The Pixel 4 is shipping with a face-unlock security issue that's not expected to get fixed for quite some time. "Unlike the iPhone's FaceID (and Google's earlier face-unlock system on Android 4.1), the Pixel 4's face unlock doesn't look for the user's eyes, so the phone could be pointed at a sleeping or unconscious owner and unlocked without their consent," reports Ars Technica. Google said in a statement that a fix requiring a user's eyes to be looking at the device "will be delivered in a software update in the coming months." Ars Technica reports: The Pixel 4 was announced last week, and instead of including a fingerprint reader like most Android phones do, the Pixel 4 features Google's newly developed face-unlock system as the only biometric option. Google is clearly chasing the iPhone here, and the Pixel 4's face unlock works just like Apple's Face ID system: an IR dot projector blasts a grid of invisible dots onto the user's face, and a camera (a pair of cameras, in the case of the Pixel 4) reads the user's face in 3D. As part of the many pre-release Pixel 4 leaks, screenshots of pre-release builds of the Pixel 4's software showed an option to "require eyes to be open." So we know Google hasn't been completely blindsided by this problem; the fix just wasn't ready in time for launch.

Microsoft today announced a new initiative to combat threats specifically targeted at the firmware level and data stored in memory: Secured-core PCs. From a report: Microsoft partnered with chip and computer makers to apply "security best practices of isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system." Secured-core PCs will be available from Dell, Dynabook, HP, Lenovo, Panasonic, and Surface. Microsoft hasn't released a full list of Secured-core PCs, but two examples include HP's Elite Dragonfly and Microsoft's Surface Pro X.

Firmware is used to initialize the hardware and other software on the device. The firmware layer runs underneath the OS, where it has more access and privilege than the hypervisor and kernel. Firmware is thus emerging as a top target for attackers since the malicious code can be hard to detect and difficult to remove, persisting even with an OS reinstall or a hard drive replacement. Microsoft points to the National Vulnerability Database, which shows the number of discovered firmware vulnerabilities growing each year. As such, Secured-core PCs are designed for industries like financial services, government, and healthcare. They are also meant for workers who handle highly sensitive IP, customer, or personal data that poses higher-value targets for nationstate attackers.

An anonymous reader quotes Engadget: If you've been using Linux on DeX (aka Linux on Galaxy) to turn your Samsung phone into a PC, you'll need to make a change of plans. Samsung is warning users that it's shutting down the Linux on DeX beta program, and that its Android 10 update won't support using the open source OS as a desktop environment. The company didn't explain why it was shutting things down, but it did note that the Android 10 beta is already going without the Linux option...

Samsung is still committed to DeX, and recently enabled its desktop-style space on Macs and Windows PCs. However, it's clear that the dreams of fully replacing a PC with your Galaxy phone will have to wait, at least for now.

Forbes senior contributor Jason Evangelho dedicated a whole article to a coming update for one Chinese-domestic Linux distribution: If you haven't been paying attention to a little Linux desktop distribution called Deepin, it's time to put it on your radar. Nevermind that Huawei chose Deepin to ship on their MateBook laptop lineup. Nevermind that Deepin Cloud Sync [for system settings] is a killer, forward-thinking feature that every Linux distro needs to adopt. Nevermind that its slide-out control center resembles something sexy and sensible straight out of the future. But looking toward 2020, Deepin is poised to be absolutely stunning.

This is without question the most beautiful desktop environment I've ever laid eyes on... For me, the UX is more intuitive and more enjoyable than macOS and Windows 10. And fortunately, a quick setting can also transform Deepin to resemble the traditional Windows or macOS desktop paradigms you're already comfortable with. Hell, even the installer is a breath of fresh air.

But let's take a peek at what's coming next. This week, the Deepin Linux Youtube channel quietly released a preview of its Deepin v20 Launcher (just one component of the forthcoming OS), and it's bound to turn some heads. Take a look [YouTube video]. It's merely a tease ahead of this November's expected Deepin v20 beta release, but the Deepin developers have apparently devoted most of 2019 working on the upcoming version. From the category-driven app browser and animations, to the basic desktop layout we see in the teaser video, things appear quite polished already.
The article points out that Deepin is also a stand-alone desktop environment for any current Linux distribution -- and that it's one of the 248 operating systems available for online testing at DistroTest.net.

Long-time Slashdot reader Kekke shared this article from Ars Technica: A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.

The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013...

The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.

Nico Waisman, who is a principal security engineer at Github [and discovered the bug] said he has not yet devised a proof-of-concept attack that exploits the vulnerability in a way that can execute malicious code on a vulnerable machine. "I'm still working on exploitation, and it will definitely... take some time (of course, it might not be possible)," he wrote in a direct message. "On paper, [this] is an overflow that should be exploitable. Worst-case scenario, [this] is a denial of service; best scenario, you get a shell."
The article notes that the flaw "can't be triggered if Wi-Fi is turned off or if the device uses a Wi-Fi chip from a different manufacturer."

Following the beta period, one of the best and most popular Linux-based desktop operating systems reaches a major milestone -- you can now download Ubuntu 19.10! Code-named "Eoan Ermine", the distro is better and faster then ever. From a report: By default, Ubuntu 19.10 comes with one of the greatest desktop environments -- GNOME 3.34. In addition, users will be delighted by an all-new optional Yaru light theme. There is even baked-in support for the Raspberry Pi 4. The kernel is based on Linux 5.3 and comes with support for AMD Navi GPUs. There are plenty of excellent pre-installed programs too, such as LibreOffice 6.3, Firefox 69, and Thunderbird 68. While many users will be quick to install Google Chrome, I would suggest giving Firefox a try -- it has improved immensely lately. "With GNOME 3.34, Ubuntu 19.10 is the fastest release yet with significant performance improvements delivering a more responsive and smooth experience, even on older hardware. App organization is easier with the ability to drag and drop icons into categorized folders, while users can select light or dark Yaru theme variants depending on their preference or for improved viewing accessibility. Native support for ZFS on the root partition is introduced as an experimental desktop installer option. Coupled with the new zsys package, benefits include automated snapshots of file system states, allowing users to boot to a previous update and easily roll forwards and backwards in case of failure," says Canonical.

If Chrome for Android users visit a site where they enter passwords, Chrome will isolate that site from all the other tabs in a separate Android process, keeping the user's data safe from Spectre-like attacks, Google said today. From a report: Furthermore, Site Isolation, which has been available for desktop users since July 2018, has also been expanded for Windows, Mac, Linux, and Chrome OS users, which now receive protection against more attacks than the original Meltdown and Spectre vulnerabilities. Site Isolation is a Chrome security feature that Google started developing as a way to isolate each website from one another, so malicious code running on one site/tab couldn't steal data from other websites/tabs. Site Isolation was developed to act as a second layer of protection on top of Same Origin Policy (SOP), a browser feature that prevents websites from accessing each other's data. Google developed Site Isolation because browser bugs often allowed sites to jump the SOP barrier and steal user data stored in the browser, created by other sites.

intensivevocoder writes: Fedora -- as a Linux distribution -- will celebrate the 15th anniversary of its first release in November, though its technical lineage is much older, as Fedora Core 1 was created following the discontinuation of Red Hat Linux 9 in favor of Red Hat Enterprise Linux (RHEL). Five years after the start of Fedora.next, the distribution is on the right track -- stability has improved, and work on minimizing hard dependencies in packages and containers, including more audio/video codecs by default, flicker-free boot, and lowering power consumption for notebooks, among other changes, have greatly improved the Fedora experience, while improvements in upstream projects such as GNOME and KDE have likewise improved the desktop experience. In a wide-ranging interview with TechRepublic, Fedora project leader Matthew Miller discussed lessons learned from the past, popular adoption and competing standards for software containers, potential changes coming to Fedora, as well as hot-button topics, including systemd.

exomondo shares a report from The Hacker News: A vulnerability has been discovered in Sudo -- one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system. The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the "sudoers configuration" explicitly disallows the root access. Sudo, stands for "superuser do," is a system command that allows a user to run applications or commands with the privileges of a different user without switching environments -- most often, for running commands as the root user.

The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password. What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295." That's because the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user. The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which has been released today.

An anonymous reader quotes a report from Ars Technica: Google's October 15 hardware event is fast approaching, and in addition to the launch of the Pixel 4, Google Home Mini 2, Google WI-Fi 2, and a new pair of Pixel Buds, the show should usher in a new Pixelbook. We've known the new Pixelbook would be called the "Pixelbook Go," but other than a few details from Chrome OS commits, the device has mostly been a mystery. Google takes its title as "least secretive device manufacturer" very seriously, though, and recently 9to5Google managed to just get a Pixelbook Go ahead of the event. They took a bunch of pictures and video. Unlike the fairly unique design of the original Pixelbook and the Pixel Slate, the Pixelbook Go mostly just looks like a MacBook. 9to5Google got that vibe from the device in person, too, writing: "We can't fathom that this laptop won't immediately be labeled 'Google's MacBook.'" The one unique design aspect is the bottom, which is a brightly colored, ribbed pad that covers the entire bottom of the device. This device is a near-final prototype, with placeholder logos and product names.

9to5Google reports that the keyboard is "just as good or better than the first Pixelbook" and it "feels great to type on." The trackpad is "a traditional "diving board" trackpad and seemed sufficiently responsive and "clicky." There are single USB-C ports on the left and right side of the laptop, along with LEDs indicating the device's charging status. Like with past Pixelbooks, it seems like you can charge the device from either port. On the right side is also a headphone jack. Other specifications include: Intel Core m3, i5, and i7 configurations; Either 8GB or 16GB RAM; 64GB, 128GB, or 256GB storage; 2 front-firing speakers; 2MP front-facing camera -- 1080p at 60fps; Titan C chip; 13.3-inch touchscreen; and 16:9 aspect ratio, both Full HD or 4K "Molecular Display" options.

You can watch 9to5Google's hands-on video here.

System76, the Denver-based Linux PC manufacturer and developer of Pop OS, has some stellar news for those who prefer their laptops a little more open. Later this month the company will begin shipping two of their laptop models with its Coreboot-powered open source firmware. From a report: Beginning today, System76 will start taking pre-orders for both the Galago Pro and Darter Pro laptops. The systems will ship out later in October, and include the company's Coreboot-based open source firmware which was previously teased at the 2019 Open Source Firmware Conference. (Coreboot, formerly known as LinuxBIOS, is a software project aimed at replacing proprietary firmware found in most computers with a lightweight firmware designed to perform only the minimum number of tasks necessary to load and run a modern 32-bit or 64-bit operating system.) What's so great about ripping out the proprietary firmware included in machines like this and replacing it with an open alternative? To begin with, it's leaner. System76 claims that users can boot from power off to the desktop 29% faster with its Coreboot-based firmware.

[...] Both of these laptops can be kitted out with 10th-Generation Intel CPUs (specifically the i5-10210U and the i7-10510U), and both have glare-resistant matte 1080p IPS displays. Beginning at $949, the Galago Pro features an all-aluminum chassis, a wealth of connectivity options including HDMI, DisplayPort to USB-C and Thunderbolt, and can be configured with up to 32GB of RAM and up to 6TB of storage space. The Darter Pro, meanwhile, can be built out with 32GB of RAM and up to 2TB of storage, and features up to 10 hours of battery life.

Brian Fagioli, writing for BetaNews: Beginning with the upcoming version 31 of the operating system, i686 32-bit processor support is being dropped by the Fedora Project. "The i686 architecture essentially entered community support with the Fedora 27 release. Unfortunately, there are not enough members of the community willing to do the work to maintain the architecture. Don't worry, though -- Fedora is not dropping all 32-bit packages. Many i686 packages are still being built to ensure things like multilib, wine, and Steam will continue to work," says Justin Forbes of Fedora Project. Forbes further explains, "While the repositories are no longer being composed and mirrored out, there is a koji i686 repository which works with mock for building 32-bit packages, and in a pinch to install 32-bit versions which are not part of the x86_64 multilib repository. Of course, maintainers expect this will see limited use. Users who simply need to run a 32-bit application should be able to do so with multilib on a 64-bit system."

Collapse OS is a new open-source operating system built specifically for use during humanity's darkest days. According to its creator, software developer Virgil Dupras, Collapse OS is what the people of the future will need to reconfigure their scavenged iPhones. For now, though, he's hosting the project on GitHub and looking for contributors. Motherboard reports: According to the Collapse OS site, Dupras envisions a world where the global supply chain collapses by 2030. In this possible future -- kind of a medium-apocalypse -- populations won't be able to mass produce electronics anymore, but they'll still be an enormous source of political and social power. Anyone who can scavenge electronics and reprogram them will gain a huge advantage over those who don't. Dupras believes that the biggest problem for tech savvy post-apocalyptic people will be microcontrollers -- tiny computers embedded in circuit boards that control the functions of computer systems.

Collapse OS will work with Z80 8-bit microprocessors. Though less common today than 16- and 32-bit components, the 8-bit Z80 can be found in desktop computers, cash registers, musical instruments, graphing calculators, and everything in between. In a Reddit Q&A, Dupras explained that the Z80 was chosen "because it's been in production for so long and because it's been used in so many machines, scavenger have good chances of getting their hands on it." According to the product page, Collapse OS currently can run on a homebrew Z80-based computer called the RC2014, and on Reddit Dupras said it could theoretically run on a Sega Genesis console.

An anonymous reader quotes a report from ZDNet: At the 2019 Linux Plumbers Conference, I talked to Linus Torvalds and several other of the Linux kernel's top programmers. They universally agreed Microsoft wants to control Linux, but they're not worried about it. That's because Linux, by its very nature and its GPL2 open-source licensing, can't be controlled by any single third-party. Torvalds said: "The whole anti-Microsoft thing was sometimes funny as a joke, but not really. Today, they're actually much friendlier. I talk to Microsoft engineers at various conferences, and I feel like, yes, they have changed, and the engineers are happy. And they're like really happy working on Linux. So I completely dismissed all the anti-Microsoft stuff."

But that doesn't mean the Microsoft leopard can't change its spots. Sure, he hears, "This is the old Microsoft, and they're just biding their time." But, Torvalds said, "I don't think that's true. I mean, there will be tension. But that's true with any company that comes into Linux; they have their own objectives. And they want to do things their way because they have a reason for it." So, with Linux, "Microsoft tends to be mainly about Azure and doing all the stuff to make Linux work well for them," he explained. Torvalds emphasized this is normal: "I mean, that's just being part of the community." James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, sees Microsoft as going through the same process as all other corporate Linux supporters: "This is a thread that runs through Linux. You can't work on the kernel to your own proprietary advantage. A lot of companies, as they came in with the proprietary business model, assumed they could. They have to be persuaded that, if you want something in Linux, that will assist your business -- absolutely fine. But it has to go through an open development process. And if someone else finds it useful, you end up cooperating or collaborating with them to produce this feature." That means, to get things done, even Microsoft is "eventually forced to collaborate with others."

Bottomley concluded: "So it doesn't matter if Microsoft has a competing agenda to Red Hat or IBM or anybody else. Developers are still expected to work together in the Linux kernel with a transparent agenda."

Fast Company highlights some of the "privacy nightmares" surrounding low-cost Android smartphones, which can be very attractive for those on a tight budget. One example is the MYA2 MyPhone: According to an analysis by the advocacy group Privacy International, a $17 Android smartphone called MYA2 MyPhone, which was launched in December 2017, has a host of privacy problems that make its owner vulnerable to hackers and to data-hungry tech companies. First, it comes with an outdated version of Android with known security vulnerabilities that can't be updated or patched. The MYA2 also has apps that can't be updated or deleted, and those apps contain multiple security and privacy flaws. One of those pre-installed apps that can't be removed, Facebook Lite, gets default permission to track everywhere you go, upload all your contacts, and read your phone's calendar. The fact that Facebook Lite can't be removed is especially worrying because the app suffered a major privacy snafu earlier this year when hundreds of millions of Facebook Lite users had their passwords exposed.

Philippines-based MyPhone said the specs of the MYA2 limited it to shipping the phone with Android 6.0, and since then it says it has "lost access and support to update the apps we have pre-installed" with the device. Given that the MYA2 phone, like many low-cost Android smartphones, runs outdated versions of the Android OS and can't be updated due to their hardware limitations, users of such phones are limited to relatively light privacy protections compared to what modern OSes, like Android 10, offer today. The MYA2 is just one example of how cheap smartphones leak personal information, provide few if any privacy protections, and are incredibly easy to hack compared to their more expensive counterparts.

It's happening a little later in the season than usual, but Apple's latest version of macOS is available to download today. From a report: Catalina arrives on the heels of iOS 13, which saw several back-to-back updates after an initially rough launch. For what it's worth, I've been using successive versions of the Catalina beta as my daily driver for months now and can assure you that the latest build is stable enough to safely install. [...] Speaking of games, today also marks the first time that Catalina beta users will have been able to play Apple Arcade games. If you're wondering how the heck you'll play those titles from your Mac, it's worth a reminder that many Arcade games support Xbox and PlayStation controllers.

Also new in this release: As you browse episodes in the podcast app, you'll see avatars for guests and hosts. Apple also says it's made some small usability tweaks to Sidecar, the feature that allows you to use an iPad as a secondary Mac display. You'll also notice more promotional Apple TV+ material in the new TV app, which makes sense -- the streaming service launches November 1st. It'll cost $4.99 a month, but Apple is offering a free year with the purchase of a new Mac, iPhone, iPad or Apple TV. Further reading: Apple's MacOS Catalina Opens Up To iPad Apps; Apple Will Permanently Remove Dashboard In macOS Catalina; Apple Replaces Bash With Zsh as the Default Shell in macOS Catalina; and Apple Finally Kills iTunes.

Mike Bouma shares a post from MorphZone, detailing the latest update to the AmigaOS-like computer operating system known as MorphOS: The MorphOS development team is proud to announce the public release of MorphOS 3.12. This new version introduces brand new dual-monitor capabilities to various Powerbook laptops as well as G5 desktop systems, and features improved thermal management, fan control and dynamic CPU frequency switching, which provide increased energy efficiency and reduced noise levels. Additionally, the Helios Firewire stack has been fully integrated into the core OS and we added support for hundreds of modern printers and scanners. The installation and troubleshooting guides should be carefully read prior to installation. You can download MorphOS 3.12 here.

An anonymous reader quotes a report from Ars Technica: Monday, AMD announced Ryzen Pro 3000 desktop CPUs would be available in Q4 2019. This of course raises the question, "What's a Ryzen Pro?" The business answer: Ryzen Pro 3000 is a line of CPUs specifically intended to power business-class desktop machines. The Pro line ranges from the humble dual-core Athlon Pro 300GE all the way through to Ryzen 9 Pro 3900, a 12-core/24-thread monster. The new parts will not be available for end-user retail purchase and are only available to OEMs seeking to build systems around them.

From a more technical perspective, the answer is that the Ryzen Pro line includes AMD Memory Guard, a transparent system memory encryption feature that appears to be equivalent to the AMD SME (Secure Memory Encryption) in Epyc server CPUs. Although AMD's own press materials don't directly relate the two technologies, their description of Memory Guard -- "a transparent memory encryption (OS and application independent DRAM encryption) providing a cryptographic AES encryption of system memory" -- matches Epyc's SME exactly. AMD Memory Guard is not, unfortunately, available in standard Ryzen 3000 desktop CPUs. If you want to build your own Ryzen PC with full memory encryption from scratch, you're out of luck for now.

Microsoft today announced Windows 10X, a new flavor of Windows 10 designed for dual-screen PCs. Windows 10X will power dual-screen PCs from Asus, Dell, HP, Lenovo, and of course Microsoft. From a report: But we won't see them until holiday 2020. Microsoft teased the Surface Neo running Windows 10X at its event today. Lenovo unveiled what it called "the world's first foldable PC" earlier this year. Windows 10X will support devices that have either two different panels with a hinge or one foldable piece of glass. The only requirement is that the device's two screens must each measure more than 9 inches diagonally. Windows 10X devices available next year will come with varying screen sizes, but the smallest will be 9 inches. Dual-screen PCs aside, Microsoft has been working to modularize Windows 10 for years. After all, the company's HoloLens, Surface Hub, and Xbox One all run a form of Windows 10. Adding support for the dual-screen PC form factor into Windows 10 has also been a multi-year journey. Further reading: Microsoft Announces the Surface Duo, a Dual-Screen Android Phone.

An anonymous reader quotes a report from ZDNet: Docker, the technology, is the poster child for containers. But it appears Docker, the business, is in trouble. In a leaked memo, Docker CEO Rob Bearden praised workers -- despite the "uncertainty [which] brings with it significant challenges" and "persevering in spite of the lack of clarity we've had these past few weeks." Lack of clarity about what? Sources close to the company say it's simple: Docker needs more money.

Indeed, Bearden opened by saying: "We have been engaging with investors to secure more financing to continue to execute on our strategy. I wanted to share a quick update on where we stand. We are currently in active negotiations with two investors and are working through final terms. We should be able to provide you a more complete update within the next couple of weeks." Docker has already raised $272.9 million, but the company hasn't been profitable. It's venture-capitalist supporters -- ME Cloud Ventures, Benchmark, Coatue Management, Goldman Sachs, and Greylock Partners -- which have seen it through Series E financing, can't be happy, that after almost six-years, Docker still isn't close to an IPO. While the previous CEO, Steve Singh, promised in May 2019 that Docker would be cash-flow positive by the end of this fiscal year, that appears not to have been the case. Otherwise, Docker wouldn't need to seek additional capital. ZDNet's Steven J. Vaughan-Nichols says the reason has to do with Docker's lack of a viable business plan.

"That's in part because Docker had hoped to make container orchestration, with Docker Swarm, its profit center," writes Vaughan-Nichols. "Then along came Kubernetes, and that was the end of that. Kubernetes has become the container orchestration of choice, leaving little room for others. And, indeed, Docker has adopted Kubernetes as well."