Google

Playing Around With the Fuchsia OS (quarkslab.com) 102

Security and software development company Quarkslab played around with Google's new Fuchsia operating system, which could one day replace Android on smartphones and Chrome OS on laptops. The researchers "decided to give a quick look at Fuchsia, learn about its inner design, security properties, strengths and weaknesses, and find ways to attack it." Here's what they concluded: Fuchsia's microkernel is called Zircon. It is written in C++. [...] Contrary to every other major OS, it appears rather difficult to target the Zircon kernel directly. A successful RCE (Remote Code Execution) on the world-facing parts of the system (USB, Bluetooth, network stack, etc.) will only give you control over the targeted components, but they run in independent userland processes, not in the kernel. From a component, you then need to escalate privileges to the kernel using the limited number of syscalls you can access with the handles you have. Overall, it seems easier to target other components rather than the kernel, and to focus on components that you can talk to via IPC and that you know have interesting handles.

Overall, Fuchsia exhibits interesting security properties compared to other OSes such as Android. A few days of vulnerability research allowed us to conclude that the common programming bugs found in other OSes can also be found in Fuchsia. However, while these bugs can often be considered vulnerabilities in other OSes, they turn out to be uninteresting on Fuchsia, because their impact is, for the most part, mitigated by Fuchsia's security properties. We note however that these security properties do not -- and in fact, cannot -- hold in the lowest layers of the kernel related to virtualization, exception handling and scheduling, and that any bug here remains exploitable just like on any other OS. All the bugs we found were reported to Google, and are now fixed.

Again, it is not clear where Fuchsia is heading, and whether it is just a research OS as Google claims or a real OS that is vowed to be used on future products. What's clear, though, is that it has the potential to significantly increase the difficulty for attackers to compromise devices.

Programming

Stack Overflow Investigates Why Developers Love Rust So Much (stackoverflow.blog) 83

This year Stack Overflow's Developer Survey of 65,000 programmers found that Rust was their most-loved programming language -- for the fifth year in a row. To understand why, they interviewed the top contributor to the site's Rust topic. ("The short answer is that Rust solves pain points present in many other languages, providing a solid step forward with a limited number of downsides...") But Stack Overflow also reached out to the Rust core team, including Berlin-based developer Erin Power, asking about any barriers to entry, and why they think Rust was the survey's most-loved language. ("I think it's because Rust makes big promises, and delivers on them...")

And finally, they got responses from Stack Overflow users in their Rust chatroom and forums, noting "Rust users are a passionate bunch, and I got some fascinating insights along with some friendly debates..." Many current programming discussions revolve around whether to use a fast, low-level language that lets you handle memory management or a higher-level language with greater safety precautions. For fans of Rust, they like that it does both.... While some languages just add polish and ease to existing concepts, several users feel that Rust is actually doing new things with a programming language. And it's not doing new things just to be showy; they feel these design choices solve hard problems with modern programming...

Stack Overflow user janriemer: "A quote from Chris Dickinson, engineer at npm, sums it up perfectly for me, because I have thought the same, without knowing the quote at that time: 'My biggest compliment to Rust is that it's boring, and this is an amazing compliment.' Rust is a programming language that looks like it has been developed by user experience designers. They have a clear vision (a why) of the language and carefully choose what to add to the language and what to rework, while listening to what the community really wants. There are no loose ends, it's all a coherent whole that perfectly supports a developer's workflow."

Stack Overflow's post also quotes Jay Oster, a software architect at the infrastructure-as-a-service company PubNub, who argues Rust "ticks all the boxes":
  • Memory safe
  • Type safe
  • Data race-free
  • Ahead-of-time compiled
  • Built on and encourages zero-cost abstractions
  • Minimal runtime (no stop-the-world garbage collection, no JIT compiler, no VM)
  • Low memory footprint (programs run in resource-constrained environments like small microcontrollers)
  • Targets bare-metal (e.g. write an OS kernel or device driver; use Rust as a 'high level assembler')

He also describes Rust as "akin to wandering around in complete darkness for an entire career, and suddenly being enlightened to two facts:

  • You are not perfect. You will make mistakes. Those mistakes will cause you a lot of problems.
  • It doesn't have to be this way."

Math

Texas Instruments Makes It Harder to Run Programs on its Calculators (engadget.com) 126

An anonymous reader quotes Engadget: Texas Instruments' graphing calculators have a reputation as hobbyist devices given their program support, but they just lost some of their appeal. Cemetech has learned (via Linus Tech Tips) that Texas Instruments is pulling support for assembly- and C-based programs on the TI-84 Plus CE and its French counterpart, the TI-83 Premium CE. Install the latest firmware for both (OS 5.6 and OS 5.5 respectively) and you'll not only lose access to those apps, but won't have a way to roll back.

The company explained the move as an effort to "prioritize learning and minimize any security risks." It's to reduce cheating, to put it another way... While this could please teachers worried that students will use apps to cheat during exams, enthusiasts are unsurprisingly mad. This reduces the amount of control programmers have over their calculator apps.

Security

Hackers Breach LineageOS Servers Via Unpatched Vulnerability (zdnet.com) 9

An anonymous reader writes: Hackers have gained access to the core infrastructure of LineageOS, a mobile operating system based on Android, used for smartphones, tablets, and set-top boxes. The intrusion took place on Saturday night at around 8 pm (US Pacific coast), and was detected before the attackers could do any harm, the LineageOS team said in a statement published less than three hours after the incident. The LineageOS team said the operating system's source code was unaffected, and so were any operating system builds, which had been already paused since April 30, because of an unrelated issue. Signing keys, used to authenticate official OS distributions, were also unaffected, as these hosts were stored separately from the LineageOS main infrastructure. LineageOS developers said the hack took place after the attacker used an unpatched vulnerability to breach its Salt installation.

Microsoft

Microsoft Confirms Windows 10X is Coming To Laptops Amid Big Jump in Windows Usage (theverge.com) 94

Microsoft is confirming today that it's planning to refocus Windows 10X on single-screen devices. "The world is a very different place than it was last October when we shared our vision for a new category of dual-screen Windows devices," explains Panos Panay, Microsoft's Windows and devices chief. From a report: "With Windows 10X, we designed for flexibility, and that flexibility has enabled us to pivot our focus toward single-screen Windows 10X devices that leverage the power of the cloud to help our customers work, learn and play in new ways." Microsoft isn't saying exactly when single-screen devices like laptops will support Windows 10X, nor when dual-screen devices will launch with the OS. However, Windows 10X will launch on single-screen devices first. "We will continue to look for the right moment, in conjunction with our OEM partners, to bring dual-screen devices to market," says Panay. Microsoft is reprioritizing Windows 10X for laptops and single-screen devices because of the coronavirus pandemic. The software maker has seen a 75 percent year-over-year increase in the time spent in Windows 10. More people are turning to using their laptops or PCs instead of a smartphone or tablet during the lockdowns we've seen worldwide to work or study.

Android

Fairphone 3 Now Available With 'de-Googled' Android /e/OS (techcrunch.com) 66

joestar writes: Fairphone, the European manufacturer of mobile phones with a reduced environmental impact, has announced a partnership to offer /e/OS, the most "de-Googled" and pro-privacy Android OS, on their latest model Fairphone 3. An interesting move that reminds me of the recent introduction of the Google-free Huawei Mate 30. A pithy explainer of its "privacy by design ecosystem" -- and the point of "Android without Google" -- further notes: "We have removed many pieces of code that send your personal data to remote servers without your consent. We don't scan your data in your phone or in your cloud space, and we don't track your location a hundred times a day or collect what you're doing with your apps."

According to TechCrunch, the /e/OS variant of the Fairphone 3 ships from May 6, priced at just under 480 euros -- "a 30 euro premium on the Googley flavor of Android you get on the standard Fairphone 3." The report adds that existing owners of the Fairphone 3 can manually install /e/OS gratis via an installer on its website.

GNOME

Fedora 32 Linux-based OS Available For Download With GNOME 3.36 (betanews.com) 33

Today, Fedora 32 becomes available for download. From a report: It comes with GNOME 3.36 which you can read more about here. If you don't like GNOME, it isn't the end of the world -- you can instead choose KDE Plasma, Cinnamon, MATE, and more. There is even a special ARM variant of Fedora 32 that will work with Raspberry Pi devices. "Fedora 32 includes new features aimed at addressing issues facing modern developers and IT teams. Highlights include key updates to Fedora's desktop-focused edition, Fedora 32 Workstation, and a new computational neuroscience lab image, aimed at bringing those working in science fields to open source software. Each Fedora edition is designed to address specific use cases for modern developers and IT teams with Fedora Workstation and Fedora Server providing open operating systems built to meet the needs of forward-looking developers and server projects," says The Fedora Project development team.

Android

Android OEM Patch Rates Have Improved, With Nokia and Google Leading the Charge (zdnet.com) 30

Security updates are reaching Android users faster and more reliably than in previous years. In research published this month, German cyber-security firm SRLabs said the Android patch gap has gone down from 44 days in 2018 to 38 days today. From a report: The term Android patch delay, or patch gap, refers to the time from when Google formally publishes a security update on its website, and until a smartphone vendor (OEMs, or original equipment manufacturers) integrates the patch into its firmware. SRLabs says it collected information on patch delays using its SnoopSnitch security scanner app installed on more than 500,000 Android smartphones. While the company reported that the patch delay has gone down by 15% in the last two years, the patch gap varied wildly across smartphone vendors, with some better than others at integrating the Google-provided security patches into their customized Android OS versions. Researchers said Google, Nokia, and Sony were the fastest at integrating the monthly Android security updates into their customized Android OS releases, while Xiaomi, HTC, and Vivo were the vendors lagging behind the most.

Software

Google's Flutter: 2 Million Developers, Uptick In Enterprise Use, New Release Model Revealed (zdnet.com) 27

Liam Tung writing via ZDNet: Google says two million developers have used its Flutter user-interface (UI) framework for building apps targeting mobile, desktop, and the web since declaring it production ready at Google I/O 2018. Flutter is on the rise, according to Google's Tim Sneath, who said Flutter use grew 10% in March compared with February -- despite COVID-19 coronavirus pandemic impediments. He added that the UI framework now has "nearly half a million" developers who use it on a monthly basis. Most of them are also building on Windows, with 60% of Flutter users developing on Windows 10 PCs, 27% on macOS, and 13% on Linux. Google says over a third of Flutter users work at a startup, while 26% are developers working in the enterprise, 19% are self-employed, and 7% work for design agencies. There are also now 50,000 Flutter-built Android apps on the Google Play Store, and 10,000 of those were uploaded in the past month, according to Sneath.

Google is also updating the release process for Flutter to improve the stability and predictability of its releases. Google found that Flutter contributors and developers didn't understand when a release would be built and what code it would contain. Another issue is a lack of testing for branches, which means sporadic hotfix releases to address regressions or bugs, which also run the risk of introducing new bugs. Google is now moving to a branching model for Flutter, which commences with the April release and includes a "stabilization period" for the beta and stable releases to address key bugs that have been selected by reviewers. Google will also align the Flutter and Dart release processes and channels. This means Dart now has a beta channel, and it will be aligned with the Flutter beta channel.

The Internet

Malwarebytes Releases New VPN Service For Windows (bleepingcomputer.com) 24

The popular anti-malware software Malwarebytes is releasing a new Windows VPN service called Malwarebytes Privacy. The company says it plans on offering Mac, iOS, Android, and ChromeOS versions in the future. Bleeping Computer reports: During our tests yesterday, you could select from 10 states in the USA and 30 countries around the world. [...] Malwarebytes told BleepingComputer that this is not a white-label service, but rather one they developed themselves. A trusted third party built the network infrastructure, and Malwarebytes developers created the app and other components. Malwarebytes Privacy is using the modern WireGuard VPN implementation that was recently integrated into the Linux kernel.

Unfortunately, not much is known about Malwarebytes Privacy's logging and data retention policies. According to Malwarebytes' product page, "Malwarebytes Privacy does not log your online activities, whether it's browsing or accessing any websites." This is what most people want, but it would be good to get more specific language in a dedicated data retention policy or language in their privacy policy.

IOS

Devs Might Be Able To Write Software On iPad, iPhone With Xcode For iOS (cultofmac.com) 77

macOS and iOS software developers will soon be able to code on an iPad or even iPhone, if an unconfirmed report is correct. iPadOS 14 and the iPhone equivalent will reportedly include support for Xcode, Apple's software development environment. Cult of Mac reports: This report comes from Jon Prosser, founder of YouTube channel Front Page Tech, who recently correctly predicted the launch date of the 2020 iPhone SE. On Monday, Prosser said via Twitter "XCode is present on iOS / iPad OS 14. The implications there are HUGE." Whenever anyone suggests that iPads have become as powerful as MacBooks, someone always asks, "Does it do Xcode?" The implication is that iPads are just toys -- only Macs are real computers. But if Prosser is correct, then devs will be able to use iPad or Mac, whichever they prefer. This is part of Apple steadily upgrading the capabilities of its tablets over years, especially the iPad Pro line. These now have USB-C ports, support for accessing external media, mouse support, etc. And top-tier iPad processors as powerful as Apple laptops.

Music

Apple Music On the Web Exits Beta (macrumors.com) 14

The web-based Apple Music experience that launched in beta last September is now available at music.apple.com. MacRumors reports: The previous beta.music.apple.com address automatically forwards to the newly launched version. Once you're signed into the web version of Apple Music with your Apple ID that has an associated Apple Music subscription, you'll have access to all of your library and playlist content, as well as the same personal mixes and recommendations you'll see in the Music apps for iOS, Mac, and Android. Apple Music content plays right in the web browser, providing access for an array of devices and platforms that don't have native Music app support, including Windows 10, Linux, and Chrome OS.

Privacy

Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000 (vice.com) 38

Hackers are selling two critical vulnerabilities for the video conferencing software Zoom that would allow someone to hack users and spy on their calls, Motherboard reported Wednesday. From the report: The two flaws are so-called zero-days, and are currently present in Zoom's Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale. Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they're in, they can be sold for thousands or even millions of dollars.

Last week, Motherboard reported that there was an increased interest in zero-days for Zoom as millions of people, including employees and executives at big companies around the world, moved onto the platform for sensitive or confidential meetings, due to the coronavirus pandemic. "From what I've heard, there are two zero-day exploits in circulation for Zoom. [...] One affects OS X and the other Windows," said Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days. "I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered."

Chromium

Microsoft's New Browser For Windows 7 Will Be Retired In July 2021 (softpedia.com) 27

Microsoft's relatively new Chromium-based Edge browser is going to be retired in mid-2021. Softpedia reports: News of Microsoft supporting Edge on Windows 7 until at least July 2021 first surfaced earlier this year, but now the software giant has updated its official documentation with more specifics about this date. "We will continue to support Microsoft Edge on Windows 7 and Windows Server 2008 R2 until July 15, 2021. These operating systems are out of support and Microsoft recommends you move to a supported operating system such as Windows 10," the company explains. "While Microsoft Edge helps keep you more secure on the web, your PC may still be vulnerable to security risks. In order for IE mode to be supported on these operating systems the devices will need to have the Extended Security Updates for Windows 7. Without the Windows 7 Extended Security updates Internet Explorer functionality will be vulnerable to security risks. Additionally, IE mode functionality may cease to work without the continued servicing through the extended security updates."

Red Hat Software

How Red Hat's New CEO Handles Life Under IBM -- and a Global Pandemic (newsobserver.com) 20

Paul Cormier became Red Hat's new CEO this week -- while the entire company was working from home. He had to make his inaugural address to over 12,000 employees around the world using BlueJeans videoconferencing tools, reports a North Carolina newspaper: In some ways, Red Hat was well prepared to work through the disruptions of coronavirus. For years, the company has encouraged and accepted employees who have wanted to work from home. It's been a big part of its recruiting efforts, Cormier said. "Especially in engineering, our strategy has always been hire the best person, we don't care where they are."

That doesn't mean it has been unscathed. The company has had to change its sales and product conference this year into a virtual event and social isolation obviously puts a strain on relationships with customers. And while the company wouldn't give out an exact number of employees who have been infected by COVID-19, a spokeswoman for Red Hat said, "We have cases around the globe -- people who are presumed to be sick, people who are sick and, happily, people who have recovered."

Cormier said he's committed to taking care of the thousands of employees affected by work-from-home orders across the globe. Red Hat, he said, will pay all of its employees during this time regardless of whether "you're 140% productive or 40% productive."

Cormier also emphasized he's committed to keeping Red Hat a "totally, totally separate company" from IBM, saying that was agreed upon from the beginning with IBM's new CEO Arvind Krishna. "If we're not independent, then the other cloud guys won't feel safe working with us... Intel, for example, shares their road map, which is super top secret, with us five years in advance, because we have to build the OS to support all their features...." He also noted that Red Hat's finance, legal, communications and human resources teams are all separate from IBM. "IBM doesn't set our road map. We set our road map," he said.

Where the company has seen a lot of success together, though, is in combining sales efforts. In its last earnings call, IBM said Red Hat was seeing an increase in large deals worth more than $10 million after joining IBM. One of them was with Verizon, for example.

Windows

Don't Expect Any Windows 10X Devices This Calendar Year, Says Microsoft (zdnet.com) 22

Microsoft is setting internal expectations that it won't deliver any Windows 10X devices in calendar 2020, ZDNet reports. From a report: This isn't really surprising, given what's going on externally with the COVID-19 coronavirus pandemic. But for enthusiasts who were looking forward to dual-screen Surface Neo devices this holiday season, the reality is taking root. My contacts say that Chief Product Officer Panos Panay informed some of his team internally today, April 8, that Microsoft wouldn't be delivering its own Surface Neo dual-screen 10X devices this calendar year. In addition, Microsoft also won't be enabling third-party dual-screen Windows devices to ship with 10X in calendar 2020, I hear.

Security

Tails, the Security-Focused OS, Adds Support For Secure Boot (zdnet.com) 20

Tails OS, an operating system optimized for privacy and anonymity, has released version 4.5 this week, the first version that supports a crucial security feature named UEFI Secure Boot. From a report: Secure Boot works by using cryptographic signatures to verify that firmware files loaded during a computer's boot-up process are authentic and have not been tampered with. If any of the firmware checks fail, Secure Boot has the authority to stop the boot process, preventing the operating system from launching. The feature has been available as part of the UEFI specification for almost two decades but is rarely used. The reason is that not all firmware vendors cryptographically sign their files, leaving the door open to verification errors that -- when Secure Boot is enabled -- block many operating systems from launching.

AI

Hospitals Deploy AI Tools To Detect COVID-19 on Chest Scans (ieee.org) 16

Deep learning algorithms can diagnose, triage, and monitor coronavirus cases from lung images. Next, can they predict who will need a ventilator? From a report: AI-powered analysis of chest scans has the potential to alleviate the growing burden on radiologists, who must review and prioritize a rising number of patient chest scans each day, experts say. And in the future, the technology might help predict which patients are most likely to need a ventilator or medication, and which can be sent home. "That's the brass ring," says Matthew Lungren, a pediatric radiologist at Stanford University Medical Center and co-director of the Stanford Center for Artificial Intelligence in Medicine and Imaging. "That would be the killer app for this." Some companies are selling their tools, others have released free online versions, and various groups are organizing large crowdsourced repositories of medical images to generate new algorithms. "The system we designed can process huge amounts of CT scans per day," says Hayit Greenspan, a professor at Tel-Aviv University and chief scientist of RADLogics, a healthcare software company that recently announced one such AI-based system. "The capability for quickly covering a huge population is there."

Security

A Hacker Found a Way To Take Over Any Apple Webcam (wired.com) 52

An anonymous reader quotes a report from Wired: Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. This week, a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target's webcam and microphone on iOS and macOS devices. Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari's list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com and fake://example.com. By "wiggling around," as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari. A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target's webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple's microphone and webcam protections themselves, or even in Safari's defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.

Transportation

Boeing 787s Must Be Turned Off and On Every 51 Days To Prevent 'Misleading Data' Being Shown To Pilots (theregister.co.uk) 140

The U.S. Federal Aviation Administration has ordered Boeing 787 operators to switch their aircraft off and on every 51 days to prevent what it called "several potentially catastrophic failure scenarios" -- including the crashing of onboard network switches. The Register reports: The airworthiness directive, due to be enforced from later this month, orders airlines to power-cycle their B787s before the aircraft reaches the specified days of continuous power-on operation. The power cycling is needed to prevent stale data from populating the aircraft's systems, a problem that has occurred on different 787 systems in the past. According to the directive itself, if the aircraft is powered on for more than 51 days this can lead to "display of misleading data" to the pilots, with that data including airspeed, attitude, altitude and engine operating indications. On top of all that, the stall warning horn and overspeed horn also stop working.

This alarming-sounding situation comes about because, for reasons the directive did not go into, the 787's common core system (CCS) -- a Wind River VxWorks realtime OS product, at heart -- stops filtering out stale data from key flight control displays. That stale data-monitoring function going down in turn "could lead to undetected or unannunciated loss of common data network (CDN) message age validation, combined with a CDN switch failure." Solving the problem is simple: power the aircraft down completely before reaching 51 days. It is usual for commercial airliners to spend weeks or more continuously powered on as crews change at airports, or ground power is plugged in overnight while cleaners and maintainers do their thing.
