Chrome

Chrome 64 Beta Adds Sitewide Audio Muting, Pop-Up Blocker, Windows 10 HDR Video (9to5google.com) 41

Chrome 64 is now in beta and it has several new features over version 63. In addition to a stronger pop-up blocker and support for HDR video playback when Windows 10 is in HDR mode, Chrome 64 features sitewide audio muting to block sound when navigating to other pages within a site. 9to5Google reports: An improved pop-up blocker in Chrome 64 prevents sites with abusive experiences -- like disguising links as play buttons and site controls, or transparent overlays -- from opening new tabs or windows. Meanwhile, as announced in November, other security measures in Chrome will prevent malicious auto-redirects. Beginning in version 64, the browser will counter surprise redirects from third-party content embedded into pages. The browser now blocks third-party iframes unless a user has directly interacted with it. When a redirect attempt occurs, users will remain on their current page with an infobar popping up to detail the block. This version also adds a new sitewide audio muting setting. It will be accessible from the permissions dropdown by tapping the info icon or green lock in the URL bar. This version also brings support for HDR video playback when Windows 10 is in HDR mode. It requires the Windows 10 Fall Creator Update, HDR-compatible graphics card, and display. Meanwhile, on Windows, Google is currently prototyping support for an operating system's native notification center. Other features include a new "Split view" feature available on Chrome OS. Developers will also be able to take advantage of the Resize Observer API to build responsive sites with "finger control to observe changes to sizes of elements on a page."
Mozilla

Mozilla Slipped a 'Mr. Robot'-Promo Plugin Into Firefox and Users Are Pissed (gizmodo.com) 276

MarcAuslander shares a report from Gizmodo: Mozilla sneaked a browser plugin that promotes Mr. Robot into Firefox -- and managed to piss off a bunch of its privacy-conscious users in the process. The extension, called Looking Glass, is intended to promote an augmented reality game to "further your immersion into the Mr. Robot universe," according to Mozilla. It was automatically added to Firefox users' browsers this week with no explanation except the cryptic message, "MY REALITY IS JUST DIFFERENT THAN YOURS," prompting users to worry on Reddit that they'd been hit with spyware. Without an explanation included with the extension, users were left digging around in the code for Looking Glass to find answers. Looking Glass was updated for some users today with a description that explains the connection to Mr. Robot and lets users know that the extension won't activate without explicit opt-in.

Mozilla justified its decision to include the extension because Mr. Robot promotes user privacy. "The Mr. Robot series centers around the theme of online privacy and security," the company said in an explanation of the mysterious extension. "One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy."

AI

Google Is Shutting Down Project Tango (androidpolice.com) 35

Google announced that it is ending support for Project Tango, the company's first attempt to bring a solid augmented-reality experience to the average user. The project used an array of cameras and sensors to accurately map 3D areas, causing the devices that support Tango to be relatively large and expensive. Android Police reports: The first Tango device put into production was the "Peanut" phone, which was given to early access partners in 2014. Then came the "Yellowstone" 7-inch tablet, which was initially sold for $1,024 before a massive price drop to $512. The only other devices with Project Tango were the Lenovo Phab2 Pro, which wasn't a very good phone to start off with, and the ZenFone AR. This move isn't entirely surprising, now that Google is working on a software-only solution called ARCore. Not only is ARCore similar to Tango in functionality, but it doesn't require specialized hardware like Tango does.
Microsoft

Microsoft Considers Adding Python As an Official Scripting Language in Excel (bleepingcomputer.com) 170

An anonymous reader writes: Microsoft is considering adding Python as one of the official Excel scripting languages, according to a topic on Excel's feedback hub opened last month. Since it was opened, the topic has become the most voted feature request, double the votes of the second-ranked proposition. "Let us do scripting with Python! Yay! Not only as an alternative to VBA, but also as an alternative to field functions (=SUM(A1:A2))," the feature request reads, as opened by one of Microsoft's users.

The OS maker responded yesterday by putting up a survey to gather more information and how users would like to use Python inside Excel. If approved, Excel users would be able to use Python scripts to interact with Excel documents, their data, and some of Excel's core functions, similar to how Excel currently supports VBA scripts. Python is one of the most versatile programming languages available today. It is also insanely popular with developers. It ranks second on the PYPL programming languages ranking, third in the RedMonk Programming Language Rankings, and fourth in the TIOBE index.

Security

Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com) 32

An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.
Security

Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com) 148

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
Security

Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters (zdnet.com) 86

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."
Android

Andy Rubin's Essential Phone Considered Anything But (theregister.co.uk) 149

An anonymous reader shares a report: Andy Rubin's ambitions to create a new consumer electronics ecosystem are floundering at base camp. Sales of Essential's phone, which forms a key part of the strategy, are tepid. Google Play reports a mere 50,000 downloads of Essential's Camera app so far, the Android Police blog notes. This doesn't paint the full picture, but it can be assumed a fairly complete one, barring a few brush strokes. Essential launched in the US with support from Sprint, at a recommended SIM-free retail price of $699. After reported sales of just five thousand in the first month, this was slashed to $499 and could be grabbed for $399 in the post-Thanksgiving sales. As devices from different manufacturers proliferate in the home, Rubin has alluded to "a new operating system so it can speak all those protocols and it can do it securely and privately." But rather than launching a new software platform he's had to launch hardware.
Microsoft

Microsoft Releases Free Preview of Its Quantum Development Kit (zdnet.com) 31

Microsoft is releasing a free preview version of its Quantum Development Kit. "The kit includes the Q# programming language and compiler and a local quantum computing simulator, and is fully integrated with Visual Studio," reports ZDNet. "There's also an Azure-based simulator that allows developers to simulate more than 40 logical qubits of computing power, plus documentation libraries, and sample programs, officials said in their December 11 announcement." From the report: Quantum computers are designed to process in parallel, thus enabling new types of applications across a variety of workloads. They are designed to harness the physics of subatomic particles to provide a different way to store data and solve problems compared to conventional computers, as my ZDNet colleague Tony Baer explains. The result is that quantum computers could solve certain high-performance-computing problems more efficiently. Microsoft officials have said applications that developers create for use with the quantum simulator ultimately will work on a quantum computer, which Microsoft is in the process of developing. Microsoft's goal is to build out a full quantum computing system, including both the quantum computing hardware and the related full software stack.
Python

Did Programming Language Flaws Create Insecure Apps? (bleepingcomputer.com) 99

Several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks, according to research presented at the Black Hat Europe 2017 security conference. An anonymous reader writes: The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi, who says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

Fuzzing involves providing invalid, unexpected, or random data as input to a software application. The researcher created his own fuzzing framework named XDiFF that broke down programming languages per each of its core functions and fuzzed each one for abnormalities. His work exposed severe flaws in all five languages, such as a hidden flaw in PHP constant names that can be abused to perform remote code execution, and undocumented Python methods that can be used for OS code execution. Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

Toys

Ask Slashdot: Are There Any Good Smartwatches Or Fitness Trackers? 251

"What's your opinion on the current state of smartwatches?" asks long-time Slashdot reader rodrigoandrade. He's been researching both smartwatches and fitness trackers, and shares his own opinions:

- Manufacturers have learnt from Moto 360 that people want round smartwatches that actually look like traditional watches, with a couple of glaring exceptions....

- Android Wear 2.0 is a thing, not vaporware. It's still pretty raw (think of early Android phones) but it works well. The LG Sport Watch is the highest-end device that supports it.

- LTE-enabled smartwatches finally allow you to ditch your smartphone, if you wish. Just pop your nano SIM in it and party on. The availability is still limited to a few SKUs in some countries, and they're ludicrously expensive, but it's getting there.

Keep reading for his assessment of four high-end choices -- and share your own opinions in the comments.
Intel

Intel's ME May Be Massively Infringing on Minix3's Free Software License (ipwatchdog.com) 250

Software engineer (and IP Watchdog contributor) Fredrik Ohrstrom (a.k.a. Slashdot reader anjara) writes: Almost all Free Software licenses (BSD, MIT, GPL...) require some sort of legal notice (legal attribution) given to the recipient of the software, both when the software is distributed in source and in binary forms. The legal notice usually contains the copyright holder's name and the license text. This means that it's not possible to hide and keep secret the existence of Free Software that you have stuck into your product that you distribute. If you do so, then you are not complying with the Free Software license and you are committing a copyright infringement!

This is exactly what Intel seems to have done with the Intel ME. The Minix3 operating system license requires a legal notice, but so far it seems like Intel has not given the necessary legal notices. (Probably because they want to keep the inside of the ME secret.) Thus not only is Minix3 the most installed OS on our recent x86 CPUs -- but it might also be the most pirated OS on our recent x86 CPUs!

Debian

Updated Debian Linux 9.3 and 8.10 Released (debian.org) 49

An anonymous reader writes: The Debian project is pleased to announce the third update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. The Debian project also announces the tenth update of its oldstable distribution Debian 8 (codename jessie).

Please note that the point release does not constitute a new version of Debian 9 or 8 but only updates some of the packages included. There is no need to throw away old jessie or stretch DVD/CD media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. This stable update adds a few important corrections to packages. New installation images will be available soon at the mirrors. Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. One can use the apt command or apt-get command to apply updates. A step-by-step update guide is posted here.

Security

Zero-Day iOS HomeKit Vulnerability Allowed Remote Access To Smart Accessories Including Locks (9to5mac.com) 39

Apple has issued a fix to a vulnerability that allowed unauthorized control of accessories, including smart locks and garage door openers. "Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality," reports 9to5Mac. From the report: The vulnerability, which we won't describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac. The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies. The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account; earlier versions of iOS were not affected.
Android

Google Puts Android Accessibility Crackdown On Hold (slashgear.com) 28

Last month, Google issued a warning to Android app developers that they will no longer be able to access Android accessibility service functions in their apps, unless they can demonstrate that those functions are specifically used to help users with "disabilities." Since a lot of password managers use the Accessibility API, as well as popular apps like Tasker automation and Greenify battery saver, there was a large amount of backlash from developers and users alike. According to SlashGear, Google is putting the Android accessibility crackdown on hold. From the report: Google has now sent another email that basically says "we'll think about it." It is evaluating "responsible and innovative use" of those services on a case to case basis. It is also requiring developers to explicitly inform users why they are asking for accessibility permissions rather than just informing them. This, of course, puts a heavier burden on Google, as it has to be more involved in the screening of apps rather than just rely on good ol' machine learning and automation. Developers and users probably won't mind, if it means still having access to those features that make Android a platform above all the rest.
Android

Android 8.0 Oreo For Android Wear Released (9to5google.com) 9

According to a Google developer, Android 8.0 Oreo is rolling out to Android Wear devices starting today. The developer said "timing is determined by each watch's manufacturer." 9to5Google notes that there are "no major redesigns with Oreo for the wearable platform," but there are some useful tweaks. From the report: There is a new option to disable touch-to-wake called "Touch lock" in Settings that Google positions as being useful in wet conditions. Google has added the ability to control the strength of vibrations for incoming notifications. Referred to as the "Vibration pattern," options include Normal, Long, and Double. Meanwhile, there is now a toggle to manually enable the "Battery saver," instead of having to wait until the device hits a low charge. This mode disables Vibration, Location services, Wi-Fi & mobile usage, Data & app updates, and the Always-on display. Meanwhile, the update includes notification channels for apps that should provide more granular user control. Google also shared that Wear is now available in seven new countries and languages: Belgium (Dutch), Czech Republic (Czech), El Salvador (Spanish), Honduras (Spanish), Nigeria (English), Paraguay (Spanish), and Portugal (Portuguese).
Bitcoin

Bank of America Wins Patent For Crypto Exchange System (coindesk.com) 52

New submitter psnyder shares a report from CoinDesk: [The patent] outlined a potential cryptocurrency exchange system that would convert one digital currency into another. Further, this system would be automated, establishing the exchange rate between the two currencies based on external data feeds. The patent describes a potential three-part system, where the first part would be a customer's account and the other two would be accounts owned by the business running the system. The user would store their chosen cryptocurrency through the customer account. The second account, referred to as a "float account," would act as a holding area for the cryptocurrency the customer is selling, while the third account, also a float account, would contain the equivalent amount of the cryptocurrency the customer is converting their funds to. That third account would then deposit the converted funds back into the original customer account for withdrawal. The proposed system would collect data from external information sources on cryptocurrency exchange rates, and use this data to establish its own optimal rate. The patent notes this service would be for enterprise-level customers, meaning that if the bank pursues this project, it would be offered to businesses.
Operating Systems

ReactOS 0.4.7 Released (reactos.org) 94

jeditobe writes: OSNews reports that the latest version of ReactOS has been released: "ReactOS 0.4.7 has been released, and it contains a ton of fixes, improvements, and new features. Judging by the screenshots, ReactOS 0.4.7 can run Opera, Firefox, and Mozilla all at once, which is good news for those among us who want to use ReactOS on a more daily basis. There's also a new application manager which, as the name implies, makes it easier to install and uninstall applications, similar to how package managers on Linux work. On a lower level, ReactOS can now deal with Ext2, Ext3, Ext4, BtrFS, ReiserFS, FFS, and NFS partitions." General notes, tests, and changelog for the release can be found at their respective links. A less technical community changelog for ReactOS 0.4.7 is also available. ISO images are ready at the ReactOS Download page.
Chrome

Google Wants Progressive Web Apps To Replace Chrome Apps (androidpolice.com) 154

An anonymous reader quotes a report from Android Police: The Chrome Web Store originally launched in 2010, and serves as a hub for installing apps, extensions, and themes packaged for Chrome. Over a year ago, Google announced that it would phase out Chrome apps on Windows, Mac, and Linux in 2018. Today, the company sent out an email to developers with additional information, as well as news about future Progressive Web App support. The existing schedule is mostly still in place -- Chrome apps on the Web Store will no longer be discoverable for Mac, Windows, and Linux users. In fact, if you visit the store right now on anything but a Chromebook, the Apps page is gone. Google originally planned to remove app support on all platforms (except Chrome OS) entirely by Q1 2018, but Google has decided to transition to Progressive Web Apps:

"The Chrome team is now working to enable Progressive Web Apps (PWAs) to be installed on the desktop. Once this functionality ships (roughly targeting mid-2018), users will be able to install web apps to the desktop and launch them via icons and shortcuts; similar to the way that Chrome Apps can be installed today. In order to enable a more seamless transition from Chrome Apps to the web, Chrome will not fully remove support for Chrome Apps on Windows, Mac or Linux until after Desktop PWA installability becomes available in 2018. Timelines are still rough, but this will be a number of months later than the originally planned deprecation timeline of 'early 2018.' We also recognize that Desktop PWAs will not replace all Chrome App capabilities. We have been investigating ways to simplify the transition for developers that depend on exclusive Chrome App APIs, and will continue to focus on this -- in particular the Sockets, HID and Serial APIs."

Intel

System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com) 149

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
