A research duo who hacked a Tesla were the big winners at the annual Pwn2Own white hat security contest, reports ZDNet. "The duo earned $375,000 in prize money, of the total of $545,000 awarded during the whole three-day competition... They also get to keep the car." Team Fluoroacetate -- made up of Amat Cama and Richard Zhu -- hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its entertainment system... Besides keeping the car, they also received a $35,000 reward. "In the coming days we will release a software update that addresses this research," a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability.

Not coincidentally, Team Fluoroacetate also won the three-day contest after earning 36 "Master of Pwn" points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10... [R]esearchers also exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle Virtualbox, and Windows 10.

Cybersecurity firm Kaspersky Lab has filed an antitrust complaint against Apple with the Russian Federal Antimonopoly Service relating to the company's App Store distribution policy. From a report: Kaspersky's complaint is specifically to do with Apple's removal of the Kaspersky Safe Kids app. In a blog post on the Kaspersky website, the firm says it received notice from Apple last year that the app, which had been in the App Store for three years, did not meet App Store guidelines owing to the use of configuration profiles. Kaspersky was told by Apple that it would need to remove these profiles for the app to pass review and remain in the App Store, but the Russian firm had argued this action essentially crippled the app. "For us, that would mean removing two key features from Kaspersky Safe Kids: app control and Safari browser blocking." The first allows parents to specify which apps kids can't run based on the App Store's age restrictions, while the second allows the hiding of all browsers on the device so that web pages can only be accessed in the Kaspersky Safe Kids app's built-in secure browser.

An anonymous reader quotes a report from Motherboard: Now, for Pi Day (March 14), music software programmer Canton Becker has crafted a million-hour song based on Pi that unfolds generatively on a virtual tape deck. Titled "Shepard's Pi," the song combines two of Becker's favorite infinities: Pi, and an auditory illusion called a Shepard tone, which he describes as an "unsettling sonic illusion of a pitch that climbs or descends forever, never reaching a top or a bottom." Found at PiSongs.com, users can tune into "Shepard's Pi" in real time with a custom virtual tape deck. The track itself evolves moment to moment, but the synthesized and sampled tones will be familiar to anyone who has ever listened to the electronic music of Kraftwerk, Tangerine Dream, Aphex Twin, and Global Communication. Far from being a mere gimmick, it is a highly evocative and transporting piece of electronic music, alternately ambient, glitchy, and interestingly rhythmic. The 58,999 GB MP3 file needed to be distributed via a webpage or app, so Becker "started hacking away at the basic algorithm in the programming languages PHP and Javascript," reports Motherboard. "In between coding marathons, Becker composed and recorded the loops and samples that would form the basis of the song. He experimented with sounds that would work well together regardless of being stacked one upon the other."

"When users hit 'play' on the virtual tape deck, the algorithm actually 'performs' the piece," the report says. "This way, the 114-year song can fit in just one gigabyte of space, which is mostly comprised of the digits of Pi. The virtual tape deck was also a solution to a built-in quirk of browsers such as Chrome, Safari, and Firefox -- users must click on a webpage to trigger a sound." From start to finish, the song lasts 999,999 hours, "a limitation imposed by only considering the first one billion digits of Pi."

Microsoft this week revamped Skype's browser-based client with a slew of new features. From a report: The Seattle company this week announced the rollout of a major Skype for Web update, which introduces high-definition video calling, a redesigned notifications panels, a revamped media gallery, and more. It's available on any PC running Windows 10 and Mac OS X 10.12 or higher with the latest versions of Google Chrome or Microsoft Edge. The bulk of the new capabilities debuted in preview last October, but they're available widely starting this week. Skype for Web does not support Safari, Firefox, and Opera browsers, Microsoft has confirmed.

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. From a report: First announced by the W3C and the FIDO Alliance in February 2016, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.

In the release notes for Safari 12.1, the new version of Apple's browser installed in iOS 12.2, Apple says that it is removing support for the "Do Not Track" feature, which is now outdated. From a news writeup: "Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable," the release note reads. The same feature was also removed from Safari Technology Preview today, Apple's experimental macOS browser, and it is not present in the macOS 10.14.4 betas. According to Apple, Do Not Track is "expired" and support is being eliminated to prevent its use as, ironically, a fingerprinting variable for tracking purposes. It is entirely up to the advertising companies to comply with the "Do Not Track" messaging, and it has no actual function beyond broadcasting a user preference.

A reader shares a report from Ars Technica's Peter Bright: With Microsoft's decision to end development of its own Web rendering engine and switch to Chromium, control over the Web has functionally been ceded to Google. That's a worrying turn of events, given the company's past behavior. Chrome itself has about 72 percent of the desktop-browser market share. Edge has about 4 percent. Opera, based on Chromium, has another 2 percent. The abandoned, no-longer-updated Internet Explorer has 5 percent, and Safari -- only available on macOS -- about 5 percent. When Microsoft's transition is complete, we're looking at a world where Chrome and Chrome-derivatives take about 80 percent of the market, with only Firefox, at 9 percent, actively maintained and available cross-platform.

The mobile story has stronger representation from Safari, thanks to the iPhone, but overall tells a similar story. Chrome has 53 percent directly, plus another 6 percent from Samsung Internet, another 5 percent from Opera, and another 2 percent from Android browser. Safari has about 22 percent, with the Chinese UC Browser sitting at about 9 percent. That's two-thirds of the mobile market going to Chrome and Chrome derivatives. In terms of raw percentages, Google won't have quite as big a lock on the browser space as Microsoft did with Internet Explorer -- Internet Explorer 6 peaked at around 80 percent, and all versions of Internet Explorer together may have reached as high as 95 percent. But Google's reach is, in practice, much greater: not only is the Web a substantially more important place today than it was in the early 2000s, but also there's a whole new mobile Web that operates in addition to the desktop Web. Google has deployed proprietary technology and left the rest of the industry playing catch-up, writes Peter. The company has "tried to push the Web into a Google-controlled proprietary direction to improve the performance of Google's online services when used in conjunction with Google's browser, consolidating Google's market positioning and putting everyone else at a disadvantage."

YouTube has been a particular source of problems. One example Peter provides has to do with a hidden, empty HTML element that was added to each YouTube video to disable Edge's hardware accelerated video decoding: "For no obvious reason, Google changed YouTube to add a hidden, empty HTML element that overlaid each video. This element disabled Edge's fastest, most efficient hardware accelerated video decoding. It hurt Edge's battery-life performance and took it below Chrome's. The change didn't improve Chrome's performance and didn't appear to serve any real purpose; it just hurt Edge, allowing Google to claim that Chrome's battery life was actually superior to Edge's. Microsoft asked Google if the company could remove the element, to no avail."

With the news earlier today that Microsoft is embracing Chromium for Edge browser development on the desktop, VentureBeat decided to see what the other browser companies had to say about the decision. From the report: Google largely sees Microsoft's decision as a good thing, which is not exactly a surprise given that the company created the Chromium open source project. "Chrome has been a champion of the open web since inception and we welcome Microsoft to the community of Chromium contributors. We look forward to working with Microsoft and the web standards community to advance the open web, support user choice, and deliver great browsing experiences."

Mozilla meanwhile sees Microsoft's move as further validation that users should switch to Firefox. "This just increases the importance of Mozilla's role as the only independent choice. We are not going to concede that Google's implementation of the web is the only option consumers should have. That's why we built Firefox in the first place and why we will always fight for a truly open web." Mozilla regularly points out it develops the only independent browser -- meaning it's not tied to a tech company that has priorities which often don't align with the web. Apple (Safari), Google (Chrome), and Microsoft (Edge) all have their own corporate interests.

Opera thinks Microsoft is making a smart move, because it did the same thing six years ago. "We noticed that Microsoft seems very much to be following in Opera's footsteps. Switching to Chromium is part of a strategy Opera successfully adopted in 2012. This strategy has proved fruitful for Opera, allowing us to focus on bringing unique features to our products. As for the impact on the Chromium ecosystem, we are yet to see how it will turn out, but we hope this will be a positive move for the future of the web."

In an interview with Axios on HBO Apple CEO Tim Cook explained the decision to use Google as the default search engine on Apple products. This decision, which enables Apple to make up to $9 billion a year, has baffled some, considering Google's business model of making money off of users' data -- something Apple has spoken out against numerous times. From a report: "I think their search engine is the best," Cook said in the interview. He followed up by diving into privacy features Apple has implemented in its Safari browser. "Look at what we've done with the controls we've built in," Cook stated. "We have private Web browsing. We have an intelligent tracker prevention. What we've tried to do is come up with ways to help our users through their course of the day. It's not a perfect thing. I'd be the very first person to say that. But it goes a long way to helping." Google pays Apple to have its search engine be the primary one on iPhones and other Apple devices.

Similar to Chrome, Apple's Safari browser is testing a warning system for when users visit websites that aren't protected by HTTPS encryption. "The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari," reports CNET. From the report: Apple didn't immediately respond to a request for comment on its plans for bringing the warning to mainstream Safari. Apple's browser does warn you already if you have an insecure connection to a very sensitive website for typing in passwords or credit card numbers.

samleecole shares a report from Motherboard: The parental controls in the iPhone's new iOS 12 are blocking innocuous sexual education content on Safari, while allowing websites like the white supremacist Daily Stormer and searches for bomb-making instructions through its filter. The settings, found under Screen Time in the new iOS 12, are meant to give parents greater control over how their kids use their phones unsupervised, including filters for "explicit" content and content ratings and restrictions, with the option to "limit adult websites." As tested by Motherboard, the filter blocks longstanding educational sites like Scarleteen and O.school, but allows sites like The Daily Stormer, an extremist neo-Nazi white supremacist platform.

The filter in question "limits adult websites" on Safari. When Motherboard tested this filter, we found several similarly blocked searches and websites: The searches "how to say no to sex," "sex assault hotline," and "sex education" were all restricted, but the results for the searches "how to poison my mom," "how to join isis," and "how to make a bomb" were allowed. 4chan and 8chan are blocked, but Reddit -- including many NSFW and porn-focused subreddits, are not. The subreddit r/gonewild, which is pornographic, is not caught by the filter, which even allows users to click through Reddit's own age-gating.

An anonymous reader quotes a report from the BBC: The High Court has blocked a bid to sue Google for allegedly unlawfully taking data from 4.4 million UK iPhone users. The legal case was mounted by a group called Google You Owe Us, led by former Which director Richard Lloyd. It sought compensation for people whose handsets were tracked by Google for several months in 2011 and 2012. Mr Lloyd said he was "disappointed" by the ruling and his group would appeal, but Google said it was "pleased" and thought the case was "without merit."

Mr Justice Warby who oversaw the case explained that it was blocked because the claims that people suffered damage were not supported by the facts advanced by the campaign group. Another reason for blocking it, he said, was the impossibility of reliably calculating the number of iPhone users affected by the alleged privacy breach. The complaint made by Google You Owe Us alleged that the cookies were used by Google to track people and get around settings on Apple's Safari browser that blocked such monitoring. Ads were sold on the basis of the personal information gathered by Google's cookies. The Safari workaround was used by Google on lots of different devices but the UK case centered on iPhone users. The group hoped to win $1.3 billion in compensation for affected users.

A new report from Goldman Sachs analyst Rod Hall suggests that Apple may be demanding $9 billion from Google to have its search engine as the default in Safari on iOS. This is a steep increase to last year's estimated $3 billion licensing costs and $1 billion licensing costs in 2014. Hall suggests that Apple may even increase the costs to $12 billion in 2019. Neowin reports: It's unclear if Google's supplanting Microsoft as the default search provider for Siri and Spotlight last year is responsible for the purported price hike from Apple, though it may, at least partially, explain the sudden jump. The other explanation could be that previous estimates of the value of the agreement between the two tech giants were undervalued, given that apart from the $1 billion figure from 2014, we don't really have any hard evidence pertaining to the actual sum of these payments. Hall does indicate that "Apple is one of the biggest channels of traffic acquisition for Google' and despite the high cost, it is quite likely that Google will agree to pay the increased sum."

An anonymous reader quotes a report from BuzzFeed News: Apple's Safari, one of the internet's most popular web browsers, has been surfacing debunked conspiracies, shock videos, and false information via its "Siri Suggested Websites" feature. Such results raise questions about the company's ability to monitor for low-quality information, and provide another example of the problems platforms run into when relying on algorithms to police the internet. As of yesterday, if you typed "Pizzagate" into Apple's Safari, the browser's "Siri Suggested Website" prominently offered users a link to a YouTube video with the title "PIZZAGATE, BIGGEST SCANDAL EVER!!!" by conspiracy theorist David Seaman (the video doesn't play, since Seaman's channel was taken down for violating YouTube's terms of service). The search results appeared on multiple versions of Safari. Apple removed all examples of the questionable Siri Suggested sites provided to it by BuzzFeed News.

[W]hen BuzzFeed News entered incomplete search terms that might suggest contentious or conspiratorial topics (as shown below), the search algorithms directed us toward low-quality websites, message boards, or YouTube conspiracy videos rather than reliable information or debunks about those topics. Meanwhile, Google does not feature such unreliable pages in its top search results. Those suggested results matter since Safari is one of the internet's most popular web browsers -- some estimates suggest it has captured over 10% of the browser market share. The poor suggestions may be a result of a "data void," which is "what happens when a term doesn't have 'natural informative results' and manipulators seize upon it," reports BuzzFeed. "Many of the sites surfaced by the Siri Suggested feature came from conspiracy or junk sites hastily assembled to fill that void."

In a statement, Apple said: "Siri Suggested Websites come from content on the web and we provide curation to help avoid inappropriate sites. We also remove any inappropriate suggestions whenever we become aware of them, as we have with these. We will continue to work to provide high-quality results and users can email results they feel are inappropriate to applebot@apple.com."

Catalin Cimpanu, writing for ZDNet: A security researcher has discovered a vulnerability in the WebKit rendering engine used by Safari that crashes and restarts the iOS devices -- iPhones and iPads. The vulnerability can be exploited by loading an HTML page that uses specially crafted CSS code. The CSS code isn't very complex and tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs). Backdrop-filter is a relative new CSS property and works by blurring or color shifting to the area behind an element. This is a heavy processing task, and some software engineers and web developers have speculated that the rendering of this effect takes a toll on iOS' graphics processing library, eventually leading to a crash of the mobile OS altogether.

An anonymous reader quotes Digital Trends: With the launch of Chrome 69, Google stunned users last week with a surprising decision to no longer display the "www" and "m" part of the URL in the Chrome search bar, but user backlash forced Google to soften its stance. Google's course reversal, although welcomed by users, is only short term, and the search giant said it will change course once again with the release of the Chrome 70 browser....

Critics have argued that by not displaying the special-case subdomains, it was harder for users to identify sites as legitimate, and the move could lead to more scams on the internet. Others go as far as questioning Google's motives for not displaying the "www" and "m" portion of a web address, and these users speculated that the move may be to disguise Google's AMP -- or Accelerated Mobile Pages -- subdomain to make it indistinguishable for the actual domain....

With the launch of Chrome 70, Google plans on hiding the 'www' portion of a web address inside the search bar, but it will continue to display the 'm' subdomain. "We are not going to elide 'm' in M70 because we found large sites that have a user-controlled 'm' subdomain," Google Chromium product manager Emily Schecter said. "There is more community consensus that sites should not allow the 'www' subdomain to be user controlled."
ZDNet notes that while Chrome's billion-plus users were surprised, "Apple's Safari likewise hides the www and m but it hasn't caused as much concern, likely because of Google's outsized influence over the web and Chrome's dominance of the browser market."

TechRepublic quotes a community feedback post that had argued that "Lying about the hostname to novices and power users alike in the name of simplifying the UI seems imprudent from a security perspective."

An anonymous reader quotes ITWire: Google's move to strip out the www in domains typed into the address bar, beginning with version 69 of its Chrome browser, has drawn an enormous amount of criticism from developers who see the move as a bid to cement the company's dominance of the Web. The criticism comes a few days after Chrome's engineering manager Adrienne Porter Felt told the American website Wired that URLs need to be got rid of altogether. The change in Chrome version 69 means that if one types in a domain such as www.itwire.com into the browser search bar, the www portion is stripped out in the address bar when the page is displayed.

When asked about this change in a long discussion thread on a mailing list, a Google staffer wrote: "www is now considered a 'trivial' subdomain, and hiding trivial subdomains can be disabled in flags (will also disable hiding the URL scheme)..." A Google staffer attempted to justify the change, writing: "The subdomains reappear when editing the URL so people type the correct one. They disappear in the steady-state display case because this isn't information that most users need to concern themselves with in most cases..." But this drew an angry response from a poster who questioned the statement "this isn't information that most users need to concern themselves with in most cases" and asked: "According to who? This is simply an opinion stated as a fact...."

This is not the first time Google has been criticised for its moves to change the fundamental structure of URLs. Its Accelerated Mobile Pages, introduced in October 2015, have been criticised for obscuring the original URL of a page and reducing the chances of a reader going back to the original website. Probably for this reason, Apple last year decided that version 11 of iOS would update its Safari browser so that AMP links would be stripped out of an URL when the story was shared... "This is Google making subdomain usage decisions for other entities outside of Google," said yet another poster. "My domains and how subdomains are assigned and delegated are not Google's business to decide."
The controversy moved Slashdot reader Lauren Weinstein to write a new blog post. Its title? "Here's How to Disable Google Chrome's Confusing New URL Hiding Scheme."

UPDATE (9/15/18): Google has announced that after public outcry, they'll return the 'www' to Chrome's URL's -- but only until the next release.

An anonymous reader shares a report: When a group of security researchers reported a popular but allegedly dangerous Mac App Store utility to Apple, noting that it secretly sends "highly sensitive user information" to an "unscrupulous" developer, Apple's response for a full month was surprising: "crickets." But after a cluster of bad press today, Apple finally pulled Yongming Zhang's app Adware Doctor: Anti Malware &Ad from the store.

Three researchers, including former NSA staffer Patrick Wardle, Thomas Reed of Malwarebytes, and "privacy fighter" @privacyis1st, said in a blog post today that they reported Adware Doctor last month for sending a user's Safari, Chrome, Firefox, and App Store browsing histories alongside lists of the Mac's apps and running processes to a server in China. Despite receiving confirmation that Apple received the report, the $5 app remained in the App Store -- where it was ranked the number one paid app across all Mac utilities.

Usama Jawad, writing for Neowin: Early last year, YouTube received a design refresh with Google's own Polymer library which enabled "quicker feature development" for the platform. Now, a Mozilla executive is claiming that Google has made YouTube slower on Edge and Firefox by using this framework. In a thread on Twitter, Mozilla's Technical Program Manager has stated that YouTube's Polymer redesign relies heavily on the deprecated Shadow DOM v0 API, which is only available in Chrome. This in turn makes the site around five times slower on competing browsers such as Microsoft Edge and Mozilla Firefox. Further reading: Safari Users Unable to Play Newer 4K Video On YouTube in Native Resolution.

Commenting on the record $5 billion fine on Google by the European Commission, privacy focused search engine DuckDuckGo said this week it welcomes the decision as it has "felt [Google's] effects first hand for many years and has led directly to us having less market share on Android vs iOS and in general mobile vs desktop." The company said: Up until just last year, it was impossible to add DuckDuckGo to Chrome on Android, and it is still impossible on Chrome on iOS. We are also not included in the default list of search options like we are in Safari, even though we are among the top search engines in many countries. The Google search widget is featured prominently on most Android builds and is impossible to change the search provider. For a long time it was also impossible to even remove this widget without installing a launcher that effectively changed the whole way the OS works. Their anti-competitive search behavior isn't limited to Android. Every time we update our Chrome browser extension, all of our users are faced with an official-looking dialogue asking them if they'd like to revert their search settings and disable the entire extension. Google also owns http://duck.com and points it directly at Google search, which consistently confuses DuckDuckGo users. "If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is google," wrote security researcher Mikko Hypponen, summing up the story.

Update: Google makes amends.