android 11.

Ampere’s product list: 80 cores, up to 3.3 GHz at 250 W; 128 core in Q4

With the advent of higher performance Arm based cloud computing, a lot of focus is being put on what the various competitors can do in this space. We’ve covered Ampere Computing’s previous eMag products, which actually came from the acquisition of Applied Micro, but the next generation hardware is called Altra, and after a few months of teasing some high performance compute, the company is finally announcing its product list, as well as an upcoming product due for sampling this year. Ampere’s Altra is a realized version of Arm’s Neoverse N1 enterprise core, much like Amazon’s Graviton2, but this time in an 80-core arrangement. Where Graviton2 is designed to suit Amazon’s needs for Arm-based instances, Ampere’s goal is essentially to supply a better-than-Graviton2 solution to the rest of the big cloud service providers (CSPs). Of the companies that have committed to an N1 based design, so far on paper Ampere is publicly the biggest and fastest on the books. Can we have these in workstations please? I know they’re not designed for my kinds of uses, but damn if these aren’t awesome.

Haiku monthly activity report for May and June

After the release of the second beta a few weeks ago, Haiku continues its steady pace of improvements and fixes. A few highlights from the work done since the beta release: Korli also worked on improving support for modern x86 CPUs, including the xsave instruction, and enabling use of AVX which requires saving more CPU registers during context switches. A new version of HaikuWebKit has finally been released after help from KapiX and X512 to fix the remaining bugs. It uses a lot less memory, crashes less often, and has better support for modern websites. There is ongoing work for further updates and improvements. There’s a lot more in there, so if you have beta 2 running, be sure to update it.

The 25 greatest Java apps ever written

What follows is a list of the 25 most ingenious and influential Java apps ever written, from Wikipedia Search to the US National Security Agency’s Ghidra. The scope of these applications runs the gamut: space exploration, video games, machine learning, genomics, automotive, cybersecurity, and more. It’s posted by Oracle and thus it makes me feel dirty to link to it, but I guess it’s still an interesting list – albeit with one obvious, huge, giant, inescapable elephant of an omission.

Microsoft removes manual deferrals from Windows Update by IT pros ‘to prevent confusion’

Microsoft is removing the ability for business users to manually defer Windows 10 feature updates using Windows Update settings starting with the Windows 10 2004/May Update. Microsoft seemingly made this change public with a change in its Windows 10 2004 for IT Pros documentation on June 23. I’ve read the article three times and I still don’t quite understand what’s going on.

Symbian won

I was working in the mobile phone industry just as smartphones were taking off. I saw the Palm Pilot rise and fall. I witnessed NEC and Sagem and a host of companies launch smartphones and then disappear. But the greatest tragedy of them all was Nokia and their Symbian Operating System. Symbian was, for its time, a brilliant OS. It ran 3D games smoothly, had terrific hardware support, a decent ecosystem for developers. And it was bloody annoying for users. Every few minutes, Symbian would interrupt you to ask “Are you sure you want this app to connect to the Internet?” His final paragraph has a point.

Microsoft Defender ATP for Linux is now generally available

To meet our customers where they are and relieve customer challenges in managing multiple security solutions to protect their unique range of platforms and products, we have been working to extend the richness of Microsoft Defender ATP to non-Windows platforms. Today we are excited to announce general availability of Microsoft Defender Advanced Threat Protection (ATP) for Linux! Adding Linux into the existing selection of natively supported platforms by Microsoft Defender ATP marks an important moment for all our customers. It makes Microsoft Defender Security Center a truly unified surface for monitoring and managing security of the full spectrum of desktop and server platforms that are common across enterprise environments (Windows, Windows Server, macOS, and Linux). Defender ATP is an enterprise product, so this news doesn’t mean the end-user program that ships with Windows is coming to Linux. Still, seeing Microsoft embracing Linux left, right, and centre is still a weird sight for someone who still hasn’t forgiven Microsoft for their role in killing any chances of BeOS catching on. I’m still bitter over that one.

iPhone 6S getting iOS 14 is like the Galaxy S6 getting Android 11. Imagine that.

At this point, saying Android has a serious problem when it comes to phones receiving reliable Android upgrades is getting old. We’ve written about it a lot — even I, specifically, have written about it a lot. You’ve told us your thoughts. We all get it. Even with all that, though, the latest announcement of iOS 14 really sends the message home. This week, Apple officially confirmed that the 2020 iteration of iOS will land on every iPhone since the iPhone 6S. That’s a phone that came out in September 2015, which is nearly five years ago. Meanwhile, the flagship Android device from 2015 was the Samsung Galaxy S6. The most recent official version of Android that phone received was Android 7 Nougat, which dropped in 2016. Of course, it was well into 2017 before the Galaxy S6 actually got it. Since then: nothing. Apple deserves praise for being pretty much the only smartphone manufacturer supporting its devices for this long. Despite years of attempts and failed promises, Android devices still barely get two years of updates, and even then, they arrive with major delays.

Is WebP really better than JPEG?

If you have used tools like Google’s PageSpeed Insights, you probably have run into a suggestion to use “next-gen image formats”, namely Google’s WebP image format. Google claims that their WebP format is 25 – 34% smaller than JPEG at equivalent quality. I think Google’s result of 25-34% smaller files is mostly caused by the fact that they compared their WebP encoder to the JPEG reference implementation, Independent JPEG Group’s cjpeg, not Mozilla’s improved MozJPEG encoder. I decided to run some tests to see how cjpeg, MozJPEG and WebP compare. I also tested the new AVIF format, based on the open AV1 video codec. AVIF support is already in Firefox behind a flag and should be coming soon to Chrome if this ticket is to be believed. Spoiler alert: WebP doesn’t really provide any benefits, and since websites generally use JPEG as a fallback anyway, you end up having to store two images at the same time, defeating the purpose entirely.

About the Rosetta translation environment

Rosetta is a translation process that allows users to run apps that contain x86_64 instructions on Apple silicon. Rosetta is meant to ease the transition to Apple silicon, giving you time to create a universal binary for your app. It is not a substitute for creating a native version of your app. To the user, Rosetta is mostly transparent. If an executable contains only Intel instructions, macOS automatically launches Rosetta and begins the translation process. When translation finishes, the system launches the translated executable in place of the original. However, the translation process takes time, so users might perceive that translated apps launch or run more slowly at times. A short overview of Rosetta 2, the translation layer that allows 64-bit x86 applications to run on the upcoming ARM-based Macs.
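The decision Apple describes above (native arm64 slice present, or Intel-only and therefore translated) can be reproduced from a binary’s Mach-O header alone, which is handy for inventorying which binaries on a machine will pass through Rosetta. This is an added example, not Apple’s code or documentation; it reads only the standard fat and mach_header_64 layouts and runs on constructed sample headers, and the “unsupported” label for anything that is neither arm64 nor x86_64 is this example’s own.

```python
import struct

# Mach-O constants (from <mach-o/fat.h> and <mach-o/loader.h>)
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") binary; header is big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O; header is native-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C


def mach_o_archs(data: bytes) -> list:
    """Return the cputype values contained in a Mach-O image (fat or thin)."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O image")
    magic_be, = struct.unpack(">I", data[:4])
    if magic_be == FAT_MAGIC:
        nfat_arch, = struct.unpack(">I", data[4:8])
        archs = []
        for i in range(nfat_arch):
            off = 8 + i * 20  # struct fat_arch is five big-endian uint32 fields
            if off + 20 > len(data):
                raise ValueError("truncated fat_arch table")
            cputype, = struct.unpack(">I", data[off:off + 4])
            archs.append(cputype)
        return archs
    magic_le, = struct.unpack("<I", data[:4])
    if magic_le == MH_MAGIC_64:
        cputype, = struct.unpack("<I", data[4:8])  # second field of mach_header_64
        return [cputype]
    raise ValueError("not a 64-bit Mach-O or universal image")


def launch_mode(data: bytes) -> str:
    """Mirror the behaviour described above: an arm64 slice runs natively,
    an Intel-only image is handed to Rosetta, anything else cannot run."""
    archs = set(mach_o_archs(data))
    if CPU_TYPE_ARM64 in archs:
        return "native"
    if CPU_TYPE_X86_64 in archs:
        return "rosetta"
    return "unsupported"  # label chosen for this example, e.g. a 32-bit-only image


def fat_image(cputypes) -> bytes:
    """Constructed sample: a minimal universal header with one fat_arch per cputype."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):
        # cputype, cpusubtype, offset, size, align (no actual code follows)
        hdr += struct.pack(">IIIII", ct, 0, 0x1000 * (i + 1), 0x100, 12)
    return hdr


# Constructed sample: a thin x86_64 mach_header_64 (8 uint32 fields, little-endian)
INTEL_ONLY = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, 0, 0)
UNIVERSAL = fat_image([CPU_TYPE_X86_64, CPU_TYPE_ARM64])

if __name__ == "__main__":
    print("intel-only:", launch_mode(INTEL_ONLY))   # rosetta
    print("universal: ", launch_mode(UNIVERSAL))    # native
```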

Apple unveils macOS 11

The era of macOS 10 is over, and we’re entering the next era of macOS’s life cycle. This is going to be a massive update, and aside from the transition to ARM, it can be summed up as “macOS: iOS Edition”: the entire graphical user interface has been redesigned to resemble iOS, including massive amounts of whitespace, touch-friendly design, and very white roundrect icons. The new operating system brings the biggest redesign since the introduction of macOS 10, according to Apple. Big Sur borrows a number of elements from Apple’s iOS, including a customizable Control Center, where you can change brightness and toggle Do Not Disturb, and a new notification center, which groups related notifications together. Both interfaces are translucent, like their iOS counterparts. A number of apps have received streamlined new redesigns, including Mail, Photos, Notes, and iWork. Apple has introduced a new search feature to Messages (which organizes results into links, photos, and matching terms), as well as inline replies for group chats, a new photo-selection interface, and Memoji stickers. There’s a new version of Maps for Mac that borrows features from the iOS app, including custom Guides, 360-degree location views, cycling and electric vehicle directions (which you can send directly to an iPhone), and indoor maps. Apple introduced a number of new Catalyst apps as well. I’m not entirely sure about the look, especially since it feels very much like a touch UI that won’t work and feel as well when using a mouse or a trackpad – it looks like a 1:1 copy of the iPad Pro’s iPadOS user interface, for better or worse. Still, judging a GUI by mere screenshots and short videos is a folly, so let’s reserve final judgment until we get to use it. That being said, if you want to try the new GUI now, you can just load up any GNOME-based distribution and apply any of the countless iOS-inspired themes found on Gnome-Look.org.
An additional massively important feature is that the upcoming ARM-based Macs will be able to run iOS and iPadOS applications unmodified, as-is, much like how Chrome OS can run Android applications. This further underlines how despite years of Apple and its advocates pooh-poohing Windows for combining cursor and touch-based interfaces, Apple is now pretty much past any idea of combining the two, and has instead just opted to make everything touch-first, whether you use a mouse or not. Lastly, macOS 11 will come with Rosetta 2, which will allow x86 applications to run unmodified on ARM-based Macs. That’s definitely good news for early adopters, but performance will obviously be a concern with emulation technology such as this.

Apple transitions the Mac to its own ARM processors

Building on its industry-leading A-series chips for iPhones and iPads, Apple wants Macs with its custom silicon to have the highest performance with lower power usage. Apple says the vast majority of Mac apps can be quickly updated to be “universal” with support for both Intel-based Macs and those with Apple’s custom silicon. Starting today, developers will be able to apply for a Mac mini with an A12Z chip inside to help prepare their apps for Apple’s custom silicon. The special Mac mini will be running the macOS Big Sur beta and the latest version of Xcode. The news everyone knew was coming. The transition will take roughly two years, and the first consumer device will become available later this year.

iOS 14 has a new home screen with widgets, a redesigned Siri view, and more

Apple has announced iOS 14 onstage at WWDC 2020, giving the first (official) look at the latest version of its software for the iPhone, and it’s bringing the biggest change to the iOS home screen in years: widgets. Widgets come in a variety of sizes and can still be viewed in the Today view, but in iOS 14, Apple allows widgets to be added to the main Home screen to live right alongside your apps. To add them, there’s a new “widget gallery” where users can easily add and customize widgets. There’s also a new “Smart Stack” widget that automatically shows relevant apps based on the time of day. iOS 14 will be a big update, but a lot of it is catching up to features other platforms have had for a decade now, such as the above-mentioned widgets, which look virtually identical to live tiles on Windows Phone. It also comes with an application drawer (like Android), divided into various application categories (like the Palm OS launcher), and the ability to set your own default browser and email application (like every other operating system since the dawn of time). There’s more, of course, such as picture-in-picture support, something called App Clips where parts of applications can be displayed for quick access (Android has had a similar feature for a few years now), and a number of other, smaller things. All in all, it seems like a decent update, bringing a number of features to iOS that most of the world’s smartphone users have been enjoying for a decade or more now. Good news for iOS users, I suppose, but nothing groundbreaking.

The Open Book Project

As a society, we need an open source device for reading. Books are among the most important documents of our culture, yet the most popular and widespread devices we have for reading — the Kobo, the Nook, the Kindle and even the iPad — are closed devices, operating as small moving parts in a set of giant closed platforms whose owners’ interests are not always aligned with readers’. The Open Book aims to be a simple device that anyone with a soldering iron can build for themselves. The Open Book should be comprehensible: the reader should be able to look at it and understand, at least in broad strokes, how it works. It should be extensible, so that a reader with different needs can write code and add accessories that make the book work for them. It should be global, supporting readers of books in all the languages of the world. Most of all, it should be open, so that anyone can take this design as a starting point and use it to build a better book. Whenever someone asks what “putting your money where your mouth is” means, just link them to the Open Book.

Samsung Blu-ray players are rebooting in a loop and nobody knows why

Thousands of users across the internet are reporting severe issues with their Samsung Blu-ray players, home theater, and home cinema systems. A more realistic explanation is that the issues are being caused by an expired SSL certificate that the Samsung Blu-ray players were using to connect to Samsung servers via HTTPS. I kept thinking about smart locks stuck in reboot loops.

Plundering of crypto keys from ultrasecure SGX sends Intel scrambling again

For the past two years, modern CPUs—particularly those made by Intel—have been under siege by an unending series of attacks that make it possible for highly skilled attackers to pluck passwords, encryption keys, and other secrets out of silicon-resident memory. On Tuesday, two separate academic teams disclosed two new and distinctive exploits that pierce Intel’s Software Guard eXtension, by far the most sensitive region of the company’s processors. The new SGX attacks are known as SGAxe and CrossTalk. Both break into the fortified CPU region using separate side-channel attacks, a class of hack that infers sensitive data by measuring timing differences, power consumption, electromagnetic radiation, sound, or other information from the systems that store it. The assumptions for both attacks are roughly the same. An attacker has already broken the security of the target machine through a software exploit or a malicious virtual machine that compromises the integrity of the system. While that’s a tall bar, it’s precisely the scenario that SGX is supposed to defend against. Is this ever going to stop?

Time to upgrade your monitor

I am a programmer. I do not deal with digital painting, photo processing, video editing. I don’t really care for wide gamut or even proper color reproduction. I spend most of my days in a text browser, text editor and text terminal, looking at barely moving letters. So I optimize my setup to showing really, really good letters. A good monitor is essential for that. Not nice to have. A MUST. And by “good” I mean, as good as you can get. These are my thoughts, based on my own experience, on what monitors work best for programming. There’s a lot of good advice in here. We all know higher pixel densities make our user interfaces and text crisper, but a surprising number of people still don’t seem to know just how much of a gamechanger high refresh rates can be. If you’re shopping around for a new monitor, and you have to choose between higher pixel count or a high refresh rate, you should 100% without a doubt go for the higher refresh rate. The difference 120Hz or 144Hz will make in just how smooth and responsive a UI can be is astonishing. I think the sweet spot is 1440p at 144Hz, preferably with FreeSync or G-Sync. Both Windows and Linux support high refresh rates out of the box, but as the linked article notes, macOS basically has no clue anything above 60Hz exists, and you’ll have to be very careful about what display you buy, and be willing to jump through annoying hoops every time you load up macOS just to enable high refresh rates.

Google brings Microsoft Office to Chrome OS through Parallels

Hidden deep in a blog post full of PR speak, Google has announced that it’s bringing Microsoft Office to Chrome OS through a partnership with Parallels. At Google, we recognize the modern way of working as being a cloud worker—on a browser and browser-based apps for the vast majority of the work day (you’re reading this in one, right?), untethered because the devices you use are mobile-friendly and cloud-native. We’ve long been saying that almost any business role can be a cloud worker, and COVID-19 has dramatically made this point. As a result, the Chrome OS team is working on new ways to make sure every company can benefit from the velocity created by supporting a cloud workforce. For example, our new partnership with Parallels brings legacy application support—which includes Microsoft Office desktop apps—to Chromebooks. More to come on this over the coming months. The Verge has more details on how, exactly, this is going to work, and the gist is that Parallels will be integrated with Chrome OS to allow Microsoft Office to run locally on the device. While Chrome OS has long supported Windows desktop apps that are streamed via the cloud through a Parallels Remote Application Server, this new partnership means the apps will run virtualized on Chromebooks instead. The new feature is set to be available this fall for Chrome Enterprise customers. Parallels Desktop will be integrated natively into Chrome OS, improving performance and enabling offline access for these applications on Chromebooks. It’s a surprising but welcome move that will mean Chrome OS will be able to support both Android apps and Windows apps in the future. This is an interesting move, and I hope it will become available to regular, non-enterprise consumers, too.