
Microsoft open-sources "the earliest DOS source code discovered to date"


Several times in the last couple of decades, Microsoft has released source code for the original MS-DOS operating system that kicked off its decades-long dominance of consumer PCs. This week, the company has reached further back than ever, releasing "the earliest DOS source code discovered to date" along with other documentation and notes from its developer.

Today's source release is so old that it predates the MS-DOS branding, and it includes "sources to the 86-DOS 1.00 kernel, several development snapshots of the PC-DOS 1.00 kernel, and some well-known utilities such as CHKDSK," write Microsoft's Stacey Haffner and Scott Hanselman in their co-authored post about the release.

To understand the context, here's a very brief history of what would become MS-DOS: Programmer Tim Paterson originally created 86-DOS (previously known as QDOS, for "quick and dirty operating system") for an Intel 8086-based computer kit sold by Seattle Computer Products. Microsoft, on the hook to provide an operating system for the still-in-development IBM PC 5150, licensed 86-DOS and hired Paterson to continue developing it, later buying the rights to 86-DOS outright. Microsoft then licensed this operating system to IBM as PC-DOS while retaining the ability to sell the operating system to other companies. The version sold by Microsoft was called MS-DOS, and the proliferation of third-party IBM PC clones over the '80s and '90s made it the version of the operating system that most people ended up using.

This source code is old enough that it hadn't been stored digitally. "A dedicated team of historians and preservationists led by Yufeng Gao and Rich Cini," calling itself the "DOS Disassembly Group," painstakingly transcribed and scanned in code from paper printouts provided by Paterson. This process was made even more difficult because modern OCR software struggled with the quality of the decades-old printout.

Microsoft has also open-sourced several of its other early software projects. In 2014 (and again in 2018), the company open-sourced MS-DOS versions 1.25 and 2.0. It followed that up in 2024 with the oddball MS-DOS 4.0 release. Those versions are all available in the same GitHub repo. Other open-sourced projects include the game Zork and its sequels and 1995's Microsoft 3D Movie Maker (plans to modernize this app and add new features have largely gone nowhere). The open source remake of the old MS-DOS Editor isn't actually the same app as the old EDIT.COM, but its heart is in the right place.

For students of early PC history, this isn't even the first piece of 86-DOS history that has been newly rediscovered this decade. Just two years ago, the earliest known version of 86-DOS was rediscovered and uploaded to the Internet Archive.


Stranded traveler gets more than he bargained for in Resident Evil teaser


The Resident Evil film franchise has grossed over $1.2 billion worldwide since the first film debuted in 2002, but an attempt to reboot it a few years ago floundered. Sony Pictures is trying again, this time tapping Zach Cregger—who wrote, produced, and directed last year's Oscar-winning horror hit Weapons—for the project. The studio showed the first teaser for Cregger's Resident Evil during CinemaCon and just released it to the wider public.

When the first Resident Evil game debuted in 1996, it was an immediate commercial and critical success, spawning several sequel games, comics, novels, and a very lucrative film franchise directed by Paul W.S. Anderson and starring Milla Jovovich. But those films were only loosely based on the games, keeping a few primary characters and the basic concept, but little else. Reviews were mixed, despite the films' massive box office success.

Work on the first reboot started in 2017, eventually producing 2021's Resident Evil: Welcome to Raccoon City. Director Roberts Johannes wanted to bring a very different tone to his film. He wanted to stay closer to the Resident Evil and Resident Evil 2 games—even employing the same fixed angles of Spencer Mansion in the first game. Alas, Welcome to Raccoon City was critically panned and had a disappointing box office showing, grossing just $42 million globally against its $25 million budget. The studio nixed its plans for a direct sequel, and a 2022 Netflix series was also canceled after a less-than-stellar first season.

But now it's Cregger's turn. According to Cregger, this new film is not a direct game adaptation, but an original story with original characters set in the same fictional universe. He told the audience at CinemaCon that his film will have “no narrative acrobatics, time jumps or disorienting chapter things,” preferring his audience to be “locked in with a protagonist on a foot journey through a world hell-bent on destroying them.” Nor will it be like Weapons; Cregger's Resident Evil vision, he said, is closer to Evil Dead II. But it would, he said, be "true to the spirit of the games."

Per the official logline: "Resident Evil follows Bryan (Austin Abrams), a medical courier who unwittingly finds himself in a nonstop race for survival as one fateful, horrifying night collapses around him in chaos." Joining Abrams (who also appeared in Weapons) in the main cast are Paul Walter Hauser as Carl; Zach Cherry as Dave; Kali Reis as Pauline; and Johnno Wilson as Max.

The new Resident Evil hits theaters on September 18, 2026.


The most severe Linux threat to surface in years catches the world flat-footed


Publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.

The vulnerability and the exploit code for it were released Wednesday evening by researchers from security firm Theori, five weeks after privately disclosing it to the Linux kernel security team. The team patched the vulnerability (in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254), but few of the Linux distributions had incorporated those fixes at the time the exploit was released.

A single script hacks all distros

The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code—released in Wednesday’s disclosure—that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD workflows.

"'Local privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”

Schrijvershof added that the same Python script Theori released works reliably for Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:

Why does that matter on shared infrastructure? Because "local" covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbours. A kernel LPE collapses that boundary.

The realistic threat chain looks like this. An attacker exploits a known WordPress plugin vulnerability and gets shell access as www-data. They run the copy.fail PoC. They are now root on the host. Every other tenant is suddenly reachable, in the way I walked through in this hack post-mortem. The vulnerability does not get the attacker onto the box; it changes what happens in the next ten seconds after they land there.

The vulnerability stems from a "straight-line" logic flaw in the kernel’s crypto API. Many exploits that target race conditions and memory corruption flaws don’t consistently succeed across kernel versions or distributions, and sometimes even on the same machine. Because the code released for CopyFail exploits a logic flaw, “reliability isn’t probabilistic, and the same script works across distributions,” researchers from Bugcrowd wrote. “No race window, no kernel offset.”

CopyFail gets its name because the authencesn AEAD template process (used for IPsec extended sequence numbers) doesn't actually copy data when it should. Instead, it “uses the caller's destination buffer as a scratch pad, scribbles 4 bytes past the legitimate output region, and never restores them,” Theori said. “The ‘copy’ of the AAD ESN bytes ‘fails’ to stay inside the destination buffer.”

The worst Linux vuln in years

Other security experts echoed the perspective that CopyFail poses a serious threat, with one saying it’s the “worst make-me-root vulnerabilities in the kernel in recent times.”

The most recent such Linux vulnerabilities were Dirty Pipe in 2022 and Dirty Cow in 2016. Both of those vulnerabilities were actively exploited in the wild.

Linux distributors frequently stick with older kernel versions and backport fixes into them. There’s no indication in the disclosure deadline that Theori ever contacted the distributors. With the exploit available before fixed distributions were available, the disclosure amounts to something very similar to a zero-day vulnerability being dropped, although the stiffer term is probably "zero-day patch gap."

"The org doing the disclosure… did an absolutely terrible job of vulnerability coordination,” Will Dormann, a senior principal vulnerability analyst at Tharros Labs, said in an interview. "What is mind boggling to me is that in their writeup they both: A) list 4 affected vendors, and B) tell readers to apply vendor patches. But before firing away with the publication, they didn't bother to see if ANY of the vendors that they list ACTUALLY HAVE PATCHES. (None do).”

Theori representatives did not respond when asked to comment.

Distributions known to have patched the vulnerability included Arch Linux and RedHat Fedora. Those known to have released mitigation guidance at the time this post went live include:

People seeking the status of other distributions should check with the respective vendors.

Theori said that it discovered the vulnerability after its researcher, Taeyang Lee, found surface area in the crypto subsystem (specifically, splice() hands page-cache pages and scatterlist page provenance) had been underexplored. Using its AI-powered Xint code security tool, the researchers then found the bug after about an hour of scan time. The company said it has also developed an exploit that uses CopyFail to break out of Kubernetes containers.

The severity of the threat posed by CopyFail and the likelihood of active exploitation are high enough that all Linux users should investigate their systems immediately. Individual distributors provide useful mitigation guidance, as does the post by Schrijvershof linked above.


US falls below Ukraine in press freedom as global autocracy takes hold


From watching too much Nordic noir, I have learned the key lessons to Scandinavian safety: Stay out of the deep woods, avoid all "rustic villagers," flee every solstice or equinox ritual, and run screaming from any creature (human or otherwise) wearing antlers in the wrong anatomical location.

But assuming you can avoid pagan magic and the "old gods," Nordic countries do well on many other measures of human development. In the most recent World Happiness Report, for example, Finland tops the list while Iceland, Denmark, Sweden, and Norway are all in the top six. (Costa Rica is the non-Nordic exception here, taking the fourth spot.)

These countries are also near the top in global average life expectancy.

They also happen to have the most press freedom on the planet.

Reporters Without Borders (or RSF, to use the initialism for its French name, Reporters Sans Frontières) today released the 2026 version of its venerable World Press Freedom Index, and Norway continues its decade-long run atop the leaderboard. Finland, Sweden, Denmark, and Estonia are also in the top 10 spots. Looking at the report's global map, the Nordic region stands out as the freest spot on Earth for journalists; it is the only area of the map to be marked in green.

The RSF global press freedom map, 2026. Credit: RSF

Unfortunately, overall press freedom has declined. According to RSF, for the first time in its history, "over half of the world’s countries now fall into the 'difficult' or 'very serious' categories for press freedom. In 25 years, the average score of all 180 countries and territories surveyed in the Index has never been so low."

Negative changes have been pronounced in the Americas, where "the situation has evolved significantly." The US is now in 64th place globally, falling seven spots in one year. The US ranks behind Namibia (23), South Africa (21), Costa Rica (38), and Canada (20). It has fallen below even war-torn countries like Ukraine (55), which managed to improve its own position by seven places in one year. From the report:

In the United States (which ranks 64th out of 180 countries and territories) journalists who were already fighting against economic headwinds and dealing with a crisis of public trust—among other challenges—now also contend with President Donald Trump’s systematic weaponisation of state institutions, including funding cuts to public broadcasters such as NPR and PBS, political interference in media ownership, and politically motivated investigations targeting disfavoured journalists and media outlets.

Since his return to office, journalists have also been targeted on the ground during protests, reflecting a broader deterioration that amounts to one of the most severe crises for press freedom in modern US history.

Asia is the one continent where full-on press repression is basically a fact of life, with most countries colored deep red on the RSF map. Apart from a few smaller states—South Korea, Japan, and Taiwan, in particular—the Asia-Pacific region is "one of the most repressive regions in the world—and the situation continues to deteriorate," says RSF.

Due to its size and the scale/quality of its repression, China stands out here. It ranks 178 out of 180 countries for press freedom and is "the world’s largest jailer of journalists, with more than 100 currently detained," RSF says.

To further silence journalists, it accuses them of “espionage,” “subversion,” or “picking quarrels and provoking trouble,” three "pocket crimes," a term used by Chinese law experts to describe offences that are so broadly defined that they can be applied to almost any activity. Independent journalists can also be legally placed in solitary confinement for six months under “Residential Surveillance at a Designated Location” (“RSDL”) in China’s “black prisons,” where they are deprived of legal representation and may be subjected to torture.

In order for Chinese journalists to renew their state-sanctioned press cards, they must also "download the Study Xi, Strengthen the Country propaganda application that can collect their personal data."

The only countries worse are North Korea and Eritrea.

How to help

As journalists ourselves, reports like this hit hard, especially when they show a world sliding further into humanity-denying autocracy. If you feel similarly, this might be a good moment to donate to those press organizations that are making a difference around the world.

  • Subscribe to local outlets that matter to you, especially newspapers backed by nonprofits rather than private equity, like the Philadelphia Inquirer, the Chicago Sun-Times, or the Pittsburgh Post-Gazette.
  • Subscribe or donate to global journalists who help you understand the world better and who hold the powerful accountable. (I have found the Kyiv Independent to be a terrific resource for understanding Ukraine, for instance, and they don't shy away from investigations of political corruption or problems within the Ukrainian army.)
  • Donate to press freedom groups like RSF or Reporters Committee for Freedom of the Press.
  • And if you have anything left over, consider subscribing to Ars Technica. For just $25/year, you can read Ars without tracking and without ads, supporting our writers, editors, and copyedit team as we attempt to report with both fairness and flair on a world being changed inexorably by technology.


The sad, ugly debate behind the new Michael Jackson biopic

Vox
A marquee outside a theater shows an actor dressed as Michael Jackson in sunglasses and a red leather jacket. The word Michael is emblazoned over his chest in gold letters.
Signage during Lionsgate's Michael premiere at Dolby Theatre on April 20, 2026, in Los Angeles, California. | Leon Bennett/Getty Images for Lionsgate

The new biopic Michael, about the tortured King of Pop, had a record-breaking opening weekend — despite the fact that the film celebrates the musical legacy of Michael Jackson, a man credibly accused of sexually abusing multiple children. 

After the success of the 2019 documentary Leaving Neverland, it was tempting to think that there was a permanent asterisk next to Jackson’s name. Advertisers stopped using his music, and The Simpsons pulled his episode from syndication. Now, however, Leaving Neverland has been wiped from HBO after legal finagling from Jackson’s estate, and Michael is an enormous hit. We have clear proof that audiences are ready to put that unpleasantness behind them and instead embrace Jackson’s inarguable musical genius.

Some audience members have doubtless made the calculation that with Jackson long dead, the accusations against him are distant, too, leaving them with no particular ethical reasons to deprive themselves of the pleasure of seeing a Michael Jackson concert recreation on the big screen. (“Forget what the ‘professional’ critics are saying they've completely missed the mark on this one,” begins one audience review on Rotten Tomatoes. “If you want to experience the magic of the King of Pop, this movie delivers.”)

Other Jackson defenders have decided that Jackson was innocent. TikTok is full of videos laying out the basics of the case and asking “Guilty or innocent?”, with the majority of commenters saying “innocent.” “The world owes Michael an apology” is a sentiment that pops up a lot. 

Then there’s a variation on that defense, rooted in the long, ugly history of racism in the criminal justice system in America. Some of his defenders — including Michael director Antoine Fuqua — believe that Jackson was unfairly smeared by a system looking to bring down a successful Black man, in the same way that so many other Black men have been wrongly accused and maligned before.

“When I hear things about us — Black people in particular, especially in a certain position — there’s always pause,” Fuqua told the New Yorker. He added that an early cut of Michael showed Jackson brutalized by the police over the course of their investigation, “being stripped naked, treated like an animal, a monster,” before it was excised from the film for legal reasons. According to the New Yorker, he doubts the intentions of some of the accusers’ parents and says he doesn’t know whether the allegations are true or not. 

“This may sound like an excuse, but what many don’t understand is how hard it is for older generations to square what has so often happened in the past — the fear that society is just tearing down another good Black man — with the reality that these men could have been, or are convicted of having been, harmful,” wrote Nadira Goffe for Slate, in an article about Jackson’s loyal older Black fandom. 

Talking about Michael, then, requires pitting two marginalized groups against each other: Black men and abused children, neither of whom is served by the American justice system. It makes discussing the case even sadder and harder than it already is.

To be clear, the case against Michael Jackson really is extraordinarily strong. At least 10 people have publicly accused Jackson of sexually abusing them as children, in remarkably consistent and detailed stories. Only one accusation resulted in a criminal trial, in 2005, and Jackson was found not guilty. That, however, is par for the course when it comes to child sex abuse cases, even those in which the accused adult doesn’t have millions of dollars to spend in their defense. A 2019 study shows that fewer than one in five of all child sex abuse cases lead to prosecution. Of those, about half result in a conviction. 

On the rare occasion that there is a trial, it is almost always a bad experience for the child at its center. There are persistent myths about child sexual abuse — that children will always have physical injuries, that they will immediately tell an adult, that they can be manipulated into lying about accusations — that affect how their allegations are perceived. A 2017 study of defense tactics in child sex abuse cases found that “just as women are met with doubt when they report sexual assault, the justice system remains skeptical of children’s testimony.” Their mothers are often blamed for allowing the abuse to happen. In Jackson’s 2005 trial, his defense lawyer sarcastically referred to Jackson’s child accusers as “these little lambs,” suggesting that they were involved in “the biggest con of their careers” against Jackson.

At the same time, there’s a reason that a story about the American state attempting to take down a Black man at the top of his game resonates so deeply. It’s based on the real problem of how our criminal justice system treats Black people: unjustly. 

According to the ACLU, Black people in the United States are incarcerated in state prisons at nearly five times the rate of white Americans, while one in 81 Black adults in the US is serving time in state prison. There is also a long, long history in this country of Black men being falsely accused of sex crimes. That was the stated reason for the unjust imprisonment of the Scottsboro Boys and the Central Park Five, the racist murder of Emmett Till, and thousands of monstrous lynchings. You can understand why someone would look at this history and cry foul.

But boys and children of color — the alleged victim in the Jackson case that made it to trial in 2005 is Latino — face unique barriers when they are sexually assaulted. “As Black and racially minoritised children are located at the intersection of multiple, overlapping structural inequalities, their specific experiences of victimisation are still largely overlooked in the criminological literature,” writes Aisha K. Gill, a professor of criminology and co-editor of the book Child Sexual Abuse in Black and Minoritised Communities. Both racism and culture affect whether they are believed and the support they receive.

All of these numbers and statistics and sad moments in American history represent groups of people whom the justice system bludgeons with the law as though it were a weapon, who are routinely humiliated and rarely protected. To put them in opposition to each other is a dark and uncomfortable thing. It is far, far easier to watch a glorified concert film of Jackson’s greatest hits and bask in the glee of it. But an honest reckoning with Jackson’s legacy would require facing the strength of the evidence against him, darkness and all, and not looking away from it.


Three years of Rusty sudo


Almost three years ago, sudo-rs was announced to the world. Just last week, it became the default sudo implementation in the Ubuntu LTS release Resolute Raccoon. Now is a good time to reflect.
