Bug

Brave Browser Mistake Adds Its Referrer Code For Cryptocurrency Sites (yahoo.com)

The following report appeared on Yahoo! Finance: Privacy-focused browser Brave was found to autocomplete several websites and keywords in its address bar with an affiliate code. Shortly after a user published his findings, Brave CEO and co-founder Brendan Eich addressed the incident and called it "a mistake we're correcting." Eich said that while Brave is a Binance affiliate [a cryptocurrency exchange], the browser's autocompleting feature should not have added any new affiliate codes.

"The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions," Eich wrote in the thread. "Sorry for this mistake — we are clearly not perfect, but we correct course quickly," he added.

Android Police reports the mistake occurred more than 10 weeks ago — and that referrer codes were also included for other cryptocurrency-related sites: The browser's GitHub repository reveals the functionality was first added on March 25th, and the current list of sites includes Binance, Coinbase, Ledger, and Trezor. Brave Software receives a kickback for purchases/accounts made with those services — for example, Coinbase says that when you refer a new customer to the service, you can earn 50% of their fees for the first three months.

The nature of these affiliate programs also allows the referrer — in this case, Brave Software — to view some amount of data about the customers who sign up with the code. Coinbase's program provides "direct access to your campaign's performance data," while Trezor offers a "detailed overview of purchases."

Brave CEO and co-founder Brendan Eich (who also created the JavaScript programming language) tweeted, "For what it's worth there's a setting to disable the autocomplete defaults that add affiliate codes, in brave://settings first page. Current plan is to flip default to off as shown here. You can disable ahead of our release schedule if you want to.

"Good to hear from supporters who'll enable it."
Education

Students Are Failing AP Tests Because the College Boards Can't Handle HEIC Images (theverge.com)

Many high school students around the country completed Advanced Placement tests online last week but were unable to submit them at the end because the testing portal doesn't support HEIC images -- the default format on iOS devices and some newer Android phones. The Verge reports: For the uninitiated: AP exams require longform answers. Students can either type their response or upload a photo of handwritten work. Students who choose the latter option can do so as a JPG, JPEG, or PNG format according to the College Board's coronavirus FAQ. But the testing portal doesn't support the default format on iOS devices and some newer Android phones, HEIC files. HEIC files are smaller than JPEGs and other formats, thus allowing you to store a lot more photos on an iPhone. Basically, only Apple (and, more recently, Samsung) use the HEIC format -- most other websites and platforms don't support it. Even popular Silicon Valley-based services, such as Slack, don't treat HEICs the same way as standard JPEGs.

[Nick Bryner, a high school senior in Los Angeles] says many of his classmates also tried to submit iPhone photos and experienced the same problem. The issue was so common that his school's AP program forwarded an email from the College Board to students on Sunday including tidbits of advice to prevent submission errors. "What's devastating is that thousands of students now have an additional three weeks of stressful studying for retakes," Bryner said. The email Bryner received doesn't mention the HEIC format, though it does link to the College Board's website, which instructs students with iPhones to change their camera settings so that photos save as JPEGs rather than HEICs. The company also linked to that information in a tweet early last week.

In a statement emailed to The Verge, the College Board said that "the vast majority of students successfully completed their exams" in the first few days of online testing, "with less than 1 percent unable to submit their responses." The company also noted that "We share the deep disappointment of students who were unable to submit responses."
Portables (Apple)

Apple's T2 Security Chip Has Created a Nightmare for MacBook Refurbishers (vice.com)

As predicted, the proprietary locking system Apple rolled out with its 2018 MacBook Pros is hurting independent repair stores, refurbishers, and electronics recyclers. A combination of secure software locks, diagnostic requirements, and Apple's new T2 security chip are making it hard to breathe new life into old MacBook Pros that have been recycled but could be easily repaired and used for years were it not for these locks. From a report: It's a problem that highlights Apple's combative attitude towards the secondhand market and the need for national right to repair legislation. "The irony is that I'd like to do the responsible thing and wipe user data from these machines, but Apple won't let me," John Bumstead, a MacBook refurbisher and owner of the RDKL INC repair store, said in a tweet with an attached picture of two "bricked" MacBook Pros. "Literally the only option is to destroy these beautiful $3,000 MacBooks and recover the $12/ea they are worth as scrap."

As Motherboard has reported previously, without official Apple diagnostic software, newer MacBooks cannot be repaired or reset. "By default you can't get to recovery mode and wipe the machine without a user password, and you can't boot to an external drive and wipe that way because it's prohibited by default," Bumstead told Motherboard in an email. "Because T2 machines have no removable hard drive, and the drive is simply chips on the board, this default setting means that a recycler (or anyone) can't wipe or reinstall a T2 machine that has default settings unless they have the user password."

Privacy

Xiaomi Found Recording 'Private' Web and Phone Use, Researchers Claim (forbes.com)

According to an exclusive report from Forbes, cybersecurity researcher Gabi Cirlig discovered that his Xiaomi Redmi Note 8 smartphone was watching much of what he was doing and sending that data to remote servers hosted by Chinese tech giant Alibaba, which were ostensibly rented by Xiaomi. From the report: The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life were being exposed to the Chinese company. When he looked around the Web on the device's default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private "incognito" mode.

The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing. Meanwhile, at Forbes' request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play -- Mi Browser Pro and the Mint Browser -- were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics. Cirlig thinks that the problems affect many more models than the one he tested.

In response to the findings, Xiaomi said, "The research claims are untrue," and "Privacy and security is of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." A spokesperson did however confirm it was collecting browsing data, claiming the info was anonymized and users had consented to it.

Cirlig and Tierney pointed out that Xiaomi "was also collecting data about the phone, including unique numbers for identifying the specific device and Android version," reports Forbes. "Cirlig said such 'metadata' could 'easily be correlated with an actual human behind the screen.'"

The researchers also say they found their Xiaomi apps to be sending data to domains that appeared to reference Sensor Analytics, which Xiaomi says "provides a data analysis solution for Xiaomi," adding that the collected anonymous data "are stored on Xiaomi's own servers and will not be shared with Sensor Analytics, or any other third-party companies."
Crime

Parolees Are Being Forced To Download Telmate's Guardian App That Listens and Records Every Move (gizmodo.com)

XXongo writes: Monitoring parolees released from prison by an app on their smartphone sounds like a good idea, right? The phone has facial recognition and biometric ID, and a GPS system that knows where it is. But what if the app doesn't work? In a story on Gizmodo, the [Telmate Guardian] app's coding is "sloppy" and "irresponsible" and its default privacy settings are wildly invasive, asking for "excessive permissions" to access device data. And the app isn't even accurate on recognizing parolees, nor on knowing location, with one parolee noting that the app set off the high-pitched warning alarm and sent a notification to her parole officer telling him that she was not at home multiple times in the middle of the night, when she was in fact at home and in bed. The device also serves as a covert surveillance bug, with built-in potential to covertly record ambient audio from the phone, even in standby mode -- a feature which is not even legal in many states. "But there's nothing you can do," according to one parolee. "If you don't accept it, then you go back to prison. You're considered their property. That's how they see it."
The Courts

The Jury Is Still Out On Zoom Trials (theverge.com)

As cities across the United States continue shelter-in-place orders due to the COVID-19 pandemic, some in-person court proceedings are now taking place over Zoom. "It's an unprecedented moment for the justice system, which is typically slow to adapt to new technology," writes Zoe Schiffer from The Verge. "No one is sure if that's a good thing." From the report: Critics worry the change has made it more difficult for the public to access court proceedings. Court watchers -- volunteers who monitor hearings to hold judges and prosecutors accountable -- say their access has evaporated during the pandemic. There's also concern that remote hearings can unfairly advantage fancy law firms that can pay for good lighting and stable internet connections. Zoom has also had major security flaws, including default settings that didn't include meeting passwords (a problem the company has now fixed) and a misleading definition of end-to-end encryption. (The company claimed meetings were end-to-end encrypted; they are not.) But supporters say going online is critical for protecting public health. For those in detention, postponing a hearing means potentially spending more time in jail, while appearing in person could put the individual and those around them at risk.

[Judge Vince Chhabria said] that while conducting remote trials makes sense during the pandemic, he's wary of extending this beyond the crisis. "So much of trying a case from the lawyers' perspective is having a feel for the courtroom and for the people in the courtroom and what is interesting to them," he says. "So much of presiding over a trial, as a judge, has to do with feel. I think it would be unfortunate if the new normal became too reliant on remote proceedings." His concern is echoed by Alan Rupe, [employment lawyer at Lewis Brisbois]. "A lot of what I do involves witness credibility," he says. "When you're assessing someone's credibility you have to be in the same room as them."

Google

Google Is Lowering Nest Camera Quality 'To Conserve Internet Resources' (techcrunch.com)

Google is temporarily lowering the video quality of its Nest security cameras to "conserve internet resources" during the COVID-19 pandemic. "The adjustment is rolling out over the next few days, and Google says anyone who has their quality settings adjusted will get a notification in the Nest app," reports TechCrunch. From the report: While Nest cameras aren't inherently using more bandwidth right now than they otherwise might, each camera already used a good amount of bandwidth day to day. A Nest Cam IQ, for example, uses roughly 400GB of data per month at its highest settings; cutting this down to medium high shaves that down to 300GB. Google confirmed their plans with TechCrunch, with a Google spokesperson adding: "To answer the global call to prioritize internet bandwidth for learning and working, in the next few days we're going to be making a few changes. We believe these changes have the potential to help make it easier for communities to keep up with school, work, and everything in between."

While they're automatically making the change on behalf of the user (a move some owners are complaining is an overstep), Google notes that you're able to bump your cameras back up to their highest settings should you see fit. They're not capping the quality, instead just lowering settings by default -- so if you've got a camera in a setting where every pixel counts, know that you're going to need to adjust accordingly.

Firefox

Mozilla Installs Scheduled Telemetry Task On Windows With Firefox 75 (ghacks.net)

Ghacks writes: Observant Firefox users on Windows who have updated the web browser to Firefox 75 may have noticed that the upgrade brought along with it a new scheduled task. The scheduled task is also added if Firefox 75 is installed on a Windows device. The task's name is Firefox Default Browser Agent and it is set to run once per day...
Mozilla says:
  • "We're collecting information related to the system's current and previous default browser setting, as well as the operating system locale and version. This data cannot be associated with regular profile based telemetry data..."
  • "We'll respect user configured telemetry opt-out settings by looking at the most recently used Firefox profile."
  • "We'll respect custom Enterprise telemetry related policy settings if they exist. We'll also respect policy to specifically disable this task."

"Collecting telemetry is one way we're able to ensure we can understand default browser trends in a way that helps us improve Firefox. It's our hope that by better understanding more about our users and their choices around browser preferences, we can continue to build a better Firefox."

Long-time Slashdot reader AmiMoJo writes, "Opting out can be done via the Privacy & Security section of the preferences screen. You can view collected telemetry and view your current settings at about:telemetry."

Bleeping Computer also notes that by default, "For some time, Firefox has been collecting telemetry data about how you use the browser, such as the number of web pages you visit, safebrowsing information, the number of open tabs and windows, what add-ons are installed, and more. This telemetry data is kept for 13 months and IP addresses listed in server logs are deleted every 30 days.

"On my computer, Firefox has collected over 400KB of information."


Movies

To Conserve Bandwidth, Should Opting In Be Required Before Autoplaying Videos? (fatherly.com)

An anonymous reader writes: We keep seeing stories about how providers are slowing down their streaming speed to reduce bandwidth usage during this period when many are being asked to stay at home... But it seems that many are totally ignoring a very obvious way to reduce usage significantly, and that is by disabling autoplay on their web sites and in their apps.

To give an example, a couple of days ago I was watching a show on Hulu, and either I was more sleepy than I thought or the show was more boring than I had expected (probably some combination of both), but I drifted off to sleep. Two hours later I awoke and realized that Hulu had streamed two additional episodes that no one was watching. I searched in vain for a way to disable autoplay of the next episode, but if there is some way to do it I could not find it.

What I wonder is how many people even want autoplay? I believe Netflix finally gave their users a way to disable it, but they need to affirmatively do so via a setting somewhere. But many other platforms give their users no option to disable autoplay. That is also true of many individual apps that can be used on a Roku or similar device. If conserving bandwidth is really that important, then my contention is that autoplaying of the next episode should be something you need to opt in for, not something enabled by default that either cannot be disabled or that forces the user to search for a setting to disable.

"Firefox will disable autoplay," writes long-time Slashdot user bobs666 (adding "That's it use Firefox.") And there are ways to disable autoplay in the user settings on Netflix, YouTube, Hulu, and Amazon Prime.

But wouldn't it make more sense to disable autoplay by default -- at least for the duration of this unusual instance of peak worldwide demand?

I'd be interested in hearing from Slashdot's readers. Do you use autoplay -- or have you disabled it? And do you think streaming companies should turn it off by default?
Privacy

Is Amazon Responding to Employee Concerns About 'Ring' Privacy? (inc.com)

"The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society," wrote Amazon software developer Max Eliaser (as part of last week's Medium post from "Amazon Employees For Climate Justice.")

"The privacy issues are not fixable with regulation and there is no balance that can be struck. Ring should be shut down immediately and not brought back."

Inc. columnist Chris Matyszczyk describes what happened next: Amazon released a new control center for Ring. It instituted a few more privacy-conscious settings. One of its new features involves the ability to "opt out of receiving video request notifications when local police seek information related to an investigation."

That, to some eyes, may be a start -- or even a swift reaction to Eliaser's comments. Many might want to believe that an employee's strong words could bring some positive reaction.

Sadly, this new control center only gives customers the option to opt out, rather than have the default set the other way around. It does, though, at least inform customers which police departments have joined the Ring Neighbors app and therefore are more likely to make requests.

Ring did insist that "this is just the beginning. Future versions of Control Center will provide users the ability to view and control even more privacy and security features."

The new control center also lets Ring's users see if two-factor authentication is enabled, add and remove Shared Users, and view and remove all devices and third-party services authorized to log into their account.

Amazon's blog post about the changes adds that not only security but also privacy "have always been our top priority."
Security

Researchers Find Serious Flaws In WordPress Plugins Used On 400K Sites (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected. The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks.

The critical flaw in WP Time Capsule also leads to an authentication bypass that allows unauthenticated attackers to log in as an administrator. WP Time Capsule, which runs on about 20,000 sites, is designed to make backing up website data easier. By including a string in a POST request, attackers can obtain a list of all administrative accounts and automatically log in to the first one. The bug has been fixed in version 1.21.16. Sites running earlier versions should update right away. Web security firm WebARX has more details.

The last vulnerable plugin is WP Database Reset, which is installed on about 80,000 sites. One flaw allows any unauthenticated person to reset any table in the database to its original WordPress state. The bug is caused by reset functions that aren't secured by the standard capability checks or security nonces. Exploits can result in the complete loss of data or a site reset to the default WordPress settings. A second security flaw in WP Database Reset causes a privilege-escalation vulnerability that allows any authenticated user -- even those with minimal system rights -- to gain administrative rights and lock out all other users. All site administrators using this plugin should update to version 3.15, which patches both vulnerabilities. Wordfence has more details about both flaws here.
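An added illustration, not the code of WP Database Reset or any of the plugins named above, of the pattern Wordfence describes: a hypothetical admin-ajax handler that resets a table with neither a capability check nor a nonce, beside its hardened form. The action and function names (demo_reset_table, demo_do_reset) and the allow-listed table names are assumptions.

```php
<?php
// Added illustration; not the code of WP Database Reset or any real plugin.
// Hypothetical plugin exposing a "reset table" action through admin-ajax.php.
// Action and function names (demo_reset_table, demo_do_reset) are assumed.

// --- VULNERABLE PATTERN -------------------------------------------------
// Registered on the nopriv hook, so unauthenticated visitors reach it, and
// the handler performs neither a nonce check nor a capability check: any
// POST to /wp-admin/admin-ajax.php?action=demo_reset_table resets a table.
add_action( 'wp_ajax_nopriv_demo_reset_table', 'demo_reset_table_vulnerable' );
add_action( 'wp_ajax_demo_reset_table', 'demo_reset_table_vulnerable' );

function demo_reset_table_vulnerable() {
    $table = isset( $_POST['table'] ) ? sanitize_key( $_POST['table'] ) : '';
    demo_do_reset( $table );           // destructive work with no gate at all
    wp_send_json_success();
}

// --- HARDENED PATTERN ---------------------------------------------------
// 1. No nopriv hook: the endpoint exists only for logged-in users.
// 2. check_ajax_referer() requires a nonce bound to this action (sent in the
//    "security" field) and ends the request with HTTP 403 if it is absent
//    or invalid, which blocks CSRF against an administrator's session.
// 3. current_user_can('manage_options') stops the privilege escalation the
//    report describes: without it any subscriber-level account could run this.
// 4. The table name is checked against an allow-list rather than trusted.
add_action( 'wp_ajax_demo_reset_table_safe', 'demo_reset_table_hardened' );

function demo_reset_table_hardened() {
    check_ajax_referer( 'demo_reset_table', 'security' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // exits
    }

    $allowed = array( 'options', 'posts', 'comments' );       // assumed list
    $table   = isset( $_POST['table'] ) ? sanitize_key( $_POST['table'] ) : '';
    if ( ! in_array( $table, $allowed, true ) ) {
        wp_send_json_error( 'unknown table', 400 );            // exits
    }

    demo_do_reset( $table );
    wp_send_json_success( array( 'reset' => $table ) );
}

// The nonce the hardened handler expects is minted server-side for the admin
// page that hosts the reset button, e.g. when localizing that page's script:
//   wp_localize_script( 'demo-reset-admin', 'demoReset',
//       array( 'nonce' => wp_create_nonce( 'demo_reset_table' ) ) );
// The client then POSTs action=demo_reset_table_safe, security=<nonce>, table=...

function demo_do_reset( $table ) {
    // Placeholder for the destructive operation; the real plugin's logic is
    // not reproduced here. A real implementation would work through $wpdb.
    unset( $table );
}
```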

Chrome

Google Chrome To Hide Notification Spam Starting February 2020 (zdnet.com)

Following in Mozilla's footsteps, Google announced today plans to hide notification popup prompts inside Chrome starting next month, February 2020. ZDNet reports: According to a blog post published today, Google plans to roll out a "quieter notification permission UI that reduces the interruptiveness of notification permission requests." The change is planned for Google Chrome 80, scheduled for release on February 4, next month.

Starting with Chrome 80 next month, Google's browser will also block most notification popups by default, and show an icon in the URL bar, similar to Firefox. When Chrome 80 launches next month, a new option will be added in the Chrome settings section that allows users to enroll in the new "quieter notification UI." Users can enable this option as soon as Chrome 80 is released, or they can wait for Google to enable it by default as the feature rolls out to the wider Chrome userbase in the following weeks. According to Google, the new feature works by hiding notification requests for Chrome users who regularly dismiss notification prompts. Furthermore, Chrome will also automatically block notification prompts on sites where users rarely accept notifications.

Microsoft

Microsoft Details Its Migration Plans for the New Microsoft Edge (thurrott.com)

Microsoft quietly released some new documentation recently, detailing how the company plans to launch its new Chrome-based Microsoft Edge browser. From a report: The company has been working on this new browser for a little while, and we are less than a month away from the public release. [...] The changes here are pretty obvious, but it is still important to understand exactly how Microsoft is going to replace the older Edge browser on a technical level. Microsoft says it has already made changes to Windows 10 and the older Edge browser to support the migration.

- All start menu pins, tiles, and shortcuts for the current version of Microsoft Edge will migrate to the next version of Microsoft Edge.
- All taskbar pins and shortcuts for the current version of Microsoft Edge will migrate to the next version of Microsoft Edge.
- The next version of Microsoft Edge will be pinned to the taskbar. If the current version of Microsoft Edge is already pinned, it will be replaced.
- The next version of Microsoft Edge will add a shortcut to the desktop. If the current version of Microsoft Edge already has a shortcut, it will be replaced.
- Most protocols that Microsoft Edge handles by default will be migrated to the next version of Microsoft Edge.
- Current Microsoft Edge will be hidden from all UX surfaces in the OS, including settings, all apps, and any file or protocol support dialogs.
- All attempts to launch the current version of Microsoft Edge will redirect to the next version of Microsoft Edge.

IOS

Inside Apple's iPhone Software Shakeup After Buggy iOS 13 Debut (bloomberg.com)

Apple is overhauling how it tests software after a swarm of bugs marred the latest iPhone and iPad operating systems, Bloomberg reported Thursday. From the report: Software chief Craig Federighi and lieutenants including Stacey Lysik announced the changes at a recent internal "kickoff" meeting with the company's software developers. The new approach calls for Apple's development teams to ensure that test versions, known as "daily builds," of future software updates disable unfinished or buggy features by default. Testers will then have the option to selectively enable those features, via a new internal process and settings menu dubbed Flags, allowing them to isolate the impact of each individual addition on the system. When the company's iOS 13 was released alongside the iPhone 11 in September, iPhone owners and app developers were confronted with a litany of software glitches.

Apps crashed or launched slowly. Cellular signal was inconsistent. There were user interface errors in apps like Messages, system-wide search issues and problems loading emails. Some new features, such as sharing file folders over iCloud and streaming music to multiple sets of AirPods, were either delayed or are still missing. This amounted to one of the most troubled and unpolished operating system updates in Apple's history. The new development process will help early internal iOS versions to be more usable, or "livable," in Apple parlance. Prior to iOS 14's development, some teams would add features every day that weren't fully tested, while other teams would contribute changes weekly. "Daily builds were like a recipe with lots of cooks adding ingredients," a person with knowledge of the process said.

Windows

Microsoft Announces Plan To Support DoH In Windows (microsoft.com)

New submitter Shad0wz writes: Microsoft's Core Network team just announced they plan on supporting DoH in the Windows resolver. In the blog post, the company writes: Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS. With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

- Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
- Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
- Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
- Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

Chrome

Chrome OS 78 Rolling Out With Picture-In-Picture Support For YouTube, Split Browser/Device Settings, More (9to5google.com)

The latest version of Chrome OS, version 78, adds separate browser and device settings, click-to-call, and picture-in-picture support for YouTube. It also introduces virtual desktop support for the operating system with a feature called Virtual Desks. 9to5Google reports: Chrome is getting another cross-device sharing feature after "Send this page" widely rolled out in September. With "click-to-call," you can right-click on phone number links -- like tel:800-800-8000 -- to have them sent to your Android device. It's quicker than manually entering those digits or transferring via email. Chrome OS 78 will separate browser and device settings. The former is accessible directly at chrome://settings and is what opens when clicking "Settings" at the bottom of the Overflow menu in the top-right corner of any browser window. It opens as a tab and provides web-related preferences. Meanwhile, chrome://os-settings opens as its own window, and can be accessed from the quick settings sheet. It provides device options like Wi-Fi, Bluetooth, and Assistant in a white Material Theme UI with an icon in the launcher/app shelf.

YouTube for Android now supports picture-in-picture with Chrome OS 78. After starting a video in the mobile client, switching to another window, covering, or minimizing the app will automatically open a PiP in the bottom-right corner. Available controls include switching to audio, play/pause, and skipping to the next track. In the top-left, you can expand the window and a settings gear on the other side allows you to open system settings. Tapping in the center expands and returns you to the YouTube Android app.

Chrome OS 78 simplifies the printing experience by automatically listing compatible printers without any prior setup required. There are also a number of Linux on Chrome OS enhancements in this version:

- Backups of Linux apps and files can now be saved to local storage, external drive, or Google Drive. That copy can be then restored when setting up a new computer.
- Crostini GPU support will be enabled by default for a "crisp, lower-latency experience."
- You'll be warned when using a Linux app that does not support the virtual keyboard in tablet mode.
China

Apple's Safari Browser Is Sending Some Users' IP Addresses To China's Tencent (reclaimthenet.org)

"Apple, which often positions itself as a champion of privacy and human rights, is sending some IP addresses from users of its Safari browser on iOS to Chinese conglomerate Tencent -- a company with close ties to the Chinese Communist Party," reports the Reclaim the Net blog: Apple admits that it sends some user IP addresses to Tencent in the "About Safari & Privacy" section of its Safari settings.... The "Fraudulent Website Warning" setting is toggled on by default which means that unless iPhone or iPad users dive two levels deep into their settings and toggle it off, their IP addresses may be logged by Tencent or Google when they use the Safari browser. However, doing this makes browsing sessions less secure and leaves users vulnerable to accessing fraudulent websites...

Even if people install a third-party browser on their iOS device, viewing web pages inside apps still opens them in an integrated form of Safari called Safari View Controller instead of the third-party browser. Tapping links inside apps also opens them in Safari rather than a third-party browser. These behaviors that force people back into Safari make it difficult for people to avoid the Safari browser completely when using an iPhone or iPad.

Engadget adds that it's "not clear" whether or not Tencent is actually collecting IP addresses from users outside of China. ("You'll see mention of the collection in the U.S. disclaimer, but that doesn't mean it's scooping up info from American web surfers.")

But Reclaim the Net points out that the possibility is troubling, in part because Safari is the #1 most popular mobile internet browser in America, with a market share of over 50%.
Security

Exposed RDP Servers See 150K Brute-Force Attempts Per Week (techrepublic.com) 51

Slashdot reader Cameyo shares a report from TechRepublic: Remote Desktop Protocol (RDP) is -- to the frustration of security professionals -- both remarkably insecure and indispensable in enterprise computing. The September 2019 Patch Tuesday round closed two remote code execution bugs in RDP, while the high-profile BlueKeep and DejaBlue vulnerabilities from earlier this year have sent IT professionals into a patching frenzy. With botnets brute-forcing over 1.5 million RDP servers worldwide, a dedicated RDP security tool is needed to protect enterprise networks against security breaches. Cameyo released on Wednesday an open-source RDP monitoring tool -- appropriately titled RDPmon -- for enterprises to identify and secure against RDP attacks in their environment. The tool provides a visualization of the total number of attempted RDP connections to servers, as well as a view of the currently running applications, the number of RDP users, and what programs those users are running, likewise providing insight into the existence of unapproved software. RDPmon operates entirely on-premises; the program data is not accessible to Cameyo.

Customers of Cameyo's paid platform can also utilize the RDP Port Shield feature, also released Wednesday, which opens RDP ports for authenticated users by setting IP address whitelists in Windows Firewall when users need to connect. RDP was designed with the intent to be run inside private networks, not accessible over the internet. Despite that, enterprise use of RDP over the internet is sufficiently widespread that RDP servers are a high-profile, attractive target for hackers.
The report says Cameyo found that Windows public cloud machines on default settings -- that is, with port 3389 open -- experience more than 150,000 login attempts per week.
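The two controls the report describes, counting attempted RDP logons per source and restricting port 3389 to an allowlist in Windows Firewall, can be reproduced in a few dozen lines. The script below is an added example and is not Cameyo's RDPmon or Port Shield code. It assumes a constructed, simplified rendering of Windows Security log events (Event ID 4625 is a failed logon, logon type 10 is RemoteInteractive, i.e. RDP); the sample log lines, source addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the `DEFAULT_THRESHOLD`/`DEFAULT_WINDOW` values are all made up for the example.

```python
"""Per-source brute-force detection over RDP logon-failure records.

Added example, not code from the TechRepublic report or from Cameyo.
Assumptions: lines are a constructed, simplified rendering of Windows
Security events (4625 = failed logon, logon_type 10 = RemoteInteractive/RDP).
Sample addresses are from the documentation ranges and are not real sources.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<event>\d{4})\s+src=(?P<src>[\d.]+)\s+"
    r"user=(?P<user>\S+)\s+logon_type=(?P<lt>\d+)$"
)

# Constructed sample: one source hammering port 3389, one legitimate user
# with a typo'd password, one local (non-RDP) failure and one malformed line.
SAMPLE_LOG = """\
2019-10-16T10:00:00Z 4625 src=203.0.113.7 user=administrator logon_type=10
2019-10-16T10:00:03Z 4625 src=203.0.113.7 user=admin logon_type=10
2019-10-16T10:00:06Z 4625 src=203.0.113.7 user=root logon_type=10
2019-10-16T10:00:09Z 4625 src=203.0.113.7 user=administrator logon_type=10
2019-10-16T10:00:12Z 4625 src=203.0.113.7 user=guest logon_type=10
2019-10-16T10:00:15Z 4625 src=203.0.113.7 user=administrator logon_type=10
2019-10-16T10:02:00Z 4625 src=198.51.100.20 user=jsmith logon_type=10
2019-10-16T10:02:30Z 4624 src=198.51.100.20 user=jsmith logon_type=10
2019-10-16T10:05:00Z 4625 src=198.51.100.31 user=jsmith logon_type=2
garbage line that does not parse
2019-10-16T10:30:00Z 4625 src=203.0.113.7 user=administrator logon_type=10
"""

DEFAULT_THRESHOLD = 5                 # failures inside one window (assumed)
DEFAULT_WINDOW = timedelta(minutes=10)  # sliding window length (assumed)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "src": m["src"],
        "user": m["user"],
        "logon_type": int(m["lt"]),
    }


def rdp_failures(lines):
    """Yield only failed RDP logons (4625 with logon type 10), time-ordered."""
    recs = (parse_line(l) for l in lines)
    hits = [r for r in recs if r and r["event"] == 4625 and r["logon_type"] == 10]
    return sorted(hits, key=lambda r: r["ts"])


def flag_brute_force(lines, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return {src: peak failures within any `window`} for sources at/over threshold.

    A per-source deque keeps only timestamps inside the window, so a burst
    of six attempts in fifteen seconds is flagged while a single stray
    failure half an hour later is not re-counted against it.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for rec in rdp_failures(lines):
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def failure_summary(lines):
    """Per-source totals plus distinct usernames tried (many users from one
    source points at guessing; one user from many sources at spraying)."""
    out = defaultdict(lambda: {"failures": 0, "users": set()})
    for rec in rdp_failures(lines):
        out[rec["src"]]["failures"] += 1
        out[rec["src"]]["users"].add(rec["user"])
    return {ip: {"failures": v["failures"], "users": len(v["users"])} for ip, v in out.items()}


def allowlist_rule(allowed_cidrs, name="RDP allowlist"):
    """Build the netsh command that admits TCP/3389 only from the given
    ranges (standard netsh advfirewall syntax; the ranges are assumed)."""
    remote = ",".join(allowed_cidrs)
    return (f'netsh advfirewall firewall add rule name="{name}" dir=in '
            f"action=allow protocol=TCP localport=3389 remoteip={remote}")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("flagged:", flag_brute_force(lines))
    print("summary:", failure_summary(lines))
    print(allowlist_rule(["198.51.100.0/24"]))
```

Run against a real export, the same logic would want the log pulled from the Security channel and the window tuned to the lockout policy in force; the allowlist rule is only useful alongside a matching block rule for everyone else, which is the behaviour the report attributes to Port Shield.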
Data Storage

Google One Now Backs Up Texts, 'Original Quality' Photos, and Videos on Android (venturebeat.com) 28

Irreparably damaged your phone in a freak accident? Not to worry -- Google's got your back. From a report: The search giant today announced that subscribers to Google One, a subscription service that offers expanded cloud storage, can now take advantage of a whole-phone backup solution for Android that automatically copies videos, multimedia messages (MMS), and uncompressed photos to Google's datacenters. But wait, you might say, doesn't Google already offer a free backup solution for Android? That's true, but it only covers content, select data (apps, call history, contacts, and calendar), and settings. (Only Pixel phones get native SMS backup.) And while Google's eponymous Google Photos service backs up photos and videos for free, it by default resizes pics to 16MP (original-quality photos count against your Google Account storage). Google One doesn't touch photos before uploading them, and it throws in the aforementioned text messages backup at no extra charge.
Microsoft

Wired Lists 'The Windows 10 Privacy Settings You Should Check Right Now' (wired.com) 35

"If you're at all concerned about the privacy of your data, you don't want to leave the default settings in place on your devices -- and that includes anything that runs Windows 10," warns a new article in Wired, listing out the "controls and options you can modify to lock down the use of your data, from the information you share with Microsoft to the access that individual apps have to your location, camera, and microphone."

Long-time Slashdot reader shanen calls the article "a rough estimate of the degree to which my privacy can be intruded upon," adding some particularly pessimistic additional thoughts: Not just Microsoft, of course. It's safe to conclude that there are similar capabilities embedded in the software from Apple, the google, Amazon, and Facebook (and others...)

[T]here is no real boundary between the software that does the privacy intrusions, the software that controls the intrusions, and the software that tells me the state of the intrusions. Have I actually disabled that particular abuse of my privacy? Or is the software still doing it and lying to me and claiming it isn't doing it...

Or maybe it's the NSA, GRU, FBI, FSB, DHS, MSS, CIA, or any other governmental agency with a secret legal power to compel intrusions that you can't be told about...
