Microsoft

Microsoft To Force Bing Search in Chrome for Office 365 ProPlus Users (bleepingcomputer.com)

Microsoft has announced that it will install a new Google Chrome extension for some Office 365 ProPlus customers that will force the browser to use Bing as the default search engine "to access relevant workplace information directly from the browser address bar." From a report: The Microsoft Search in Bing extension will be added to all new Office 365 ProPlus installations and when updating to newer releases. The only customers that won't have this Chrome extension installed automatically are those that already have set Bing as their default Chrome search engine. "Microsoft Search is part of Microsoft 365 and is turned on by default for all Microsoft apps that support it," Microsoft says. "Even after Bing is made the default search engine, your users can still change to a different default search engine in Google Chrome on their own."
Microsoft

Microsoft Launches Chromium Edge for Windows 7, Windows 8, Windows 10, and macOS (venturebeat.com)

Microsoft today launched its new Edge browser based on Google's Chromium open source project. You can download Chromium Edge now for Windows 7, Windows 8, Windows 10, and macOS directly from microsoft.com/edge in more than 90 languages. From a report: Business features aside, there's also support for Chrome-based extensions, 4K streaming, Dolby audio, inking in PDF, and privacy tools. For the last one, it's worth noting that tracking prevention is on by default and offers three levels of control, like Firefox's tracking protection. Chrome extension support is probably the most important feature for most users. By default, extensions that have been ported over to Edge can be downloaded from the Microsoft Store. Chromium Edge also has an option to "Allow extensions from other stores" to get Chrome extensions from the Chrome Web Store. There are still a few features missing from Chromium Edge, most notably history sync and extension sync. Microsoft is working on these and some other inking functionality that it still wants to port from legacy Edge, as Microsoft is calling it. Microsoft also claims that Chromium Edge is "twice as fast as legacy Edge." Curiously, the team isn't making any claims against other browsers -- at least not yet.
The Internet

ICANN Wants to Let VeriSign Raise Prices on .Com Domains (theregister.co.uk)

VeriSign has released a "proposed agreement" with ICANN to amend their exclusive .com registry agreement to allow them to raise the price of dotcom registrations up to 28% every six years.

Those new terms "are now open to public comment" -- and the Register points out that ICANN's decision seems to come with a corresponding $20 million for ICANN: Operator of the dot-com registry, Verisign, has decided to pay DNS overseer ICANN $4 million a year for the next five years in order to "educate the wider ICANN community about security threats."

Even though the generous $20 million donation has nothing to do with ICANN signing off on an extension of the dot-com contract until 2024, the "binding letter of intent" [PDF] stating the exact amount of funding will be appended to the registry agreement that Verisign has with ICANN to run the dot-com registry.

That extension lifts a price freeze put in place several years ago and will allow Verisign to increase prices by seven per cent a year [in each of the last four years of each six-year contract renewal]. It's an increase that we calculated was worth $993 million and which the stock market appeared to agree with when it raised the company's share price by 16 per cent when the agreement was first flagged in November 2018...

ICANN explains the $20 million this time will be used to "support ICANN's initiatives to preserve and enhance the security, stability and resiliency of the DNS, including root server system governance, mitigation of DNS security threats, promotion and/or facilitation of DNSSEC deployment, the mitigation of name collisions, and research into the operation of the DNS."

Which is all entirely above board and not at all shady.

Security

Amazon Warned Holiday Shopper That Honey, a Popular Browser Extension, Was a 'Security Risk' (wired.com)

In an apparent swipe at PayPal's recent $4 billion acquisition of Honey, a popular browser extension that tracks prices and discount codes, Amazon labeled the service as "a security risk" for shoppers over the holidays. Wired reports: "Honey tracks your private shopping behavior, collects data like your order history and items saved, and can read or change any of your data on any website you visit," the message read. "To keep your data private and secure, uninstall this extension immediately." It was followed by a hyperlink where users could learn how to do so. Screenshots of the warning were posted to forums and social media by Honey users, like Ryan Hutchins, an editor at Politico.

Honey isn't some obscure browser extension from an unknown developer. Founded in 2012, the Los Angeles-based startup now boasts over 17 million users. It finds discount codes to save shoppers money at tens of thousands of online retailers, including Amazon. Amazon's warning, which began appearing on December 20, confused and angered many of Honey's users, some of whom complained on its official social media channels. The browser extension has been compatible with Amazon since it was founded, and it is a significant part of Honey's appeal. Amazon declined to explain why it decided to label Honey a security risk so suddenly last month. "Our goal is to warn customers about browser extensions that collect personal shopping data without their knowledge or consent," a spokesperson for the company said in a statement. They declined to answer follow-up questions about the basis for that claim.
Honey says in its privacy policy that it doesn't "track your search engine history, emails, or your browsing on any site that is not a retail website."

"We're aware that Droplist and other Honey features were not available on Amazon for a period of time. We know these are tools that people love and worked quickly to restore the functionality. Our extension is not -- and has never been -- a security risk and is safe to use," a Honey spokesperson said.
The Internet

US Finally Prohibits ISPs From Charging For Routers They Don't Provide (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A new U.S. law prohibits broadband and TV providers from charging "rental" fees for equipment that customers have provided themselves. A U.S. government spending bill approved by Congress and signed by President Trump last month includes new requirements for television and broadband providers. A new "consumer right to accurate equipment charges" prohibits the companies from charging customers for "covered equipment provided by the consumer." Covered equipment is defined as "equipment (such as a router) employed on the premises of a person... to provide [TV service] or to provide fixed broadband Internet access service."

The companies may not charge rental or lease fees in cases when "the provider has not provided the equipment to the consumer; or the consumer has returned the equipment to the provider." The new law is an update to the Communications Act and is scheduled to apply six months after passage, which would be June 20. The law gives the Federal Communications Commission an option to extend the deadline by six months if the FCC "finds that good cause exists for such an additional extension."
One ISP in particular that's been requiring customers to pay a monthly fee for equipment they own is Frontier, which charges a $10 a month "Wi-Fi Router" fee, even if the router they use is fully compatible with the service and requires no additional work on Frontier's part.

Frontier told Ars that it will comply with the new law, but it apparently won't give customers a break on rental fees until it's actually in place. "Once the new law is effective, Frontier plans to comply with the requirements," a company spokesperson told them.
Chrome

Chrome Extension Caught Stealing Crypto-Wallet Private Keys (zdnet.com)

A Google Chrome extension was caught injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals. From a report: The extension is named Shitcoin Wallet (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn), and was launched last month, on December 9. According to an introductory blog post, Shitcoin Wallet lets users manage Ether (ETH) coins, but also Ethereum ERC20-based tokens -- tokens usually issued for ICOs (initial coin offerings). Users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser, or they can install a Windows desktop app, if they want to manage their funds from outside a browser's riskier environment. However, the wallet app wasn't what it promised to be. Yesterday, Harry Denley, Director of Security at the MyCrypto platform, discovered that the extension contained malicious code. According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC20-based tokens) managed directly inside the extension are at risk.
China

Retired US General Claims Revolutionary Transport Technology, Warns China Could Dominate Space (thedrive.com)

"Retired Lt. Gen. Steven L. Kwast says fantastic technology exists that could transport a human anywhere on earth within an hour," reports The Drive, in an article shared by schwit1: As has been common as of late, Lt. Gen Kwast cites rapidly growing Chinese military and technological advances as the reason why the United States must invest heavily in new space-based technologies. "We can say today we are dominant in space but the trend lines are what you have to look at and they will pass us in the next few years if we do not do something. They will win this race and then they will put roadblocks up to space," Kwast argues, "because once you get the high ground, that strategic high ground, it's curtains for anybody trying to get to that high ground behind them." Kwast claims China is already building a "Navy in space" complete with the space-based equivalents of "battleships and destroyers" which are "able to maneuver and kill and communicate with dominance, and we [the United States] are not." Kwast's speech centers on the thesis that the United States needs a Space Force in order to counter Chinese advances and win the competition over the economy of the future and, as an extension, who sets the values of the future...

Around the 12:00 mark in the speech, Kwast makes the somewhat bizarre claim that the U.S. currently possesses revolutionary technologies that could render current aerospace capabilities obsolete... "[T]echnology can be built today with technology that is not developmental to deliver any human being from any place on planet Earth to any other place in less than an hour...."

Kwast's comment is only one of several curious comments made by military leadership lately and they do seem to claim that we could be on the precipice of a great leap in transportation technology. We also don't know exactly where he is coming from on all this as it is not necessarily the direct wheelhouse of someone who was running the Air Force's training portfolio, although it does have overlaps...

Is all this setting the stage for a new space race that will benefit mankind by furthering scientific and technological development, or is it ushering in the conditions for the first great space war?

Chromium

Microsoft Begins Accepting Extensions For Its Edge Chromium Browser (inputmag.com)

Microsoft's new Chromium-based Edge browser is now open to developers to submit extensions. The updated version of Edge is set to launch on January 15. From a report: Microsoft says that if a developer has already created an extension for Google Chrome, there shouldn't be any additional work to port it over to Edge Chromium. The browser will be the new default delivered to all 900 million Windows 10 users, so developers should have no reason not to port their extensions over.
Security

Mozilla To Force All Add-on Devs To Use 2FA To Prevent Supply-Chain Attacks (zdnet.com)

Mozilla announced this week that all developers of Firefox add-ons must enable a two-factor authentication (2FA) solution for their account. From a report: "Starting in early 2020, extension developers will be required to have 2FA enabled on AMO [the Mozilla Add-Ons portal]," said Caitlin Neiman, Add-ons Community Manager at Mozilla. "This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users," Neiman added. When this happens, hackers can use the developers' compromised accounts to ship tainted add-on updates to Firefox users. Since Firefox add-ons have a pretty privileged position inside the browser, an attacker can use a compromised add-on to steal passwords, authentication/session cookies, spy on a user's browsing habits, or redirect users to phishing pages or malware download sites. These types of incidents are usually referred to as supply-chain attacks.
Chrome

Chrome Now Warns You When Your Password Has Been Stolen (theverge.com)

Google is rolling out Chrome 79, and it includes a number of password protection improvements. The Verge reports: The biggest addition is that Chrome will now warn you when your password has been stolen as part of a data breach. Google has been warning about reused passwords in a separate browser extension or in its password checkup tool, but the company is now baking this directly into Chrome to provide warnings as you log in to sites on the web.

You can control this new functionality in the sync settings in Chrome, and Google is using strongly hashed and encrypted copies of passwords to match them using multiple layers of encryption. This allows Google to securely match passwords using a technique called private set intersection with blinding. Alongside password warnings, Google is also improving its phishing protection with a real-time option. Google has been using a list of phishing sites that updates every 30 minutes, but the company found that fraudsters have been quickly switching domains or hiding from Google's crawlers. This new real-time protection should generate warnings for 30 percent more cases of phishing.

Mozilla

Mozilla Removes Avast and AVG Extensions From Add-on Portal Over Snooping Claims (zdnet.com)

Mozilla today removed four Firefox extensions made by Avast and its subsidiary AVG after receiving credible reports that the extensions were harvesting user data and browsing histories. From a report: The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons. Mozilla removed the four extensions from its add-ons portal after receiving a report from Wladimir Palant, the creator of the AdBlock Plus ad-blocking extension. Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work -- including detailed user browsing history, a practice prohibited by both Mozilla and Google.
Businesses

US Firms Get 90-Day Extension To Work With Huawei On Rural Networks (npr.org)

The Trump administration is giving American companies another three months to do business with the Chinese telecom giant Huawei, the Commerce Department said Monday. From a report: It is the third time the U.S. has extended a reprieve, which is meant to help ease disruption for Huawei customers. Many Internet and cellphone carriers in rural parts of the U.S. buy networking equipment from Huawei, and the temporary extension means they can keep their networks up to date. "The Temporary General License extension will allow carriers to continue to service customers in some of the most remote areas of the United States who would otherwise be left in the dark," said Commerce Secretary Wilbur Ross in a statement.
Crime

Ask Slashdot: What Should You Do If Someone's Trying To Steal Your Identity?

Long-time Slashdot reader shanen "just got the darnedest phone call..." The caller knew my name and the name of a bank that I've done business with, and obviously my phone number, but beyond that I have no idea what was going on... There is no problem with my account. She was quite clear about that, but she had no clear reason for calling. As I got more and more suspicious, she asked me to wait and she eventually transferred the call to a man, who claimed to be a manager at the bank, but the entire thing stinks to high heaven.

All I could think of was to suggest that I call him back, but he was apparently unable to provide a phone number that I could independently verify. Why not give me the bank's phone number that I could check on the Internet? One would think that I could then transfer to his extension. After almost nine minutes I just hung up, and now I realize that I have the caller's phone number, but that isn't definitive evidence of anything. A scammer might know that blocking the phone number would have made things more suspicious...

So what should I have done? Do you have any similar experiences to share? Or have I missed warnings about some new scam that's going around? Now I realize that they could start from names and phone numbers and just guess for the largest banks. Maybe I got suspicious too quickly, before she could start asking for the personal information she was really after?

The original submission also includes this question: "If it's an identity theft in progress, then I want to stop it and fast, but how can I tell what's going on?" So leave your own thoughts in the comments.

What should you do if you think someone is trying to steal your identity?
Facebook

Facebook, Mozilla, and Cloudflare Announce New TLS Delegated Credentials Standard (zdnet.com)

Facebook, Mozilla, and Cloudflare announced today a new technical specification called TLS Delegated Credentials, currently undergoing standardization at the Internet Engineering Task Force (IETF). From a report: The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection. The TLS Delegated Credentials extension was specifically developed for large website setups, such as Facebook, or for websites using content delivery networks (CDNs), such as Cloudflare. For example, a big website like Facebook has thousands of servers spread all over the world. In order to support HTTPS traffic on all of them, Facebook has to place a copy of its TLS certificate private key on each one. This is a dangerous setup. If an attacker hacks one server and steals the TLS private key, the attacker can impersonate Facebook servers and intercept user traffic until the stolen certificate expires. The same thing is also valid with CDN services like Cloudflare. Anyone hosting an HTTPS website on Cloudflare's infrastructure must upload their TLS private key to Cloudflare's service, which then distributes it to thousands of servers across the world. The TLS Delegated Credentials extension allows site owners to create short-lived TLS private keys (called delegated credentials) that they can deploy to these multi-server setups, instead of the real TLS private key.
Firefox

Mozilla To Stop Supporting Sideloaded Extensions In Firefox (zdnet.com)

An anonymous reader quotes a report from ZDNet: Mozilla has announced today plans to discontinue one of the three methods through which extensions can be installed in Firefox. Starting next year, Firefox users won't be able to install extensions by placing an XPI extension file inside a special folder inside a user's Firefox directory. The method, known as sideloading, was initially created to aid developers of desktop apps. In case they wanted to distribute a Firefox extension with their desktop app, the developers could configure the app's installer to drop a Firefox XPI extension file inside the Firefox browser's folder.

This method has been available to Firefox extension developers since the browser's early days. However, today, Mozilla announced plans to discontinue supporting sideloaded extensions, citing security risks. Mozilla plans to stop supporting this feature next year in a two-phase plan. The first will take place with the release of Firefox 73 in February 2020. Firefox will continue to read sideloaded extensions, but they'll be slowly converted into normal add-ons inside a user's Firefox profile, and made available in the browser's Add-ons section. By March 2020, with the release of Firefox 74, Mozilla plans to completely remove the ability to sideload an extension. By that point, Mozilla hopes that all sideloaded extensions will be moved inside users' Add-ons section.

Chrome

Google Workers Sidestepping Controversial Chrome Tool Sparks Security Worries (cnet.com)

Google is facing a backlash over an internal tool for the company's Chrome browser that some employees worry is intended for spying on workers organizing protests and discussing workplace issues. From a report: To get around using the tool, some employees have turned to third-party browsers. That's prompted at least one security engineer at Google to voice concern over the possible vulnerabilities that using outside software could bring. The tool is a software extension for Google's Chrome browser, which is installed on all employee computers. It's designed to activate when workers create calendar events that include more than 100 people or use more than 10 rooms. Google said the tool is a pop-up reminder that asks people to "be mindful" before setting up large meetings. But some employees have accused Google management of trying to keep tabs on big gatherings. Google has called those claims "categorically false" and said the purpose of the tool is to cut down on calendar spam. To avoid the extension, employees are encouraging each other to use browsers other than Chrome, a Google security engineer wrote in an internal forum, screenshots of which were reviewed by CNET. Those browsers include Chromium, the open-source browser foundation on which Google Chrome is built, the engineer wrote, adding that people shifting to other browsers "has an impact on overall security of this fleet."
Google

Google Accused of Creating Spy Tool To Squelch Worker Dissent (bloomberg.com)

An anonymous reader quotes a report from Bloomberg: Google employees are accusing the company's leadership of developing an internal surveillance tool that they believe will be used to monitor workers' attempts to organize protests and discuss labor rights. Earlier this month, employees said they discovered that a team within the company was creating the new tool for the custom Google Chrome browser installed on all workers' computers and used to search internal systems. The concerns were outlined in a memo written by a Google employee and reviewed by Bloomberg News and by three Google employees who requested anonymity because they aren't authorized to talk to the press.

The tool would automatically report staffers who create a calendar event with more than 10 rooms or 100 participants, according to the employee memo. The most likely explanation, the memo alleged, "is that this is an attempt of leadership to immediately learn about any workers organization attempts." A representative for Alphabet Inc.'s Google said, "These claims about the operation and purpose of this extension are categorically false. This is a pop-up reminder that asks people to be mindful before auto-adding a meeting to the calendars of large numbers of employees." The extension was prompted by an increase in spam around calendars and events, according to Google. It doesn't collect personally identifiable information, nor does it stop the use of calendars but rather adds a speed bump when employees are reaching out to a large group, the company said.

Safari

Apple Neutered Ad Blockers In Safari, But Unlike Chrome, Users Didn't Say a Thing (zdnet.com)

sharkbiter shares a report from ZDNet: Over the course of the last year and a half, Apple has effectively neutered ad blockers in Safari, something for which Google has been heavily criticized all this year. But unlike Google, Apple never received any flak, and came out of the whole process with a reputation of caring about users' privacy, rather than attempting to "neuter ad blockers." The reasons may be Apple's smaller userbase, the fact that changes rolled out across years instead of months, and the fact that Apple doesn't rely on ads for its profits, meaning there was no ulterior motive behind its ecosystem changes.

The reason may have to do with the fact that Apple is known to have a heavy hand in enforcing rules on its App Store, and that developers who generally speak out are usually kicked out. It's either obey or get out. Unlike in Google's case, where Chrome is based on an open-source browser named Chromium and where everyone gets a voice, everything at Apple is a walled garden, with strict rules. Apple was never criticized for effectively "neutering" or "killing ad blockers" in the same way Google has been all this year. In Google's case, the pressure started with extension developers, but it then extended to the public. There was no public pressure on Apple mainly because there aren't really that many Safari users to begin with. With a market share of 3.5%, Safari users aren't even in the same galaxy as Chrome and its 65% market lead.

Furthermore, there is also the problem of public perception. When Apple rolled out a new content blocking feature to replace the old Safari extensions and said it was for everyone's privacy -- as extensions won't be able to access browsing history -- everyone believed it. On the other hand, ads are Google's lifeblood, and when Google announced updates that limited ad blockers, everyone saw it as a secret plan for a big corp to keep its profits intact, rather than an actual security measure, as Google said it was.

Television

'Big Bang Theory' Sets Staggering Multi-Billion-Dollar HBO Max Streaming Deal (hollywoodreporter.com)

'The Big Bang Theory,' an insanely popular comedy show that ended its broadcasting run earlier this year, is now setting more records. From a report: In what is easily a record-setting five-year deal, HBO Max has secured the exclusive domestic streaming rights to The Big Bang Theory. As part of the deal with Warner Bros. Television, the multicamera comedy, created by Chuck Lorre and Bill Prady, has also extended its syndication deal with TBS and will air on the WarnerMedia-owned basic cable network through 2028.

All 12 seasons of the comedy starring Jim Parsons, Johnny Galecki and Kaley Cuoco will be available to stream for the first time ever on WarnerMedia-backed HBO Max when the direct-to-consumer service launches in spring 2020. (A formal launch date has not yet been determined.) Sources estimate that the deal, including both the streaming end and syndication extension, is worth billions of dollars. By comparison, HBO Max paid $425 million over five years ($85 million per year) to move mega-hit Friends from Netflix and onto its own platform. (Friends, like Big Bang Theory, is produced by Warners.)
Further reading: Netflix Lands 'Seinfeld' Rights in $500M-Plus Deal After Losing 'Friends' and 'The Office'; and How 'The Big Bang Theory' Normalized Nerd Culture.
Security

Password-Leaking Bug Purged From LastPass Extensions (arstechnica.com)

Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension. Ars Technica reports: The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the LastPass popupfilltab.html window, rather than through the expected procedure of calling a function called do_popupregister(). In some cases, this unexpected method caused the popups to open with a password of the most recently visited site. "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote. "That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."

On Friday, LastPass published a post that said the bugs had been fixed and described the "limited set of circumstances" required for the flaws to be exploited. "To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times," LastPass representative Ferenc Kun wrote. "This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis."
