Windows 95 defenses against installers that overwrite a file with an older version 26 Mar 2026, 11:01 pm

I’ll never grow tired of reading about the crazy tricks the Windows 95 development team employed to make the user experience as seamless as they could given the constraints they were dealing with. During the 16bit Windows days, application installers could replace system components with newer versions if such was necessary. Installers were supposed to do a version check, but many of them didn’t follow this guidance. When moving to Windows 95, this meant installers ended up replacing Windows 95 system components with Windows 3.x versions, which wasn’t exactly a goods thing.

So, they came up with a solution.

Windows 95 worked around this by keeping a backup copy of commonly-overwritten files in a hidden C:\Windows\SYSBCKUP directory. Whenever an installer finished, Windows went and checked whether any of these commonly-overwritten files had indeed been overwritten. If so, and the replacement has a higher version number than the one in the SYSBCKUP directory, then the replacement was copied into the SYSBCKUP directory for safekeeping. Conversely, if the replacement has a lower version number than the one in the SYSBCKUP directory, then the copy from SYSBCKUP was copied on top of the rogue replacement.

↫ Raymond Chen

All of this happened entirely silently, and neither the installers nor the user had any idea this was happening. The Windows 95 team tried other solutions, like just making it impossible to replace system components with older versions entirely, but that caused many installers to break. Some installers apparently even went rogue and would create a batch file that would replace the system components upon a reboot, before Windows 95 could perform its silent fixes. Wild.

I used Windows 95 extensively, and had no idea this was a thing.

US regulator bans imports of new foreign-made routers, citing security concerns 26 Mar 2026, 10:41 pm

The U.S. Federal Communications Commission said on Monday it was banning the import of all ​new foreign-made consumer routers, the latest crackdown on Chinese-made electronic gear over ‌security concerns.

China is estimated to control at least 60% of the U.S. market for home routers, boxes that connect computers, phones, and smart devices to the internet.

↫ David Shepardson at Reuters

I’m sure the American public will be thrilled to find out yet another necessity has drastically increased in price.

Apple discontinues the Mac Pro with no plans for future hardware 26 Mar 2026, 10:34 pm

It’s the end of an era: Apple has confirmed to 9to5Mac that the Mac Pro is being discontinued. It has been removed from Apple’s website as of Thursday afternoon. The “buy” page on Apple’s website for the Mac Pro now redirects to the Mac’s homepage, where all references have been removed.

Apple has also confirmed to 9to5Mac that it has no plans to offer future Mac Pro hardware.

↫ Chance Miller at 9To5Mac

If a Mac Pro falls in the back of the Apple Store and there’s no one around to hear it, does it make a sound?

The reports of age verification in Linux are greatly exaggerated, for now 25 Mar 2026, 9:07 pm

Several US states, the country of Brazil, and I’m sure other places in the world have enacted or are planning to enact laws that would place the burden of age verification of users on the shoulders of operating system makers. The legal landscape is quite fragmented at this point, and there’s no way to tell which way these laws will go, with tons of uncertainties around to whom these laws would apply, if it targets accounts for application store access or the operating system as a whole, what constitutes an operating system in the first place, and many more. Still, these laws are already forcing major players like Apple to implement sharing self-reported age brackets with application developers (at least in iOS), so there’s definitely something happening here.

In recent weeks, the open source world has also been confronted with the first consequences of these laws, as both systemd and xdg-desktop-portal have responded to operating system-level age verification laws in, among other places, California and Colorado, by adding birthDate to userdb (on systemd’s side) and developing an age verification portal (on xdg-desktop-portal’s side) for use by Flatpaks. The age verification portal would then use the value set in usrdb’s birthDate as its data source. The value in birthDate would only be modifiable by an administrator, but can be read by users, applications, and so on.

Crucially, this field is entirely optional, and distributions, desktop environments, and users are under zero obligation to use it or to enter a truthful value. In fact, contrary to countless news items and comments about these additions, nothing about this even remotely constitutes as “age verification”, as nothing – not the government, not the distribution or desktop environments, not the user – has to or even can verify anything. If these changes make it to your distribution, you don’t have to suddenly show your government ID, scan your face, or link your computer to some government-run verification service, or even enter anything anywhere in the first place.

Furthermore, while the xdg-desktop-portal’s proposals are still fluid and subject to change, consensus seems to be to only share age brackets with applications, instead of full birth dates or specific ages – assuming anything has even been entered in the birthDate field in the first place. Even if your Linux distribution and/or desktop environment implements everything needed to support these changes and expose them to you in a nice user interface, everything about it is optional and under your full control. The field is of the same type as the existing fields emailAddress, realName, and location, which are similarly entirely optional and can be left empty if desired.

Taken in isolation, then, as it currently stands, there’s really not much meat to these changes at all. The primary reason to implement these changes is to minimally comply with the new laws in California, Colorado, Brazil, and other places, and it’s understandable why the people involved would want to do so. If they do not, they could face lawsuits, fines, or worse, and I don’t know about you, but I wouldn’t want to be on the receiving end of the western world’s most incompetent justice system. Aside from that, these changes make it possible to build robust parental controls, which isn’t mentioned in the original commits to systemd, but is clearly the main focal point of xdg-desktop-portal’s proposal.

This all seems well and good, but given today’s political climate in the United States, as well as the course of history, that “as it currently stands” is doing a lot of heavy lifting. Rightfully so, a lot of people are worried about where this could lead. Sure, today these are just inconsequential, optional changes in response to what seems to be misguided legislation, but what happens once these laws are tightened, become more demanding, and start requiring a lot more than just a self-reported age bracket?

In Texas, for instance, H.B. 1131 requires any commercial entity, including websites, that contains more than one-third “sexual material harmful to minors” to implement age verification tools using things like government-issued IDs or bank transaction data to verify visitors’ ages before allowing them in. The UK has a similar law on the books, too. It’s not difficult to imagine how some other law will eventually shift this much stricter, actual age verification from websites and applications into operating systems instead. What will systemd’s and xdg-desktop-portal’s developers do, then? Will they comply as readily then as they do now?

This is a genuine worry, especially if you already belong to a group targeted by the current US administration, or were face-scanned by ICE at a protest. Large groups of especially religious extremists consider anything that’s LGBTQ+ to be “sexual material harmful to minors”, even if it’s just something normal like a gay character in a TV show. It’s not hard to imagine how age verification laws, especially if they force age verification at the operating system level, can become weaponised to target the LGBTQ+ community, other minorities, and people protesting the Trump regime.

You may think this won’t affect you, since you’re using an open source operating system like desktop Linux or one of the BSDs, and surely they are principled enough to ignore such dangerous laws and simply not comply at all, right? Sadly, here’s where the idealism and principles of the open source world are going to meet the harsh boot of reality; while open source software has a picturesque image of talented youngsters hacking away in their bedrooms, the reality is that most of the popular open source operating systems are actually hugely complex operations that require a ton of funding, and that funding is often managed by foundations. And guess where most popular Linux distributions’ and BSD variants’ foundations are located?

Developers from all over the world may contribute to Debian, but all of its financials and trademarks are managed by Software in the Public Interest, domiciled in New York State. Fedora is part of Red Hat, owned by IBM, and we all know IBM. Arch Linux’ donations are also managed by Software in the Public Interest. The Gentoo Foundation is domiciled in New Mexico. The FreeBSD Foundation is domiciled in Boulder, Colorado. The NetBSD Foundation is domiciled in Delaware. Ubuntu is a Canonical product, a company headquartered in London, UK, a country with strict age verification laws for websites and applications. Hell, even Haiku, Inc. is domiciled in New York State. I could go on, but you get the gist: all of these projects manage their donations, financials, trademarks, and related issues in the United States (or the UK for Ubuntu).

It’s relatively easy for these projects to take a principled stance against the relatively limited age verification laws that exist today, but what about if and when these laws are expanded to infiltrate the very operating systems we use? It’s easy to resist the boot when it’s pressing down on some porn website or a sex worker’s OnlyFans page, but once that same boot is pressing down on your own throat? That’s a whole different story. Will Debian, FreeBSD, or Fedora still stand their ground when the organisations managing their donations, finances, and trademarks become the target of lawsuits or the US justice system, because they refuse to implement age verification?

I sincerely doubt it.

And this is why I am of two minds about this issue. On the one hand, I fully understand that the various developers involved with these efforts want to make sure they follow the law and avoid getting fined – or worse – especially since compliance requires so little at this time. On top of that, these changes make it possible to implement a fairly robust set of parental controls in a centralised way, keeping the data involved where it makes sense, so it also brings a number of benefits for users. There really isn’t anything to worry about when looking at these changes in isolation.

On the other hand, though, I also understand the fears and worries from people who see these changes as the first capitulation to age verification, nicely making the bed for much stricter age verification laws I’m sure certain parts of the political compass are already dreaming about. With so many Linux distributions, BSD variants, and even alternative operating systems having their legal domiciles in the United States, it’s not unreasonable to assume they’re going to fold under any possible legal pressure that comes with such laws.

I’m not rushing to replace my Fedora KDE installations with something else at this point, but I’m definitely going to explore my options on at least one of my machines and go from there, so I at least won’t be caught with my pants down in the future. The world isn’t ending, age verification hasn’t come to Linux, but we’d all do well to remain skeptical and prepare for when it does make its way into our open source operating systems.

Windows native application development is a mess 23 Mar 2026, 3:13 pm

Usually, when developers or programmers write articles about their experiences developing for a platform they have little to no experience with, the end result usually comes down to “they do things differently, therefor it is bad actually”, which is deeply unhelpful. This article, though, is from a longtime Windows user and developer, but one who hasn’t had to work on native Windows development for a long time now. When he decided to write his own native Windows application to scratch a personal itch, it wasn’t a great experience.

While I followed the Windows development ecosystem from the sidelines, my professional work never involved writing native Windows apps. (Chromium is technically a native app, but is more like its own operating system.) And for my hobby projects, the web was always a better choice. But, spurred on by fond childhood memories, I thought writing a fun little Windows utility program might be a good retirement project.

Well. I am here to report that the scene is a complete mess. I totally understand why nobody writes native Windows applications these days, and instead people turn to Electron.

↫ Domenic Denicola

Denicola decided to try and use the latest technologies and best practices from Microsoft regarding Windows development, and basically came away aghast at just how shot of an experience it really is. I’m not a developer, but you don’t need to be to grasp the severity of the situation after following his development timeline and reading about his struggles.

If this is truly representative of the Windows application development experience, it’s really no surprise just how few new, quality Windows applications there are, and why even Microsoft’s own Windows developers resort to things like React for the Start menu to enabler faster and easier iteration.

This is a complete dumpster fire.

Java Sun SPOTs (Small Programable Object Technology) 23 Mar 2026, 2:52 pm

These were Sun microcontrollers that run Squawk Java ME directly on metal with gc and all the bells and whistles, created by Sun Microsystems in 2005.

The feature mesh networking and tcp/ip and multitasking. Even the drivers are java just like Java OS.

They run a command and control server by default and there’s graphical network builders and deployment managers (Solarium) they also do some more esoteric stuff like process migration.

↫ Penny

I have no use for these but I want them. They would’ve made an excellent addition to my Sun article. There’s still a detailed tutorial and informational website up about these things, too.

The OpenBSD init system and boot process 23 Mar 2026, 2:44 pm

In recent weeks, systemd has both embraced slopcoding and laid the groundwork for age verification built right into systemd-based Linux distributions, there’s definitely been an uptick in people talking about alternative init systems. If you want to gain understanding in a rather classic init system, OpenBSD’s is a great place to start.

OpenBSD has a delightfully traditional init system, which makes it a great place to start learning about init systems. It’s simple and effective. There’s a bit of a counter movement in the IT and FOSS worlds rebelling against hyperscaler solutions pushing down into everyone’s practices. One of the rallying cries I’ve been seeing is to remind people that You Can Just Do Things™ on the computer. The BSD init system, and especially OpenBSD’s is something of a godparent to this movement. init(8) just runs a shell script to start the computer, and You Can Just Do Things™ in the script to get them to happen on boot.

↫ Overeducated-Redneck.net

My main laptop is currently in for warranty repairs, but once it returns, I intend to set it up with either OpenBSD or a Linux distribution without systemd (most likely Void) to see how many systems I can distance from systemd without giving myself too much of a headache (I’m guessing my gaming machine will remain on systemd-based Fedora). I’m not particularly keen on slopcoding and government-mandated age verification inside my operating systems, and I’m definitely feeling a bit of a slippery slope underneath my feet.

I have my limits.

Microsoft finally makes a few concrete promises about Windows 11 improvements 20 Mar 2026, 11:02 pm

Earlier this year, Microsoft openly acknowledged the sorry state of Windows 11, and made vague promises about possible improvements somewhere in the near future, but stayed away from making any concrete promises. Today, the company published a blog post with some more details, including some actual concrete, tangible changes it’s going to implement over the coming two months.

In coming builds, you’ll be able to move the taskbar to any side of the screen, instead of it being locked to the bottom, thereby reintroducing a feature present since Windows 95. They’re also scaling back their obsession with ramming “AI” in every corner of Windows, and will be removing Copilot integrations from Snipping Tool, Photos, Widgets, and Notepad. Furthermore, and this is a big one among Windows users I’m sure, Windows Update will be placed under user control once again, allowing them to ignore updates, postpone them indefinitely, reboot without applying updates, and so on. These are the tangible improvements we’ll be able to point to and say the company kept their word, and they all feel like welcome changes.

There’s also a few promises that feel far more vague and less tangible, like the ever-present, long-running promise to “improve File Explorer”. I feel like Microsoft’s been promising to fix their horrible file manager for years now, without much to show for it, so I hope this time will be different. The company also wants to improve Widgets, the Windows Insider Program, and the Feedback Hub application. These all feel less tangible, and will be harder to quantify and benchmark.

Beyond these first round of improvements that we’re supposed to be seeing over the coming two months, Microsoft also promises to implement wider improvements across the board, with the usual suspects like better performance, quicker application launches, improved reliability, lower memory usage, and so on. They also promise to move more core Windows user interface components to WinUI 3, including the Start menu, which is currently written in React. Windows Search is another common pain point among Windows users, and here, Microsoft promises to improve its performance and clearly separate local from online results (but no word on making search exclusively local).

There’s some more details in the blog post, but overall, it sounds great. However, words without actions are about as meaningful as a White House statement on the war with Iran, so seeing is believing.

Google to introduce overly onerous hoops to prevent “sideloading” 19 Mar 2026, 11:51 pm

When Google said they were going to require verification from every single Android developer that would end the ability to install applications from outside of the Play Store (commonly wrongfully referred to as “sideloading”), it caused quite a backlash. The company then backtracked a little bit, and said they would come up with an “advanced flow” to make sure installing applications from outside of the Play Store remained possible. Well, Google has detailed this “advanced flow”, and as everyone expected, it’s such a massive list of onerous hoops to jump through they might as well just lock Android down to the Play Store and get it over with.

First, if a developer is verified, you can download their applications to your device and install them the same way you can do now. Second, developers with “limited distribution accounts”, such as students or hobby projects, can share their applications with up to 20 devices without verification. Third, and this is where the fun starts, we have unverified developers – basically what all Android developers sharing applications outside of the Play Store are now.

Here’s the full “advanced flow” as described by Google to allow you to install an application from an unverified developer:

• Enable developer mode in system settings: Activating this is simple. This prevents accidental triggers or “one-tap” bypasses often used in high-pressure scams.

• Confirm you aren’t being coached: There is a quick check to make sure that no one is talking you into turning off your security. While power users know how to vet apps, scammers often pressure victims into disabling protections.

• Restart your phone and reauthenticate: This cuts off any remote access or active phone calls a scammer might be using to watch what you’re doing.

• Come back after the protective waiting period and verify: There is a one-time, one-day wait and then you can confirm that this is really you who’s making this change with our biometric authentication (fingerprint or face unlock) or device PIN. Scammers rely on manufactured urgency, so this breaks their spell and gives you time to think.

• Install apps: Once you confirm you understand the risks, you’re all set to install apps from unverified developers, with the option of enabling for 7 days or indefinitely. For safety, you’ll still see a warning that the app is from an unverified developer, but you can just tap “Install Anyway.”

↫ Matthew Forsythe at the Android Developers Blog

Setting aside the fact that developer verification is, in and of itself, a massive problem, I’m kind of okay with a few scary warnings, a disclaimer, and perhaps a single reboot to enable installing applications outside of the Play Store – a few things to make normal people shrug their shoulders and not bother. However, adding enabling developer mode and a goddamn 24-hour waiting period is batshit insanity, and clearly has the intention of discouraging everyone, effectively locking Android to the Play Store.

Android is already basically an entirely locked-down, closed-source platform, and once this “advanced flow” comes into force, there’s virtually no difference between iOS and Android, especially for us Europeans who get similarly onerous anti-user nonsense when trying to install alternative application stores on iOS. I see no reason to buy Android over iOS at this point – might as well get the faster phone with better update support.

You can make Linux syscalls in a Windows application, apparently 19 Mar 2026, 9:10 pm

What happens if you make a Linux syscall in a Windows application?

So yeah, you can make Linux syscalls from Windows programs, as long as they’re running under Wine. Totally useless, but the fact that such a Frankenstein monster of a program could exist is funny to me.

↫ nicebyte at gpfault.net

The fact that this works is both surprising and unsurprising at the same time.

GNOME 50 released 18 Mar 2026, 10:23 pm

The GNOME team has released GNOME 50, the latest version of what is probably the most popular open source desktop environment. It brings fine-grained parental controls, and the groundwork for web filtering so that in future releases, parents and guardians can set content filters for children. Our own kids are still way too young to have access to computers and the internet, but I’m not sure I’ll ever resort to these kinds of tools when the time comes. I didn’t have any such controls imposed upon me as a child on the early internet, but then, you can’t really compare the ’90s internet to that of today.

The Orca screen reader received a lot of attention in GNOME 50, with a new preference window, both global and per-application settings, and much more. There’s also a brand new reduced motion setting, which will tame the animations in the user interface. Document annotation has been overhauled and modernised, and the file manager has been optimised across the board for better performance and lower memory usage.

Remote Desktop also saw a lot of work in GNOME 50. It’s now hardware-accelerated using VA-API and Vulkan, and thanks to HiDPI support, the session will properly adapt to the screen being used. Kerberos Authentication support has been added, and you can now use the remote webcam locally. There’s way more here, like improved support for variable-refresh rates and fractional scaling, HDR screen sharing, fixes for weird NVIDIA driver nonsense, and much, much more.

As always, GNOME 50 will find its way to your distribution soon enough.

Introducing Duranium: an immutable variant of postmarketOS 18 Mar 2026, 9:14 pm

PosrtmarketOS, the Linux ‘distribution’ for mobile devices, now also has an immutable variant, called Duranium.

Duranium is an immutable variant of postmarketOS, built around the idea that your device should just work, and keep working. You shouldn’t need to know what a terminal is to keep your device running.

“Immutable” means the core operating system is read-only and can’t be modified while it’s running. System updates are applied as complete, verified images rather than individual packages. Either the new image works, or the system falls back to the previous one automatically. No partially-applied state. No debugging audio when you need to make a phone call and no fussing with a broken web browser when you just want to doomscroll cat photos. It also means developers can reproduce the exact state of a user’s device, making it much easier to track down and fix issues.

↫ Clayton Craft on the postmarketOS blog

Duranium is built around the various functionalities and tooling provided by systemd, meaning the project didn’t have to reinvent the wheel. It works similarly to other immutable distributions, in that images for the base are downloaded and installed as a whole, with the preferred application installation method being Flatpak. Security-wise, Duranium uses dm-verity to protect /usr, cryptographically verifying data as it’s read. The image simply won’t boot if anything’s been tampered with. LUKS2 is used to encrypt mutable user and operating system data and configuration on the root file system.

Duranium is still under heavy development, but it makes sense to implement something like this now, since in the world of mobile devices, this has become the norm. I’m glad postmarketOS is taking these steps, and I sincerely hope I’ll eventually be able to use a postmarketOS device with KDE’s Plasma mobile shell at some point in the near future in my day-to-day life. This requires both postmarketOS to improve as well as for the regulatory landscape to break the duopoly on banking and government applications held by Android and iOS, and with the state of the US government as it is, this might actually be something Europe’s interested in achieving.

Sudo ported to DOS 18 Mar 2026, 9:01 pm

DOS didn’t have sudo yet. This gross oversight has been addressed.

SUDO examines the environment for the COMSPEC variable to find the default command interpreter, falling back to C:\COMMAND.COM if not set. The interpreter is then executed in unprotected real mode for full privileges.

↫ SUDO for DOS’ Codeberg page

A vital tool, for sure.

Meta and TikTok let harmful content rise after evidence outrage drove engagement, say whistleblowers 18 Mar 2026, 7:42 pm

Once again, social media giants Facebook and TikTok have been caught red-handed.

More than a dozen whistleblowers and insiders have laid bare how the companies took risks with safety on issues including violence, sexual blackmail and terrorism as they battled for users’ attention.

An engineer at Meta, which owns Facebook and Instagram, described how he had been told by senior management to allow more “borderline” harmful content – which includes misogyny and conspiracy theories – in user’s feeds to compete with TikTok.

“They sort of told us that it’s because the stock price is down,” the engineer said.

↫ Marianna Spring and Mike Radford at the BBC

Meta, TikTok, and Twitter are criminal enterprises, and their executives should be trembling in court instead of scheming on yachts. Their role in legitimising far-right extremism will eventually catch up to them, and once that happens, no yacht is going to keep them safe.

How kernel anti-cheats work: a deep dive into modern game protection 18 Mar 2026, 2:38 pm

Modern kernel anti-cheat systems are, without exaggeration, among the most sophisticated pieces of software running on consumer Windows machines. They operate at the highest privilege level available to software, they intercept kernel callbacks that were designed for legitimate security products, they scan memory structures that most programmers never touch in their entire careers, and they do all of this transparently while a game is running. If you have ever wondered how BattlEye actually catches a cheat, or why Vanguard insists on loading before Windows boots, or what it means for a PCIe DMA device to bypass every single one of these protections, this post is for you.

↫ Adrián Díaza

I hate that we need proprietary rootkits just to play competitive multiplayer games – we can chalk this up to a few sad people ruining the experience for everyone else, as so often happens. I have a dedicated parts bin Windows box just to play League of Legends (my one vice alright, nobody’s perfect) so I don’t really care if it has a proprietary rootkit running in the background as there’s not a single bit of valuable data on that machine, but for most people, that’s not realistic.

Virtually every League of Legends player hands over control of their entire computer to a proprietary rootkit developed and deployed by a company from China, whereas players of other popular online multiplayer games must install rootkits from companies from the United States. If anyone inside the governments of these countries ever wants to implement a backdoor in dozens (hundreds?) of millions of Windows machines, this is the way to go.

It’s an absolutely bizarre situation.

Tribblix m39 released 17 Mar 2026, 10:09 pm

Tribblix, the Illumos distribution focused on giving you a classic UNIX-style experience, has released a new version.

There are several noticeable version updates in this release. The graphical libraries libtiff and OpenEXR have been updated, retaining the old shared library versions for now. OpenSSL is now from the 3.5 series with the 3.0 api by default. Bind is now from the 9.20 series. OpenSSH is now 10.2, and you may get a Post-Quantum Cryptography warning if connecting to older SSH servers.

↫ Tribblix m39 release notes

If you’re already running Tribblix, updating is easy, and if you want to try it out, head on over to the downloads page. Rests me to say that Tribblix is a treasure, and it must be protected at all costs. It’s rare to see a passion project like this maintain such a steady pace.