Category Archives: ArcaOS

ArcaOS 5.0.2 Bootable USB Stick Image 2018-02-12 Package Released

AOSBoot USB stick Arca Noae is pleased to announce the immediate availability of our new ArcaOS Bootable USB Stick Image 2018-02-12 Package.

This package follows onto the included USB stick creation utility shipped with ArcaOS 5.0.2, allowing you to create a bootable USB ArcaOS 5.0.2 installation stick without a running OS/2 system. The package includes native binaries to restore the stick image from Windows, Mac, and Linux, as well as OS/2. Once the image is restored, eject, re-insert, and simply copy your personalized ISO (separately downloaded) to the stick per the included directions, which are also detailed in the ArcaOS support wiki. The stick may then be inserted into any USB 2.0-controlled port in the target system, which is then booted into the ArcaOS installer.

If you are still running OS/2 and/or eComStation systems and haven’t yet moved up to ArcaOS, this is a great time to do so. It’s never been easier to install any OS/2-based operating system.

ArcaOS 5.0.2 now available

Arca Noae is pleased to announce the immediate availability of ArcaOS 5.0.2, the second maintenance release of ArcaOS 5.0 (Blue Lion).

ArcaOS 5.0.2 is the result of many hours of collaborative work to update and refine ArcaOS 5.0. Post-install fixes are included, and these will be made available for separate download as part of the ArcaOS 5.0 Support & Maintenance subscription shortly. In the meantime, a full download of the refreshed media image is required to obtain these fixes and updates.

ArcaOS 5.0.2 includes well over 60 updates and fixes since 5.0.1, and introduces for the first time ever available, the ability to boot an OS/2-based operating system from USB stick media and perform an installation. This new facility – AltBoot – should enable ArcaOS to be installed on many systems where traditional DVD-based booting has not been possible.

A bootable ArcaOS 5.0.2 USB stick may be created from any major operating system at hand (Windows, Linux, MacOS, and of course, OS/2, eComStation, and ArcaOS). The USB stick image package will be made available as a separate download.

If everything is working in your current installation, it may be prudent to wait for the subscription content to become available, as Arca Noae has not classified any of the 5.0.2 updates as critical.

If you have experienced difficulty installing ArcaOS 5.0.1, the fixes and updates included in 5.0.2 may address your issue(s).

For a complete list of updates in this release, see the ArcaOS wiki.

To download your fresh ISO, simply visit your customer portal page, select the Orders & Subscriptions link on the navigation panel to the left, then click on the order for your ArcaOS license. Once there, click the download link to request a fresh ISO, and wait for your notification email.

Policy statement concerning Spectre and Meltdown exploits

Spectre and Meltdown are terms used to describe two potential exploits in a class of security attacks commonly termed “timing attacks” because they access data which may be sensitive in nature (passwords and other information) from areas of memory which may only be available at specific times (either moved elsewhere or removed entirely at other times). They belong to the more general class termed “side-channel attacks,” because they exploit the hardware itself, rather than breaking encryption or utilizing a software flaw. For more technical information regarding these exploits, please refer to the links section, below.

Arca Noae engineers are monitoring the situation, and while there is still much contradictory information crossing the internet at this time, we believe we have been able to assess at least some of the risk and provide some guidance to users of the OS/2 platform (OS/2 Warp, eComStation, and ArcaOS). As further reliable information becomes available, this post will be updated to reflect any change in Arca Noae’s position and any actions we may plan to take.

General information

In order to gain access to any information in privileged memory using one of these exploits, a user-level application must be launched on the specific machine to be compromised. This means that presently, an OS/2 executable must be used as the attack vector. As of this writing, we are not aware of any such code which executes on the OS/2 platform.

Browser-based attacks (running JavaScript) appear to require greater precision in a high-resolution timer than is currently available on OS/2, making such exploits more difficult than on other platforms, if not altogether impossible. It should also be noted that any such JavaScript-based attack would have to also be specifically designed to handle access to memory regions as managed by OS/2 (in other words, a malicious JavaScript program must be written for OS/2 and specifically to run in the OS/2 browser version in which it is running; a JavaScript program written for Windows or Linux will not work on OS/2). Realistically, the chance of this level of coding detail is extremely small.

Risks – virtual installations vs bare metal

By far, virtualized environments (running OS/2 as a guest under some other more vulnerable platform) are at the greatest risk, because the host system may rightly have access to the guest’s memory and virtualized processor. A host running a vulnerable operating system with an exploitable CPU which remains unpatched is the greatest concern. Arca Noae believes bare metal installations of OS/2-based operating systems are at much less risk.

Arca Noae’s current strategy

To date, we have not identified a need for a kernel patch to mitigate the risk of any hypothetical Spectre or Meltdown attack against OS/2-based systems. We continue to monitor the available information and will adjust our strategy as conditions require.

Arca Noae’s current recommendations

For virtualized and bare metal installations, Arca Noae recommends only running software obtained from trusted sources. Per stand practice, reasonable security precautions should be taken when accessing the internet, particularly when visiting unfamiliar or untrusted sites, and browser cache should be cleared regularly. The use of a NAT firewall is also encouraged (either a separate one, as built into a broadband router or at a minimum, a software firewall running on the local OS/2 system, such as InJoy Firewall).

Because a malicious application designed to utilize one of these exploits would have to be downloaded or copied to the target OS/2 system and then executed locally, normal malware protections remain the best first line of defense.

For virtualized installations, Arca Noae recommends applying to the host system whatever patches are made available and recommended by the developer of the host operating system.

Updates

2019-02-14: Security researchers apparently conclude in this whitepaper that Spectre cannot be entirely mitigated at the software level.

2019-10-07: Intel engineers have proposed (official/latest Intel PDF, here) a new memory type, speculative-access protected memory (SAPM), to mitigate a common factor in side-channel attacks which access cache/memory.

Links

Spectre CVEs:

Meltdown CVE:

Mozilla Security Blog

CERT: CPU hardware vulnerable to side-channel attacks

Intel: Facts about side-channel analysis and Intel products

AMD: An update on AMD processor security

Our first ever Black Friday Sale!

Arca Noae is launching our first ever Black Friday Sale!

If you’ve been waiting to get an ArcaOS license, either as a return to OS/2 after a long absence or because you’ve heard the buzz about the breakthrough Blue Lion distribution, or even if you’re a current ArcaOS licensee and want an additional license or two — or three — for some other systems, now is the time.

ArcaOS 5.0 personal edition licenses are on sale for just $109 from now through the end of 2017. Personal edition licenses include six months of support and updates, and after that, annual support renewals are available for a great price.

ArcaOS 5.0 commercial edition licenses are on sale for just $195 from now through the end of 2017, and include a full year of support and updates.

Get your ArcaOS licenses while they’re available at these great discounts!

ArcaOS 5 included Support & Maintenance Subscription length

We have recently become aware of some possible confusion surrounding the amount of time (term) of included support for personal vs commercial edition licenses of ArcaOS 5. It therefor seemed appropriate to review our website content, and to our surprise, we find that we really have not done a good enough job of making this particular — though critical — issue very clear. Hopefully, this post will set the record straight.

In an earlier post, we discussed the process for renewing subscriptions, and mentioned that it was renewal season for early adopters of ArcaOS 5. That reference was to those who purchased personal edition licenses for ArcaOS 5 six (6) months ago.

ArcaOS 5.0 personal edition includes six (6) months of Support & Maintenance.

ArcaOS 5.0 commercial edition includes twelve (12) months (one full year) of Support & Maintenance.

Renewal reminders are normally sent one month prior to expiration, one week prior, and finally on the day of expiration.

Although the personal and commercial editions of ArcaOS 5 are code-equivalent (there is no difference in the operating system or kernel itself, e.g., both support up to 32 processor cores and an unlimited number of connections, with the same storage volume types and capacities and included device drivers and applications), there are other differences between the two, namely the level of support and the term (length of time) of the included subscription. The commercial edition includes prioritized support for twelve months (one year), whereas the personal edition includes standard support for six months.

Support renewals for both editions are for one year. For example, a personal edition license purchased June 1, 2017 will be due for a Support & Maintenance subscription renewal on or before November 30, 2017 and the renewal will extend the support a full year until November 30, 2018. A commercial edition license purchased the same day (June 1, 2017) will be due for a Support & Maintenance subscription renewal on or before May 31, 2018 and the renewal will extend the support for a full year until May 31, 2019.

If you miss the deadline for a timely renewal of your included Support & Maintenance subscription, you may still “renew” your subscription at the regular price. Missed the deadline because you didn’t receive your reminder emails for some reason? No problem. Just contact us or open a customer service ticket, and we will be glad to help make things right. That’s our commitment to you as an ArcaOS licensee.

Finally, for those of you with existing OS/2 & eCS Drivers & Software subscriptions, concerned about the differences between the two subscription “tracks,” we have a handy table which compares the two, available here.

We believe there are compelling reasons to move up to ArcaOS 5, and to keep in force a Support & Maintenance subscription, ensuring regular updates and the availability of technical assistance for the operating system as a whole. While there is no requirement to renew Support & Maintenance to continue using ArcaOS 5, doing so ensures uninterrupted access to updates, refreshed installation ISOs, and support.

Please review this post for the specifics on how to renew your existing subscription.

New subscription renewal process

It’s renewal season for early adopters of ArcaOS 5, and with that, comes a new renewal process for all subscriptions.

As expiration dates approach, renewal reminders will be emailed. In each reminder is a link to the original order as well as a link to add the renewal to the shopping cart. Be sure to log in first before clicking the links. Reminders are sent one month before expiration, one week before, and on the day of expiration. A renewal extends ArcaOS support and maintenance for one full year.

The original order will also have a handy renewal link, so there is no need to wait for a reminder. Just log into your customer portal at Arca Noae and access your order for ArcaOS to add it to your cart. (Renewals for other subscriptions are now handled the same way.)

ArcaOS Support & Maintenance subscriptions renewed before expiration qualify for a 10% discount, too. Note that the full price will be reflected in the cart but the discount will be shown at checkout. It is still possible to renew an expired ArcaOS Support & Maintenance subscription after it has expired, but without the renewal discount.

Be sure to order the correct subscription! The OS/2 & eCS Drivers & Software subscription is for non-ArcaOS systems, and does not include support or updates for ArcaOS. Likewise, the ArcaOS Support & Maintenance subscription is only for ArcaOS systems, and is not available for purchase without an ArcaOS license.

If you currently have an active OS/2 & eCS Drivers & Software subscription as well as an ArcaOS license, and you no longer need to maintain OS/2 Warp or eComStation systems, you may trade in your subscription for additional time or a discount on your ArcaOS Support & Maintenance subscription. See the Subscription Trade-Up Request form for details.

Handy links:

Subscription comparison table
Subscription Trade-Up Request
Frequently Asked Questions
ArcaOS Wiki

October 2017 happenings

ArcaOS 5.0.2 in the works

We are hard at work finalizing the last bits to be included in ArcaOS 5.0.2. Among the enhancements and features are a few bug fixes, updates to included RPM packages, updated Samba client, and the new ability to install from an ArcaOS bootable USB stick (or local partition). We call this new feature AltBoot, and it is a milestone for OS/2. This should assist those with USB 2.0 capability but no optical drives in getting ArcaOS installed and running.

Arca Noae experimental YUM repository access now restricted

In an effort to better ensure the integrity of packages provided by Arca Noae in our release and subscription channels, we have now restricted access to the arcanoae-exp repository to developers and the test team only.

Rest assured, any software which you may have installed from the experimental repository will continue to function just as it did before. However, we strongly urge that if you have installed the arcanoae-exp RPM to configure the experimental repository in Arca Noae Package Manager (ANPM) or YUM, you uninstall that package. It will be withdrawn from the Netlabs stable repository shortly.

Firefox 45.9 RPM coming soon to an Arca Noae YUM repository near you

Firefox 45.9 GA should be arriving soon for installation via ANPM as part of the subscription content for ArcaOS licensees with active support and maintenance and Drivers & Software subscribers. This new packaging should ease the burden of upgrades by managing dependencies and better ensuring a successful installation. More details will be provided in an upcoming post. (Of course Firefox is free for all to download as zip from Netlabs. There is no requirement to maintain a subscription with Arca Noae in order to get the latest Firefox for OS/2.)

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

A Note about Third-Party Components in ArcaOS

You may be aware of the recent massive Equifax security breach and the Company’s explanation surrounding a vulnerability in Apache Struts (CVE-2017-5638) disclosed by US CERT in early March 2017. Some reports have implied that the company has somehow blamed Apache Software Foundation for the breach, specifically by not moving quickly enough to address the security flaw. Apache has responded to these allegations clearly and concisely. In light of this incident, we thought this a good opportunity to help provide some clarity concerning third-party work and open source components, in general, as they pertain to ArcaOS and Arca Noae’s position regarding their fitness for use, and who is ultimately responsible to maintain his or her or, in the case of enterprise use, its own systems.

Arca Noae includes several components in ArcaOS developed by reputable third parties, including IBM, Apple, and others. Some of these components are open source, as well, meaning that the code for compiling these components into machine-readable form is freely available to the public. Open source software is often more secure than proprietary software, by nature of the fact that many (sometimes thousands) of developers around the world contribute to the code. This (often massive) group effort allows such projects to react quickly when flaws are discovered, and to work to constantly monitor and maintain the software. However, whether proprietary or open source, Arca Noae may have no control whatsoever over these components, inherent flaws, or as-yet-undisclosed security issues.

It is Arca Noae’s position that each ArcaOS licensee (whether an individual or an enterprise) bears the sole responsibility to consider his or her or its own interests and security. While we do what is within the realm of reasonable possibility to stay abreast of current trends and vulnerability disclosures (CVEs), we cannot guarantee that all issues will be identified and/or reported to our users by us. Thus, best practices dictate that each user remain vigilant and aware of the connected ecosystem in which we live and to take steps to mitigate his or her or its own risks.

Arca Noae welcomes reports from our users of disclosed and non-disclosed vulnerabilities. While we normally encourage our users to avail themselves of our Mantis ticketing system to report issues, those of a sensitive nature (such as an as-yet-undisclosed or little-known security flaw in a bundled component) should be reported through our contact page.

We would also like to take this opportunity to remind all of our ArcaOS licensees that ArcaOS does not utilize telemetry of any kind to communicate with us. We firmly believe that when a user licenses a copy of ArcaOS, his or her or its data should remain on the system as directed by the user, shared only by the user, and with the user’s full knowledge and consent.

The next exciting update to ArcaOS 5.0 is in the making, too. Watch the Arca Noae blog for a release announcement in the coming weeks.

Have an enterprise Windows XP application and can’t upgrade Windows?

Talk to us about the possibility of wrapping that Windows XP (or 2000 or even NT 4) app and running it under Odin32. Similar to running an application in a container under Linux, the application itself is the only thing running in a Windows-compatibility environment, while the rest of the system is not subject to Windows security vulnerabilities on the LAN or on the internet. In this configuration, the only user training required is getting the system booted, authenticating to the network, and clicking the program object to start the same Windows application with which your users are already familiar.

Have a Windows application which requires LAN transport, but the version of Windows now in use is too outmoded for the latest file transport security? No problem. Applications running under Odin32 on ArcaOS which need to access network shares may do so using the integrated Samba 4 networking in ArcaOS, which appears to the application to be a local drive. All authentication, security, and transport encryption (if so configured) happens at the ArcaOS level, outside the Windows environment.

Maintain your critical applications on OS/2, DOS, or 16 or 32-bit Windows, on modern hardware or virtualized, while running on a secure, stable, maintained platform: ArcaOS 5.

Note: Any application accessing the public internet may be at risk. ArcaOS itself cannot defend a Windows application running under it against such exploits, if that application is vulnerable to attack.

Last days of introductory pricing for ArcaOS 5.0 personal edition

The 90-day introductory period for ArcaOS 5.0 is drawing to a close, and with it, the sale price for ArcaOS 5.0 personal edition. There is still time – through August 15 – to get your license(s) for ArcaOS 5.0 personal edition at a $30 discount. That’s a savings of more than 23%.

ArcaOS 5.0 has been extremely well received by the press, developers, engineers, and users alike. More great features are in the works, and a license for 5.0 today ensures a great discount on 5.1, anticipated late 2018.