RISC OS Open Ltd (ROOL) are hugely proud to announce that we will be working with RISC OS Developments (ROD), following their recent acquisition of the RISC OS intellectual property through the purchase of Castle Technology Ltd (Castle), in the next phase of the mission to reinvigorate the RISC OS market.
ROD will be working alongside community maintainers ROOL to republish the source code to this popular niche operating system under the Apache 2.0 License, in a move aimed at removing existing barriers to entry for developers from the open source community and enabling free-of-charge use in commercial products for the first time in RISC OS’s history.
Great news for the RISC OS community, and I hope this ensures RISC OS will remain available to play and hack with for years and years to come.
FWIW, the previous license was an interesting one – copyleft, non-commercial, with an automatic unlimited license of any derivative works back to Castle (so you could fork, but Castle could get your fork’s work and incorporate it into their tree and sell it commercially).
Not open source, but not closed either.
How long until it’s cross-platform, running on a 32-bit PC or an Amiga? Does anyone have an idea how much work would be involved to port RiscOS to other, non-ARM hardware architectures?
Depends a lot on the modularity of the OS. The MMU is certainly the most time-consuming, followed by device drivers, and here GFX is certainly the most challenging one.
But how long …
I’d expect it to be a lot of work. I’ve not done much development on RISC OS for a long time, so things may have changed (and there are no doubt people round here who know much better than I do), but large swathes of RISC OS are written in ARM assembly language. Getting this compiled for another architecture would presumably require a lot of work. Here’s a random piece of source I picked out from the Filer, for example: https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Desktop…
On top of that, if I understand correctly this news is more about a change in licensing than source availability. It’s been possible to build a complete RISC OS image from source for years already. This just moves it from a shared source licence to an open source licence.
As a long-time and historical user of RISC OS, I’m really pleased to see the code go fully open source.
I know enough about ARM and RISC OS to believe that, given that RISC OS leans heavily on the SWI mechanism provided by the ARM CPU architecture, it would likely be very hard indeed to port to a different architecture.
From what I understand additionally a great deal of RISC OS is written in assembler, and that too would create some serious barriers to porting.
The obvious question is what would the value be?
A port to a different CPU architecture would not allow any existing software to run. Many original RISC OS applications relied heavily on ARM code for performance (such as Impression, Xara, Sibelius) – even if their source code were available they could not be re-compiled to run on a different architecture without extensive rewrites. Even BBC BASIC would be problematic – after all what does one do about the inbuilt assembler?
Hi folks.
Today I received a spam-mail to the email-address I use only for osnews.
I have received the same spam to my public addresses several times, so no news there…
The interesting thing is that this mail included not only the email-address I use here, but also the password I use exclusively for this site.
I’m used to someone else getting a hold of the email-address I use for osnews (it happened 3-4 times already), but the password?
Thom, are they stored in the clear here?!?!?
I don’t know anything about the technical aspects of the site – I contacted those who do about your comment – but I know our passwords are properly hashed and all that – as far as I know, there is literally no way for anyone to figure out your password based on the hashes we store.
But again – I know nothing of this stuff. As said, I’ve immediately contacted the people responsible for the code and DB, and they’ll know more.
It’s probably not OSAlert that got exploited, but another site that got exploited and the attacker is banking on password reuse to scare people. I got a similar email about my SDF account, but the password didn’t match, since I use a different password for accounts I don’t particularly care about.
I got the same emails. The “passwords” the hacker indicated were keywords available in my many online profiles & were stale/inaccurate. Contacted my mail server’s admin at my hosting (small rural ISP). My server was clean, but we were both puzzled. A lot of these ransom-phishes are going around; verbatim. Just dunno. I wonder how many “Fish” actually pay this cretin. Obviously, the “passwords”, though inaccurate in my case, were harvested somehow!? Anybody else experienced this? Bottom line: it’s NOT OS News site.
jholton,
It’s hard to know if it is or not without a thorough investigation. If osnews were compromised, I’d sort of expect more people to be reporting these emails, and I didn’t see one. But attackers might not necessarily blast out the emails to everyone, that would actually prompt a quicker response from sysadmins who are still in “wait and see” mode.
Many attacks I’ve seen hijack CRM functionality to upload a PHP file that escalates their access to the server. These typically show up searching for modified files “find -mtime -30”. Also, these are often self encrypted using cryptic php eval statements, which is rarely used in legitimate code “grep -ri eval”.
Another kind of attack is SQL injection, which doesn’t require separate PHP files, but often leaves traces as unexpected query strings used to modify the SQL statements. Searching logs for “union” or “select” could lead to clues.
Some attackers have tools that scan for vulnerabilities, their activity gets recorded by many 404 errors in the logs for administrative links that never existed. I see these attempts all the time.
Has anyone here setup a honey pot or tripwire? It’s something I’ve wanted to try, but haven’t done it yet.
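The log checks described in the comment above (query strings carrying SQL keywords, and bursts of 404s against admin paths that never existed), as an added Python example that is not part of the original thread; the log lines are constructed samples and the regexes and threshold are assumptions:

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2018:17:02:11 +0000] "GET /story.php?id=42 HTTP/1.1" 200 5120
203.0.113.9 - - [23/Oct/2018:17:02:15 +0000] "GET /story.php?id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120
203.0.113.9 - - [23/Oct/2018:17:02:18 +0000] "GET /story.php?id=42'+or+1=1-- HTTP/1.1" 500 230
198.51.100.7 - - [23/Oct/2018:17:03:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 210
198.51.100.7 - - [23/Oct/2018:17:03:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.7 - - [23/Oct/2018:17:03:03 +0000] "GET /administrator/ HTTP/1.1" 404 210
203.0.113.5 - - [23/Oct/2018:17:04:00 +0000] "GET /comments.php?select=newest HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Only flag SQL keywords that look like injected SQL (a tautology, a comment
# terminator, or two keywords together), so a parameter merely named "select" passes.
SQLI_RE = re.compile(r"(union\s+select|select\s+.+\s+from|'\s*or\s+\d+=\d+|--\s*$)", re.IGNORECASE)
ADMIN_PATHS = ("/wp-admin", "/phpmyadmin", "/administrator", "/admin")  # assumed watch-list

def parse(line):
    """Return the ip/method/path/status fields of one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_sqli(log_text):
    """List (ip, decoded query string) for requests whose query string looks like SQL."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or "?" not in rec["path"]:
            continue
        query = unquote_plus(rec["path"].split("?", 1)[1])  # undo %20 / + encoding first
        if SQLI_RE.search(query):
            hits.append((rec["ip"], query))
    return hits

def admin_404_scanners(log_text, threshold=3):
    """Map ip -> count of 404s on admin-style paths, keeping only ips at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["status"] == "404" and rec["path"].startswith(ADMIN_PATHS):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run over a real access log, `find_sqli` points at the requests worth reading in full, and `admin_404_scanners` surfaces the vulnerability scanners the comment mentions.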
I kind of doubt it’s an osnews leak, it’s also possible you have a virus recording keystrokes and/or you are mistaken and the email/password has been used on a different compromised system.
Similar scams have been increasing in popularity recently.
https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-…
See https://www.reddit.com/r/Scams/comments/8gsjba/the_blackmail_email_s… It’s just a scam email.
You have malware on your computer. There is a possibility that all your accounts are compromised. Since it is unknown which of your devices are affected, you may want to check all your devices for malware.
You’re not alone and it’s not just OSAlert affected,
see here: https://amigaworld.net/modules/newbb/viewtopic.php?topic_id=42863&fo…
It’s quite possible also your router is compromised with one of the latest hacks, they are quite sophisticated and take a factory reset of the router to get rid. Info on such hacks is plentiful around the net.
Which also drives home the fact that osnews doesn’t force https, which means that passwords may as well be stored in plaintext.
What? How does that follow?
I’ve come across this multiple times with customers now; it’s not likely to be the exact site in question that’s been compromised, but rather a mass mail that uses passwords stolen from other breaches and makes the assumption that it’s the right password — after all those who would react to the mail are instances where it looks more legitimate because it happened to guess right.
I doubt OSAlert has failed here, I’ve seen the code and DB and know that the passwords are hashed.
Unfortunately, not much you can do but go around changing passwords.
Kroc,
That’s true, but if the original exploit isn’t corrected, then chances are the new password will remain just as vulnerable as the old one.
Edited 2018-10-23 17:02 UTC
I went to gromweb and was astonished. But it is a hoax. It is obvious it cheats!
*Anything* where the hash is obtained in that page can be immediately dehashed. But if you generate the SHA1 hash anywhere else, then it fails. For instance, generate the hash for something like ‘aNameALastname’ (not super common – I tried with ‘ArmandoMurga’) in sha1-online.com; copy the result into gromweb, and most likely it will fail to be reversed. Now generate the hash in gromweb (the result should be the same), and sure enough, it is unhashed immediately.
Not saying SHA1 is safe, but gromweb is crap. Oh, don’t do it with anything like real passwords you use.
Lobotomik,
Maybe it should be explained better, but it’s not a hoax. You are right they use the submitted values to populate the database, but this is how reverse hash dictionaries work, they’re not able to reverse a hash until the forward hash is computed.
I merely linked it to be illustrative since the database concept is easy to understand and it’s useful for looking up common plain text values. Dedicated hash cracking software use something more sophisticated called rainbow tables, which is conceptually similar to the database but uses a very clever algorithm to compress very long chains of reverse hashes into a highly compact format.
http://kestas.kuliukas.com/RainbowTables/
Gromweb only has 135 million entries, but brute forced rainbow tables can be much larger than that. I’ve found some publicly available datasets containing 13,759 trillion reverse hash entries, which easily fit on a terabyte hard drive…
https://freerainbowtables.com/
http://kestas.kuliukas.com/RainbowTables/
I suspect the NSA’s rainbow tables would blow our minds with their $10B/year operation.
Anyways, to get back on point, websites that don’t use salted hashes are at risk of having lots of accounts compromised by reverse hashing be it by database or rainbow tables. Salt won’t stop brute forcing, but it does impede the use of a precomputed database to lookup the plaintext values.
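The reverse-hash dictionary described in the two comments above (a table that can only reverse hashes it has already computed forward) and the effect of a per-user salt on it, as an added Python example that is not part of the original thread; the wordlist is a constructed stand-in for a precomputed database:

```python
import hashlib
import os

# Constructed wordlist standing in for a precomputed reverse-hash database.
WORDLIST = ["password", "letmein", "qwerty", "osnews2018", "ArmandoMurga"]

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_reverse_table(words):
    """Forward-hash every word once; this hash -> plaintext map is the 'dictionary'."""
    return {sha1_hex(w.encode()): w for w in words}

def lookup(table, digest):
    """Reverse an unsalted hash by plain lookup; None if it was never computed forward."""
    return table.get(digest)

def salted_hash(password: str, salt: bytes) -> str:
    """Unique per-user salt means the same password yields a different digest per user."""
    return sha1_hex(salt + password.encode())

def brute_force_salted(digest, salt, words):
    """Salt does not stop a targeted guess: with the salt known, each word is re-hashed."""
    for w in words:
        if salted_hash(w, salt) == digest:
            return w
    return None

def demo():
    table = build_reverse_table(WORDLIST)
    unsalted = sha1_hex(b"letmein")
    salt = os.urandom(16)                      # random per-user salt, stored beside the hash
    salted = salted_hash("letmein", salt)
    return {
        "unsalted_lookup": lookup(table, unsalted),       # reversed instantly by the table
        "salted_lookup": lookup(table, salted),           # None: the table never saw this salt
        "salted_bruteforce": brute_force_salted(salted, salt, WORDLIST),  # still found by guessing
    }
```

A real deployment would use a slow password hash (bcrypt, scrypt or Argon2) rather than salted SHA1, which makes the per-guess cost of the last step far higher.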
So, how do the criminals spend it / exchange bitcoin to real money without getting caught?
So when is that OSAlert RISC OS review (that you sort of announced a few times in the past) coming? Do you finally have a RaspberryPi that runs it successfully?
1. Denial
2. Anger
3. Bargaining
4. Depression
5. Acceptance
6. Open Source
Some months ago I wrote in a discussion in the RISCOS forum that the license is a real problem for the future of RISCOS. I didn’t expect that they would change the license anytime soon. Open sourcing RISCOS is awesome!