Programming

40 years of Turbo Pascal: Memories of the Coding Dinosaur that Revolutionized IDEs (theregister.com) 113

TechSpot remembers that Turbo Pascal "stands out as one of the first instances of an integrated development environment (IDE), providing a text-based interface through which developers could write their code, compile it, and finally link it with runtime libraries." The early IDE, written in Assembly, eschewed the use of floppies, instead building the code directly in RAM for an unprecedented performance boost.

The language demonstrated superior speed, greater convenience, and a more affordable price compared to its competition. Philippe Kahn, Borland's CEO who initially conceptualized turning the new language into an all-in-one product, decided to sell the software via mail orders for just $49.95, establishing a market presence for the then-newly founded company.

It was called "Turbo" because its use of RAM made it considerably faster, adds the Register: Anders Hejlsberg, who would later go on to join Microsoft as part of the C# project, is widely credited as creator of the language, with Borland boss Philippe Kahn identifying the need for the all-in-one tool...

Version 1 had limitations. Source code files, for example, were limited to 64 KB. It would only produce .COM executable files for DOS and CP/M — although other architectures and operating systems were supported. It would also run from a single floppy disk, saving users from endless swapping in a world where single drives were the norm and a hard disk seemed impossibly exotic — and expensive... However, it was with version 4, in 1987, that Turbo Pascal changed dramatically. For one, support for CP/M and CP/M-86 was dropped, and the compiler would generate .EXE executables under DOS, lifting the .COM restrictions...

For this writer, 1989's version 5.5 was peak Turbo Pascal. Object-oriented programming features turned up, including classes and inheritance, and a step-by-step debugger. Version 6 and 7 brought in inline assembly and support for the creation of Windows executables and DLLs respectively, but version 7 also marked the end of the line as far as Borland was concerned. Turbo Pascal for Windows would turn up, but was eventually superseded by Delphi.

However, the steamroller of tools such as Visual Basic 3 ensured that Borland never had the same success in Windows that it enjoyed under DOS. As for Turbo Pascal, several versions were eventually released by Borland as freeware including version 1 for DOS, 5.5, and 7.

I once took a computer programming course taught entirely in Pascal. (Functions, subroutines, and procedures...)

Any Slashdot readers have their own memories to share about Pascal?

Programming

Go Programmers Surveyed: Most Use Linux or MacOS (go.dev) 29

The Go team conducted a survey of Go Developers in August — and has just released the results. Among the findings: "90% of survey respondents saying they felt satisfied while working with Go during the prior year," while 6% said they were dissatisfied. Further, the number of people working with Go continues to increase; we see evidence of this from external research like Stack Overflow's Developer Survey (which found 14% of professional developers worked with Go during the past year, a roughly 15% year-over-year increase), as well as analytics for go.dev (which show an 8% rise in visitors year-over-year). Combining this growth with a high satisfaction score is evidence that Go continues to appeal to developers, and suggests that many developers who choose to learn the language feel good about their decision long afterwards...

As in prior years, the majority of survey respondents told us they work with Go on Linux (63%) and macOS (58%) systems... We do continue to see that newer members of the Go community are more likely to be working with Windows than more experienced Go developers. We interpret this as a signal that Windows-based development is important for onboarding new developers to the Go ecosystem, and is a topic our team hopes to focus on more in 2024...

While x86-compatible systems still account for the majority of development (89%), ARM64 is also now used by a majority of respondents (56%). This adoption appears to be partly driven by Apple Silicon; macOS developers are now more likely to say they develop for ARM64 than for x86-based architectures (76% vs. 71%). However, Apple hardware isn't the only factor driving ARM64 adoption: among respondents who don't develop on macOS at all, 29% still say they develop for ARM64.

The most-preferred code editors among the surveyed Go programmers were VS Code (44%), GoLand (31%), Vim/Neovim (16%), and Emacs (3%). 52% of the survey's respondents actually selected "very satisfied" for their feelings about Go — the highest possible rating.

Other interesting findings:
  • "The top requests for improving toolchain warnings and errors were to make the messages more comprehensible and actionable; this sentiment was shared by developers of all experience levels, but was particularly strong among newer Go developers."
  • "Three out of every four respondents work on Go software that also uses cloud services; this is evidence that developers see Go as a language for modern, cloud-based development."
  • The experimental gonew tool (which offers predefined templates for instantiating new Go projects) "appears to solve critical problems for Go developers (especially developers new to Go) and does so in a way that matches their existing workflows for starting a new project. Based on these findings, we believe gonew can substantially reduce onboarding barriers for new Go developers and ease adoption of Go in organizations."
  • And when it comes to AI, "Go developers said they are more interested in AI/ML tooling that improves the quality, reliability, and performance of code they write, rather than writing code for them."

Windows

Notepad On Windows 11 Is Finally Getting a Character Count (theverge.com) 47

Microsoft's Notepad app on Windows 11 is getting a character count at the bottom of the window. "When text is selected, the status bar shows the character count for both the selected text and the entire document," explains Microsoft's Windows Insider team in a blog post. "If no text is selected, the character count for the entire document is displayed, ensuring you always have a clear view of your document's length." The Verge reports: This is the latest addition in a line of changes to Notepad this year, with the app recently getting a new autosave option that lets you close it without seeing the pop-up save prompt every time. Microsoft has also added tabs to Notepad, a dark mode, and even a virtual fidget spinner.

Alongside the Notepad changes in this latest Windows 11 test build, the widgets section of the OS is also getting some improvements. You'll soon be able to just show widgets and hide the feed of news and articles that appear inside the widgets screen.

Linux

New systemd Update Will Bring Windows' Infamous Blue Screen of Death To Linux (arstechnica.com) 154

An anonymous reader quotes a report from Ars Technica: Windows' infamous "Blue Screen of Death" is a bit of a punchline. People have made a hobby of spotting them out in the wild, and in some circles, they remain a byword for the supposed flakiness and instability of PCs. To this day, networked PCs in macOS are represented by beige CRT monitors displaying a BSOD. But the BSOD is supposed to be a diagnostic tool, an informational screen that technicians can use to begin homing in on the problem that caused the crash in the first place; that old Windows' BSOD error codes were often so broad and vague as to be useless doesn't make the idea a bad one. Today, version 255 of the Linux systemd project honors that original intent by adding a systemd-bsod component that generates a full-screen display of some error messages when a Linux system crashes.

The systemd-bsod component is currently listed as "experimental" and "subject to change." But the functionality is simple: any logged error message that reaches the LOG_EMERG level will be displayed full-screen to allow people to take a photo or write it down. Phoronix reports that, as with BSODs in modern Windows, the Linux version will also generate a QR code to make it easier to look up information on your phone.

Microsoft

Microsoft Readies 'Groundbreaking' AI-focused Windows Release 69

What's next for Windows? Microsoft plans next-gen Windows AI release in 2024, plus details on recent changes to the Windows roadmap. From a report: According to my sources, the new Windows bosses are now returning to an annual release cycle for major versions of the Windows platform, meaning Windows is going back to having just one big feature update a year instead of multiple smaller ones throughout. Microsoft may still use Moment updates sparingly, but they will no longer be the primary delivery vehicle for new features going forward.

These changes are said to take effect after Hudson Valley launches in 2024, so I'm still expecting at least one more Moment update for the current version of Windows 11, which sources say will ship in the February or March time frame early next year. [...] According to my sources, Microsoft's blockbuster new feature will be the introduction of an AI-powered Windows Shell, enhanced with an "advanced Copilot," that's able to constantly work in the background to enhance search, jumpstart projects or workflows, understand context, and much more.

Sources say these AI features will be "groundbreaking." The company is working on a new history/timeline feature that will let users scroll back in time through all the apps and websites that Copilot has remembered, which can be filtered based on a user's specific search criteria. For example, you could type "FY24 earnings" and every instance where that term was on-screen will reappear for you to see and open. AI will also enhance search in Windows, with the ability to use natural language to find things that you've previously opened or seen on your PC.

Bug

Nearly Every Windows and Linux Device Vulnerable To New LogoFAIL Firmware Attack (arstechnica.com) 69

"Researchers have identified a large number of bugs to do with the processing of images at boot time," writes longtime Slashdot reader jd. "This allows malicious code to be installed undetectably (since the image doesn't have to pass any validation checks) by appending it to the image. None of the current secure boot mechanisms are capable of blocking the attack." Ars Technica reports: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year's worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware. The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs. The researchers unveiled the attack on Wednesday at the Black Hat Security Conference in London.

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment. "Once arbitrary code execution is achieved during the DXE phase, it's game over for platform security," researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. "From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started." From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started. The following video demonstrates a proof-of-concept exploit created by the researchers. The infected device -- a Gen 2 Lenovo ThinkCentre M70s running an 11th-Gen Intel Core with a UEFI released in June -- runs standard firmware defenses, including Secure Boot and Intel Boot Guard.

LogoFAIL vulnerabilities are tracked under the following designations: CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238. However, this list is currently incomplete.

"A non-exhaustive list of companies releasing advisories includes AMI (PDF), Insyde, Phoenix, and Lenovo," reports Ars. "People who want to know if a specific device is vulnerable should check with the manufacturer."

"The best way to prevent LogoFAIL attacks is to install the UEFI security updates that are being released as part of Wednesday's coordinated disclosure process. Those patches will be distributed by the manufacturer of the device or the motherboard running inside the device. It's also a good idea, when possible, to configure UEFIs to use multiple layers of defenses. Besides Secure Boot, this includes both Intel Boot Guard and, when available, Intel BIOS Guard. There are similar additional defenses available for devices running AMD or ARM CPUs."

Open Source

Veteran Editors Notepad++ and Geany Hit Milestone Versions (theregister.com) 21

Liam Proven reports via The Register: One of the best FOSS text editors for Windows, Notepad++, is turning 20, while cross platform Geany just hit version 2.0 as it turns 18 years old. Notepad++'s version 8.6 is the twentieth anniversary release of one of the go-to FOSS text editors for Windows. [...] If you use an Arm-powered Windows machine, such as the ThinkPad X13S, there is now a native Arm64 version. It still supports x86-32 as well, and there are portable versions which work without being installed locally -- handy if you don't have admin rights. There is even a usefully recent version for Windows XP if you are still using that geriatric OS. This release adds multi-select, allowing you to manipulate multiple instances of the same text at once, which looks confusing but very powerful.

It is a staple on all of the Reg FOSS desk's Windows partitions, thanks to its inclusion in the essential Windows post-install setup tool Ninite. Ninite will install -- and update -- a whole swath of FOSS and freeware tools for Windows, making setup of a new machine doable in just a couple of clicks. And if you keep the Ninite installer file around, you can re-run it later and it will update everything it installed first time around. Ninite does offer other programmers' editors, such as Eclipse and Microsoft Visual Studio Code -- but they are behemoths by comparison. VSCode is implemented as an Electron app, meaning that it's huge, embeds an entire copy of Chromium, and scoffs RAM like it's going out of fashion. Notepad++ is a native Win32 app, making it tiny and fast: the download is less than 5MB, one twentieth the size of VSCode.

Sluggish, bloated editors are not just a problem on Windows. Gargantuan Electron apps are distressingly prevalent on Linux and macOS as well. This vulture is guilty of using some, and even recommending them -- because some of them can do things that nothing else can. That's not true in the case of plain text editors, though. You don't have to put up with apps that take a good fraction of a gigabyte for this. Geany is a good example. It straddles the line between a text editor and an IDE: it can manage multi-project files, automatically call out to compilers and suchlike, and parse their output to highlight errors. We last mentioned it nearly a decade ago but the project recently reached voting age -- at least for humans -- and after this milestone in maturity its developers called the latest release version 2.0. It has better support for dark mode, a new tree view in its sidebar, adds a bunch of new supported file types, and can detect if the user changes the type of a file and re-do its syntax highlighting to match.

Windows

Windows 10 Gets Three More Years of Security Updates, If You Can Afford Them (arstechnica.com) 80

An anonymous reader quotes a report from Ars Technica: Windows 10's end-of-support date is October 14, 2025. That's the day that most Windows 10 PCs will receive their last security update and the date when most people should find a way to move to Windows 11 to ensure that they stay secure. As it has done for other stubbornly popular versions of Windows, though, Microsoft is offering a reprieve for those who want or need to stay on Windows 10: three additional years of security updates, provided to those who can pay for the Extended Security Updates (ESU) program.

The initial announcement, written by Windows Servicing and Delivery Principal Product Manager Jason Leznek, spends most of its time encouraging users and businesses to upgrade to Windows 11 rather than staying on 10, either by updating their current computers, upgrading to new PCs or transitioning to a Windows 365 cloud-based PC instead. But when Leznek does get to the announcement of the ESU program, the details are broadly similar to the program Microsoft offered for Windows 7 a few years ago: three additional years of monthly security updates and technical support, paid for one year at a time. The company told us that "pricing will be provided at a later date," but for the Windows 7 version of the ESU program, Microsoft upped the cost of the program each year to encourage people to upgrade to a newer Windows version before they absolutely had to; the cost was also per-seat, so what you paid was proportional to the number of PCs you needed updates for.

One difference this time is that Microsoft told us it would be offering Windows 10 ESU updates to individuals, though the company didn't offer particulars. More details should be available on Windows 10's lifecycle support page soon. Leznek reiterated that Windows 10 22H2 would be the final version of Windows 10 and that the operating system would not receive any additional features during the ESU period.

Bug

A Windows Update Bug Is Renaming Everyone's Printers To HP M101-M106 (xda-developers.com) 55

An anonymous reader quotes a report from XDA Developers: A few days ago, we spotted that the HP Smart App was being installed on people's PCs without their consent. Even worse, the app would reappear if users tried to uninstall it or clean-installed Windows. Now, the cause has finally been identified: a recent Windows 10 and 11 update is renaming everyone's printers to "HP LaserJet M101-M106" regardless of what model it actually is. As reported on Windows Latest, the latest update for Windows 10 and 11 seems to think that people's printers are an HP LaserJet model, regardless of their actual brand. It's believed that the bug appeared after HP pushed its latest metadata to Windows Update, but something went awry in the code and caused other printers to be labeled as HP LaserJet printers.

This explains why the HP Smart App has been sneaking onto people's computers without their consent. A key part of Windows Update is keeping third-party drivers and devices updated, including downloading any apps that the devices depend on. After the printer metadata incorrectly identified everyone's printers as HP LaserJet printers, Windows installed all the software needed for an HP printer to work smoothly, including the HP Smart App. Fortunately, the bug only affects the metadata for the printer. While the printer may show up with a different name on your system, you should still be able to send print jobs to it. Microsoft has since removed the faulty metadata from Windows Update, so anyone performing a clean install from now on should get their original printer's name back and stop the HP Smart App from re-downloading.

Further reading: HP Exec Says Quiet Part Out Loud When It Comes To Locking in Print Customers

Open Source

NotePad++ 20th Anniversary Edition Includes New 'Multi-Edit' Feature (notepad-plus-plus.org) 56

The free open-source text editor Notepad++ is celebrating its 20th anniversary, the blog OMG! Ubuntu reported this week, "with a new release filled with some neat new features." In Notepad++ 8.6 (the 238th release since 2003, for those keeping count) the Windows-based code tool [which can also be used on Linux] adds to its extensive feature set with an improved multi-edit feature.

A few 3rd-party Notepad++ plugins have offered similar functionality for a while, including BetterMultiSelection. And a bug report requesting the ability to "transform the column mode to multi-caret on HOME/END/Arrow keys" led to this native addition.

Their blog post includes an animated GIF of Notepad++ multi-edit in action.

"You can install Notepad++ on Ubuntu straight from the Ubuntu Software/App Center app (it's a Snap Store). Alternatively, install the Windows build via WINE/CrossOver or, if you got the l33t skillz, build it by hand, from source."

HP

HP Printer Software Turns Up Uninvited on Windows Systems 51

Windows users are reporting that Hewlett Packard's HP Smart application is appearing on their systems, despite them not having any of the company's hardware attached. From a report: While Microsoft has remained tight-lipped on what is happening, folks on various social media platforms noted the app's appearance, which seems to afflict both Windows 10 and Windows 11. The Windows Update mechanism is used to deploy third-party applications and drivers as well as Microsoft's updates, and we'd bet someone somewhere has accidentally checked the wrong box.

Up to now, the response from affected users has been one of confusion. One noted on Reddit: "I thought that was just me. I didn't install it, it just appeared on new apps in start menu out of nowhere." Another said: "I just checked and I had it installed too. Checking the event log for the Microsoft Store shows that it installed earlier today, but I definitely did [not] request or initiate it because I do not have any devices from HP." And, of course, there was the inevitable: "Would it be that hard for Microsoft to just provide an operating system without needless bloat?" To be clear, not all users are affected.

Android

Microsoft Phone Link May Soon Let You Use Your Android Phone As a Webcam (androidauthority.com) 35

Microsoft Phone Link, previously known as Microsoft Your Phone, lets you control your Android phone from your computer. Now, the company appears to be working on letting you use your Android phone as a webcam with Windows computers, similar to how you can use your iPhone as a webcam on Mac. Android Authority reports: Microsoft's Link to Windows v1.23102.190.0 for Android app includes code that suggests that the company is working on letting your Android phone provide a video stream to your Windows PC. This would effectively allow it to be used as a webcam. [...] These strings indicate that once Microsoft's Phone Link app is working on both connected devices, users would be able to start a camera stream that lets their phone's camera be available to their Windows PC. The strings do not explicitly mention "webcam," but other clues indicate that the feature would be related to video calls in some ways.

Phone Link can already access your camera and video conferencing apps, but this is just mirroring apps running on your phone. What you see on your phone screen is what you see on the computer. If you record a video, it gets saved to your phone as typical video recordings do. With the new functionality spotted above, Phone Link could potentially compete against Apple's Continuity Camera features. With Continuity Camera, users can mount their iPhone to their Mac and then use the iPhone's camera and microphone for FaceTime or other camera apps.

Transportation

Traffic Pollution Can Cause Rise In Blood Pressure, Study Finds (theguardian.com) 22

An anonymous reader quotes a report from The Guardian: Air pollution from traffic can cause a significant rise in blood pressure that can last up to 24 hours, according to a study via the University of Washington. The spike is comparable to the effect of a high-sodium diet and can contribute to cardiovascular problems. Long-term exposure to vehicle exhaust has been widely linked with respiratory problems such as asthma, especially in children. "Traffic air pollution increases blood pressure within an hour of being in traffic and it stays elevated a day later," said author of the study Joel Kaufman, a physician and professor of environmental and occupational health sciences at the University of Washington.

Sixteen healthy people between the ages of 22 and 45 underwent three separate drives as passengers through Seattle rush hour. Two of those drives were "unfiltered," meaning the road air was allowed to enter the car, as is the case for many drivers on the road today. On the third drive, a Hepa (high efficiency particulate absorbing) filter was installed in the car, with participants unaware which drive had filtration. The researchers measured the blood pressure of the passengers before, during and after the two-hour drive. Breathing unfiltered air resulted in blood pressure increase of more than 4.5mm Hg (millimeters of mercury) compared to filtered air. Most of the pollution came from tailpipe exhaust or the fossil fuel combustion, as well as brake and tire wear. The filters were most effective in reducing ultrafine particles (86% decrease), black carbon, which is mostly from diesel (86%), and PM2.5 (60%) while gasses like carbon dioxide and nitrogen oxide were unaffected.

"The clue here is that these tiniest particles are probably what's responsible for blood pressure difference," Kaufman said.

"If you live in an area that has heavy traffic-related air pollution, you want to keep your windows closed and have air filtration capability in your home."

Programming

BBC BASIC Is Back In a Big Way (hackaday.com) 134

An anonymous reader quotes a report from Hackaday: The BBC has a long history of teaching the world about computers. The broadcaster's name was proudly displayed on the BBC Micro, and BBC Basic was the programming language developed especially for that computer. Now, BBC Basic is back and running on a whole mess of modern platforms. BBC Basic for SDL 2.0 will run on Windows, MacOS, x86 Linux, and even Raspberry Pi OS, Android, and iOS. Desktop versions of the programming environment feature a BASIC editor that has syntax coloring for ease of use, along with luxury features like search and replace that weren't always available at the dawn of the microcomputer era. Meanwhile, the smartphone versions feature a simplified interface designed to work better in a touchscreen environment.

It's weird to see, but BBC Basic can actually do some interesting stuff given the power of modern hardware. It can address up to 256 MB of memory, and work with far more advanced graphical assets than would ever have been possible on the original BBC Micro. If you honed your programming skills on that old metal, you might be impressed with what they can achieve with BBC Basic in a new, more powerful context.

Windows

Samsung Expands In-house Web Browser To Windows (sammobile.com) 39

An anonymous reader shares a report: The biggest benefit Samsung Internet on a desktop operating system will provide is the syncing of browsing data between your phone and PC, the lack of which has prevented many users from using Samsung Internet as their primary browser app on their phones and tablets. Unfortunately, Samsung hasn't yet implemented full-fledged sync support on Samsung Internet for Windows. While you can log in with your Samsung account, only browsing history, bookmarks, saved pages and open tabs can be synced at this time. Password syncing is not available, which hopefully won't remain the case for long.

The first time you run Samsung Internet on Windows, you can import browsing history, bookmarks/favorites, and search engines from other browsers, including Google Chrome and Microsoft Edge. You can also import bookmarks using an HTML file. As for other features, Samsung Internet on Windows has ad blocker support, a secret (incognito) mode, extension support, light and dark mode themes, and a few others. Since Samsung Internet is based on the open-source Chromium project like Chrome and Microsoft Edge, it should support extensions and add-ons that work on those browsers.

It's funny.  Laugh.

Microsoft's Ugly Sweater For 2023 is Windows XP's Iconic Default Wallpaper (arstechnica.com) 36

Microsoft is returning to the Bliss hill once again with this year's entry in its now-traditional ugly retro-computing sweater series. From a report: Blue hemming at the bottom and on the sleeves evokes Windows XP's bright-blue taskbar, and in case people don't immediately recognize Bliss as "a computer thing," there's also a giant mouse pointer hovering over it. The sweater is available from size small up to a 3XL, and costs $70 regardless of which version you buy. All sizes are currently expected to arrive sometime between December 2 and 6.

Security

Researchers Figure Out How To Bypass Fingerprint Readers In Most Windows PCs (arstechnica.com) 25

An anonymous reader quotes a report from Ars Technica: [L]ast week, researchers at Blackwing Intelligence published an extensive document showing how they had managed to work around some of the most popular fingerprint sensors used in Windows PCs. Security researchers Jesse D'Aguanno and Timo Teras write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft's own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we've reviewed in the last few years. It's likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

Blackwing's post on the vulnerability is also a good overview of exactly how fingerprint sensors in a modern PC work. Most Windows Hello-compatible fingerprint readers use "match on chip" sensors, meaning that the sensor has its own processors and storage that perform all fingerprint scanning and matching independently without relying on the host PC's hardware. This ensures that fingerprint data can't be accessed or extracted if the host PC is compromised. If you're familiar with Apple's terminology, this is basically the way its Secure Enclave is set up. Communication between the fingerprint sensor and the rest of the system is supposed to be handled by the Secure Device Connection Protocol (SCDP). This is a Microsoft-developed protocol that is meant to verify that fingerprint sensors are trustworthy and uncompromised, and to encrypt traffic between the fingerprint sensor and the rest of the PC.

Each fingerprint sensor was ultimately defeated by a different weakness. The Dell laptop's Goodix fingerprint sensor implemented SCDP properly in Windows but used no such protections in Linux. Connecting the fingerprint sensor to a Raspberry Pi 4, the team was able to exploit the Linux support plus "poor code quality" to enroll a new fingerprint that would allow entry into a Windows account. As for the Synaptic and ELAN fingerprint readers used by Lenovo and Microsoft (respectively), the main issue is that both sensors supported SCDP but that it wasn't actually enabled. Synaptic's touchpad used a custom TLS implementation for communication that the Blackwing team was able to exploit, while the Surface fingerprint reader used cleartext communication over USB for communication. "In fact, any USB device can claim to be the ELAN sensor (by spoofing its VID/PID) and simply claim that an authorized user is logging in," wrote D'Aguanno and Teras.
"Though all of these exploits ultimately require physical access to a device and an attacker who is determined to break into your specific laptop, the wide variety of possible exploits means that there's no single fix that can address all of these issues, even if laptop manufacturers are motivated to implement them," concludes Ars.

Blackwing recommends all Windows Hello fingerprint sensors enable SDCP, the protocol Microsoft developed to try to prevent this exploit. PC makers should also "have a qualified expert third party audit [their] implementation" to improve code quality and security.
HP

HP Chief Throws About AI Fairy Dust in Hopes of Reviving Slumbering PC Giant (theregister.com) 45

HP CEO Enrique Lores is betting a sprinkle of AI dust can regenerate the flagging PC market -- and with shipments still in decline across the industry, he can't afford to tease Wall Street. From a report: The world's second largest seller of desktop computing hardware has reported a 15 percent year-on-year decline in revenue to $53.7 billion for fiscal 2023 ended 31 October. Profit before tax was $2.93 billion versus $4.32 billion in the prior year.

[...] Orders picked up in recent months. Analyst data indicates the rate of decline is slowing after resellers began clearing inventory they'd amassed in the latter stage of the pandemic, when the frenzied buying patterns seen in prior years vanished. For Q4, HP reported revenue of $13.8 billion, down 6.5 percent year-on-year. Personal Systems was down 8 percent to $9.4 billion and Printing was down 3 percent to $4.4 billion. Profit before tax was $852 million, better than the $647 million brought in a year earlier, helped by a reduction in structural costs. HP expects business PC refresh cycles to kick in next year, with more corporate customers shifting their estate to Windows 11 -- yet it is the advent of the AI PC that Lores thinks signals better times.

Microsoft

Microsoft's Windows Hello Fingerprint Authentication Has Been Bypassed (theverge.com) 53

Microsoft's Windows Hello fingerprint authentication has been bypassed on laptops from Dell, Lenovo, and even Microsoft. From a report: Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in the top three fingerprint sensors that are embedded into laptops and used widely by businesses to secure laptops with Windows Hello fingerprint authentication. Microsoft's Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft's BlueHat conference in October.

The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack. Such an attack could provide access to a stolen laptop, or even an "evil maid" attack on an unattended device. A Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X all fell victim to fingerprint reader attacks, allowing the researchers to bypass the Windows Hello protection as long as someone was previously using fingerprint authentication on a device. Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor. The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.

Firefox

Firefox 120 Ready With Global Privacy Control, WebAssembly GC On By Default (phoronix.com) 32

Firefox 120 will be available tomorrow, bringing support for the Global Privacy Control "Sec-GPC" request header to indicate whether a user consents to a website or service selling or sharing their personal information with third parties. It's also enabling the WebAssembly GC extension by default, opening up new languages like Dart and Kotlin to run in the browser. Phoronix's Michael Larabel highlights some of the other features included in this release:
- Ubuntu Linux users now have the ability to import data from Chromium when both are installed as Snap packages.
- Picture-in-Picture mode now supports corner snapping on Windows and Linux.
- Support for the light-dark() CSS color function that allows setting of colors for both light and dark without needing to use the prefers-color-scheme media feature. This allows conveniently specifying the preferred light color theme value followed by the dark color theme value.
- CSS support for the lh and rlh line height units.
