Microsoft

Security Analyst Concludes Windows 10 Enterprise 'Tracks Too Much' (xato.net) 284

A viral Twitter rant about Windows 10 Enterprise supposedly ignoring users' privacy settings has since been clarified. "I made mistakes on my original testing and therefore saw more connections than I should have," writes IT security analyst Mark Burnett, "including some to Google ads." But his qualified results -- quoted below -- are still critical of Microsoft:
  • You can cut back even more using the Windows Restricted Traffic Limited Functionality Baseline but break many things.
  • Settings can be set wrong if you aren't paying attention. Also, settings are not consistent and can be confusing to beginners.
  • You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience... But you can't completely opt-out. Windows still tracks too much.
  • Home and Professional users are much worse off due to limitations of some settings and lack of an IT staff... I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows.

Chrome

Google Chrome Users On Apple MacOS Get Enhanced Safe Browsing Protection (betanews.com) 55

BrianFagioli quotes a report from BetaNews: As more and more consumers buy Mac computers, evildoers will have increased incentive to write malware for macOS. Luckily, users of Apple's operating system who choose to use Google Chrome for web surfing will soon be safer. You see, the search giant is improving its Safe Browsing initiative to better warn macOS users of malicious websites and attempts to alter browser settings. "As part of this next step towards reducing macOS-specific malware and unwanted software, Safe Browsing is focusing on two common abuses of browsing experiences: unwanted ad injection, and manipulation of Chrome user settings, specifically the start page, home page, and default search engine. Users deserve full control of their browsing experience and Unwanted Software Policy violations hurt that experience," says Google. The search giant further explains, "The recently released Chrome Settings API for Mac gives developers the tools to make sure users stay in control of their Chrome settings. From here on, the Settings Overrides API will be the only approved path for making changes to Chrome settings on Mac OSX, like it currently is on Windows. Also, developers should know that only extensions hosted in the Chrome Web Store are allowed to make changes to Chrome settings. Starting March 31 2017, Chrome and Safe Browsing will warn users about software that attempts to modify Chrome settings without using the API."
Windows

EU Privacy Watchdogs Say Windows 10 Settings Still Raise Concerns (reuters.com) 161

Julia Fioretti, reporting for Reuters: European Union data protection watchdogs said on Monday they were still concerned about the privacy settings of Microsoft's Windows 10 operating system despite the U.S. company announcing changes to the installation process. The watchdogs, a group made up of the EU's 28 authorities responsible for enforcing data protection law, wrote to Microsoft last year expressing concerns about the default installation settings of Windows 10 and users' apparent lack of control over the company's processing of their data. The group -- referred to as the Article 29 Working Party -- asked for more explanation of Microsoft's processing of personal data for various purposes, including advertising. "In light of the above, which are separate to the results of ongoing inquiries at a national level, even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users' personal data," the group said in a statement which also acknowledged Microsoft's willingness to cooperate.
Android

Galaxy S7 Display Defaults To Full HD After Nougat Update, But You Can Switch Back (androidcentral.com) 21

An anonymous reader writes: Samsung's new display scaling options change the default resolution of the Galaxy S7 and S7 edge. The Nougat update to the Galaxy S7 and S7 edge introduces a new display scaling option that lets you reduce the screen resolution as a way to conserve battery life. With the update, you can now choose between three modes -- WQHD (2560x1440), FHD (1920x1080), and HD (1280x720). While it's a nifty feature to have, the display on the Galaxy S7 and S7 edge is automatically defaulting to Full HD for those who have installed the update. Fortunately, you can easily switch back to the native Quad HD resolution by navigating to Settings -> Display.
Privacy

Uber Says App Doesn't Keep Track of Location; iOS Maps Extension to Blame (ndtv.com) 38

Uber recently landed itself in hot water after a report claimed that its app was tracking the location of passengers even when they had not used the service for weeks. The company has responded to the accusations. From a report: The company has come up with an explanation and says that the location tracking is enabled for some users due to a new iOS setting. Uber stresses that it's not its app that's doing this -- but an iOS feature. John Gruber of Daring Fireball had claimed in a recent post that Uber was tracking user location and that this could be easily checked via Settings > Privacy > Location Services on an iOS device. That screen shows each app's location access as one of three options: "Always", "While using the app", and "Never." However, several users shared screenshots of the Settings page showing Uber's location access set to "Always" despite their not having used the app in nearly a week. An Uber spokesperson said in a statement that this behaviour was attributable to use of the new iOS Maps extension: "For people who choose to integrate ride-sharing apps with iOS Maps, location data must be shared in order for you to request a ride inside the Maps app. Map extensions are disabled by default and you can choose to turn them on in your iOS settings."
HP

HP Shutting Down Default FTP, Telnet Access To Network Printers (pcworld.com) 83

Security experts consider the aging FTP and Telnet protocols unsafe, and HP has decided to clamp down on access to networked printers through those remote-access tools. From a report on PCWorld: Some of HP's new business printers will, by default, be closed to remote access via protocols like FTP and Telnet. However, customers can activate remote printing access through those protocols if needed. "HP has started the process of closing older, less-maintained interfaces including ports, protocols and cipher suites" identified by the U.S. National Institute of Standards and Technology as less than secure, the company said in a statement. In addition, HP also announced firmware updates to existing business printers with improved password and encryption settings, so hackers can't easily break into the devices.
Chrome

Chrome 55 Now Blocks Flash, Uses HTML5 By Default (bleepingcomputer.com) 98

An anonymous reader quotes Bleeping Computer: Chrome 55, released earlier this week, now blocks all Adobe Flash content by default, according to a plan set in motion by Google engineers earlier this year... While some of the initial implementation details of the "HTML5 By Default" plan changed since then, Flash has been phased out in favor of HTML5 as the primary technology for playing multimedia content in Chrome.

Google's plan is to turn off Flash and use HTML5 for all sites. Where HTML5 isn't supported, Chrome will prompt users and ask them if they want to run Flash to view multimedia content. The user's option would be remembered for subsequent visits, but there's also an option in the browser's settings section, under Settings > Content Settings > Flash > Manage Exceptions, where users can add the websites they want to allow Flash to run by default.

Exceptions will also be made automatically for your more frequently-visited sites -- which, for many users, will include YouTube. And Chrome will continue to ship with Flash -- as well as an option to re-enable Flash on all sites.
Advertising

Google Has Quietly Dropped Ban On Personally Identifiable Web Tracking (propublica.org) 155

Fudge Factor 3000 writes: Google has quietly changed its privacy policy to allow it to associate web tracking, which is supposed to remain anonymous, with personally identifiable user data. This completely reneges on its promise to keep a wall between ad tracking and personally identifiable user data, further eroding one's anonymity on the internet. Google's priorities are clear. All they care about is monetizing user information to rake in the big dollars from ad revenue. Think twice before you purchase the premium-priced Google Pixel. Google is getting added value from you as its product without giving you part of the revenue it is generating through tracking through lower prices. The crossed-out section in its privacy policy, which discusses the separation of information as mentioned above, has been followed with this statement: "Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google's services and the ads delivered by Google." ProPublica reports: "The change is enabled by default for new Google accounts. Existing users were prompted to opt-in to the change this summer. The practical result of the change is that the DoubleClick ads that follow people around on the web may now be customized to them based on your name and other information Google knows about you. It also means that Google could now, if it wished to, build a complete portrait of a user by name, based on everything they write in email, every website they visit and the searches they conduct. The move is a sea change for Google and a further blow to the online ad industry's longstanding contention that web tracking is mostly anonymous. In recent years, Facebook, offline data brokers and others have increasingly sought to combine their troves of web tracking data with people's real names. But until this summer, Google held the line." You can choose to opt in or out of the personalized ads here.
Social Networks

Facebook Wins 'Big Brother' Award in Belgium After Being Declared Worst Privacy Villain (cnet.com) 37

Facebook won the "Big Brother" award in Belgium on Thursday, after people in the nation reached a conclusion that the social juggernaut is the ultimate privacy villain. "Facebook is a multi-billion dollar company that has one commodity - you!" said Joe McNamee, Executive Director of European Digital Rights. From a CNET report: Facebook, nominated by international digital advocacy group EDRi, won after being criticized for its default privacy settings in a unanimous decision. The social network didn't respond to requests for comment. "Facebook has access to a wide range of personal data, and it tracks your movements across the web, whether you are logged in or not," EDRi said. "And the devil is in the default: To opt out, you are expected to navigate Facebook's complex web of settings."
Android

Google Play Starts Bringing Android Apps To Chromebooks (venturebeat.com) 14

An anonymous reader quotes a report from VentureBeat: As promised, Google has finally brought the Google Play store to Chrome OS. Android apps, Android games, and media content from the store are all now finally available on Chromebooks running the latest stable build. But that still doesn't mean all Chromebook owners can use the store. This continues to be a gradual rollout -- even on the stable channel, Google is limiting the launch in multiple ways. "A beta release of the Play store is available to users now on the Acer R11 and Asus Flip (and coming soon to Pixel 2015) and can be enabled from the Settings page," a Google spokesperson told VentureBeat. "The team is hard at work making the experience great for users before making the Play Store available by default on these Chromebooks." That's right -- even though we're still talking about just three devices, the Play store is disabled by default. Once you've updated to version 53.0.2785.129 (make sure to switch back to the stable channel if you aren't already on it), you'll have to enable the Play Store in Chrome Settings.
Encryption

FBI Director Says Prolific Default Encryption Hurting Government Spying Efforts (go.com) 367

SonicSpike quotes a report from ABC News: FBI Director James Comey warned again Tuesday about the bureau's inability to access digital devices because of encryption and said investigators were collecting information about the challenge in preparation for an "adult conversation" next year. Widespread encryption built into smartphones is "making more and more of the room that we are charged to investigate dark," Comey said in a cybersecurity symposium. The remarks reiterated points that Comey has made repeatedly in the last two years, before Congress and in other settings, about the growing collision between electronic privacy and national security. "The conversation we've been trying to have about this has dipped below public consciousness now, and that's fine," Comey said at a symposium organized by Symantec, a technology company. "Because what we want to do is collect information this year so that next year we can have an adult conversation in this country." The American people, he said, have a reasonable expectation of privacy in private spaces -- including houses, cars and electronic devices. But that right is not absolute when law enforcement has probable cause to believe that there's evidence of a crime in one of those places, including a laptop or smartphone. "With good reason, the people of the United States -- through judges and law enforcement -- can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception. He said it's not the role of the FBI or tech companies to tell the American people how to live and govern themselves. "We need to understand in the FBI how is this exactly affecting our work, and then share that with folks," Comey said, conceding the American people might ultimately decide that their privacy was more important than "that portion of the room being dark." Comey made his remarks to the 2016 Symantec Government Symposium.
The Daily Dot has another take on Comey's remarks, which you can read here.
Programming

20% of Scientific Papers On Genes Contain Conversion Errors Caused By Excel, Says Report (winbeta.org) 349

An anonymous reader writes from a report via WinBeta: A new report from scientists Mark Ziemann, Yotam Eren, and Assam El-Osta says that 20% of scientific papers on genes contain gene name conversion errors caused by Excel. In the abstract of the article, titled "Gene name errors are widespread in the scientific literature," the scientists explain: "The spreadsheet software Microsoft Excel, when used with default settings, is known to convert gene names to dates and floating-point numbers. A programmatic scan of leading genomics journals reveals that approximately one-fifth of papers with supplementary Excel gene lists contain erroneous gene name conversions."

It's easy to see why Excel might have problems with certain gene names when you see the "gene symbols" that the scientists use as examples: "For example, gene symbols such as SEPT2 (Septin 2) and MARCH1 [Membrane-Associated Ring Finger (C3HC4) 1, E3 Ubiquitin Protein Ligase] are converted by default to '2-Sep' and '1-Mar', respectively. Furthermore, RIKEN identifiers were described to be automatically converted to floating point numbers (i.e. from accession '2310009E13' to '2.31E+13'). Since that report, we have uncovered further instances where gene symbols were converted to dates in supplementary data of recently published papers (e.g. 'SEPT2' converted to '2006/09/02'). This suggests that gene name errors continue to be a problem in supplementary files accompanying articles. Inadvertent gene symbol conversion is problematic because these supplementary files are an important resource in the genomics community that are frequently reused. Our aim here is to raise awareness of the problem."
You can view the scientific paper in its entirety here.
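As an added illustration (not code from the paper or the WinBeta report), the following Python script emulates Excel's default interpretation of a gene symbol closely enough to flag the conversions the abstract describes (SEPT2 becoming a date, 2310009E13 becoming a floating-point number) before a gene list is shipped as a supplementary file. The month list and patterns are an approximation assumed here, not Excel's actual parser, and the sample gene list is constructed.

```python
import re

# Month tokens that, followed by a day number, Excel's default cell parser
# turns into a date. Assumption: this English-only list (plus "SEPT", which
# the paper shows being converted) approximates Excel; it is not its parser.
MONTHS = {
    "jan": "Jan", "feb": "Feb", "mar": "Mar", "apr": "Apr", "may": "May",
    "jun": "Jun", "jul": "Jul", "aug": "Aug", "sep": "Sep", "sept": "Sep",
    "oct": "Oct", "nov": "Nov", "dec": "Dec",
    "january": "Jan", "february": "Feb", "march": "Mar", "april": "Apr",
    "june": "Jun", "july": "Jul", "august": "Aug", "september": "Sep",
    "october": "Oct", "november": "Nov", "december": "Dec",
}

DATE_RE = re.compile(r"^([A-Za-z]+)[-/ ]?(\d{1,2})$")   # SEPT2, MARCH1, Oct-4
SCI_RE = re.compile(r"^\d+(\.\d+)?[eE][+-]?\d+$")       # 2310009E13
NUM_RE = re.compile(r"^\d+(\.\d+)?$")                   # plain numbers


def excel_default_interpretation(symbol):
    """Return (kind, value): kind is 'date', 'float', 'number' or 'text';
    value is the mangled form for dates, the parsed float for floats,
    and the unchanged string otherwise."""
    s = symbol.strip()
    m = DATE_RE.match(s)
    if m and m.group(1).lower() in MONTHS:
        day = int(m.group(2))
        if 1 <= day <= 31:
            # Excel shows e.g. SEPT2 as 2-Sep and silently adds a year.
            return ("date", "%d-%s" % (day, MONTHS[m.group(1).lower()]))
    if SCI_RE.match(s):
        # Once it is a number, the original identifier cannot be recovered.
        return ("float", float(s))
    if NUM_RE.match(s):
        return ("number", s)
    return ("text", s)


def scan_gene_list(symbols):
    """Return [(symbol, kind, value)] for every symbol Excel would change."""
    hits = []
    for sym in symbols:
        kind, value = excel_default_interpretation(sym)
        if kind != "text":
            hits.append((sym, kind, value))
    return hits


def protect_for_csv(symbol):
    """Wrap an at-risk symbol as a quoted formula constant, ="SEPT2", a
    common workaround that makes Excel keep the text on CSV import.
    Importing the column with the Text data type is the cleaner fix."""
    kind, _ = excel_default_interpretation(symbol)
    return symbol if kind == "text" else '="%s"' % symbol


# Constructed sample list (not data from the paper).
SAMPLE = ["SEPT2", "MARCH1", "2310009E13", "TP53", "BRCA1",
          "DEC1", "OCT4", "MARCH10", "1110001A16", "SEPT15"]

if __name__ == "__main__":
    for sym, kind, value in scan_gene_list(SAMPLE):
        print("%-12s -> %-6s %s" % (sym, kind, value))
    print([protect_for_csv(s) for s in SAMPLE])
```

Run it over a real supplementary gene column to see which entries would be silently rewritten; symbols such as TP53 or BRCA1 pass through untouched.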
Open Source

New FreeBSD 11.0 Release Candidate Tested By Phoronix (phoronix.com) 61

"The first release candidate for the upcoming FreeBSD 11.0 is ready for testing," reports Distrowatch, noting various changes. ("A NULL pointer dereference in IPSEC has been fixed; support for SSH protocol 1 has been removed; OpenSSH DSA keys have been disabled by default...") Now an anonymous Slashdot reader writes: On Sunday, Phoronix performed some early benchmark testing, comparing FreeBSD 10.3 to FreeBSD 11.0 as well as DragonFlyBSD, Ubuntu, Intel Clear Linux and CentOS Linux 7. They reported mixed results -- some wins and some losses for FreeBSD -- using a clean install with the default package/settings on the x86_64/amd64 version for each operating system.

FreeBSD 11.0 showed the fastest compile times, and "With the SQLite benchmark, the BSDs came out ahead of Linux [and] trailed slightly behind DragonFlyBSD 4.6 with HAMMER. The 11.0-BETA4 performance does appear to regress slightly for SQLite compared to FreeBSD 10.3... With the BLAKE2 crypto test, all four Linux distributions were faster than DragonFlyBSD and FreeBSD... with the Apache web server benchmark, FreeBSD was able to outperform the Linux distributions..."

Microsoft

Annoying 'Open PDF In Edge' Default Option Puts Windows 10 Users At Risk (softpedia.com) 118

An anonymous reader writes from a report via Softpedia: Microsoft today fixed a serious security flaw in the Windows PDF Library, a standard library used by Windows 10 to open and render PDF files and embedded by default in Edge. Exploiting this flaw allows attackers to execute code on the user's machine and take over the device, just by tricking a user into accessing a PDF hosted online via Edge. Since Edge is not only the default browser in Windows 10, but also the default PDF reader, this flaw puts countless users who have not changed those settings at risk. Even worse, Microsoft has the annoying habit of resetting your personal app preferences once in a blue moon, always reverting Edge as the default browser and the default app to open PDF files.
Chrome

Google: Chrome 53 Will 'De-Emphasize Flash In Favor of HTML5' Next Month (venturebeat.com) 68

Google announced in a blog post today that Chrome will officially start to "de-emphasize Flash in favor of HTML5." VentureBeat reports: "In September 2016, Chrome will block Flash content that loads behind the scenes, which the company estimates accounts for more than 90 percent of the Flash on the web. In December, Chrome will make HTML5 the default experience for central content, such as games and videos, except on sites that only support Flash." Google detailed next month's plan (design doc), when Chrome 53 will be released: "In September 2015, we made 'Detect and run important plugin content' the default plugin setting in Chrome, automatically pausing any cross-origin plugin content smaller than 400px in width or 300px in height. This behavior has an exception for any plugin content that is 5x5 or smaller or is an undefined size, because there was no canonical way of detecting viewability until Intersection Observer was standardized and implemented. We would now like to remove this exception and instead not load tiny, cross-origin content. If the user has their plugin setting set to the default of 'Detect and run important plugin content,' the browser will not instantiate cross-origin plugin content that is roughly 5x5 or smaller or has an undefined size. An icon will be displayed in the URL bar indicating that plugin content is not running, allowing the user to reload the page with plugin content running or open settings to add a site-wide exception. Other choices of the plugin content setting are unaffected by this launch."
Microsoft

Microsoft Live Account Credentials Leaking From Windows 8 And Above (hackaday.com) 55

An anonymous reader writes: Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account). The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised. To see if your machine is affected, you may want to check the public demonstration of the exploit, set up by the guys from [Perfect Privacy] and based on [VladikSS]'s original work. Basically, the default User Authentication Settings of Edge/Spartan (also Internet Explorer and Outlook) let the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user's Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker's network share.
Security

Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com) 77

Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept: "Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...

The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."

The nonprofit was funded with $600,000 from DARPA, the Ford Foundation, and Consumers Union, and also looks at the number of external libraries called, the number of branches in a program and the presence of high-complexity algorithms.
AMD

AMD Details Driver Fix For Radeon RX 480's Controversial, Spec-Exceeding Power Draw (pcworld.com) 157

AMD's 150-watt Radeon RX 480 apparently draws more power than it is supposed to. According to Tom's Hardware blog, AMD's new graphics card used an average of 168W under load. Furthermore, the publication found that the card pulled up to a whopping 90W over the motherboard's PCI-E slot, far exceeding the 75W maximum the slot is rated for. PC Perspective's findings were similar, with The Witcher 3 consuming over 190W of sustained power draw when the RX 480 was overclocked. Worse, the blog discovered that AMD's card drew 7 amps over the PCI-E slot's +12v rail, which is rated for 5.5 amps maximum. These issues could theoretically (but not likely) damage lower-end motherboards in extreme circumstances, writes PCWorld. The chip company last week addressed the concerns, noting that it will soon release a software fix. In a new statement to PCWorld, the company adds: "We promised an update today (July 5, 2016) following concerns around the Radeon RX 480 drawing excess current from the PCIe bus. Although we are confident that the levels of reported power draws by the Radeon RX 480 do not pose a risk of damage to motherboards or other PC components based on expected usage, we are serious about addressing this topic and allaying outstanding concerns. Towards that end, we assembled a worldwide team this past weekend to investigate and develop a driver update to improve the power draw. We're pleased to report that this driver -- Radeon Software 16.7.1 -- is now undergoing final testing and will be released to the public in the next 48 hours. In this driver we've implemented a change to address power distribution on the Radeon RX 480 -- this change will lower current drawn from the PCIe bus. Separately, we've also included an option to reduce total power with minimal performance impact. Users will find this as the "compatibility" UI toggle in the Global Settings menu of Radeon Settings. This toggle is "off" by default.
Finally, we've implemented a collection of performance improvements for the Polaris architecture that yield performance uplifts in popular game titles of up to 3%. These optimizations are designed to improve the performance of the Radeon RX 480, and should substantially offset the performance impact for users who choose to activate the "compatibility" toggle.
Security

Battle of the Secure Messaging Apps: Signal Triumphs Over WhatsApp, Allo (theintercept.com) 171

There is no shortage of messaging apps out there, so which one should you be using? If you care about your privacy, you would want your messaging client to be end-to-end encrypted. This narrows down the list to WhatsApp, Signal, and Allo. The Intercept has evaluated the apps to find which among the three is the best from the privacy standpoint. The publication says that while all three aforementioned apps use the same secure messaging protocol (Open Whisper Systems'), they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud.
WhatsApp: It's important to keep in mind that, even with the Signal protocol in place, WhatsApp's servers can still see messages that users send through the service. They can't see what's inside the messages, but they can see who is sending a message to whom and when. In addition, WhatsApp also retains your contact list -- provided you have shared it with the service. If a government requests access to this data, WhatsApp could hand it over.
Allo: The first thing to understand about Google's forthcoming Allo app is that, by default, Google will be able to read all of your Allo messages. If you want end-to-end encryption via the Signal protocol, you need to switch to an "incognito mode" within the app, which will be secure but include fewer features. [...] Allo's machine learning features prevent Google from turning on end-to-end encryption for all messages, since Google needs to be able to ingest the content of messages for the machine learning to work, a Google spokesperson confirmed.
Signal: The first thing that sets Signal apart from WhatsApp and Allo is that it is open source. The app's code is freely available for experts to inspect for flaws or back doors in its security. Another thing that makes Signal unique is its business model: There is none. In stark contrast to Facebook and Google, which make their money selling ads, Open Whisper Systems is entirely supported by grants and donations. With no advertising to target, the company intentionally stores as little user data as possible. Signal's privacy policy is short and concise. Unlike WhatsApp, Signal doesn't store any message metadata. [...] If you back up your phone to your Google or iCloud account, Signal doesn't include any of your messages in this backup.
But what about Telegram, you ask? A Gizmodo report, also published on Wednesday, says that Telegram's default settings store your messages on its unencrypted servers. "This is pretty much one of the worst things you could imagine when trying to send secure messages."
Microsoft

Microsoft Says Edge Browser Is More Power-Efficient Than Chrome (windows.com) 260

An anonymous reader writes: It's no secret that Google's Chrome browser eats up a considerable amount of memory (and by extension, battery). On Monday, Microsoft announced that its Edge browser has succeeded on that front. Citing several tests, Microsoft claims the Edge browser is a better choice for portable device owners. The company took four identical laptops running Windows 10 to see which of the four most popular browsers would be most efficient when it comes to battery life. Interestingly, Chrome was the first to kill the laptop in the video streaming test at 4 hours and 19 minutes. Firefox closely followed its rival at 5 hours and 9 minutes, while Opera (running on the same tech as Chrome) managed to hit 6 hours and 18 minutes. In Microsoft's tests, it was found that Edge was best of the bunch when it came to enjoying a video online, lasting for 7 hours and 22 minutes. That works out to 70% longer than Chrome. In a blog post, Microsoft wrote: "We designed Microsoft Edge from the ground up to prioritize power efficiency and deliver more battery life, without any special battery saving mode or changes to the default settings. Our testing and data show that you can simply browse longer with Microsoft Edge than with Chrome, Firefox, or Opera on Windows 10 devices."