You do know that Terry was extremely mentally ill? This comment comes across as insensitive to him condition and to others that dare to participate in society with mental illness.
With all respect for Terry and being fully aware that the outrageous parts of behavior were almost definitely a result of his mental illness - no one in their right mind would intentionally try to associate their product with him in marketing.
It isn't about "how dare he participate in society" (which is irrelevant, as he is, sadly, not alive anymore). You just simply dont associate your product in public with someone who talks about "cia glowies in a van outside of my house, trying to bait me with a handgun and an underage child" or records a video of themselves calling a black person outside an N-word with hard "r" (and then gets hit by that person).
Again, sad story for Terry, and I genuinely feel compassion for the man. He clearly had a brilliant mind trapped in his head, but his mental illness took over it entirely. To the point where he became literally about as marketable as the Unabomber, and probably even less. It isn't insensitive to say that his behavior (regardless of the mental illness) makes it impossible to attach his likeness to your product in a positive way.
I have plenty of empathy for Terry as a person, and I think what happened to him is a tragedy. As someone who had been following his journey with TempleOS for quite a long time, I genuinely feel for his circumstance. He had a brilliant mind and probably would have went onto achieve quite a few impressive things, if it wasn't for his mental illness.
However, none of that would make him more "advertising-friendly" and override the perception caused by his public outbursts (which were driven by his illness). People were "canceled" for way less. That's just the reality. No amount of empathy on my end would make someone saying the n-word (with a hard "r") n a derogatory way towards a black person and recording it on video any more advertising-friendly.
My insensitivity to what? "People assaulting african-american people in public and yelling n-word with hard r at them as an insult are not marketing-friendly material" is not an opinion or a position, it is a fact. Do you disagree with this and believe that this type of behavior is marketing-friendly? Is merely stating it in the relevant context insensitive? Because I didn't just throw it in there, it was directly relevant to my argument for why SparrowOS name was unrelated to TempleOS.
I feel like i am being gaslighted pretty hard right now , and the passive-aggressive "be better than that" isn't helping.
The article mentions this but there are 2 main components that are not Google owned. SeL4 microkernel and the antimicro simulator. The git repo mentions that KataOS is the system services on SeL4. It is possible there is significant overlap with katacontainers.
Actually, this is an engineer-driven project in research, not a PM driven project. The team and I have quite a lot of passion for this project and are doing everything we can to fight that kind of thing from happening, which is why we open sourced it.
And Android, and the associated real-time bits that run underneath Android (lk? The thing that provides fastboot), and Chrome OS, and whatever internal Debian modifications they're running. Google is apparently quite capable of maintaining at least three or four operating systems developments at once; what's 2-3 more?
Based on my skimming, I think Fuchsia is aimed more towards being an Android/ChromeOS replacement, while KataOS/Sparrow looks like it's more aimed towards low-power embedded systems and IoT.
Actually, yes. We ported the seL4 crate to the latest kernel and modified it to better fit our needs. It's part of the OSS release, and we're hoping we can contribute it back to that project once we've done some more polishing to it.
Someone should build an extension to filter all of the low-effort "haha when will this one be shut down" garbage below every single news post about a Google product. It's getting a little tiresome.
It's the most relevant feature to speculate about for any non-ad-targeted product Google introduces, so I don't begrudge people for commenting on it.
It's to the point I just ignore any Google product launch, at least in terms of consideration for my own use. 5-10 years is an incredibly short lifespan, and there's usually no off-ramp. The product just dies off.
It's Google's own fault that anything new they launch these days has a meme status. I don't see anything wrong in pointing this out.
Similarly, many people avoid watching Netflix shows until they survive to season 3 at least because it's not worth investing your time in something that's likely to get cancelled after a season or two.
It's their own doing and mocking it is fully deserved
Maybe, just maybe more shows should be built around being a single season long with fewer rear end pulls. I'm so sick of these multiseason shows that just do nothing or don't answer questions.
This is already totally besides the point, but I fully agree. If writers know the show has a limited lifespan, they can build an actually coherent and interesting story. If they have to write season 5 out of X, it's going to be just disappointing and more of the same old. For this reason I rarely watch any shows these days.
I don't disagree with you, but it's the volume of the "pointing it out" that is tiresome. I was hoping to see an interesting technical discussion of the new OS, but instead any that might exist is drowned out with an avalanche of dumb. It's not a verboten thing to say, but it is very low effort and uninteresting, and when it makes up 90% of the comments on an otherwise pretty interesting announcement...
No, it's the most important aspect for any new Google product announcement. It's not up to commenters to behave better, it is up to Google.
The comments cannot be considered garbage, since they ask the most pertinent question: why is this announcement worth talking about?
And yes, Google created this situation itself. And now it has to justify each new product's life span. Because we don't trust that at all. Unlike startups, Google can easily afford to run a product at a loss for years.
Yet we trust them less than startups with only a few months of runway.
We're on a forum for startups. 99% of them get shutdown.
This is not a product, it's a free and open source OS, a gift to the world. You cannot shut down open source--if it matters so much to you then maintain it yourself.
It's a rare for-profit company that releases anything significant from pure niceness so I can't read it as a gift. It's part of a corporate strategy; don't confuse it with largesse.
I mostly agree with your comment. However I'll also say that Google, far more than any of the other tech titans, has a very long history of deeply supporting and embracing open source. It's part of the ethos, not just lip service.
TL for KataOS here. Yes, the actual point of the announcement is to get the word out about the project. We want to make it as open as possible, and while we have some hurdles with getting the entire system out in a collaborative fashion, we're doing our darndest to do so. This release actually reflects the hard-won efforts of several engineers on the team to get this out.
Respect to you + your engineers, I was not having a go at you all, and I genuinely thank you for your work. I was merely objecting to some commenter describing it in a way I felt was misleading. Keep it up!
> It's a rare for-profit company that releases anything significant from pure niceness so I can't read it as a gift.
Philosophically speaking, do most people do something out of pure altruism? I personally don't believe so. Everyone has an agenda - be it to feel better, to score brownie points, to make people like them, etc. Why should we expect for-profit corps to be altruistic? We should remember their for-profit motives and also accept they can do good deed for non-altruistic reasons.
It may be a cultural thing, I'm a brit, you're like from the US, but yes over here there is a culture of altruism to a degree that may be greater than in the US (eg. over here we donate blood for free). I'm talking monetary compensation thought. On a personal level I try to help because another's happiness becomes mine.
> The comments cannot be considered garbage, since they ask the most pertinent question: why is this announcement worth talking about?
I disagree. Google's habit of killing projects off is interesting/annoying/frustrating but I don't think a trove of shallow "I wonder when google will kill this? lol" comments on every google product announcement add to the discussion.
They're a bit much, but in this case, they've clearly added to the discussion. It helped to show the distrust and skepticism around product announcements by Google. It also helps us question whether it's worth it for us to invest time, money and/or effort into a project.
The problem is that (HN) sentiment is generally lagging behind reality -- usually many-many years. There are still tons of comments on HN that refer to the evil Micro$oft as if 2022 MS was the same as the 1991 MS (while it is 'just' a large enterprise cloud company), etc. When anti-<some company> comments peak on HN then the company is usually already very different.
So if you're betting on a product / service, then relying on Internet sentiment is generally a bad idea.
Analogy: the best time to buy a car from a specific manufacturer is when everyone knows that the manufacturer is only producing crappy cars. Because that's when they're likely doing everything they can to rectify their reputation. (And the other way around.) Examples: French cars manufactured around 2010 have really good quality (especially the PSA models), because they produced crap around 2000 so by 2008 everyone knew that they should not buy a Citroen. BMW's from 2008 have incredibly many quality issues as BMW's reputation peaked around that era, so they reaped the profits that they could (and this was all based on the all-around great cars from a decade earlier).
> Analogy: the best time to buy a car from a specific manufacturer is when everyone knows that the manufacturer is only producing crappy cars. Because that's when they're likely doing everything they can to rectify their reputation.
Maybe—or maybe they’re still in the stage when they’re producing crappy cars, and unwilling to commit to the serious changes that would ultimately lead to a better product and better reputation.
Microsoft get schtick from people who know what they are talking about not because of their previous monopoly-abusing, security-insensitive ways, but because of their _current_ privacy-invading, data-harvesting, lowest-common-denominator-accepting approaches to everything. No amount of contributions to other projects is going to overcome that, nor should it, since it is possible to do some things well and others poorly.
The (awful) analogy certainly doesn't even hold: my late-2009 BMW is still going strong without a hint of anything beyond routine maintenance, yet according to this screed it should be crap...
As a car enthusiast, I have to disagree with your car analogy. Most carmakers deserve their reputation. While some Land Rovers were even more unreliable when they used BMW engines, and certain models were more reliable because they had more Ford parts, in general, all Land Rovers are unreliable.
Has BMW ever been reliable? Yes in the 90s and before, since then? No. They just don't care, they're sold as lease vehicles to people who care about having the newest stuff for 3 years and then move on.
I'm not sure that Google is in a similar place to carmakers. There are maybe 3 or 4 major carmakers, and their primary business is cars (well, maybe vans trucks etc too). If they stop selling those, the business is dead. There is really just one Google, which has range of quite different products, and it seems they can afford to fail in a lot of markets, but they'll still survive as a company despite that.
> So if you're betting on a product / service, then relying on Internet sentiment is generally a bad idea.
Well, as the TL for this engineer-driven research prject, I have to say it's quite demotivating to read these sorts of comments.
As an engineer, I don't get much say in what other parts of the company do, but unfortunately, I have to bear the brunt of the blowback every time it happens, in social forums like this one, and in B2B interactions. It's quite frustrating, actually.
Well then, I hope that perhaps you and similarly-minded engineers can channel that frustration into pressuring your incompetent leadership to alter their policy of mindlessly killing products.
I work for an automotive OEM, and when a car has a serious recall, I don’t get to say “gee it’s frustrating to see the whole of my company get smeared for one engineering mistake I wasn’t a part of.” There’s no reason for customers or the public to try and figure out exactly what part of the company failed. It’s a systemic failure of the entire company, and it reflects negatively on all of us.
Same for you. You either need to fix Google’s long term support issues from the inside, or expect more of the same.
> It’s a systemic failure of the entire company, and it reflects negatively on all of us.
> [...] You either need to fix Google’s long term support issues from the inside, or expect more of the same.
Some of us knowingly work for organizations that, in the aggregate, are crap.
We stay and do the best we can.
If somebody put that bullcrap of fixing our entire system on me, I'd laugh. Pretend you did that to me -- I would think that you have a poor understanding of the systemic issues causing the problems that bother you.
To me there isn't a clear line from "present" to "desirable future", and simplistic approaches ("antitrust disassemble google") to complex problems aren't actually going to work (all IMO).
Sometimes you do the best you can, help the people you can help, and feel sorry for the rest... but leaving isn't going to make it better, it's going to make it worse, because your work is above average.
Actually, I guess the parent knows this since the are still working in the automobile industry but for others - perhaps what's needed is just a thicker hide, and a willingness to say "yep, it's gonna get killed at some point, good thing we MADE IT OPEN SOURCE so others can carry it forward."
Second, I feel for you. This can't be fun, and it's not your fault.
Third, although I think I'm pretty squarely in your "target audience", if you will (Rust & SEL4!? Yes please!), my first reaction was "Oh well, too bad it will be cancelled before it goes anywhere."
Google has done this to themselves. There is a massive undertow against adopting anything Google makes. (I still sting from Reader, still, years later.) Stadia? Etc. Why bother?
Which brings me to my fourth and final point: Y U Googler? What I mean is, on the one hand no one is forcing you to work at Google? On the other hand when (sorry) IF they cancel this project are you going to continue to support it yourself? What is your personal stake in this project?
I'm willing to give you jtgans a break, but not Google.
I totally relate. I previously worked for Red Hat and got a lot of hate for decisions I had absolutely nothing to do with and in some cases was vehemently opposed to them (but I had no power to change it).
Overall I love the HN community and think it is the best one on the internet, but it still has a vocal shallow-minded pocket of people who:
1. Seem to forget that they're talking to a fellow human being rather than a username, and don't engage any of their manners that normally filter out unproductive rudeness
2. Feel strong emotions toward big companies and think life is just as simple as telling a single engineer to "fix the company" as though that is even remotely reasonable.
3. Don't seem to understand how big corporate systems work. Suggesting that a single engineer (even if they are a team lead) is to blame for business decisions that get made almost entirely against what the engineers want, is absurd.
Good for you for speaking up though. It won't make a difference to the people you were commenting to, but overall it provides the masses with a reminder that there's a human on the other side of this.
We're all better off when smart people can build something new, that advances the frontier of what's possible, and release it to the world for free, without committing to support it forever.
It's nauseating when lazy commenters parrot the same, worn-out arguments to tear down legitimate innovation.
Maybe it’s low effort but it’s actually the first thing that came to my mind when reading the headline, and it’s the same for lots of people. It’s natural that this comment comes a lot and it represents what people here think. Google brought it on itself.
This is a reason I’ll never use a new Google product ever again. I’m still stuck with Gmail and Android TV for now but that’s about it, and I’m working on that too. I slowly switch my accounts to a custom domain email, and plan on switching to Plex because they decided to start showing ads on the TV I paid $2000 for.
Seriously, I don't get it because startups fail all the time.
Google quite explicitly has a startup mentality in trying to launch lots of things and see what sticks, and shut down what doesn't stick. A "fail fast" mentality that is very hacker-y.
Apple is the polar opposite -- they do oodles of internal testing and iteration and feedback and don't launch something until they're super-super-sure they've got a hit on their hands. Microsoft is closer to Apple but more willing to experiment.
So people hate on Google when they cancel products, but nobody hates on all the startups that simply go out of business. To the contrary, they say congrats on trying, hope you try again!
It's a bizarre double standard that I'll never understand.
Yes, Reader was cancelled, but if Google didn't have this "launch and see what sticks" mentality Reader never would have been created in the first place. Products like Gmail and Google News supposedly started as similar 20% products.
Why is HN so supportive of startups that try and fail, but not when Google does it?
>As the foundation for this new operating system, we chose seL4 as the microkernel because it puts security front and center; it is mathematically proven secure, with guaranteed confidentiality, integrity, and availability.
>KataOS provides a verifiably-secure platform that protects the user's privacy because it is logically impossible for applications to breach the kernel's hardware security protections and the system components are verifiably secure.
The wording seems quite confident, maybe it could use some additional "at least according to its specification".
This approach doesn't protect against hardware bugs and side-channel attacks.
Especially when one thinks of unexpected attacks like Rowhammer, there is probably no way to include them in a formal systems model beforehand.
I mean, it does also claim to be "almost entirely written in Rust", which is true if you ignore almost the entire OS part of the OS (the kernel and the minimal seL4 runtime).
TL from the project here: you're right, the changes to the kernel are not yet formally verified, but that's on the roadmap -- there's quite a lot of work that has been done here, and tons more to come. The vast majority of changes we have made have involved lots of conversations with folks on the seL4 mailing list including Gernot Heiser and video conferences to work out the best way to do what we're doing.
I realize the blog post comes out pretty strongly on this topic, and that's my oversight -- I let my aspirations leak out instead of tempering them (this is not your typical PM-driven project) properly.
Please understand that this is an engineer-driven project in Research with a very small team where we're doing our hardest to do the right thing, so please bear with us.
Okay, then you should fix your mistake and edit the post or issue a new post that does not call or imply that “KataOS provides a verifiably-secure platform” since it does not. You have achieved that when any new readers of the post do not mistakenly believe that it is currently verifiably-secure.
Don't sweat it, this is just a blip. I for one have wanted an SEL4 + Rust based OS for a long time, really cool that someone is finally doing it. It's clear what the aspiration is, just keep working toward it.
> protects the user's privacy because it is logically impossible for applications to breach the kernel's hardware security protections and the system components are verifiably secure.
Notice also that they're doing the traditional Google trick of pretending that it respects the user's privacy because it's secure, while ignoring the fact that most of the users privacy will be destroyed by things they designed the operating system to intentionally do in its security model.
It protects the user's privacy against attackers other than Google.
To be fair, this is an entirely reasonable threat model for a lot of people. For instance, if you're a reporter in an authoritarian country, Google is almost certainly not colluding with the attackers who are literally trying to kill you, and using a Chromebook and Gmail is probably the best option out there. Your threat model is "Don't die," not "Don't be subject to surveillance capitalism."
But it's also something we should collectively be pushing back on. The motivating example for these products is "intelligent ambient systems," i.e., things like Nest hubs and doorbells that capture audio/video all the time. These products probably shouldn't exist at all, and to the extent they do, they should process data locally and discard it as soon as they can.
Google sucks up a lot of data, and is in a position to do a lot of bad stuff with it, but historically they have never told my spouse about my affair, my government about my accounts in the caymans, or leaked my nude pictures to my grandma. (I don't actually have any of these!)
I really don't care how much data of mine they have while they limit their evil they use it for to deciding if they should show an ad for baseball or football shirts...
And I trust them not to accidentally leak it far more than I trust my government or any smaller/less techy company.
Because of hypocrisy? They pretend to be not in ads business with your data
So now everyone is doing the same thing so called value the 'privacy' (aka only they could collect the data for themselves to do personalized ads). So in the end you pick the one who hoard ur data and show the ads. What's the difference again?
Apple's "cooperation" with authoritarian governments tends to only go so far as it needs to in order for the next iPhone to come out on time and in sufficient supply. Otherwise Apple bends heaven and earth to engineer their devices to be as secure as they can make them, even against state authorities.
That said, if you live in China, you probably don't want to sync your stuff to iCloud. Not because Apple doesn't want to protect your data, but more because you can't trust anything in any data centers that are physically on Chinese soil.
But let's get real. If you're in mainland China and the authorities decide they need to confiscate your phone, you're already fscked.
> Apple's "cooperation" with authoritarian governments tends to only go so far as it needs to in order for the next iPhone to come out on time and in sufficient supply
That statement is kind of information-free. If China knows they have Apple completely over the barrel, why wouldn't they demand a lot?
But for how they cooperate, Apple's own transparency report shows they give information on Apple customers to Chinese authorities thousands of times per year, and accept the vast majority of requests: https://www.apple.com/legal/transparency/cn.html
Digging through the link the other commentator posted, Apple complied with 88% of Russia's requests for information and 94% of China's with over 1000 requests from each of those nations...
Versus Google which has avoided giving information to or censoring search results in both countries and as a result is mostly banned.
With Apple leaving Russia and removing government-affiliated apps from App Store with no way to side-load them, the only other option is Android now and blocking Google completely will probably render most smartphones useless, as most Android phones rely on Google services to function. I think that's why it's not banned yet.
>If you're in mainland China and the authorities decide they need to confiscate your phone, you're already fscked.
Funny how you specifically mention China, as if it worked differently in USA - the country where you can get four years of jail time for talking back to police.
Google, being US-based company, is legally obliged to provide all the data they have to three letter agencies, without any real oversight. They can’t refuse even if they wanted.
Regardless, I care less about the US government having my info than, say, Russia (especially being part Ukrainian, having Ukrainian friends and family, etc...).
Absolutely agree, but how do you do that in practice?
Do you self-host your services on some Linux distro? How many FAANG employees have upload access to that distro or maintain its infrastructure?
(Or maybe you audited everything yourself and you're 100% confident in your audit, somehow, and you've turned off automatic updates. How many FAANG employees are working on fuzzers to automatically find new exploitable security vulnerabilities and scale out those fuzzers on their employers' infrastructure?)
This 100x. Of all the companies/entities that have had some sort of data of mine over the years Google feels by far the most trustworthy.
My country's agencies (Canada) have leaked more data than Google, and MS can claim they're secure all they want, I've had accounts on MS services hacked but never Gmail or Google services...
Lol. Selling your data to the government is one of the ways they make money. BigTech and BigBrother have been in cahoots for more than 2-3 decades now. Read https://en.wikipedia.org/wiki/PRISM for more info.
This is true now, but once they have those data you can't know what they will use them for in the future. Maybe they will keep using them in the same way as now, maybe not. Also don't forget the recent case of users that got reported to the police by Google because they took pictures of their children for medical reasons.
It's actually spelled '"Auto-Deletion" of data' since you can't prove it's been deleted.
Google and other US tech companies have no right to be trusted after PRISM. Not to mention the US government's complete abdication of public oversight under the guise of national security, with secret courts, secret rulings, and national security letters compelling silence from these same organizations while complying with whatever demands they make.
You realize many tech companies responded to PRISM by making their data centers and private fiber more secure against domestic state sponsored hacking, right?
Unfortunately, I believe that there were 2 possible outcomes in a post-PRISM world:
1) Tech companies increased their security, but it wasn't enough, and security services still have a feed of nearly all data, through a combination of software/hardware/algorithmic flaws.
2) Tech companies did manage to mostly stem the flow of information into security services. However, security services simply sent secret letters to all the big players demanding an API/backdoor and requiring them not to talk about it.
My lukewarm take is that it is possible to construct your company/infra in such a way that functionally, any employee can audit that (2) is not the case, and that Google comes very close to doing this.
If you take security and specifically insider threats seriously, you can't privilege or hide any subsystem, or it becomes a threat of its own, so the same processes that prevent an attacker from creating a shadow-system in your infrastructure also prevent you from doing the same thing.
> Google sucks up a lot of data, and is in a position to do a lot of bad stuff with it, but historically they have never told my spouse about my affair, my government about my accounts in the caymans, or leaked my nude pictures to my grandma. (I don't actually have any of these!)
"""It's unclear how widespread Barksdale's abuses were, but in at least four cases, Barksdale spied on minors' Google accounts without their consent, according to a source close to the incidents. In an incident this[2010] spring involving a 15-year-old boy who he'd befriended, Barksdale tapped into call logs from Google Voice, Google's Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid's account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her. [...]"""
Fwiw that was 12 years ago, and a lot of the Google infra has changed quite a bit since then to make looking at user data much harder and track access more explicitly.
Ie. I want them to commit to "No human who works at Google will ever see your email or photos without you knowing about it". And then splash that statement all over TV ads.
Set up some system so every time an engineer sees user data, the owner of that data is sent a notification (and there are legit reasons for that, like investigating a bug a user has reported). It doesn't need to be for every kind of user data, just the super sensitive ones like the text of emails.
> historically they have never told my spouse about my affair
Have we forgotten Google Buzz? Google changed GMail to publicly list the people you email most. In one case, this de-anonymized a woman's blog and enabled her abusive ex-husband to stalk her. https://fugitivus.wordpress.com/2010/02/11/fuck-you-google/
This is IMO the most likely way that "bad stuff" will happen: not maliciously, but through privacy-invading misfeatures connected to pushing people to share more.
Thats 12 years old... I think it's a real testament to Googles privacy behaviour that amongst their 2 Billon+ users over 11 years, there are no fresher news stories that come to mind.
Compare with facebook/instagram, where it seems every other week someone messes up the privacy settings and posts something to an audience they didn't intend because the product is deliberately designed to encourage accidental oversharing.
I chose Google's mesh routers because I have more trust in their security than any competitor. I would feel pretty safe with PFSense, but my needs are way too simple to bother with that.
I know a lot of techies opt for prosumer, small business gear for their home networks, but most of those vendors have crap security trackrecords. Ubiquiti, seems to be the sole standout in this space, but I don't trust them any more than google to produce secure hardware.
Have you seen Krebs on Security most recent update. He pretty much disavowed his reporting on the Ubiquity breach.
Everybody has security breaches. I'm not out there counting CVEs, but anecdotally, it seems that Netgear, TP-Link, microtik have seem to have much worse reputations.
I don't pay attention to the market for high end networking (Cisco, Juniper).
Security is not privacy though. If I had a piece of information that could kill, I would trust Google with safeguarding it. What I don't trust them, is not to use information they got. Or rather, I expect them to use it (but safeguard it from others, because that's how they make money: by being the only ones allowed access to private information).
This is a research project. There are no users and probably won’t be in this form. If it makes it into a real product, it might not even be done by Google (since they’re open sourcing it.)
So nobody is being tricked. It just too early to say what real products will do.
It's either verifiably secure or it isn't, and that makes an enormous difference. Also, the issue of hardware bugs purports to be addressed by verifiably secure CPU designs.
Of course that leaves the multitude of programmable peripheral devices. But starting with hardware and software that are implemented to be provably secure is a big change. It is table stakes for systems to be vastly harder to penetrate.
Absolutely, and this is specifically why I chose to start with seL4 and use Rust for the userland we built. seL4 has a verification framework already in place, so we can use it to ensure our system design and implementation is good. We've spent this time working with the seL4 guys to find a good middle ground in these changes, and we're going to see about verifying the design as we go, but we wanted to get these things out sooner rather than waiting because it affords more chances for feedback and collaboration. My only regret is not being able to open the entire source tree at once yet. We'll get there, but this is a good start in the meantime.
We do not have our changes formally verified yet, but that is definitely on our roadmap -- otherwise, what's the point of starting from this set of options? Likewise, this is why we chose Rust -- there are several projects already in progress to produce formal verification tools for Rust, so we can hopefully use those as additional proofs.
are there any formally verified CPUs that support any of the constructs needed for anything more than microcontrollers? Like, I have not yet found a formally verified CPU which supports virtual memory or caching
TL from the project here: yeah, I should have done more work on the wording -- we locked the content too fast, and I pushed a tad too hard at getting the post out. :P
Side-channel attacks are out of scope for the security model of both seL4 and our KataOS project, so bear that in mind for sure.
XMAS comes early as far as I'm concerned... A rust os & risc-v implementation is sorely needed & I expect to begin experimenting on private cloud frankenwulfs immediately. I can see why you rushed, this in my humble opinion is bigger than the release of the go programming lang ;)
Thank you very much for putting all the effort into this project. It is a great step towards more secure computing in general, and you earned respect for that.
I do not quite get it: seL4 is verified. Is the rest of the code as well? I understand that verification of Rust is just starting to gain traction (compared to C, Java or Ada), or did they make major progress here?
I've always said that computer science has a PR problem.
Formally verified applications is such a foreign concept to people that when you say "verified correct" they get skeptical and mistrust the whole concept.
Saying something is "secure" when it has been formally verified will be received with a grain of salt, but it is much easier to say than:
"we wrote a detailed specification that define the whole system via algebra, and then we let a theorem prover run all possible permutations of the specification It has now tested a billion edge-cases and we have reached a state where it no longer finds any deviation from the specification."
At least it is provable better than someone saying "it is secure because we think it is".
Rust gaurantees (except in unsafe code) that off-by-one errors will never lead to reading or writing from outside of safe memory bounds. You can still call `unwrap` on a out-of-bounds vector index and get a panic (panics are considered safe since they are memory safe), although you should not be using unwrap in ways that can panic in production code.
It can’t stop me from accessing index 1 when I meant 0 on a 3d array, so I think the claim doesn’t make much sense. Rust can stop me from accessing index N+1 though, which is useful for security. Of course almost every language also has support for bounds checked arrays either in their core or their standard library, and some for of array iterators, so I don’t think that’s a particularly compelling reason to choose Rust.
I'll admit I don't have the stats in front of me, but I can practically for guarantee code using std::vector in the wild that [] usage outnumbers .at() usage, probably at least 10 (or even 100) to 1.
C also doesn't have .at(). Considering C and C++ are the most obvious and direct competitors to Rust, bounds checking would be a significant upgrade if Rust paradigms cause it to be used more often.
It does, but as I mentioned, Red-Hat and Android ship with bounds checking enabled via FORTIFY.
C was already a bad option in the mid-90's compared with the alternatives, it is due to the unfortunate adoption of GNU manifesto and POSIX systems that we got where we are.
Hence why the ultimate solution is to have hardware memory tagging for bounds checking, Solaris has been doing it for a decade, ARM is following along, including a collaboration with CHERI, only Intel borked their MPX design, and it seems not to be on RISC-V's radar.
Note that while defaults matter, and given the option one should rather use a safe systems language, if there are ways to do unbound accesses, there will always be some folks going that route because reasons.
> It does, but as I mentioned, Red-Hat and Android ship with bounds checking enabled via FORTIFY.
I was under the impression FORTIFY only checked bounds with specific functions (mostly those starting with "mem" or "str"), and not on general pointer arithmetic. Thus, an OOB array access would not be caught. Am I wrong on this? Online sources seem to agree with my understanding: https://zatoichi-engineer.github.io/2017/10/06/fortify-sourc...
Additionally, FORTIFY does not work on variable length arrays (like std::vector), only those which have a size known at compile time.
> Hence why the ultimate solution is to have hardware memory tagging for bounds checking, Solaris has been doing it for a decade, ARM is following along, including a collaboration with CHERI, only Intel borked their MPX design, and it seems not to be on RISC-V's radar.
Unfortunately, Intel and ARM are the only relevant vendors here (at least in 2022, but for the record I wish the others the best of luck), so Intel's implementation sucking is a huge blow.
The point being made, if we scroll way back up this thread, is that Rust (supposedly, I have maybe 30 mins of experience with it) has these protections built into the language, and doesn't require compiler flags with "DEBUG" in their name to get them.
If this is true, for new projects, such as the experimental OS we're all talking about, Rust (or any language with a similar feature) could be a better choice.
std::vector, with dynamic memory allocation, is not necessarily safe for embedded applications. It seems like Rust provides bounds checks at a primitive level.
Ahh, that's unfortunate. Naming things is hard. If I had realized that was onenof the projects' prior names, I probably wouldn't have gone with that name. TBH, I have huge respect for LoseTHos / SparrowOS / TempleOS's creator Terry. He accomplished something very unique and made it flourish in the hardest of situations.
208 comments
[ 3.5 ms ] story [ 79.7 ms ] threadIt isn't about "how dare he participate in society" (which is irrelevant, as he is, sadly, not alive anymore). You just simply dont associate your product in public with someone who talks about "cia glowies in a van outside of my house, trying to bait me with a handgun and an underage child" or records a video of themselves calling a black person outside an N-word with hard "r" (and then gets hit by that person).
Again, sad story for Terry, and I genuinely feel compassion for the man. He clearly had a brilliant mind trapped in his head, but his mental illness took over it entirely. To the point where he became literally about as marketable as the Unabomber, and probably even less. It isn't insensitive to say that his behavior (regardless of the mental illness) makes it impossible to attach his likeness to your product in a positive way.
However, none of that would make him more "advertising-friendly" and override the perception caused by his public outbursts (which were driven by his illness). People were "canceled" for way less. That's just the reality. No amount of empathy on my end would make someone saying the n-word (with a hard "r") n a derogatory way towards a black person and recording it on video any more advertising-friendly.
I feel like i am being gaslighted pretty hard right now , and the passive-aggressive "be better than that" isn't helping.
I’m only aware of one other attempt to secure the entire stack: Oxide Computing (focused more on data centers I think.)
Please bear with us.
Does that mean that it hasn't been approved yet at the highest level?
This is like a really dumb version of the 90s era MS competing teams nonsense. All I can see is it burning out a lot of really talented engineers.
It's to the point I just ignore any Google product launch, at least in terms of consideration for my own use. 5-10 years is an incredibly short lifespan, and there's usually no off-ramp. The product just dies off.
Similarly, many people avoid watching Netflix shows until they survive to season 3 at least because it's not worth investing your time in something that's likely to get cancelled after a season or two.
It's their own doing and mocking it is fully deserved
But what would be the point?
For one, as some people said, it's secure but whatever it does will certanily pass information through Google, and you can't trust them.
And two, as some other people said, Google projects don't survive if they get less than 100 million users.
The comments cannot be considered garbage, since they ask the most pertinent question: why is this announcement worth talking about?
And yes, Google created this situation itself. And now it has to justify each new product's life span. Because we don't trust that at all. Unlike startups, Google can easily afford to run a product at a loss for years. Yet we trust them less than startups with only a few months of runway.
This is not a product, it's a free and open source OS, a gift to the world. You cannot shut down open source--if it matters so much to you then maintain it yourself.
Philosophically speaking, do most people do something out of pure altruism? I personally don't believe so. Everyone has an agenda - be it to feel better, to score brownie points, to make people like them, etc. Why should we expect for-profit corps to be altruistic? We should remember their for-profit motives and also accept they can do good deed for non-altruistic reasons.
There you go, so you help others to feel happiness yourself. In which case, its not purely altruistic.
Why do people like you seem determined that nothing good can exist in other people. Your tribe turns everything to shit.
I disagree. Google's habit of killing projects off is interesting/annoying/frustrating but I don't think a trove of shallow "I wonder when google will kill this? lol" comments on every google product announcement add to the discussion.
So if you're betting on a product / service, then relying on Internet sentiment is generally a bad idea.
Analogy: the best time to buy a car from a specific manufacturer is when everyone knows that the manufacturer is only producing crappy cars. Because that's when they're likely doing everything they can to rectify their reputation. (And the other way around.) Examples: French cars manufactured around 2010 have really good quality (especially the PSA models), because they produced crap around 2000 so by 2008 everyone knew that they should not buy a Citroen. BMW's from 2008 have incredibly many quality issues as BMW's reputation peaked around that era, so they reaped the profits that they could (and this was all based on the all-around great cars from a decade earlier).
Maybe—or maybe they’re still in the stage when they’re producing crappy cars, and unwilling to commit to the serious changes that would ultimately lead to a better product and better reputation.
The (awful) analogy certainly doesn't even hold: my late-2009 BMW is still going strong without a hint of anything beyond routine maintenance, yet according to this screed it should be crap...
Has BMW ever been reliable? Yes in the 90s and before, since then? No. They just don't care, they're sold as lease vehicles to people who care about having the newest stuff for 3 years and then move on.
> So if you're betting on a product / service, then relying on Internet sentiment is generally a bad idea.
I don't disagree with this tho.
As an engineer, I don't get much say in what other parts of the company do, but unfortunately, I have to bear the brunt of the blowback every time it happens, in social forums like this one, and in B2B interactions. It's quite frustrating, actually.
Same for you. You either need to fix Google’s long term support issues from the inside, or expect more of the same.
> [...] You either need to fix Google’s long term support issues from the inside, or expect more of the same.
Some of us knowingly work for organizations that, in the aggregate, are crap.
We stay and do the best we can.
If somebody put that bullcrap of fixing our entire system on me, I'd laugh. Pretend you did that to me -- I would think that you have a poor understanding of the systemic issues causing the problems that bother you.
To me there isn't a clear line from "present" to "desirable future", and simplistic approaches ("antitrust disassemble google") to complex problems aren't actually going to work (all IMO).
Sometimes you do the best you can, help the people you can help, and feel sorry for the rest... but leaving isn't going to make it better, it's going to make it worse, because your work is above average.
Actually, I guess the parent knows this since the are still working in the automobile industry but for others - perhaps what's needed is just a thicker hide, and a willingness to say "yep, it's gonna get killed at some point, good thing we MADE IT OPEN SOURCE so others can carry it forward."
Talk to your management about it or switch company, don’t whine about it to the users. These comments are a symptom, not the disease.
Second, I feel for you. This can't be fun, and it's not your fault.
Third, although I think I'm pretty squarely in your "target audience", if you will (Rust & SEL4!? Yes please!), my first reaction was "Oh well, too bad it will be cancelled before it goes anywhere."
Google has done this to themselves. There is a massive undertow against adopting anything Google makes. (I still sting from Reader, still, years later.) Stadia? Etc. Why bother?
Which brings me to my fourth and final point: Y U Googler? What I mean is, on the one hand no one is forcing you to work at Google? On the other hand when (sorry) IF they cancel this project are you going to continue to support it yourself? What is your personal stake in this project?
I'm willing to give you jtgans a break, but not Google.
Overall I love the HN community and think it is the best one on the internet, but it still has a vocal shallow-minded pocket of people who:
1. Seem to forget that they're talking to a fellow human being rather than a username, and don't engage any of their manners that normally filter out unproductive rudeness
2. Feel strong emotions toward big companies and think life is just as simple as telling a single engineer to "fix the company" as though that is even remotely reasonable.
3. Don't seem to understand how big corporate systems work. Suggesting that a single engineer (even if they are a team lead) is to blame for business decisions that get made almost entirely against what the engineers want, is absurd.
Good for you for speaking up though. It won't make a difference to the people you were commenting to, but overall it provides the masses with a reminder that there's a human on the other side of this.
We're all better off when smart people can build something new, that advances the frontier of what's possible, and release it to the world for free, without committing to support it forever.
It's nauseating when lazy commenters parrot the same, worn-out arguments to tear down legitimate innovation.
This is a reason I’ll never use a new Google product ever again. I’m still stuck with Gmail and Android TV for now but that’s about it, and I’m working on that too. I slowly switch my accounts to a custom domain email, and plan on switching to Plex because they decided to start showing ads on the TV I paid $2000 for.
Google quite explicitly has a startup mentality in trying to launch lots of things and see what sticks, and shut down what doesn't stick. A "fail fast" mentality that is very hacker-y.
Apple is the polar opposite -- they do oodles of internal testing and iteration and feedback and don't launch something until they're super-super-sure they've got a hit on their hands. Microsoft is closer to Apple but more willing to experiment.
So people hate on Google when they cancel products, but nobody hates on all the startups that simply go out of business. To the contrary, they say congrats on trying, hope you try again!
It's a bizarre double standard that I'll never understand.
Yes, Reader was cancelled, but if Google didn't have this "launch and see what sticks" mentality Reader never would have been created in the first place. Products like Gmail and Google News supposedly started as similar 20% products.
Why is HN so supportive of startups that try and fail, but not when Google does it?
>KataOS provides a verifiably-secure platform that protects the user's privacy because it is logically impossible for applications to breach the kernel's hardware security protections and the system components are verifiably secure.
The wording seems quite confident, maybe it could use some additional "at least according to its specification". This approach doesn't protect against hardware bugs and side-channel attacks.
Especially when one thinks of unexpected attacks like Rowhammer, there is probably no way to include them in a formal systems model beforehand.
> and the kernel modifications to seL4 that can reclaim the memory used by the rootserver.
MMMMMMMMMMMkkkkkk. So you then have to ask: were these changes also formally verified? There's a metric ton of kernel changes here: https://github.com/AmbiML/sparrow-kernel/commits/sparrow but I don't see a fork of https://github.com/seL4/l4v anywhere inside AmbiML.
I mean, it does also claim to be "almost entirely written in Rust", which is true if you ignore almost the entire OS part of the OS (the kernel and the minimal seL4 runtime).
I realize the blog post comes out pretty strongly on this topic, and that's my oversight -- I let my aspirations leak out instead of tempering them (this is not your typical PM-driven project) properly.
Please understand that this is an engineer-driven project in Research with a very small team where we're doing our hardest to do the right thing, so please bear with us.
Notice also that they're doing the traditional Google trick of pretending that it respects the user's privacy because it's secure, while ignoring the fact that most of the users privacy will be destroyed by things they designed the operating system to intentionally do in its security model.
To be fair, this is an entirely reasonable threat model for a lot of people. For instance, if you're a reporter in an authoritarian country, Google is almost certainly not colluding with the attackers who are literally trying to kill you, and using a Chromebook and Gmail is probably the best option out there. Your threat model is "Don't die," not "Don't be subject to surveillance capitalism."
But it's also something we should collectively be pushing back on. The motivating example for these products is "intelligent ambient systems," i.e., things like Nest hubs and doorbells that capture audio/video all the time. These products probably shouldn't exist at all, and to the extent they do, they should process data locally and discard it as soon as they can.
I really don't care how much data of mine they have while they limit their evil they use it for to deciding if they should show an ad for baseball or football shirts...
And I trust them not to accidentally leak it far more than I trust my government or any smaller/less techy company.
So now everyone is doing the same thing so called value the 'privacy' (aka only they could collect the data for themselves to do personalized ads). So in the end you pick the one who hoard ur data and show the ads. What's the difference again?
That said, if you live in China, you probably don't want to sync your stuff to iCloud. Not because Apple doesn't want to protect your data, but more because you can't trust anything in any data centers that are physically on Chinese soil.
But let's get real. If you're in mainland China and the authorities decide they need to confiscate your phone, you're already fscked.
That statement is kind of information-free. If China knows they have Apple completely over the barrel, why wouldn't they demand a lot?
But for how they cooperate, Apple's own transparency report shows they give information on Apple customers to Chinese authorities thousands of times per year, and accept the vast majority of requests: https://www.apple.com/legal/transparency/cn.html
Likewise in Russia: https://www.apple.com/legal/transparency/ru.html
Versus Google which has avoided giving information to or censoring search results in both countries and as a result is mostly banned.
https://www.reuters.com/technology/google-is-fined-390-mln-r...
Google's given up on business there but still puts their sites out there (as they should).
Funny how you specifically mention China, as if it worked differently in USA - the country where you can get four years of jail time for talking back to police.
Regardless, I care less about the US government having my info than, say, Russia (especially being part Ukrainian, having Ukrainian friends and family, etc...).
Do you self-host your services on some Linux distro? How many FAANG employees have upload access to that distro or maintain its infrastructure?
(Or maybe you audited everything yourself and you're 100% confident in your audit, somehow, and you've turned off automatic updates. How many FAANG employees are working on fuzzers to automatically find new exploitable security vulnerabilities and scale out those fuzzers on their employers' infrastructure?)
My country's agencies (Canada) have leaked more data than Google, and MS can claim they're secure all they want, I've had accounts on MS services hacked but never Gmail or Google services...
You can set up auto-deletion of data every 3 months.
Google and other US tech companies have no right to be trusted after PRISM. Not to mention the US government's complete abdication of public oversight under the guise of national security, with secret courts, secret rulings, and national security letters compelling silence from these same organizations while complying with whatever demands they make.
1) Tech companies increased their security, but it wasn't enough, and security services still have a feed of nearly all data, through a combination of software/hardware/algorithmic flaws.
2) Tech companies did manage to mostly stem the flow of information into security services. However, security services simply sent secret letters to all the big players demanding an API/backdoor and requiring them not to talk about it.
(or some mix of the two)
If you take security and specifically insider threats seriously, you can't privilege or hide any subsystem, or it becomes a threat of its own, so the same processes that prevent an attacker from creating a shadow-system in your infrastructure also prevent you from doing the same thing.
You've been lucky, then: https://www.gawker.com/5637234/gcreep-google-engineer-stalke...
"""It's unclear how widespread Barksdale's abuses were, but in at least four cases, Barksdale spied on minors' Google accounts without their consent, according to a source close to the incidents. In an incident this[2010] spring involving a 15-year-old boy who he'd befriended, Barksdale tapped into call logs from Google Voice, Google's Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid's account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her. [...]"""
Ie. I want them to commit to "No human who works at Google will ever see your email or photos without you knowing about it". And then splash that statement all over TV ads.
Set up some system so every time an engineer sees user data, the owner of that data is sent a notification (and there are legit reasons for that, like investigating a bug a user has reported). It doesn't need to be for every kind of user data, just the super sensitive ones like the text of emails.
Have we forgotten Google Buzz? Google changed GMail to publicly list the people you email most. In one case, this de-anonymized a woman's blog and enabled her abusive ex-husband to stalk her. https://fugitivus.wordpress.com/2010/02/11/fuck-you-google/
This is IMO the most likely way that "bad stuff" will happen: not maliciously, but through privacy-invading misfeatures connected to pushing people to share more.
Compare with facebook/instagram, where it seems every other week someone messes up the privacy settings and posts something to an audience they didn't intend because the product is deliberately designed to encourage accidental oversharing.
I know a lot of techies opt for prosumer, small business gear for their home networks, but most of those vendors have crap security trackrecords. Ubiquiti, seems to be the sole standout in this space, but I don't trust them any more than google to produce secure hardware.
Everybody has security breaches. I'm not out there counting CVEs, but anecdotally, it seems that Netgear, TP-Link, microtik have seem to have much worse reputations.
I don't pay attention to the market for high end networking (Cisco, Juniper).
So nobody is being tricked. It just too early to say what real products will do.
Of course that leaves the multitude of programmable peripheral devices. But starting with hardware and software that are implemented to be provably secure is a big change. It is table stakes for systems to be vastly harder to penetrate.
We do not have our changes formally verified yet, but that is definitely on our roadmap -- otherwise, what's the point of starting from this set of options? Likewise, this is why we chose Rust -- there are several projects already in progress to produce formal verification tools for Rust, so we can hopefully use those as additional proofs.
Side-channel attacks are out of scope for the security model of both seL4 and our KataOS project, so bear that in mind for sure.
Formally verified applications is such a foreign concept to people that when you say "verified correct" they get skeptical and mistrust the whole concept.
Saying something is "secure" when it has been formally verified will be received with a grain of salt, but it is much easier to say than:
"we wrote a detailed specification that define the whole system via algebra, and then we let a theorem prover run all possible permutations of the specification It has now tested a billion edge-cases and we have reached a state where it no longer finds any deviation from the specification."
At least it is provable better than someone saying "it is secure because we think it is".
How so? OBO is a logic error isn't it?
ex: Bounds::Excluded
and iterators like the other commenter mentioned.
As such, checks for operator[]() are usually only enabled in debug builds, although Android and Red-Hat ship with them enabled into production.
Additionally, before C++ got a standard library, the frameworks that were shipped alongside compilers always had those checks enabled by default.
C also doesn't have .at(). Considering C and C++ are the most obvious and direct competitors to Rust, bounds checking would be a significant upgrade if Rust paradigms cause it to be used more often.
C was already a bad option in the mid-90's compared with the alternatives, it is due to the unfortunate adoption of GNU manifesto and POSIX systems that we got where we are.
Hence why the ultimate solution is to have hardware memory tagging for bounds checking, Solaris has been doing it for a decade, ARM is following along, including a collaboration with CHERI, only Intel borked their MPX design, and it seems not to be on RISC-V's radar.
Note that while defaults matter, and given the option one should rather use a safe systems language, if there are ways to do unbound accesses, there will always be some folks going that route because reasons.
I was under the impression FORTIFY only checked bounds with specific functions (mostly those starting with "mem" or "str"), and not on general pointer arithmetic. Thus, an OOB array access would not be caught. Am I wrong on this? Online sources seem to agree with my understanding: https://zatoichi-engineer.github.io/2017/10/06/fortify-sourc...
Additionally, FORTIFY does not work on variable length arrays (like std::vector), only those which have a size known at compile time.
> Hence why the ultimate solution is to have hardware memory tagging for bounds checking, Solaris has been doing it for a decade, ARM is following along, including a collaboration with CHERI, only Intel borked their MPX design, and it seems not to be on RISC-V's radar.
Unfortunately, Intel and ARM are the only relevant vendors here (at least in 2022, but for the record I wish the others the best of luck), so Intel's implementation sucking is a huge blow.
You use it alongside other compiler flags to enable them like _GLIBCXX_DEBUG, and FORTIFY levels.
It is not perfect, but since there are domains that won't stop using C and C++ past our lifetimes, that is better than nothing.
If this is true, for new projects, such as the experimental OS we're all talking about, Rust (or any language with a similar feature) could be a better choice.
https://www.youtube.com/watch?v=Raej8C2yIEc
I think your new OS needs realistic elephants.
turns out google does have support minions, providing one way support for google (under duress).
https://antmicro.com/blog/2022/08/running-rust-programs-in-s...
More about Rust and the architecture. I know Renode of its RISC-V meetup presentations, can't say I was impressed favorably.