| ||||||||||||||||||
|
Android's security team published a blog post this week about their experience using Rust. Its title? "Move fast and fix things."
Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in new code quickly yields durable and compounding gains. This year we look at how this approach isn't just fixing things, but helping us move faster. The 2025 data continues to validate the approach, with memory safety vulnerabilities falling below 20% of total vulnerabilities for the first time. We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android's C and C++ code. But the biggest surprise was Rust's impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one... Data shows that Rust code requires fewer revisions. This trend has been consistent since 2023. Rust changes of a similar size need about 20% fewer revisions than their C++ counterparts... In a self-reported survey from 2022, Google software engineers reported that Rust is both easier to review and more likely to be correct. The hard data on rollback rates and review times validates those impressions. Historically, security improvements often came at a cost. More security meant more process, slower performance, or delayed features, forcing trade-offs between security and other product goals. The shift to Rust is different: we are significantly improving security and key development efficiency and product stability metrics. With Rust support now mature for building Android system services and libraries, we are focused on bringing its security and productivity advantages elsewhere. Android's 6.12 Linux kernel is our first kernel with Rust support enabled and our first production Rust driver. More exciting projects are underway, such as our ongoing collaboration with Arm and Collabora on a Rust-based kernel-mode GPU driver. [They've also been deploying Rust in firmware for years, and Rust "is ensuring memory safety from the ground up in several security-critical Google applications," including Chromium's parsers for PNG, JSON, and web fonts.] 2025 was the first year more lines of Rust code were added to Android than lines of C++ code... |
|
|
Valve has unveiled a new Steam Machine console, taking a second shot at living room gaming a decade after its 2015 Steam Machine initiative failed. The 6-inch cube runs Linux-based SteamOS but plays Windows games through Proton, a compatibility layer built on Wine that translates Microsoft graphical APIs. Valve spent over a decade working on SteamOS and ways to run Windows games on Linux after the original Steam Machines failed. The device promises six times the performance of the Steam Deck handheld using AMD's 2022-2023 technology. In an interaction with The Verge, Valve demonstrated Cyberpunk 2077 running at settings comparable to PS5 Pro or beyond on a 4K television. The console updates games in the background and includes automatic HDMI television control that Valve tested against a warehouse of home entertainment equipment. The system navigates entirely through gamepad controls and resumes games instantly from sleep mode. Valve said pricing will be "comparable to a PC with similar specs" rather than subsidized like traditional consoles. PCs with similar GPUs have cost roughly $1,000 or more. Linux currently plays Windows games better than Windows in side-by-side tests. |
|
|
A maintainer of Debian's Advanced Package Tool (APT) "has announced plans to introduce hard Rust dependencies into APT starting May 2026," reports the blog It's FOSS.
The integration targets critical areas like parsing .deb, .ar, and tar files plus HTTP signature verification using Sequoia. [APT maintainer Julian Andres Klode] said these components "would strongly benefit from memory safe languages and a stronger approach to unit testing." He also gave a firm message to maintainers of Debian ports: "If you maintain a port without a working Rust toolchain, please ensure it has one within the next 6 months, or sunset the port." The reasoning is straightforward. Debian wants to move forward with modern tools rather than being held back by legacy architecture... Debian ports running on CPU architectures without Rust compiler support have six months to add proper toolchains. If they can't meet this deadline, those ports will need to be discontinued. As a result, some obscure or legacy platforms may lose official support. For most users on mainstream architectures like x86_64 and ARM, nothing changes. Your APT will simply become more secure and reliable under the hood. It's FOSS argues that "If done right, this could significantly strengthen APT's security and code quality." And the blog Linuxiac also supports the move. "By embedding Rust into APT, the distro joins a growing number of major open-source projects, such as the Linux kernel, Firefox, and systemd, that are gradually adopting Rust. And if I had to guess, I'd say this is just one of the first steps toward even deeper Rust integration in this legendary distribution, which is a good thing." |
|
|
concertina226 shares a report from The Register: [A massive power outage in April left tens of millions across Spain, Portugal, and parts of France without electricity for hours due to cascading grid failures, exposing how fragile and interconnected Europe's energy infrastructure is. The incident, though not a cyberattack, reignited concerns about the vulnerability of aging, fragmented, and insecure operational technology systems that could be easily exploited in future cyber or ransomware attacks.] This headache is one the European Commission is focused on. It is funding several projects looking at making electric grids more resilient, such as the eFort framework being developed by cybersecurity researchers at the independent non-profit Netherlands Organisation for Applied Scientific Research (TNO) and the Delft University of Technology (TU Delft).
TNO's SOARCA tool is the first ever open source security orchestration, automation and response (SOAR) platform designed to protect power plants by automating the orchestration of the response to physical attacks, as well as cyberattacks, on substations and the network, and the first country to demo it will be the Ukraine this year. At the moment, SOAR systems only exist for dedicated IT environments. The researchers' design includes a SOAR system in each layer of the power station: the substation, the control room, the enterprise layer, the cloud, or the security operations centre (SOC), so that the SOC and the control room work together to detect anomalies in the network, whether it's an attacker exploiting a vulnerability, a malicious device being plugged into a substation, or a physical attack like a missile hitting a substation. The idea is to be able to isolate potential problems and prevent lateral movement from one device to another or privilege escalation, so an attacker cannot go through the network to the central IT management system of the electricity grid. [...] The SOARCA tool is underpinned by CACAO Playbooks, an open source specification developed by the OASIS Open standards body and its members (which include lots of tech giants and US government agencies) to create standardized predefined, automated workflows that can detect intrusions and changes made by malicious actors, and then carry out a series of steps to protect the network and mitigate the attack. Experts largely agree the problem facing critical infrastructure is only worsening as years pass, and the more random Windows implementations that are added into the network, the wider the attack surface is. [...] TNO's Wolthuis said the energy industry is likely to be pushed soon to take action by regulators, particularly once the Network Code on Cybersecurity (NCCS), which lays out rules requiring cybersecurity risk assessments in the electricity sector, is formalized. |
|
|
An anonymous reader shares a report: The Content Overseas Distribution Association (CODA), an anti-piracy organization representing Japanese IP holders like Studio Ghibli and Bandai Namco, released a letter last week asking OpenAI to stop using its members' content to train Sora 2, as reported by Automaton. The letter states that "CODA considers that the act of replication during the machine learning process may constitute copyright infringement," since the resulting AI model went on to spit out content with copyrighted characters. Sora 2 generated an avalanche of content containing Japanese IP after it launched on September 30th, prompting Japan's government to formally ask OpenAI to stop replicating Japanese artwork. This isn't the first time one of OpenAI's apps clearly pulled from Japanese media, either -- the highlight of GPT-4o's launch back in March was a proliferation of "Ghibli-style" images. Altman announced last month that OpenAI will be changing Sora's opt-out policy for IP holders, but CODA claims that the use of an opt-out policy to begin with may have violated Japanese copyright law, stating, "under Japan's copyright system, prior permission is generally required for the use of copyrighted works, and there is no system allowing one to avoid liability for infringement through subsequent objections." |
|
|
"During the past two years or so I have been slow-rolling an effort to port the Linux kernel to WebAssembly," reads a surprising post on the Linux kernel mailing list.
I'm now at the point where the kernel boots and I can run basic programs from a shell. As you will see if you play around with it for a bit, it's not very stable and will crash sooner or later, but I think this is a good first step.
Wasm is not necessarily only targeting the web, but that's how I have
been developing this project... This is Linux, booting in your browser tab, accelerated by Wasm. Phoronix warns that "there are stability issues and it didn't take me long either to trigger crashes for this Linux kernel WASM port when running within Google Chrome." |
|
|
"It finally happened," writes the GamingOnLinux site:
Linux gamers on Steam as of the Steam Hardware & Software Survey for October 2025 have crossed over the elusive 3% mark. The trend has been clear for sometime, and with Windows 10 ending support, it was quite likely this was going to be the time for it to happen as more people try out Linux... Overall, 3% might not seem like much to some, but again — that trend is very clear and equates to millions of people. The last time Valve officially gave a proper monthly active user count was in 2022, and we know Steam has grown a lot since then, but even going by that original number would put monthly active Linux users at well over 4 million. Additional details from Phoronix: The only time Steam on Linux use was close to the 3% mark was when Steam on Linux initially debuted a decade ago and at that time the overall Steam user-base was much smaller than it is today. Long story short, thanks to the ongoing success of Valve's Steam Deck and other handhelds plus Steam Play (Proton) working out so well, these October numbers are the best yet... a hearty 0.41% increase to Linux... landing its overall marketshare at 3.05%. Windows meanwhile was at 94.84% (falling below 95% for the first time in a while) and macOS at 2.11%. For comparison, in October 2024 Steam on Linux was at 2.00%. The Linux-specific data shows SteamOS commanding around 27% of all the Linux installs at large. SteamOS most notably being on the Steam Deck hardware. |
|
|
Microsoft shipped its first Xbox handheld nearly two weeks ago. The $600 white Xbox Ally cannot reliably sleep, wake, or hold a charge while asleep. Neither Microsoft nor Asus would admit there's a problem or offer a timeline to fix it after repeated requests by The Verge. Asus said it needs more time to test. Installing Bazzite, a Linux-based operating system, solves the problems, the publication reports. The same hardware runs games up to 30% faster than Windows and beats the Steam Deck in all but one benchmark. Steam runs more responsively without Windows bloat. The device can be used like a Nintendo Switch, pausing games with the power button and resuming hours or days later. Bazzite initially had sleep issues but fixed them two days after programmer Antheas Kapenekakis obtained the hardware and consulted with two AMD contacts. The black Xbox Ally X, which doesn't have as many sleep issues, gets a similar speed boost with Bazzite. Two Xbox Ally units tested on Windows repeatedly woke themselves at random intervals. One lost 10% battery after 12 hours of supposed sleep, the other 23%. After another 12 hours, both had only 30% battery remaining. One tried to apply a Windows Update while asleep. Both units refused to wake from sleep at times and required hard resets. Many users have reported similar issues on Reddit with both Xbox Ally versions. Further reading: Microsoft's Next Xbox Will Run Full Windows and Eliminate Multiplayer Paywall, Report Says. |
|
|
Humanity has failed to limit global heating to 1.5C and must change course immediately, the secretary general of the UN has warned. From a report: In his only interview before next month's Cop30 climate summit, Antonio Guterres acknowledged it is now "inevitable" that humanity will overshoot the target in the Paris climate agreement, with "devastating consequences" for the world. He urged the leaders who will gather in the Brazilian rainforest city of Belem to realise that the longer they delay cutting emissions, the greater the danger of passing catastrophic "tipping points" in the Amazon, the Arctic and the oceans. "Let's recognise our failure," he told the Guardian and Amazon-based news organisation Sumauma. "The truth is that we have failed to avoid an overshooting above 1.5C in the next few years. And that going above 1.5C has devastating consequences. Some of these devastating consequences are tipping points, be it in the Amazon, be it in Greenland, or western Antarctica or the coral reefs. He said the priority at Cop30 was to shift direction: "It is absolutely indispensable to change course in order to make sure that the overshoot is as short as possible and as low in intensity as possible to avoid tipping points like the Amazon. We don't want to see the Amazon as a savannah. But that is a real risk if we don't change course and if we don't make a dramatic decrease of emissions as soon as possible." |
|
|
Thursday the Washington Post profiled "the people who dare to say no to AI," including a 16-year-old high school student in Virginia says "she doesn't want to off-load her thinking to a machine and worries about the bias and inaccuracies AI tools can produce..." "As the tech industry and corporate America go all in on artificial intelligence, some people are holding back." Some tech workers told The Washington Post they try to use AI chatbots as little as possible during the workday, citing concerns about data privacy, accuracy and keeping their skills sharp. Other people are staging smaller acts of resistance, by opting out of automated transcription tools at medical appointments, turning off Google's chatbot-style search results or disabling AI features on their iPhones. For some creatives and small businesses, shunning AI has become a business strategy. Graphic designers are placing "not by AI" badges on their works to show they're human-made, while some small businesses have pledged not to use AI chatbots or image generators... Those trying to avoid AI share a suspicion of the technology with a wide swath of Americans. According to a June survey by the Pew Research Center, 50% of U.S. adults are more concerned than excited about the increased use of AI in everyday life, up from 37% in 2021. The Post includes several examples, including a 36-year-old software engineer in Chicago who uses DuckDuckGo partly because he can turn off its AI features more easily than Google — and disables AI on every app he uses. He was one of several tech workers who spoke anonymously partly out of fear that criticisms could hurt them at work. "It's become more stigmatized to say you don't use AI whatsoever in the workplace. You're outing yourself as potentially a Luddite." But he says GitHub Copilot reviews all changes made to his employer's code — and recently produced one review that was completely wrong, requiring him to correct and document all its errors. "That actually created work for me and my co-workers. I'm no longer convinced it's saving us any time or making our code any better." And he also has to correct errors made by junior engineers who've been encouraged to use AI coding tools. "Workers in several industries told The Post they were concerned that junior employees who leaned heavily on AI wouldn't master the skills required to do their jobs and become a more senior employee capable of training others." |