Mozilla

Mozilla Launches VPN as Part of Resurrected Firefox Test Pilot Program (venturebeat.com) 11

Mozilla is resurrecting its recently expunged Test Pilot program with a renewed focus on privacy-focused tools and products. The Firefox developer today lifted the lid on the first product to emerge from the new Test Pilot, and it appears to be something akin to a virtual private network (VPN) in all but name. From a report: Firefox Private Network, as the new tool is called, is available in beta today for logged-in Firefox desktop users in the U.S. only, and is accessible through a browser extension. By way of a quick recap, Mozilla debuted Firefox Test Pilot a decade ago but then relaunched it back in 2016. Test Pilot went on to attain an average of 100,000 daily users, each looking to test Mozilla's latest developments -- including a price-tracking feature for online shoppers, content recommendations based on browsing activity, and more.

Some of these became full-fledged features within Firefox and others did not, but back in January Mozilla announced it was killing its Test Pilot program altogether. This came as something of a surprise given Mozilla's own statements about the success of the program. At the time, Mozilla said it was "evolving" its approach to experimentation and suggested it was looking to ideate more widely across the company. Fast-forward nine months, and Firefox Test Pilot is back for a third time.

Data Storage

Samsung Announces Standards-Compliant Key-Value SSD Prototype (anandtech.com) 74

Samsung has announced a new prototype key-value SSD that is compatible with the first industry standard API for key-value storage devices. "Earlier this year, the Object Drives working group of Storage Networking Industry Association (SNIA) published version 1.0 of the Key Value Storage API Specification," reports AnandTech. "Samsung has added support for this new API to their ongoing key-value SSD project." From the report: Samsung has been working on key-value SSDs for quite a while, and they have been publicly developing open-source software to support KV SSDs for over a year, including the basic libraries and drivers needed to access KV SSDs as well as a sample benchmarking tool and a Ceph backend. The prototype drives they have previously discussed have been based on their PM983 datacenter NVMe drives with TLC NAND, using custom firmware to enable the key-value interface. Those drives support key lengths from 4 to 255 bytes and value lengths up to 2MB, and it is likely that Samsung's new prototype is based on the same hardware platform and retains similar size limits.

Samsung's Platform Development Kit software for key-value SSDs originally supported their own software API, but now additionally supports the vendor-neutral SNIA standard API. The prototype drives are currently available for companies that are interested in developing software to use KV SSDs. Samsung's KV SSDs probably will not move from prototype status to being mass production products until after the corresponding key-value command set extension to NVMe is finalized, so that KV SSDs can be supported without needing a custom NVMe driver. The SNIA standard API for key-value drives is a high-level transport-agnostic API that can support drives using NVMe, SAS or SATA interfaces, but each of those protocols needs to be extended with key-value support.

Books

Microsoft Is Killing EPUB Support In Edge Classic (thurrott.com) 68

Microsoft is killing support for the EPUB document format in Edge classic, and it won't be supported in the new, Chromium-based version of Microsoft Edge. Thurrott reports: "Download an .epub app to keep reading," a notification in Edge classic reads when you load an EPUB document. "Microsoft Edge will no longer be supporting [sic] e-books that use the .epub file extension. Visit the Microsoft Store to see our recommended .epub apps." Aside from the contorted grammar and word usage in the notification -- it's "support" not "be supporting," Microsoft -- the linked webpage is a "Reading room" area on the Microsoft Store that includes audiobook apps in addition to e-book apps. So good luck with that.

Microsoft provides a more grammatically correct explanation for the change on its Microsoft Edge support site, which notes that "Microsoft Edge will no longer support e-books that use the .epub file extension." The site also links to the same terrible Microsoft Store area, but adds that "you can expect to see more added over time as we partner with companies like the DAISY Consortium to add additional, accessible apps... These apps are expected to be available in the Microsoft Store after September 2019." Given that, it's likely that EPUB support will disappear in Edge classic sometime after those apps appear in the Store.

Security

Intel, Google, Microsoft, and Others Launch Confidential Computing Consortium for Data Security (venturebeat.com) 44

Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced intent to form the Confidential Computing Consortium to improve security for data in use. From a report: Established by the Linux Foundation, the organization plans to bring together hardware vendors, developers, open source experts, and others to promote the use of confidential computing, advance common open source standards, and better protect data. "Confidential computing focuses on securing data in use. Current approaches to securing data often address data at rest (storage) and in transit (network), but encrypting data in use is possibly the most challenging step to providing a fully encrypted lifecycle for sensitive data," the Linux Foundation said today in a joint statement. "Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system and reduce exposure for sensitive data and provide greater control and transparency for users."

The consortium also said the group was formed because confidential computing will become more important as more enterprise organizations move between different compute environments like the public cloud, on-premises servers, or the edge. To get things started, companies made a series of open source project contributions including Intel Software Guard Extension (SGX), an SDK for code protection at the hardware layer.

Government

US Set To Give Huawei Another 90 Days To Buy From American Suppliers (reuters.com) 18

An anonymous reader quotes a report from Reuters: The U.S. Commerce Department is expected to extend a reprieve given to Huawei Technologies that permits the Chinese firm to buy supplies from U.S. companies so that it can service existing customers, two sources familiar with the situation said. The "temporary general license" will be extended for Huawei for 90 days, the sources said.

Commerce initially allowed Huawei to purchase some American-made goods in May shortly after blacklisting the company in a move aimed at minimizing disruption for its customers, many of which operate networks in rural America. An extension will renew an agreement set to lapse on August 19, continuing the Chinese company's ability to maintain existing telecommunications networks and provide software updates to Huawei handsets. The situation surrounding the license, which has become a key bargaining chip for the United States in its trade negotiations with China, remains fluid and the decision to continue the Huawei reprieve could change ahead of the Monday deadline, the sources said.

Security

Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says (vice.com) 58

A new Google study this week confirmed the obvious: internet users need to stop using the same password for multiple websites unless they're keen on having their data hijacked, their identity stolen, or worse. From a report: It seems like not a day goes by without a major company being hacked or leaving user email addresses and passwords exposed to the public internet. These login credentials are then routinely used by hackers to hijack your accounts, a threat that's largely mitigated by using a password manager and unique password for each site you visit. Sites like "have I been pwned?" can help users track if their data has been exposed, and whether they need to worry about their credentials bouncing around the dark web. But it's still a confusing process for many users unsure of which passwords need updating.

To that end, last February Google unveiled a new experimental Password Checkup extension for Chrome. The extension warns you any time you log into a website using one of over 4 billion publicly-accessible usernames and passwords that have been previously exposed by a major hack or breach, and prompts you to change your password when necessary. The extension was built in concert with cryptography experts at Stanford University to ensure that Google never learns your usernames or passwords, the company says in an explainer. Anonymous telemetry data culled from the extension has provided Google with some interesting information on how widespread the practice of account hijacking and non-unique passwords really is.

Google

Half of All Google Chrome Extensions Have Fewer Than 16 Installs (zdnet.com) 56

There are 188,620 extensions available on the Chrome Web Store, and while you might think this provides a wide variety of choices for Chrome users, in reality, most of these extensions are dead or dwindling, with very few having active installations. From a report: All in all, about 50% of all Chrome extensions have fewer than 16 installs, meaning that half of the Chrome extension ecosystem is actually more of a ghost town, according to a recent scan of the entire Chrome Web Store conducted by Extension Monitor. Further, 19,379 extensions (just over 10%) have zero installs, and 25,540 extensions (13% of the total) have just one user. The scan found that there are very few Chrome extensions that managed to establish a dedicated user base. According to Extension Monitor, around 87% of all extensions have fewer than 1,000 installs.

Google

Google's Plans for Chrome Extensions 'Won't Really Help Security', Argues EFF (eff.org) 35

Is Google making the wrong response to the DataSpii report on a "catastrophic data leak"? The EFF writes: In response to questions about DataSpii from Ars Technica, Google officials pointed out that they have "announced technical changes to how extensions work that will mitigate or prevent this behavior." Here, Google is referring to its controversial set of proposed changes to curtail extension capabilities, known as Manifest V3.

As both security experts and the developers of extensions that will be greatly harmed by Manifest V3, we're here to tell you: Google's statement just isn't true. Manifest V3 is a blunt instrument that will do little to improve security while severely limiting future innovation... The only part of Manifest V3 that goes directly to the heart of stopping DataSpii-like abuses is banning remotely hosted code. You can't ensure extensions are what they appear to be if you give them the ability to download new instructions after they're installed.

But you don't need the rest of Google's proposed API changes to stop this narrow form of bad extension behavior. What Manifest V3 does do is stifle innovation...

The EFF makes the following arguments against Google's proposal:
  • Manifest V3 will still allow extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit
  • Manifest V3 won't change anything about how "content scripts" work...another way to extract user browsing data.
  • Chrome will still allow users to give extensions permission to run on all sites.

In response Google argued to Forbes that the EFF "fails to account for the proposed changes to how permissions work. It is the combination of these two changes, along with others included in the proposal, that would have prevented or significantly mitigated incidents such as this one."

But the EFF's technology projects director also gave Forbes their response. "We agree that Google isn't killing ad-blockers. But they are killing a wide range of security and privacy enhancing extensions, and so far they haven't justified why that's necessary."

And in the same article, security researcher Sean Wright added that Google's proposed change "appears to do little to prevent rogue extensions from obtaining information from loaded sites, which is certainly a privacy issue and it looks as if the V3 changes don't help."

The EFF suggests Google just do a better job of reviewing extensions.

Chrome

Google Just Stopped Displaying 'www' and 'https' In Chrome's Address Bar (techrepublic.com) 185

"Google has finally chopped the 'www' from Chrome's address bar after delaying the controversial move due to a backlash," reports TechRepublic: The move to remove 'www' was initially planned for last year, when Google announced it would cut "trivial subdomains" from the address bar in Chrome 69. Now Google has begun truncating the visible URL in Chrome for desktop and Android, rolling out the change in version 76 of the browser, released this week. By default sites in Chrome now no longer display the "https" scheme or the "www" subdomain, with the visible address starting after this point. To view the full URL, users now have to click the address bar twice on desktop and once on mobile. Google has argued the move is driven by a desire for greater simplicity and usability of Chrome...

However the announcement provoked a fresh wave of criticism, from those who say the move will confuse users and even potentially make it easier for them to inadvertently connect to fake sites... There are also some who claim Google's motivation in changing how the URL is displayed may be to make it harder for users to tell whether they are on a page hosted on Google's Accelerated Mobile Pages subdomain...

Google says it has also built a Chrome extension that doesn't obfuscate the URL to "help power users recognize suspicious sites and report them to Safe Browsing". Despite the backlash from some online, Chrome isn't the first browser to truncate the URL in this way, with Apple's Safari similarly hiding the full address.

Security

GermanWiper Ransomware Hits Germany Hard, Destroys Files, Asks For Ransom (zdnet.com) 89

An anonymous reader quotes a report from ZDNet: For the past week, a new ransomware strain has been wreaking havoc across Germany. Named GermanWiper, this ransomware doesn't encrypt files but instead it rewrites their content with zeroes, permanently destroying users' data. As a result, any users who get infected by this ransomware should be aware that paying the ransom demand will not help them recover their files. Unless users had created offline backups of their data, their files are most likely gone for good. For now, the only good news is that this ransomware appears to be limited to spreading in German-speaking countries only, and with a focus on Germany primarily.

According to German security researcher Marius Genheimer and CERT-Bund, Germany's Computer Emergency Response Team, the GermanWiper ransomware is currently being distributed via malicious email spam (malspam) campaigns. These emails claim to be job applications from a person named "Lena Kretschmer." A CV is attached as a ZIP file to these emails, and contains a LNK shortcut file. The LNK file is booby-trapped and will install the GermanWiper ransomware. When users run this file, the ransomware will rewrite the content of various local files with the 0x00 (zero character), and append a new extension to all files. This extension has a format of five random alpha-numerical characters, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc. After it "encrypts" all targeted files, GermanWiper will open the ransom note (an HTML file) inside the user's default browser. The ransom note looks like the one below. A video of the infection process is also available here. Victims are given seven days to pay the ransom demand. It is important to remember that paying the ransom note won't help users recover their files.

United States

Hawaii Extends Thirty Meter Telescope Permit Amid Protesters (npr.org) 154

In a move intended to de-escalate a standoff between scientists and native Hawaiians blocking the construction of a massive telescope on a mountaintop they believe to be sacred land, Gov. David Ige on Tuesday night rescinded an emergency proclamation that was issued to help remove demonstrators. NPR reports: Ige made the announcement at a press conference saying there are no immediate plans to move heavy construction equipment onto Mauna Kea, the intended site of the Thirty Meter Telescope, which is expected to be the largest in the world, looking farther back into space and time than any other instrument is capable of doing. "Because TMT construction is not imminent, I am withdrawing the emergency proclamation effective immediately," Ige said in a tweet. "I remain committed to moving forward with this project in a peaceful way and will continue efforts to engage the community."

He cautioned the large crowds who have gathered in protest at the base of the mountain since mid-July, when construction was set to start, of hazardous conditions "in light of the potential bad weather." Ige's move followed a decision by the Department of Land and Natural Resources to grant a two-year extension of the Conservation District Use permit deadline for the initiation of construction.

Privacy

In 80 Days, Google Will Require Chrome Extensions To Request 'The Least Amount of Data' (pcmag.com) 40

"Google is giving Chrome extension makers until October 15 to minimize the amount of data they collect during browser sessions or face expulsion from the Chrome Web Store," reports PC Magazine: The change addresses how the extensions generally need to request certain permissions from your browser in order to function. However, some of these permissions can be pretty powerful; they can include the ability to take desktop screenshots, capture audio from a microphone, and collect data from the local file system, among other things, which can open the door to potential abuse.

The risks prompted Google to work toward securing the 180,000+ Chrome extensions on the company's official web store. "We're requiring extensions to only request access to the least amount of data," the company said in a Tuesday blog post. "While this has previously been encouraged of developers, now we're making this a requirement for all extensions."

Movies

Blade Runner Actor Rutger Hauer Dies Aged 75 (bbc.com) 135

ikhider writes: Breukelen, Amsterdam-born actor Rutger Hauer, who played Roy Batty in the 1982 sci-fi classic Blade Runner and improvised the "tears in the rain" dialogue as his android character died, has also passed away, last Friday after an illness. His funeral was held on Wednesday, July 24th. Hauer starred in TV since 1969 and then went on to movies like Sin City and Batman Begins, but is best known as Roy Batty, the android built with a four-year lifespan who, with fellow androids, desperately wanted an extension. His costars paid tribute via social media. Perhaps we, the fans, can do so with private screenings of one of the Director's Cuts of Blade Runner.

Businesses

Nomads Travel To America's Backroads and Walmarts -- to Stock Amazon's Shelves (theverge.com) 136

The Verge recently profiled "a small group of merchants who travel the backroads of America searching clearance aisles and dying chains for goods to sell on Amazon.

"Some live out of RVs and vans, moving from town to town, only stopping long enough to pick the stores clean and ship their wares to Amazon's fulfillment centers." The majority of goods sold on Amazon are not sold by Amazon itself, but by more than 2 million merchants who use the company's platform as their storefront and infrastructure. Some of these sellers make their own products, while others practice arbitrage, buying and reselling wares from other retailers. Amazon has made this easy to do, first by launching Fulfillment by Amazon, which allows sellers to send their goods to company warehouses and have Amazon handle storage and delivery, and then with an app that lets sellers scan goods to instantly check whether they'd be profitable to sell on the site. A few sellers, like [Chris] Anderson, have figured out that the best way to find lucrative products is to be mobile, scouring remote stores and chasing hot-selling items from coast to coast.

"It's almost like I'm the front end of the business and Amazon is just an extension of my arm," says Sean-Patrick Iles, a nomad who spent weeks driving cross-country during Toys R Us' final days. It was a feeding frenzy Anderson and others also hit the road for...

For Anderson, the holy grail is the Bounce Dryer Bar, a $5 plastic oblong you affix to the dryer rather than adding a dryer sheet to each load. Now discontinued, a two-pack sells on Amazon for $300. Discontinued nail polish, Pop-Tarts, hair curling products: Anderson has chased them all when the scanner has shown them fetching multiples of their normal price. He once hunted a particular brand of discontinued dental floss across the Big Lots of America, buying six-packs for 99 cents and selling them on Amazon for over $100 apiece.

According to the article, Anderson "thinks the constant travel is part of why his marriage ended..."

Chrome

Sneaky Chrome Extension Disguises Netflix As a Google Hangout To Help You Slack Off At Work 33

Netflix Hangouts is a new Chrome extension that tries to make it easier to get away with watching Netflix while you're supposed to be working. Just go to the show you want to catch up on during work hours, and press the extension's icon in your Chrome menu to bring up a fake four-person conference call. Then you can sit back and watch the show in the window's bottom right feed while three fake colleagues get down to business. The Verge reports: The extension was developed by Mschf Internet Studios, which has produced a few internet curiosities like this over the years. There was the Slack channel that offered $1,000 in prize money for the first person to correctly guess each word of the day (it was shut down by Slack after just a week), a man who ate various foods as disgusting ice cream toppings, and who could forget Tabagotchi, the lovable virtual avatar that slowly died as you opened more and more tabs? Netflix Hangouts is the latest in a long line of services designed to let you slack off at work.

Businesses

Jony Ive Left Apple Because of CEO Tim Cook's Lack of Interest in Product Design, Report Says (theverge.com) 140

To many, Jony Ive's departure from Apple last week felt very sudden. But a narrative is forming to suggest that he's been slowly drifting apart from the company for several years as the iPhone maker's priorities shifted from product design to operations. Here are some of the highlights from The Wall Street Journal [paywalled] piece: Ive was "dispirited" by Tim Cook who "showed little interest in the product development process," according to sources speaking to the WSJ. Ive grew increasingly frustrated as Apple's board was populated by directors with backgrounds unrelated to the company's core business. Ive disagreed with "some Apple leaders" on how to position the Apple Watch. Ive pushed for the Apple Watch to be sold as a fashion accessory, not as an extension of the iPhone. The product that went on sale was a compromise. Apple only sold a quarter of what the company forecasted in the first year, according to the WSJ, with "thousands" of the $17,000 gold Apple Watch Edition left unsold. Further reading: 'Apple is Not in Trouble Because Jony Ive is Leaving, It Is in Trouble Because He's Not Being Replaced'.

Chrome

Google Launches Chrome Extension For Flagging Bad URLs To the Safe Browsing Team (zdnet.com) 26

Google today launched a new Chrome extension that will simplify the process of reporting a malicious site to the Google Safe Browsing team so that it can be analyzed, reviewed, and blacklisted in Chrome and other browsers that support the Safe Browsing API. From a report: Named the Suspicious Site Reporter, this extension adds an icon to the Google Chrome toolbar that when pressed, opens a popup window from where users can file an automatic report for the current site they're on, and which they suspect might be up to no good. "If the site is added to Safe Browsing's lists, you'll not only protect Chrome users but users of other browsers and across the entire web," said Emily Schechter, Chrome Product Manager. The Safe Browsing API is implemented not only in the mobile and desktop versions of Chrome but also in the mobile and desktop versions of Mozilla Firefox and Apple's Safari.

Privacy

A New Hidden Way of Web Browser Profiling, Identification and Tracking (theregister.co.uk) 72

Researchers from Austria's Graz University of Technology "have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware," reports The Register.

The researchers recently presented a paper titled "JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits," which The Register says "calls into question the effectiveness of anonymized browsing and browser privacy extensions... "

Long-time Slashdot reader Artem S. Tashkinov shared their report: One of the side-channel attacks developed for JavaScript Template Attacks involves measuring runtime differences between two code snippets to infer the underlying instruction set architecture through variations in JIT compiler behavior. The other involves measuring timing differences in the memory allocator to infer the allocated size of a memory region.

The boffins' exploration of the JavaScript environment reveals not only the ability to fingerprint via browser version, installed privacy extension, privacy mode, operating system, device microarchitecture, and virtual machine, but also the properties of JavaScript objects. And their research shows there are far more of these than are covered in official documentation. This means browser fingerprints have the potential to be far more detailed -- have more data points -- than they are now.

The Mozilla Developer Network documentation for Firefox, for example, covers 2,247 browser properties. The researchers were able to capture 15,709. Though not all of these are usable for fingerprinting and some represent duplicates, they say they found about 10,000 usable properties for all browsers.

AI

Security Cameras + AI = Dawn of Non-Stop Robot Surveillance (aclu.org) 103

AmiMoJo shared this post from one of the ACLU's senior technology policy analysts about what happens when security cameras get AI upgrades: [I]magine that all that video were being watched -- that millions of security guards were monitoring them all 24/7. Imagine this army is made up of guards who don't need to be paid, who never get bored, who never sleep, who never miss a detail, and who have total recall for everything they've seen. Such an army of watchers could scrutinize every person they see for signs of "suspicious" behavior. With unlimited time and attention, they could also record details about all of the people they see -- their clothing, their expressions and emotions, their body language, the people they are with and how they relate to them, and their every activity and motion...

The guards won't be human, of course -- they'll be AI agents.

Today we're publishing a report on a $3.2 billion industry building a technology known as "video analytics," which is starting to augment surveillance cameras around the world and has the potential to turn them into just that kind of nightmarish army of unblinking watchers.... Many or most of these technologies will be somewhere between unreliable and utterly bogus. Based on experience, however, that often won't stop them from being deployed -- and from hurting innocent people...

We are still in the early days of a revolution in computer vision, and we don't know how AI will progress, but we need to keep in mind that progress in artificial intelligence may end up being extremely rapid. We could, in the not-so-distant future, end up living under armies of computerized watchers with intelligence at or near human levels. These AI watchers, if unchecked, are likely to proliferate in American life until they number in the billions, representing an extension of corporate and bureaucratic power into the tendrils of our lives, watching over each of us and constantly shaping our behavior... Policymakers must contend with this technology's enormous power. They should prohibit its use for mass surveillance, narrow its deployments, and create rules to minimize abuse.

They argue that the threat is just starting to emerge. "It is as if a great surveillance machine has been growing up around us, but largely dumb and inert -- and is now, in a meaningful sense, 'waking up.'"

Google

Google Promises To Play Nice With Ad Blockers (Again) (zdnet.com) 138

An anonymous reader shares a report: After being ripped to shreds by angry users, Google engineers have promised this week that the upcoming changes to Chrome's extensions system won't cripple ad blockers, as everyone is fearing. Instead, the company claims that the new extension API changes will actually improve user privacy and bring speed improvements. Furthermore, Google also promised to raise a maximum limit in one of the upcoming APIs that should address and lay to rest the primary criticism brought against the new extensions API by developers of ad blockers during the last six months.
