Category Archives: General

Policy statement concerning Spectre and Meltdown exploits

Spectre and Meltdown are the names given to two classes of attacks against modern processors. Both abuse speculative (out-of-order) execution: the CPU transiently executes instructions it should not have (past a bounds check in the case of Spectre, past a privilege check in the case of Meltdown), and although the architectural results are discarded, the effect on the processor cache is not. The attacker then measures how long memory accesses take in order to infer what the transient instructions touched. This is why they are commonly termed “timing attacks,” and the data recovered this way may be sensitive in nature (passwords and other information held in memory by the kernel or by other processes). They belong to the more general class termed “side-channel attacks,” because they exploit the behaviour of the hardware itself, rather than breaking encryption or utilizing a software flaw. For more technical information regarding these exploits, please refer to the links section, below.

Arca Noae engineers are monitoring the situation, and while there is still much contradictory information crossing the internet at this time, we believe we have been able to assess at least some of the risk and provide some guidance to users of the OS/2 platform (OS/2 Warp, eComStation, and ArcaOS). As further reliable information becomes available, this post will be updated to reflect any change in Arca Noae’s position and any actions we may plan to take.

General information

In order to gain access to any information in privileged memory using one of these exploits, attacker-controlled code must run on the specific machine to be compromised. On a bare metal system this means an OS/2 executable (or code running inside an OS/2 process, such as a browser) must be used as the attack vector. As of this writing, we are not aware of any such code which executes on the OS/2 platform.

Browser-based attacks (running JavaScript) appear to require a higher-resolution timer than is currently available to JavaScript on OS/2, making such exploits more difficult than on other platforms, if not altogether impossible. (Browser vendors, Mozilla among them, reduced the resolution of performance.now() and disabled SharedArrayBuffer for exactly this reason, since a usable timer can otherwise be built from a shared-memory counter; see the Mozilla Security Blog link below.) It should also be noted that any such JavaScript-based attack would have to be specifically designed for the memory layout and the browser build in use on OS/2 (in other words, a malicious JavaScript program must be written for OS/2 and for the specific OS/2 browser version in which it runs; a JavaScript exploit written for Windows or Linux will not work on OS/2). Realistically, the chance of an attacker investing this level of effort is extremely small.
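As an added illustration (not part of the original policy statement and not Arca Noae code), the following C fragment shows the bounds-check-bypass pattern behind CVE-2017-5753 (Spectre variant 1) next to the branchless index-masking mitigation used by, for example, the Linux kernel. The arrays, sizes and stride are constructed for the example. No timing measurement is performed, so the code does not itself leak anything; it shows the shape of the gadget an attacker must find in victim code (a kernel, a browser) and how the mask neutralises it even when the branch predictor has been trained to run past the check. Meltdown (CVE-2017-5754) relies on a faulting privileged load instead and is not modelled here.

```c
#include <stdint.h>
#include <stdio.h>

#define SIZE_T_BITS (sizeof(size_t) * 8)

/* Branchless bounds mask: all ones when index < size, zero otherwise.
 * Modelled on the generic array_index_mask_nospec() idea: because the result
 * is computed arithmetically rather than with a branch, it stays correct
 * while the CPU is speculating past a mispredicted bounds check.
 * Assumes size has its top bit clear (true for any real array). */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    /* For index < size both operands are below size, so the top bit of the
     * OR is clear; for index >= size, (size - 1 - index) wraps and sets it. */
    size_t inbounds = (~(index | (size - 1 - index))) >> (SIZE_T_BITS - 1);
    return (size_t)0 - inbounds;   /* 1 -> 0xFFFF...FF, 0 -> 0 */
}

/* Constructed victim state (example data, not anything from OS/2): a small
 * array the caller may legitimately index, and a 256-entry probe array whose
 * cache state is the side channel an attacker would later time. */
enum { ARRAY1_LEN = 16, STRIDE = 512 };
static uint8_t array1[ARRAY1_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static uint8_t array2[256 * STRIDE];
static size_t array1_size = ARRAY1_LEN;

/* Vulnerable Spectre v1 gadget. Architecturally the check holds, but once
 * the predictor has been trained with in-bounds x, an out-of-bounds x is
 * transiently used: array1[x] reads beyond the array and the dependent load
 * pulls array2[byte * STRIDE] into cache, where a timing probe can see it. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < array1_size)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Hardened form: the index is ANDed with a mask that is zero whenever x is
 * out of bounds, so even a mispredicted branch only ever touches array1[0]. */
uint8_t victim_hardened(size_t x)
{
    if (x < array1_size) {
        x &= index_mask_nospec(x, array1_size);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

/* The index the hardened gadget would actually dereference for a given x
 * (in bounds -> x unchanged, out of bounds -> 0). */
size_t clamped_index(size_t x)
{
    return x & index_mask_nospec(x, array1_size);
}

int main(void)
{
    printf("index 3 -> %zu, index 16 -> %zu, index SIZE_MAX -> %zu\n",
           clamped_index(3), clamped_index(16), clamped_index(SIZE_MAX));
    return 0;
}
```

The mask, rather than a second `if`, is the point: a conditional branch can itself be mispredicted, whereas the AND is evaluated on the speculative path with the speculative value of `x`. Compilers such as GCC and Clang also offer `__builtin_speculation_safe_value()` or an `lfence` barrier for the same purpose; the arithmetic form above has the advantage of being portable and cheap.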

Risks – virtual installations vs bare metal

By far, virtualized environments (running OS/2 as a guest under some other, more vulnerable platform) are at the greatest risk. The host legitimately has access to the guest’s memory and virtualized processor, so an attacker running code on the host, or in another guest on the same unpatched hardware, could use one of these exploits to read the OS/2 guest’s memory regardless of what runs inside OS/2. A host running a vulnerable operating system with an exploitable CPU which remains unpatched is the greatest concern. Arca Noae believes bare metal installations of OS/2-based operating systems are at much less risk.

Arca Noae’s current strategy

To date, we have not identified a need for a kernel patch to mitigate the risk of any hypothetical Spectre or Meltdown attack against OS/2-based systems. We continue to monitor the available information and will adjust our strategy as conditions require.

Arca Noae’s current recommendations

For virtualized and bare metal installations, Arca Noae recommends only running software obtained from trusted sources. Per standard practice, reasonable security precautions should be taken when accessing the internet, particularly when visiting unfamiliar or untrusted sites, and browser cache should be cleared regularly. The use of a NAT firewall is also encouraged (either a separate one, such as that built into a broadband router, or, at a minimum, a software firewall running on the local OS/2 system, such as InJoy Firewall).

Because a malicious application designed to utilize one of these exploits would have to be downloaded or copied to the target OS/2 system and then executed locally, normal malware protections remain the best first line of defense.

For virtualized installations, Arca Noae recommends applying to the host system whatever patches are made available and recommended by the developer of the host operating system.

Updates

2019-02-14: Security researchers apparently conclude in this whitepaper that Spectre cannot be entirely mitigated at the software level.

2019-10-07: Intel engineers have proposed (official/latest Intel PDF, here) a new memory type, speculative-access protected memory (SAPM), to mitigate a common factor in side-channel attacks which access cache/memory.

Links

Official information

Spectre CVEs:

CVE-2017-5753

CVE-2017-5715

Meltdown CVE:

CVE-2017-5754

Mozilla Security Blog

CERT: CPU hardware vulnerable to side-channel attacks

Intel: Facts about side-channel analysis and Intel products

AMD: An update on AMD processor security

October 2017 happenings

ArcaOS 5.0.2 in the works

We are hard at work finalizing the last bits to be included in ArcaOS 5.0.2. Among the enhancements and features are a few bug fixes, updates to included RPM packages, updated Samba client, and the new ability to install from an ArcaOS bootable USB stick (or local partition). We call this new feature AltBoot, and it is a milestone for OS/2. This should assist those with USB 2.0 capability but no optical drives in getting ArcaOS installed and running.

Arca Noae experimental YUM repository access now restricted

In an effort to better ensure the integrity of packages provided by Arca Noae in our release and subscription channels, we have now restricted access to the arcanoae-exp repository to developers and the test team only.

Rest assured, any software which you may have installed from the experimental repository will continue to function just as it did before. However, we strongly urge that if you have installed the arcanoae-exp RPM to configure the experimental repository in Arca Noae Package Manager (ANPM) or YUM, you uninstall that package. It will be withdrawn from the Netlabs stable repository shortly.

Firefox 45.9 RPM coming soon to an Arca Noae YUM repository near you

Firefox 45.9 GA should be arriving soon for installation via ANPM as part of the subscription content for ArcaOS licensees with active support and maintenance and Drivers & Software subscribers. This new packaging should ease the burden of upgrades by managing dependencies and better ensuring a successful installation. More details will be provided in an upcoming post. (Of course Firefox is free for all to download as zip from Netlabs. There is no requirement to maintain a subscription with Arca Noae in order to get the latest Firefox for OS/2.)

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

ports & more ports

Arca Noae’s support of open source projects: Ports and more by bww bitwise works GmbH

Following our last installment in this series which focused on Arca Noae’s commitment to Firefox development, we thought that pulling back the focus a little to give a broader perspective might be a good idea.

Development of various open source ports by our strategic partner, bww bitwise works, GmbH, enables building Firefox, Thunderbird, SeaMonkey, and many, many other modern and useful applications and components. While the Ports project is hosted at Netlabs, the bulk of the heavy lifting is done by bww bitwise works, with the resulting work product made available free of charge to everyone.

These packages are installable via YUM and RPM at the command line or via the free, easy-to-use, native OS/2 Arca Noae Package Manager (ANPM), straight from the OS/2 desktop.

Similarly, the Samba for OS/2 and OS/2-based systems project allows OS/2 to stay connected to the rest of the world – all for free, and this is just one more example of the great things this team is doing.

Sponsoring this critical work helps to ensure that new releases of Firefox, Thunderbird, SeaMonkey, and other cutting edge technologies are available on OS/2. If you utilize any of these technologies, and wish to see new ports, continuing maintenance for existing ports, or just want to say “thanks,” please visit our store and sponsor them.

Mozilla Firefox

Arca Noae’s support of open source projects: Firefox

Did you know that Arca Noae provides ongoing funding for continued Firefox development and maintenance on the OS/2 platform? Firefox development by our strategic partner, bww bitwise works, GmbH, enables building Thunderbird and SeaMonkey, too, as well as many ancillary components which are used by other programs, so like the space program, there are other technologies which grow out of this work and allow OS/2 users to get more out of their investment.

Sponsoring this important work helps to ensure that new releases of Firefox, Thunderbird, and SeaMonkey are available to all. The Mozilla for OS/2 Project aims to keep relatively close to the official Extended Support Release (ESR) cycle for Firefox as outlined by Mozilla, with additional components released as they are ported and/or developed along the way.


Who’s speaking at Warpstock Europe?

There will be plenty of information on hand at this year’s Warpstock Europe event. Here’s a sampling of what to expect from Arca Noae:

Saturday, David Azarewicz will be presenting on device driver progress and plans for the future (Blue Lion will be a milestone, but not the end of the road, by any means).

Also on Saturday, Lewis Rosenthal will be discussing what to expect in the Blue Lion package. While all of the details have not been set, we have a pretty good idea of what will be included.

Later in the afternoon, Steven Levine will pick up on Arca Noae SNAP. Learn what is coming next for this accelerated video driver.

We will return on Sunday with an update on YUM and RPM and how these technologies play an important role in Blue Lion by Lewis Rosenthal, as well as future plans for the well-received Arca Noae Package Manager.

Arca Noae’s last presentation on Sunday will be from Alex Taylor via Skype, discussing printing and fonts.

Between Arca Noae staff and the other presenters, there should be something for everyone. Arca Noae is the exclusive source for Warpstock Europe tickets. If you haven’t yet purchased your tickets, please visit our store today.


Arca Noae at Warpstock Europe 2016

Arca Noae principals David Azarewicz and Lewis Rosenthal will be on hand at this year’s Warpstock Europe event to discuss some of the great offerings from Arca Noae, including latest driver development and the upcoming Blue Lion release.

Expect more details in the coming days, and be sure to visit the event page for general information and the Arca Noae store to register and purchase your tickets.

Effect of Colorado’s Sales & Use Tax on purchases from Arca Noae

If you are a resident of Colorado, or your business is located in Colorado, a recent Tenth Circuit decision (PDF) concerning the requirement for out-of-state retailers to notify you of your responsibility to report and remit use tax to the State may have caught your eye. The Court has held that this requirement is constitutional and remanded further proceedings to a lower court. (See more, here.)

While it is not Arca Noae’s position to provide any kind of tax advice, we can provide links to various Colorado Department of Revenue documents to help clarify the nature of transactions between Arca Noae and you.

FYI Sales 89 (PDF) defines standardized computer software as:

  • Computer software, including prewritten upgrades that is not designated or developed to the specifications of a specific purchaser.
  • Computer software designed and developed to the specifications of a specific purchaser but then sold to another purchaser.
  • Software that is modified or enhanced even if such modification or enhancement is designed and developed to the specification of a purchaser.

This would generally describe software offerings provided by Arca Noae as available from our online store. Further, the above FYI states:

SALES TAX ON COMPUTER SOFTWARE ON OR AFTER JULY 1, 2012
Computer software will be subject to sales or use tax if it meets all of the following criteria:

  • The software is pre-packaged for repeated sale or license;
  • The use of the software is governed by a tear-open non-negotiable license agreement;
  • The software is delivered to the customer in a tangible medium. Software is not delivered to the customer in a tangible medium if it is provided through an application service provider, delivered by electronic software delivery, or transferred by load and leave software delivery.

Mandatory maintenance agreements. Charges for maintenance agreements that the retailer requires buyers to purchase as part of their purchase of taxable computer software are subject to sales tax, regardless of whether the charge for the maintenance agreement is separately stated on the customer’s invoice or maintenance contract.

Optional maintenance agreements. Charges for maintenance agreements that the buyer has the option to purchase as part of a purchase of taxable computer software are not subject to tax if the maintenance charges are separately stated on the customer’s invoice. […]

Currently, all Arca Noae software and subscription content licensing sold through our online store is delivered by electronic software delivery, only, and not on tangible media. As of this writing, Arca Noae does not ship physical goods anywhere in the world.

Further concerns should be directed toward either the Colorado Department of Revenue or your tax professional.


EU-US Privacy Shield – Status Report

If you are a resident of the European Union and a customer of ours, chances are you have been watching (or at least are aware of) the situation regarding data transfer policy between the EU and the US.

On October 6, 2015, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-US Safe Harbor arrangement, determining that the Commission’s finding that Safe Harbor was adequate was, in fact, inadequate. More on this decision may be found here.

On February 2, the US and the EU reached an agreement in principle to construct a framework to replace Safe Harbor and to reconcile differences between the laws of both governments. That framework has been named the EU-US Privacy Shield. In response to the agreement, the US Department of Commerce released a fact sheet, which we are making available as a pdf, here.

As the new framework promises to have farther reaching implications for how personally identifiable data is handled by third parties, we have contacted both of our current payment processors (Stripe and PayPal) for their comments. While we are still awaiting comment from PayPal, Stripe has responded that they, too, are monitoring the situation, but have not yet made any changes to their policies or procedures, pending more concrete guidance.

We want you to know that we take the privacy concerns of our customers very seriously, and we will continue to monitor this and any other legislation which may have an impact on doing business with us, whether you are located within the US or anywhere in the world. We believe that our current privacy policy remains in accord with the spirit of the new EU-US Privacy Shield as we anticipate it, but we will keep you apprised of the situation and will make adjustments as necessary.

More information and commentary on the EU-US Privacy Shield may be found on these sites:

Digital Media, Technology & Privacy Alert >> Agreement on EU-U.S. Privacy Shield to Replace Safe Harbor Faces Hurdles, Kibel, Gary A, Partner (Digital Media, Technology & Privacy), Davis & Gilbert, LLP, February 4, 2016.

Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement, Tielemans, Jetty and Steinhardt, Ezra (Data Privacy and Cybersecurity group), Covington & Burling LLP, February 2, 2016.

DFSee version 13

Checked your disk lately?

Mysterious boot problems can be caused by a variety of things from failing hardware to software misconfiguration. Besides regular file backups, saving your disk partitioning can be a big help during recovery (or reconstruction onto a new drive). Fixing an odd problem, such as the once-in-a-lifetime file with an impossible character in the name which just won’t delete, is also possible with a good disk tool. Moving to a new disk to gain more space? You’ll need something to carve that room into something useful and transfer your data.

Luckily, we have just the thing: DFSee, the Swiss Army knife of disk utilities. DFSee runs on a variety of platforms, so if you need to boot from “something else” to fix your OS/2 system, you may. (Likewise, you may boot from OS/2 or eCS to fix your other OS.)

DFSee, now at version 13, now has full support for GPT partitioning schemes, compatible with current systems on the market today. It has an amazing array of features, including:

  • View, analyze, edit and fix partition tables
  • Support for GPT partitioning schemes (as mentioned above), including move, copy, and resize
  • Browse, analyze and fix various filesystems
  • Undelete files
  • Replacement for FDISK and LVM (Logical Volume Manager) tools
  • Clone, backup and restore partitions or filesystems
  • Split large images in smaller pieces suitable for burning to CD or DVD
  • Hex editor
  • Scriptable recovery

and, of course, that world-famous support from the developer, Jan van Wijk and Fsys Software.

Bootable media DFSee is installable to a local partition or may be run from a bootable CD or USB stick, which makes it especially handy for real rescue operations.

If you’ve never licensed a copy of DFSee, now is the time to do so. If you have an older version (even a very old version), an upgrade is only a few clicks away, and if you have a license for version 12, we have an even better deal on an upgrade.

Don’t wait until it’s too late. Review the full feature list at DFSee.com, and stop into our store to license your copy today.

Still running mature software? Arca Noae can help

There was some news made recently when Orly Airport in Paris, France suffered some apparent downtime of its Windows 3.1-based DECOR system, which provides Runway Visual Range (RVR) information to pilots. Tech news media was abuzz with ridicule for any enterprise still running what it termed such “antiquated” systems (referring to both DECOR and Windows 3.1, and in several instances referring to Windows XP and “UNIX” as similarly antiquated; see here, here, and here for examples).

Unfortunately, what many of these news outlets don’t understand is that after all of the years in service, it simply may not make economic sense to replace a working system simply because there’s a new OS or application version available (likely with new and unknown flaws and potential pitfalls). Perhaps a newer version of a critical application did away with what is to that customer a must-have feature, or perhaps the application has been orphaned altogether, and nothing else currently available seems to be able to do as efficient a job as what is already in place.

Arca Noae understands the value of these systems. OS/2 still provides “a better DOS than DOS and a better [16-bit] Windows than Windows” due to its preemptive multitasking capabilities and crash protection, so multiple Windows 3.1 and/or DOS sessions may be started and run independently of one another, where a critical application is less likely to be brought down simply because some other application crashed in a different session.

If you have a need to run mature applications on OS/2, Windows 3.1, or DOS, Arca Noae can help extend the life of your investment in those platforms and those applications. Our OS/2 & eCS Drivers and Software package subscription – available now – can assist in running OS/2 or eComStation on newer hardware. Our upcoming OS/2 release, codenamed Blue Lion, is being designed to provide an installable solution to deploy new systems with an updated OS/2, fully capable of handling those mature DOS and Windows 3.1 applications, as well as native OS/2 applications and ported Linux applications on modern hardware or in a virtualized environment.

Perhaps you need expertise in handling such a transition or in maintaining your mature infrastructure. Arca Noae’s experienced engineers and consultants can provide those services, as well, practically anywhere in the world. Need us? Contact us.