IOS

Apple Releases iOS 11.4.1, Blocks Passcode Cracking Tools Used By Police (theverge.com)

An anonymous reader quotes a report from The Verge: Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone's passcode and evade Apple's usual encryption safeguards.

If you go to Settings and check under Face ID (or Touch ID) & Passcode, you'll see a new toggle for USB Accessories. By default, the switch is off. This means that once your iPhone or iPad has been locked for over an hour straight, iOS will no longer allow USB accessories to connect to the device -- shutting out cracking tools like GrayKey as a result. If you've got accessories that you want to continue working after your iPhone has been sitting locked for a while, you can toggle the option on to remove the hour limit. Apple's wording is a bit confusing. You should leave the toggle disabled if you want your iPhone to be most secure.

The Internet

Facebook, Google, and Microsoft Use Design To Trick You Into Handing Over Your Data, Report Warns (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: A study from the Norwegian Consumer Council dug into the underhanded tactics used by Microsoft, Facebook, and Google to collect user data. "The findings include privacy intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users," states the report, which includes images and examples of confusing design choices and strangely worded statements involving the collection and use of personal data.

Google makes opting out of personalized ads more of a chore than it needs to be and uses multiple pages of text, unclear design language, and, as described by the report, "hidden defaults" to push users toward the company's desired action. "If the user tried to turn the setting off, a popup window appeared explaining what happens if Ads Personalization is turned off, and asked users to reaffirm their choice," the report explained. "There was no explanation about the possible benefits of turning off Ads Personalization, or negative sides of leaving it turned on." Those who wish to completely avoid personalized ads must traverse multiple menus, making that "I agree" option seem like the lesser of two evils.
In Windows 10, if a user wants to opt out of "tailored experiences with diagnostic data," they have to click a dimmed lightbulb, while the symbol for opting in is a brightly shining bulb, says the report.

Another example has to do with Facebook. The social media site makes the "Agree and continue" option much more appealing and less intimidating than the grey "Manage Data Settings" option. The report says the company-suggested option is the easiest to use. "This 'easy road' consisted of four clicks to get through the process, which entailed accepting personalized ads from third parties and the use of face recognition. In contrast, users who wanted to limit data collection and use had to go through 13 clicks."
Privacy

People Are Using Venmo To Spy On Cheating Spouses (marketwatch.com)

According to MarketWatch's Leslie Albrecht, people are using the peer-to-peer payment app Venmo to find out if their spouse is cheating. Some are even saying the app is more effective than Facebook at this sort of investigation. "What you're seeing on Instagram or Facebook is what they want you to see," said Abby Faber, a 19-year-old freshman at Indiana University. "They're edited pictures that they put up. But with Venmo, it's very normal casual interactions. It's what they were doing and spending money on." From the report: Some users seem to forget that their transactions are public by default, and their payment activity provides an unfiltered paper trail of what's really happening in their lives. In [Faber's] case, she checked up on her ex-boyfriend and saw he was spending money on pizza and the popular video game Fortnite -- and making regular payments to one girl, who Faber guessed is his new hook-up.

Venmo has had a social component since it launched in 2009. Users see a feed of both their own friends' payments and total strangers' activity every time they open the app, and it's easy to look up users. Exact amounts aren't listed, but you can see who's paying who and which words or emoji they use to describe the payment. The social feed is Venmo's "secret sauce," said Erin Mackey, a spokeswoman for Venmo and its parent company PayPal. In fact, it's usually the reason people are logging on. "Our most active users check Venmo daily and the average user checks Venmo two to three times per week -- and it's not for payments, but to see what their friends and family are doing."
The report mentions a settlement Venmo reached with the FTC last year over its public-by-default social component. The FTC accused (PDF) Venmo of "misleading" users about the fact that they needed to change two separate privacy settings to make their transactions completely private. "Venmo reached a settlement with the FTC, and a company spokesperson noted that users now have three options for controlling who can see their payments," reports MarketWatch.
Twitter

Twitter Will Start Hiding Tweets That 'Detract From the Conversation' (slate.com)

Yesterday, Twitter announced several new changes to quiet trolls and remove spam. According to Slate, the company "will begin hiding tweets from certain accounts in conversations and search results." In order to see them, you'll now have to scroll to the bottom of the conversation and click "Show more replies," or go into your search settings and choose "See everything." From the report: When Twitter's software decides that a certain user is "detract[ing] from the conversation," all of that user's tweets will be hidden from search results and public conversations until their reputation improves. And they won't know that they're being muted in this way; Twitter says it's still working on ways to notify people and help them get back into its good graces. In the meantime, their tweets will still be visible to their followers as usual and will still be able to be retweeted by others. They just won't show up in conversational threads or search results by default. The change will affect a very small fraction of users, explained Twitter's vice president of trust and safety, Del Harvey -- much less than 1 percent. Still, the company believes it could make a significant difference in the average user's experience. In early testing of the new feature, Twitter said it has seen a 4 percent drop in abuse reports in its search tool and an 8 percent drop in abuse reports in conversation threads.
Youtube

YouTube Rolls Out New Tools To Help You Stop Watching (techcrunch.com)

At its Google I/O conference this week, YouTube announced a series of new controls that will allow users to set limits on their viewing, and then receive reminders telling them to "take a break." "The feature is rolling out now in the latest version of YouTube's app, along with others that limit YouTube's ability to send notifications, and soon, one that gives users an overview of their binge behavior so they can make better-informed decisions about their viewing habits," reports TechCrunch. From the report: With "Take a Break," available from YouTube's mobile app Settings screen, users can set a reminder to appear every 15, 30, 60, 90 or 180 minutes, at which point the video will pause. You can then choose to dismiss the reminder and keep watching, or close the app.

Also new is a feature that lets you disable notification sounds during a specified time period each day -- say, for example, from bedtime until the next morning. When users turn on the setting to disable notifications, it will, by default, disable them from 10 PM to 8 AM local time, but this can be changed. Combined with this is an option to get a scheduled digest of notifications as an alternative. And YouTube is preparing to roll out a "time watched profile" that will appear in the Account menu and display your daily average watch time, and how long you've watched YouTube videos today, yesterday and over the past week, along with a set of tools to help you manage your viewing habits.

Chrome

Google Is Testing a New Chrome UI (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Google engineers have rolled out a new Chrome user interface (UI). Work on the new Refresh UI has been underway since last year, Bleeping Computer has learned. The new UI is in early testing stages, and only available via the Google Chrome Canary distribution, a version of the Chrome browser used as a testing playground. Users who are interested in giving the new UI a spin must install Chrome Canary, and then access chrome://flags, a section that contains various experimental options not included in Chrome's default settings section.
Privacy

Steam Spy Announces It's Shutting Down, Blames Valve's New Privacy Settings

Steam Spy, the world's most comprehensive game ownership and play estimator available to the public, announced that it "won't be able to operate anymore" thanks to recent changes to Valve's privacy policy. "Valve just made a change to their privacy settings, making games owned by Steam users hidden by default," the site's operators announced on its official Twitter account. "Steam Spy relied on this information being visible by default." The creator of the website, Sergey Galyonkin, suggested that the site will only remain as an "archive" from here on out. Ars Technica reports: Indeed, Steam's new private-by-default setting is the kind of proactive, data-protective move that sites like Facebook have faced repeated scrutiny about over the past decade. However, as of press time, we could not confirm exactly how these updated settings will work, thanks to the service's "edit privacy settings" page currently appearing blank. (This can be found in the Steam interface by selecting the word "profile" under the menu that appears when mousing over your username.)

Valve pointed out that Steam will also receive a long, long, long-awaited "invisible" function for Steam's online-status toggle, which will allow players to actively communicate with Steam friends while hiding from the general public, and that it will also specifically let players hide both game ownership and gameplay time counts from friends. The company explained that Tuesday's changes came "directly from user feedback," which Steam Spy founder Sergey Galyonkin questioned via his site's Twitter feed: "They said it was by users feedback which makes me as a person born in the Soviet Union very suspicious :)" After Epic Games founder Tim Sweeney applauded Valve's privacy-minded policy change, Galyonkin responded with his own opinion on why so much data was open on Steam in the first place: "This was always a compromise between being able to play with other people and privacy," he wrote in response. "It seems they moved towards privacy now."
Music

Google Home Can Now Control Your Bluetooth Speakers (theverge.com)

Google Home speakers can now play music and other audio on the Bluetooth speakers you might have around the house. "We brought this feature to life after hearing how much you wanted to amp up the sound with your Google Home Mini," the company said in a blog announcement. "Now any of your Google Home devices can connect to other Bluetooth speakers so you can control your entertainment experience simply using the sound of your voice." The Verge reports: You can also add your existing Bluetooth speakers to Google Home groups for multi-room audio, which is where this might prove handy for Home Max users. You can pair a Bluetooth speaker with Google Home in the device settings section of the Home app. Just set it as your default speaker. Your Home device will still listen for your commands, but will route all audio through the connected Bluetooth speaker. This doesn't magically give those paired speakers Google Assistant's smarts, though. "You'll still need to talk to your Google Home device -- not the connected Bluetooth speakers -- for queries like asking questions, getting weather updates, and using smart home commands."
Databases

Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com)

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running an etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers, which can be used to gain access to CMSs, MySQL and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
Firefox

Firefox Gets Privacy Boost By Disabling Proximity and Ambient Light Sensor APIs (bleepingcomputer.com)

Starting with Firefox 60 -- expected to be released in May 2018 -- websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information. From a report: Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs. But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default. The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default. This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors. The two flags will be available in Firefox's about:config settings page. The screenshot below shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.
Ubuntu

Ubuntu Wants To Collect Data About Your System -- Starting With 18.04 LTS (fossbytes.com)

In an announcement on the Ubuntu mailing list, Will Cooke, on behalf of the Ubuntu Desktop team, announced Canonical's plans to collect some data related to the users' system configuration and the packages installed on their machines. From a report: Before you read anything further, it's important to note that users will have the option to opt out of this data collection. The company plans to add a checkbox to the installer, which would be checked by default. The option could be like: "Send diagnostics information to help improve Ubuntu." You can opt out during the installation if you prefer. An option to do the same will also be made available in the Privacy panel of GNOME Settings. With this data collection, the team wishes to improve the daily experiences of Ubuntu users. It's worth noting that the collected data will be sent over encrypted connections and no IP addresses will be tracked. To be precise, the collected data will include: flavour and version of Ubuntu, network connectivity or not, CPU family, RAM, disk(s) size, screen(s) resolution, GPU vendor and model, OEM manufacturer, location (based on the location selection made during install), no IP information, time taken for installation, auto-login enabled or not, disk layout selected, third party software selected or not, download updates during install or not, Livepatch enabled or not.
Privacy

German Court Rules Facebook Use of Personal Data Illegal (reuters.com)

A German consumer rights group said on Monday that a court had found Facebook's use of personal data to be illegal because the U.S. social media platform did not adequately secure the informed consent of its users. From a report: The verdict, from a Berlin regional court, comes as Big Tech faces increasing scrutiny in Germany over its handling of sensitive personal data that enables it to micro-target online advertising. The Federation of German Consumer Organisations (vzvb) said that Facebook's default settings and some of its terms of service were in breach of consumer law, and that the court had found parts of the consent to data usage to be invalid. "Facebook hides default settings that are not privacy-friendly in its privacy center and does not provide sufficient information about it when users register," said Heiko Duenkel, litigation policy officer at the vzvb. "This does not meet the requirement for informed consent."
Operating Systems

Google's Fuchsia OS On the Pixelbook (arstechnica.com)

An anonymous reader quotes a report from 9to5Google: Our early look at Fuchsia OS last May provided a glimpse into a number of new interface paradigms. Several months later, we now have an updated hands-on with Google's future operating system that can span various form factors. This look at the in-development OS eight months later comes courtesy of Ars Technica, which managed to get Fuchsia installed on the Pixelbook. The Made by Google Chromebook is only the third officially supported "target device" for Fuchsia development. As our last dive into the non-Linux kernel OS was through an Android APK, we did not encounter a lockscreen. The Ars hands-on shows a basic one that displays the time at center and the Fuchsia logo in the top-left corner to switch between phone and desktop/tablet mode, while a FAB (of sorts) in the opposite corner lets users bring up WiFi controls, Login, and Guest.

Only Guest is fully functioning at this stage -- at least for non-Google employees. Once in this mode, we encounter an interface similar to the one we spotted last year. The big difference is how Google has filled in demo information and tweaked some elements. On phones and tablets, Fuchsia essentially has three zones. Recent apps are above, at center are controls, and below is a mixture of the Google Feed and Search. The controls swap out the always-displayed profile icon for a Fuchsia button. Tapping still surfaces Quick Settings which actually reflect current device battery levels and IP address. Impressively, Ars found a working web browser that can actually surf the internet. Google.com is the default homepage, with users able to visit other sites through that search bar. Other examples of applications, which are just static images, include a (non-working) phone dialer, video player, and Google Docs. The Google Calendar is notable for having subtle differences to any known version, including the tablet or web app.

Intel

Researcher Finds Another Security Flaw In Intel Management Firmware (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Meltdown and Spectre are not the only security problems Intel is facing these days. Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware -- remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel. [T]he latest vulnerability -- discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post -- is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel's Management Engine BIOS Extension (MEBx).

If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password, enable remote access, and set the firmware to not give the computer's user an "opt-in" message at boot time. "Now the attacker can gain access to the system remotely," F-Secure's release noted, "as long as they're able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."

Bug

iPhone Users Complain About the Word 'It' Autocorrecting To 'I.T' On iOS 11 and Later (macrumors.com)

An anonymous reader quotes a report from MacRumors: At least a few hundred iPhone users and counting have complained about the word "it" autocorrecting to "I.T" on iOS 11 and later. When affected users type the word "it" into a text field, the keyboard first shows "I.T" as a QuickType suggestion. After tapping the space key, the word "it" automatically changes to "I.T" without actually tapping the predictive suggestion. A growing number of iPhone users have voiced their frustrations about the issue on the MacRumors discussion forums, Twitter, and other discussion platforms on the web since shortly after iOS 11 was released in late September. Many users claim the apparent autocorrect bug persists even after rebooting the device and performing other basic troubleshooting. A temporary workaround is to tap Settings > General > Keyboard > Text Replacement and enter "it" as both the phrase and shortcut, but some users insist this solution does not solve the problem. A less ideal workaround is to toggle off auto-correction and/or predictive suggestions completely under Settings > General > Keyboard. MacRumors reader Tim shared a video that highlights the issue.
Google

Android Oreo Bug Sends Thousands of Phones Into Infinite Boot Loops (bleepingcomputer.com)

An anonymous reader writes: A bug in the new "Adaptive Icons" feature introduced in Android Oreo has sent thousands of phones into infinite boot loops, forcing some users to reset their devices to factory settings, causing users to lose data along the way. The bug was discovered by Jcbsera, the developer of the Swipe for Facebook Android app (an energy-efficient Facebook wrapper app), and does not affect Android Oreo (8.0) in its default state. The bug occurs only with apps that use adaptive icons -- a new feature introduced in Android Oreo that allows icons to change shape and size based on the device they're viewed on, or the type of launcher the user is using on his Android device. For example, adaptive icons will appear in square, rounded, or circle containers depending on the theme or launcher the user is using. The style of adaptive icons is defined in a local XML file. The bug first manifested itself when the developer of the Swipe for Facebook Android app accidentally gave the foreground image of his adaptive icon the same name as this XML file (ic_launcher_main.png and ic_launcher_main.xml). This naming scheme sends Android Oreo into an infinite loop that regularly crashes the device. At one point, Android detects something is wrong and prompts the user to reset the device to factory settings. Users don't have to open the app; the crashes happen just by having an app with malformed adaptive icon artifacts on the phone. Google said it will fix the issue in Android Oreo 8.1.
Privacy

Dutch Privacy Regulator Says Windows 10 Breaks the Law (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law. To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn't always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection -- though this language still wasn't explicit about what was collected and why -- and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen. In the Creators Update, Microsoft also explicitly enumerated all the data collected in Windows 10's "Basic" telemetry setting. However, the company has not done so for the "Full" option, and the Full option remains the default. The DPA's complaint doesn't call for Microsoft to offer a complete opt out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to "end all violations," but if the software company fails to do so, it faces sanctions.
Cellphones

Slashdot Asks: How Do You Navigate Your Smartphone?

There are many different ways to navigate a smartphone. Some devices employ capacitive touch navigation buttons in favor of on-screen navigation buttons for the back, home and overview commands. Others, such as the recently released Moto Z2 Force and Moto Z2 Play, feature a mini trackpad under the display that lets users navigate their device through a series of swipes (on-screen navigation buttons are used by default, but the option to use the "one button nav" mini trackpad can be enabled in the settings). The upcoming iPhone 8, for example, may feature a software bar in lieu of a physical/virtual home button, introducing new gesture controls for returning to the home screen and switching between apps.

How do you navigate your smartphone? Given the many different options available on the market, do you think there is one method of navigation that trumps the others, or is it a classic case of "different strokes for different folks?"
Programming

IEEE Spectrum Declares Python The #1 Programming Language (ieee.org)

An anonymous reader quotes IEEE Spectrum's annual report on the top programming languages: As with all attempts to rank the usage of different languages, we have to rely on various proxies for popularity. In our case, this means having data journalist Nick Diakopoulos mine and combine 12 metrics from 10 carefully chosen online sources to rank 48 languages. But where we really differ from other rankings is that our interactive allows you to choose how those metrics are weighted when they are combined, letting you personalize the rankings to your needs. We have a few preset weightings -- a default setting that's designed with the typical Spectrum reader in mind, as well as settings that emphasize emerging languages, what employers are looking for, and what's hot in open source...

Python has continued its upward trajectory from last year and jumped two places to the No. 1 slot, though the top four -- Python, C, Java, and C++ -- all remain very close in popularity. Indeed, in Diakopoulos's analysis of what the underlying metrics have to say about the languages currently in demand by recruiting companies, C comes out ahead of Python by a good margin... Ruby has fallen all the way down to 12th position, but in doing so it has given Apple's Swift the chance to join Google's Go in the Top Ten... Outside the Top Ten, Apple's Objective-C mirrors the ascent of Swift, dropping down to 26th place. However, for the second year in a row, no new languages have entered the rankings. We seem to have entered a period of consolidation in coding as programmers digest the tools created to cater to the explosion of cloud, mobile, and big data applications.

"Speaking of stabilized programming tools and languages," the article concludes, "it's worth noting Fortran's continued presence right in the middle of the rankings (sitting still in 28th place), along with Lisp in 35th place and Cobol hanging in at 40th."
Windows

'Windows 10 Is Failing Us' (betanews.com)

Reader BrianFagioli writes: While Windows 10 is arguably successful from a market share perspective, it is still failing in one big way -- the user experience. Windows 8.x was an absolute disaster, and Microsoft's latest is certainly better than that, but it is still not an enjoyable experience. Before the company tries to add new features (and misses deadlines) like Timeline and Cloud Clipboard, it should focus more on improving the existing user experience. Right now it is failing us and things are not getting better. Even the third-party solutions that aim to turn this spying off aren't 100-percent successful. Unless you unplug from the internet entirely, you can't stop Windows from phoning home to Microsoft. This is a shame, as some consumers are being made to feel violated when using their own computer. Another issue that I can't believe hasn't been resolved is having two locations for system settings. Seriously, Microsoft? We still have "Settings" and "Control Panel." Live Tiles are still worthless, and it is time for Microsoft to kill them. Nobody opens an app launcher and stares at the icons for information. It is distracting and pointless. If I want the weather, I'll open a weather app and see it -- not stare at the icon for the information. It sort of made sense in the Windows 8.x era since you were presented with a full screen of app icons more often, but with a more traditional start-button design in Windows 10, it is time to retire it. Another example: Microsoft doesn't force you to use Edge and Bing entirely, but it still does force you. Cortana is a hot mess, but if you opt to use her, she will only open things in Edge. Searches are Bing-only. In other words, the virtual assistant ignores your default browser settings. Why? Not for the user's benefit. Sadly, the Windows Store is a garbage dump -- many of the "legit" apps are total trash.