Category Archives: News

Article note: JFC google. An elementary error a linter should catch that completely breaks login made it through the QA process, in what is nominally a computers-for-the-computer-illiterate product line.

Enlarge (credit: Bloomberg / Getty Images)

Google says it has fixed a major Chrome OS bug that locked users out of their devices. Google's bulletin says that Chrome OS version 91.0.4472.165, which was briefly available this week, renders users unable to log in to their devices, essentially bricking them.

Chrome OS automatically downloads updates and switches to the new version after a reboot, so users who reboot their devices are suddenly locked out them. The go-to advice while this broken update is out there is to not reboot.

The bulletin says that a new build, version 91.0.4472.167, is rolling out now to fix the issue, but it could take a "few days" to hit everyone. Users affected by the bad update can either wait for the device to update again or "powerwash" their device—meaning wipe all the local data—to get logged in. Chrome OS is primarily cloud-based, so if you're not doing something advanced like running Linux apps, this solution presents less of an inconvenience than it would on other operating systems. Still, some users are complaining about lost data.

Article note: "We've had first COVID, yes, but what about second COVID."

Article note: I've made the "Kubernetes is hilariously over-complicated for almost every task to which it is applied" argument a bunch of times, but I like the analogy to Multics. It implies that it's wasting a bunch of smart devs' time, and that there is likely a way out.

Article note: The windows one is a straightforward "wrong default permissions" thing...but that Linux exploit really is something. A valid 1GB path name is like a million inodes on most FSes (like 5GB of junk), so it wouldn't be small or quiet, and it's just to get one semi-controlled out-of-bounds write to break the EBPF security model and run an exploit sequence from there.

Enlarge

The world woke up on Tuesday to two new vulnerabilities—one in Windows and the other in Linux—that allow hackers with a toehold in a vulnerable system to bypass OS security restrictions and access sensitive resources.

As operating systems and applications become harder to hack, successful attacks typically require two or more vulnerabilities. One vulnerability allows the attacker access to low-privileged OS resources, where code can be executed or sensitive data can be read. A second vulnerability elevates that code execution or file access to OS resources reserved for password storage or other sensitive operations. The value of so-called local privilege escalation vulnerabilities, accordingly, has increased in recent years.

Breaking Windows

The Windows vulnerability came to light by accident on Monday when a researcher observed what he believed was a coding regression in a beta version of the upcoming Windows 11. The researcher found that the contents of the security account manager—the database that stores user accounts and security descriptors for users on the local computer—could be read by users with limited system privileges.

Article note: Every one I know who has worked there has been convinced it was grift all the way up.

Article note: This is ugly funding incentives above and beyond the usual story of perverse incentives ruining science. A bullshitter can emit more, fancier sounding bullshit than a good actor can ever hope to match, and challenging bullshit is difficult (time consuming, unrewarded, and actively politically opposed). Plus, bullshitting that benefits commercial actors attracts money, which also advances careers. So the bullshitters become entrenched, and the standards become calibrated to their bullshit, locking out anyone who isn't complicit, and challenging bullshit gets even harder via mass complicitcy, and ... now you broke science.

Article note: As usual in modern optimization deep dives; the traditional growth order barely matters, it's all about not causing caches or speculation to miss, with a sprinkling of clever use of architectural features like it's the CISC era again but with even more foot cannons.

Article note: Huh. Industry consolidation continuing apace? GlobalFoundries being a failure mop (AMD dumped their fabs to start it, then IBM _paid them_ $1.5B to take theirs after they decided to get out of the game when the 14nm plans fell through, and are still unsatisfied with the result.) Buying Foundry service knowledge/infrastructure/customer base? Is it an antitrust concern?

Article note: Well, that's a neat gadget. I recently sprung for an RG351p handheld and I see the appeal of one with a full-on computer in it. ...Also, holy shit, SteamOS 3 is ArchLinux-derived.

• 

  The Steam Deck, from Valve. [credit: Valve ]

On Thursday, Valve took the wraps off its new Switch-like portable PC, now dubbed the Steam Deck, confirming that it is indeed the hardware Ars Technica wrote about earlier this year. The device will begin shipping later this year at a starting price of $399.

The hefty-looking console, which is 11.7 inches long (compared to 9.4 inches for the default Switch with Joy-Cons), will launch at three price points, differentiated by built-in storage capacity, higher SSD speed ratings (jumping from default eMMC storage to a pricier NVMe protocol), and differently tempered glass on its screen. Those upgraded versions will cost $529 (256GB) and $649 (512GB, "anti-glare etched glass"). Both pricier bundles include a carrying case.

All models will have the same AMD-powered combination of a four-core Zen 2 CPU and a RDNA 2 GPU, which Valve describes as a "custom" APU. Each model also includes 16GB of LPDDR5 RAM, a 40 Whr battery (guaranteeing "2-8 hours of gameplay" on a single charge), and a 7-inch, 1280x800 touchscreen LCD.

Article note: Nice. TIL: https://sfdora.org/ That's a good program to try to realign incentives.