Firefox

Firefox Starts Blocking Third-Party Cookies By Default (venturebeat.com) 51

An anonymous reader quotes a report from VentureBeat: Mozilla today announced a slew of privacy improvements. The company has turned on Enhanced Tracking Protection, which blocks cookies from third-party trackers in Firefox, by default. Mozilla has also improved its Facebook Container extension, released a Firefox desktop extension for its rebranded Lockwise password keeper, and updated Firefox Monitor with a dashboard for multiple email addresses.

If you download a fresh copy of Firefox today, Enhanced Tracking Protection will be on by default as part of the Standard setting. That means third-party tracking cookies are blocked without users having to change a thing. You will notice Enhanced Tracking Protection working if there is a shield icon in the address bar. If you click on the shield icon and open the Content Blocking section and then Cookies, you'll see a Blocking Tracking Cookies section. There you can see the companies listed as third-party cookies and trackers that Firefox has blocked. You can also turn off blocking for a specific site. The feature focuses on third-party trackers (the ad industry) while allowing first-party cookies (logins, where you last left off, and so on). Mozilla says it is enabling Enhanced Tracking Protection by default because most users don't change their browser settings.

Firefox

Firefox Starts Blocking Third-Party Cookies By Default (venturebeat.com) 69

An anonymous reader writes: Mozilla today announced a slew of privacy improvements. The company has turned on Enhanced Tracking Protection, which blocks cookies from third-party trackers in Firefox, by default. Mozilla has also improved its Facebook Container extension, released a Firefox desktop extension for its rebranded Lockwise password keeper, and updated Firefox Monitor with a dashboard for multiple email addresses. Mozilla added basic Tracking Protection to Firefox 42's private browsing mode in November 2015. The feature blocked website elements (ads, analytics trackers, and social share buttons) based on Disconnect's tracking protection rules. With the release of Firefox 57 in November 2017, Mozilla added an option to enable Tracking Protection outside of private browsing. (Tracking Protection was not turned on by default because it can break websites and cut off revenue streams for content creators who depend on third-party advertising.)
Advertising

Google Struggles To Justify Why It's Restricting Ad Blockers In Chrome (vice.com) 178

An anonymous reader quotes a report from Vice News: Google has found itself under fire for plans to limit the effectiveness of popular ad blocking extensions in Chrome. While Google says the changes are necessary to protect the "user experience" and improve extension security, developers and consumer advocates say the company's real motive is money and control. In the wake of ongoing backlash to the proposal, Chrome software security engineer Chris Palmer took to Twitter this week to claim the move was intended to help improve the end-user browsing experience, and paid enterprise users would be exempt from the changes.

Chrome security leader Justin Schuh also said the changes were driven by privacy and security concerns. Adblock developers, however, aren't buying it. uBlock Origin developer Raymond Hill, for example, argued this week that if user experience was the goal, there were other solutions that wouldn't hamstring existing extensions. "Web pages load slow because of bloat, not because of the blocking ability of the webRequest API -- at least for well crafted extensions," Hill said. Hill said that Google's motivation here had little to do with the end user experience, and far more to do with protecting advertising revenues from the rising popularity of adblock extensions.
The team behind the EFF's Privacy Badger ad-blocking extension also spoke out against the changes. "Google's claim that these new limitations are needed to improve performance is at odds with the state of the internet," the organization said. "Sites today are bloated with trackers that consume data and slow down the user experience. Tracker blockers have improved the performance and user experience of many sites and the user experience. Why not let independent developers innovate where the Chrome team isn't?"
Chrome

Google Threatens To Delist Chrome Extensions Installed by Deceptive Tactics (zdnet.com) 37

Google is cracking down again on deceptive Chrome extension installation practices. The browser maker listed new rules yesterday that extension developers must follow, or face the possibility of having their extension removed from the official Chrome Web Store. From a report: These new rules come after last year Google banned the installation of Chrome extensions via third-party sites (called inline installs) and limited the installation process to users visiting the extension's official Chrome Web Store page only. [...] But yesterday, Google announced plans to remove all Chrome extensions that abuse the following tactics to trick users towards pressing the "Add to Chrome" button: 1. Extensions that lack a clear "disclosure" that explains to users what they can expect by installing the Chrome extension. 2. Extensions that use misleading disclosures or explanations for the extension's purpose. 3. Hiding disclosure texts (extension's purpose) in large blocks of text, down the page, or using text and fonts that make the disclosure unreadable. 4. Using misleading interactive elements (such as buttons or forms) that trick the user into believing they're taking an action, but unknown to them, they are actually installing a Chrome extension. [...]
Advertising

Google To Restrict Modern Ad Blocking Chrome Extensions To Enterprise Users (9to5google.com) 312

Earlier this year, Google proposed changes to the open-source Chromium browser that would break content-blocking extensions, including various ad blockers. Despite the overwhelming negative feedback to the move, Google appears to be standing firm on the changes, sharing that current ad blocking capabilities will be restricted to enterprise users. 9to5Google reports: Manifest V3 comprises a major change to Chrome's extensions system, including a revamp to the permissions system and a fundamental change to the way ad blockers operate. In particular, modern ad blockers, like uBlock Origin and Ghostery, use Chrome's webRequest API to block ads before they're even downloaded. With the Manifest V3 proposal, Google deprecates the webRequest API's ability to block a particular request before it's loaded. As you would expect, power users and extension developers alike criticized Google's proposal for limiting the user's ability to browse the web as they see fit.

Now, months later, Google has responded to some of the various issues raised by the community, sharing more details on the changes to permissions and more. The most notable aspect of their response, however, is a single sentence buried in the text, clarifying their changes to ad blocking and privacy blocking extensions: "Chrome is deprecating the blocking capabilities of the webRequest API in Manifest V3, not the entire webRequest API (though blocking will still be available to enterprise deployments)." Google is essentially saying that Chrome will still have the capability to block unwanted content, but this will be restricted to only paid, enterprise users of Chrome. This is likely to allow enterprise customers to develop in-house Chrome extensions, not for ad blocking usage.

Android

Huawei's Android Replacement OS Will Launch in June, Company Exec Says (techradar.com) 72

Huawei's home-grown operating system -- codenamed HongMeng -- that's set to replace Android once the Huawei ban from Google comes into full effect, will be commercially rolled out next month, a Middle East head for the firm revealed exclusively to TechRadar Middle East. From a report: On May 20, Google announced that it would partially cut off Huawei devices from its Android operating system but was given an extension till August 19 by the US White House. "Huawei knew this was coming and was preparing. The OS was ready in January 2018 and this was our 'Plan B'," said Alaa Elshimy, Managing Director and Vice President of Huawei Enterprise Business Group Middle East. "We did not want to bring the OS to the market as we had a strong relationship with Google and others and did not want to ruin the relationship. Now, we are rolling it out next month."
Open Source

GitHub Launches Sponsors, Lets You Pay Your Favorite Open-Source Contributors (techcrunch.com) 85

GitHub today launched Sponsors, a new tool that lets you give financial support to open-source developers through recurring monthly payments. Developers will be able to opt into having a "Sponsor me" button on their GitHub repositories and open-source projects will also be able to highlight their funding models, no matter whether that's individual contributions to developers or using Patreon, Tidelift, Ko-fi or Open Collective. TechCrunch reports: The mission here, GitHub says, is to "expand the opportunities to participate in and build on open source." That's likely to be a bit controversial among some open-source developers who don't want financial interests to influence what people will work on. And there may be some truth to that as this may drive open-source developers to focus on projects that are more likely to attract financial contributions over more esoteric projects that are interesting and challenging but aren't likely to find financial backers on GitHub.

The program is only open to open-source developers. During the first year of a developer's participation, GitHub (and by extension, its corporate overlords at Microsoft) will also match up to $5,000 in contributions. For the next 12 months, GitHub won't charge any payment processing fees either (though it will do so after this time is over). GitHub tells me that developers will be able to set up multiple sponsorship tiers with benefits that can be set by the developer, too. In many ways, then, this isn't all that different from sponsoring a Twitch streamer, for example, with monthly payments and special benefits depending on how much you pay.

AI

Microsoft Wants To Apply AI 'To the Entire Application Developer Lifecycle' (venturebeat.com) 69

An anonymous reader writes: At its Build 2018 developer conference a year ago, Microsoft previewed Visual Studio IntelliCode, which uses AI to offer intelligent suggestions that improve code quality and productivity. In April, Microsoft launched Visual Studio 2019 for Windows and Mac. At that point, IntelliCode was still an optional extension that Microsoft was openly offering as a preview. But at Build 2019 earlier this month, Microsoft shared that IntelliCode's capabilities are now generally available for C# and XAML in Visual Studio 2019 and for Java, JavaScript, TypeScript, and Python in Visual Studio Code. Microsoft also now includes IntelliCode by default in Visual Studio 2019. IntelliCode has come a long way since May 2018, but Microsoft is only getting started. When it comes to using AI to aid developers, the company wants to help at every step of the way, according to Amanda Silver, a director of Microsoft's developer division.

"If you look at the entire application developer lifecycle, from code review to testing to continuous integration, and so on, there are opportunities at every single stage for machine learning to help," Silver told VentureBeat. "IntelliCode is, very broadly, the notion that we want to take artificial intelligence -- and really machine learning techniques -- and allow that to make developers and development teams more productive. IntelliCode is really only at the early stages -- authoring and helping to focus code reviews. But over time, we really think that we can apply it to the entire application developer lifecycle."

Encryption

New John the Ripper Cracks Passwords On FPGAs 58

Long-time Slashdot reader solardiz has long been an advocate for bringing security to open environments. Wednesday he contacted Slashdot to share this update about a piece of software he's authored called John the Ripper: John the Ripper is the oldest still evolving password cracker program (and Open Source project), first released in 1996. John the Ripper 1.9.0-jumbo-1, which has just been announced with a lengthy list of changes, is the first release to include FPGA support (in addition to CPU, GPU, and Xeon Phi). This is a long-awaited (or long-delayed) major release, encompassing 4.5 years of development and 6000+ commits by 80+ contributors. From the announcement:

"Added FPGA support for 7 hash types for ZTEX 1.15y boards [...] we support: bcrypt, descrypt (including its bigcrypt extension), sha512crypt & Drupal7, sha256crypt, md5crypt (including its Apache apr1 and AIX smd5 variations) & phpass. As far as we're aware, several of these are implemented on FPGA for the very first time. For bcrypt, our ~119k c/s at cost 5 in ~27W greatly outperforms latest high-end GPUs per board, per dollar, and per Watt. [...] We also support multi-board clusters (tested [...] for up to 16 boards, thus 64 FPGAs, [...] on a Raspberry Pi 2 host)."
Businesses

Fourth-Largest Coal Producer In the US Files For Bankruptcy (arstechnica.com) 256

An anonymous reader quotes a report from Ars Technica: Cloud Peak Energy, the U.S.' fourth-largest coal mining company, filed for Chapter 11 bankruptcy late last week as the company missed an extension deadline to make a $1.8 million loan payment. In a statement, Cloud Peak said it will continue to operate its three massive coal mines in Wyoming and Montana while it goes through the restructuring process. Colin Marshall, the president and CEO of the company, said that he believed a sale of the company's assets "will provide the best opportunity to maximize value for Cloud Peak Energy."

Cloud Peak was one of the few major coal producers who escaped the significant coal industry downturn between 2015 and 2016. That bought it a reputation for prudence and business acumen. But thinning margins have strained the mining company as customers for thermal coal continue to dry up. Coal-fired electricity is expected to fall this summer, even though summer months are usually boom times for coal plants as air conditioning bolsters electricity demand. That's because cheap natural gas and a boost in renewable capacity have displaced dirtier, more expensive coal. According to the Casper Star Tribune, Cloud Peak shipped 50 million tons of coal in 2018. The paper noted that after the bankruptcy filing, "speculation almost immediately began that Cloud Peak would sell its mines."

Microsoft

Microsoft is Bringing Visual Studio To the Browser, Unveils .NET 5 (venturebeat.com) 30

Krystalo writes: At its developer conference Build today, Microsoft previewed new Visual Studio features for remote work, the .NET roadmap, and launched ML.NET 1.0. In April, Microsoft launched Visual Studio 2019 for Windows and Mac. Two notable features were Visual Studio Live Share, a real-time collaboration tool included with Visual Studio 2019, and Visual Studio IntelliCode, an extension offering AI-assisted code completion. At Build 2019, Microsoft shared that IntelliCode's capabilities are now generally available for C# and XAML in Visual Studio 2019 and for Java, JavaScript, TypeScript, and Python in Visual Studio Code. And IntelliCode is now included by default in Visual Studio 2019, starting in version 16.1 Preview 2. The company also previewed an algorithm that can locally track your edits -- repeated edit detection -- and suggest other places where you need that same change. But that's just the tip of the iceberg. Microsoft is experimenting with features that let developers work from anywhere, on any device. The company today announced a private preview for three such new capabilities: Remote-powered developer tools, cloud-hosted developer environments, and a browser-based web companion tool. If the future of work is remote, Microsoft wants to be ready.

[...] Microsoft also announced that it is skipping .NET 4 to avoid confusion with the .NET Framework, which has been on version 4 for years. Going forward, developers will be able to use .NET to target Windows, Linux, macOS, iOS, Android, tvOS, watchOS, WebAssembly, and more. .NET Core 3 will be succeeded by .NET 5, featuring new .NET APIs, runtime capabilities, and language features. Calling it .NET 5 makes it the highest version Microsoft has ever shipped and indicates that the company hopes it is the future for the .NET platform. .NET Core 3 closes much of the remaining capability gap with .NET Framework 4.8, enabling Windows Forms, WPF, and Entity Framework 6. .NET 5 will build on this work, Microsoft says, combining .NET Core, .NET Framework, Xamarin, and Mono (the original cross-platform implementation of .NET) into a single platform. .NET 5 will provide both Just-in-Time (JIT) and Ahead-of-Time (AOT) compilation models. JIT has better performance for desktop/server workloads and development environments. AOT has a faster startup and a small footprint, which is required for mobile and IoT devices. .NET 5 will offer one unified toolchain supported by new SDK project types and a flexible deployment model (side-by-side and self-contained EXEs).

Firefox

Second Firefox Fix Repairs Broken Browser Extensions For More People (cnet.com) 158

An anonymous reader quotes CNET: "Mozilla on Sunday began distributing new Firefox updates to fix a problem that broke extensions for many browser users on Friday," reports CNET: Mozilla had released an update Saturday, but Sunday's fix should help more people who were still affected. "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday," Mozilla said in a tweet Sunday... "No active steps need to be taken to make add-ons work again. In particular, please do not delete and/or reinstall any add-ons as an attempt to fix the issue," Kev Needham, Mozilla's product manager for add-ons, said in a blog post about the problem.
Firefox

A Glitch Is Breaking All Firefox Extensions (techcrunch.com) 311

Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working? You're not alone, and it's nothing you did. From a report: Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions. Each extension is now being listed as a "legacy" extension, alongside a warning that it "could not be verified for use in Firefox and has been disabled." A ticket submitted to Mozilla's Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time). Because the glitch stems from an underlying certificate, re-installing extensions won't work -- if you try, you'll likely just be met with a different error message. Getting extensions back for everyone is going to require Mozilla to issue a patch.
UPDATE (5/5/2019): On Sunday Firefox released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."
Google

Former Gmail Design Lead and Cofounder of Inbox Releases a Free Chrome Extension To Simplify Gmail Interface (fastcompany.com) 71

An anonymous reader shares a report: Michael Leggett is even more annoyed with Gmail than you are. "It's like Lucky Charms got spewed all over the screen," he says to me, as he scrolls through his inbox. It's true. Folders, contacts, Google apps like Docs and Drive -- and at least half a dozen notifications -- all clutter Gmail at any given moment. And of course, there's that massive Gmail logo that sits in the upper left-hand corner of the screen. Just in case you forgot that you just typed "gmail.com" into your browser bar three seconds ago. "Go look at any desktop app and tell me how many have a huge fucking logo in the top left," rants Leggett. "C'mon. It's pure ego, pure bullshit. Drop the logo. Give me a break."

Rather than sit there and stew, Leggett decided to do something about it: He created a free Chrome extension called Simplify, where all the extraneous folders and functions overloading Gmail seem to melt away, leaving you with a calm screen and nothing but your messages. It's understatedly beautiful, and every button just seems like it's in the right place. In fact, it feels a little too good for some random free Chrome extension made by some random developer. Let's just say that Leggett was highly qualified for the job. You see, Leggett was actually the lead designer for Gmail from 2008 to 2012. He also cofounded the since-discontinued Inbox, which attempted to reimagine Gmail for the modern era.

Chrome

Google Adding Chrome Admin Policy To Uninstall Blacklisted Extensions (bleepingcomputer.com) 13

An anonymous reader quotes a report from BleepingComputer: Google is adding a new admin policy to Chrome that will automatically uninstall browser extensions that are blacklisted by administrators. Currently, administrators can enable a policy called "Configure extension installation blacklist" to create a blacklist of Chrome extensions. These blacklisted extensions are added as individual extension ids, and once added, will prevent managed users from installing the associated extensions. To do this, Windows administrators can download Chrome's policy templates and add them to the Group Policy Editor. Once added, they will be able to configure various group policies.

While this policy prevents users from installing an extension, it does not do anything for those users who have already installed the extension. Due to this, administrators have been requesting a new group policy that will cause Chrome to remove any extension that is listed under the "Configure extension installation blacklist" policy. Google agrees and has started working on a new Chrome policy called "Uninstall blacklisted extensions" that will uninstall any extensions whose IDs have been blacklisted. In addition to removing the extensions, it will remove any associated local user data as well.

The new policy is expected to be released with Chrome 75, which is heading to beta in May and expected to be released to the Stable channel in June.

The Internet

The Nations of the Amazon Want the Name Back (bbc.com) 85

Online retail giant Amazon and the governments of eight South American countries have been given a final deadline to reach an agreement over how to use the ".amazon" web address extension after a seven-year dispute. From a report: What will happen next? It's a name that evokes epic proportions: the world's largest rainforest; a global tech company; and now a diplomatic saga nearing its end. This is the battle of the Amazon and it starts back in 2012. The Internet Corporation for Assigned Names and Numbers (ICANN), the body that polices the world wide web's address system, decided to expand its list of generic top-level domains (gTLD) - the bit that comes after the dot in a web address. The new rules allowed companies to apply for brand new extensions, offering internet users and businesses more ways to personalise their website name and addresses. But eight countries containing the Amazon rainforest objected to the retail giant's plans concerning the new .amazon domain name.
Encryption

Gmail Becomes First Major Email Provider To Support MTA-STS, TLS Reporting (zdnet.com) 25

Google announced today that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. ZDNet reports: The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of thwarting SMTP man-in-the-middle attacks. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails. For example, SMTP MTA Strict Transport Security (MTA-STS) works by allowing email server admins to set up an MTA-STS policy on their server. This policy allows a legitimate provider to request that external email servers verify the security of SMTP connections before sending any emails. Minimum requirements, such as forcing external email servers to authenticate with a valid public certificate encrypted with TLS 1.2 or higher, can be enforced, depending on preferences, ensuring that emails sent to a company's server travel through an obligatory and properly encrypted channel -- or they don't arrive at all.

In addition, the TLS Reporting SMTP extension sets up a reporting mechanism through which a legitimate email server can request daily reports from other email servers about the success or failure of emails that have been sent to the legitimate server's domain. Both, when combined, will either prevent or help email server admins identify SMTP man-in-the-middle attacks against their email traffic.

Bug

19-Year-Old WinRAR Vulnerability Leads To Over 100 Malware Exploits (slashgear.com) 144

"Last month it was discovered that WinRAR, software used to open .zip archive files, has been vulnerable for the last 19 years to a bug that's easily exploited by hackers and malware distributors," writes SlashGear. A Slashdot reader quotes their report: Check Point, the security researchers that revealed the WinRAR bug, explain that the software is exploited by giving malicious files a RAR extension, so that when opened they can automatically extract malware programs. These programs are installed in a PC's startup folder, allowing them to start running anytime the computer is turned on, all without the user's knowledge.

Once the bug was disclosed, however, hacker groups really began using it to their advantage, with various nations becoming the target of state-backed cyber-espionage campaigns attempting to collect intelligence. The latest comes from McAfee, the software security firm, which notes that it has identified over 100 unique exploits that use the WinRAR bug, most of them targeting the U.S.

WinRAR 5.70, released in late January, patches the behavior, but "it must be manually downloaded and installed from the website, leaving most users unaware of the critical update," the article warns.

It also estimates that during the last 19 years WinRAR has been downloaded over 500 million times.

Games

Steam Link Anywhere Will Let You Stream Your PC's Games On the Go (pcgamer.com) 37

Valve is expanding its Steam Link game-streaming feature in a big way with Steam Link Anywhere, a new service that will allow you to stream your Steam games from your computer to anywhere in the world through Steam Link hardware or the Steam Link app. From a report: Steam Link Anywhere is an extension of Steam Link that will enable users to connect to their PCs and play games from anywhere (thus the name), rather than being limited to a local network. It's compatible with both the Steam Link hardware and app, and will be rolled out automatically (and freely) to everyone who owns the hardware with beta firmware installed, the Android app beta, or the Raspberry Pi app. You'll also need to be enrolled in the Steam client beta, and have the latest version installed. Assuming you've got all that covered, you'll see an "Other Computer" option on the screen when searching for computers to connect to via Steam Link. Select that, follow the instructions, and you'll be set. Valve didn't provide specific network requirements but said you'll need "a high upload speed from your computer and strong network connection to your Steam Link device" in order to use it.
Network

Valve's Steam Link Will Let You Stream Your PC Games Anywhere (techcrunch.com) 7

Valve has announced the "early beta" release of Steam Link Anywhere, which will enable streamed gaming to any compatible device, and Steam Networking Sockets APIs, granting developers access to the technology and infrastructure that underlies CS:GO and Dota 2. PC Gamer reports: Steam Link Anywhere is an extension of Steam Link that will enable users to connect to their PCs and play games from anywhere (thus the name), rather than being limited to a local network. It's compatible with both the Steam Link hardware and app, and will be rolled out automatically (and freely) to everyone who owns the hardware with beta firmware installed, the Android app beta, or the Raspberry Pi app. You'll also need to be enrolled in the Steam client beta, and have the latest version installed. Assuming you've got all that covered, you'll see an "Other Computer" option on the screen when searching for computers to connect to via Steam Link. Select that, follow the instructions, and you'll be set. Valve didn't provide specific network requirements but said you'll need "a high upload speed from your computer and strong network connection to your Steam Link device" in order to use it.

Steam Networking Sockets APIs isn't as flashy (and that "flash" is definitely relative) but is aimed squarely at developers, and could be even more significant to Steam's fortunes given the pressure it's facing from the Epic Games Store: It enables developers to run their game traffic through Valve's own private gaming network, providing players "faster and more secure connections." It's free for developers, and "a large portion" of the API is now open source, which could be a pretty big draw for devs looking to incorporate online play with a minimum of fuss. If that's your bag, you can get more detailed information at steamcommunity.com, and Valve will be talking about the new feature in-depth at a Game Developers Conference panel next Thursday, March 21.
