Communications

Comcast's Protected Browsing Is Blocking PayPal, Steam and TorrentFreak, Customers Say (vice.com) 82

Comcast's Xfinity internet customers have been reporting that multiple websites, including PayPal, Steam, and TorrentFreak, have been getting blocked by the ISP's "protected browsing" setting. From a report: The "protected browsing" setting is designed to "reduce the risk of accessing known sources of malware, spyware, and phishing for all devices connected to your home network." This, in general, isn't a bad thing. It's similar to Google Chrome's security settings that warn you when you have an insecure connection. But it's odd that Xfinity's security setting would be blocking perfectly harmless sites like PayPal. Multiple consumers have been reporting on Comcast's forums and elsewhere that they've been blocked while trying to access sites that many people use every day. After posting about it on the forums, one user who said they couldn't access PayPal said the problem with that particular site had been fixed. Further reading: Comcast's Protected Browsing Blocks TorrentFreak as "Suspicious" Site (TorrentFreak).
Google

Google Is Selling Off Zagat (techcrunch.com) 33

An anonymous reader quotes a report from TechCrunch: Seven years after picking up Zagat for $151 million, Google is selling off the perennial restaurant recommendation service. The New York Times is reporting this morning that the technology giant is selling off the company to The Infatuation, a review site founded nine years back by former music execs. The company had been rumored to be courting a buyer since early this year. As Reuters noted at the time, Zagat has increasingly become less of a focus for Google, as the company began growing its database of restaurant recommendations organically. Zagat, meanwhile, has lost much of the shine it had when Google purchased it nearly a decade ago. The Infatuation, which uses an in-house team of reviewers to write up restaurants in major cities like New York, San Francisco, Los Angeles and London, is picking up the service for an undisclosed amount. The site clearly believes there's value left in the Zagat brand, even as the business of online reviews has changed significantly in the seven years since Google picked it up.
Youtube

YouTube Hiring For Some Positions Excluded White and Asian Men, Lawsuit Says (theverge.com) 448

Kirsten Grind and Douglas MacMillan report via The Wall Street Journal (Warning: source may be paywalled; alternative source): YouTube last year stopped hiring white and Asian males for technical positions because they didn't help the world's largest video site achieve its goals for improving diversity, according to a civil lawsuit filed by a former employee. The lawsuit, filed by Arne Wilberg, a white male who worked at Google for nine years, including four years as a recruiter at YouTube, alleges the division of Alphabet's Google set quotas for hiring minorities. Last spring, YouTube recruiters were allegedly instructed to cancel interviews with applicants who weren't female, black or Hispanic, and to "purge entirely" the applications of people who didn't fit those categories, the lawsuit claims.

A Google spokeswoman said the company will vigorously defend itself in the lawsuit. "We have a clear policy to hire candidates based on their merit, not their identity," she said in a statement. "At the same time, we unapologetically try to find a diverse pool of qualified candidates for open roles, as this helps us hire the best people, improve our culture, and build better products." People familiar with YouTube's and Google's hiring practices in interviews corroborated some of the lawsuit's allegations, including the hiring freeze of white and Asian technical employees, and YouTube's use of quotas.

Encryption

23,000 HTTPS Certs Axed After CEO Emails Private Keys (arstechnica.com) 72

An anonymous reader quotes Ars Technica: A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates. The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec...

In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security... In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems. "Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."

"There's no indication the email was encrypted," reports Ars Technica, and the next day DigiCert sent emails to Trustico's 23,000+ customers warning that their certificates were being revoked, according to Bleeping Computer.

In a related development, Thursday Trustico's web site went offline, "shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers."
Communications

YouTube's New Moderators Mistakenly Pull Right-Wing Channels (bloomberg.com) 277

In December, YouTube said it would assign more than 10,000 people to moderate content in an attempt to curb its child exploitation problem. Today, Bloomberg reports that those new moderators mistakenly removed several videos and some channels from right-wing, pro-gun video producers and outlets in the midst of a nationwide debate on gun control. From the report: Some YouTube channels recently complained about their accounts being pulled entirely. On Wednesday, the Outline highlighted accounts, including Titus Frost, that were banned from the video site. Frost tweeted on Wednesday that a survivor of the shooting, David Hogg, is an actor. Jerome Corsi of right-wing conspiracy website Infowars said on Tuesday that YouTube had taken down one of his videos and disabled his live stream. Shutting entire channels would have marked a sweeping policy change for YouTube, which typically only removes channels in extreme circumstances and focuses most disciplinary action on specific videos. But YouTube said some content was taken down by mistake. The site didn't address specific cases and it's unclear if it meant to take action on the accounts of Frost and Corsi. "As we work to hire rapidly and ramp up our policy enforcement teams throughout 2018, newer members may misapply some of our policies resulting in mistaken removals," a YouTube spokeswoman wrote in an email. "We're continuing to enforce our existing policies regarding harmful and dangerous content, they have not changed. We'll reinstate any videos that were removed in error."
The Internet

US House Passes Bill To Penalize Websites For Sex Trafficking (trust.org) 190

An anonymous reader quotes a report from Thomson Reuters Foundation News: The U.S. House of Representatives on Tuesday overwhelmingly passed legislation to make it easier to penalize operators of websites that facilitate online sex trafficking, chipping away at a bedrock legal shield for the technology industry. The bill's passage marks one of the most concrete actions in recent years from the U.S. Congress to tighten regulation of internet firms, which have drawn heavy scrutiny from lawmakers in both parties over the past year due to an array of concerns regarding the size and influence of their platforms. The House passed the measure 388-25. It still needs to pass the U.S. Senate, where similar legislation has already gained substantial support, and then be signed by President Donald Trump before it can become law.

Several major internet companies, including Alphabet Inc's Google and Facebook Inc, had been reluctant to support any congressional effort to dent what is known as Section 230 of the Communications Decency Act, a decades-old law that protects them from liability for the activities of their users. But facing political pressure, the internet industry slowly warmed to a proposal that gained traction in the Senate last year, and eventually endorsed it after it gained sizable bipartisan support. The legislation is a result of years of law-enforcement lobbying for a crackdown on the online classified site backpage.com, which is used for sex advertising. It would make it easier for states and sex-trafficking victims to sue social media networks, advertisers and others that fail to keep exploitative material off their platforms.

Firefox

Mozilla Removes Individual Cookie Management in Firefox 60 (ghacks.net) 177

Martin Brinkmann, writing for Ghacks: The most recent version of Firefox Nightly, currently at version 60, comes with changes to Firefox's cookie management. Mozilla merged cookie settings with site data in the web browser which impacts how you configure and manage cookie options. If you run Firefox 59 or earlier, you can load about:preferences#privacy to manage privacy related settings in Firefox. If you set the history to "use custom settings for history" or "remember history", you get an option to manage cookie settings and to remove individual cookies from Firefox. A click on the link or button opens a new browser window in which all set cookies are listed. You can use it to find set cookies, look up information, remove selected or all cookies. Mozilla engineers changed this in recent versions of Firefox 60 (currently on the Nightly channel).
Bitcoin

The Los Angeles Times Website Is Unintentionally Serving a Cryptocurrency Mining Script (itwire.com) 58

troublemaker_23 shares a report from iTWire: The Los Angeles Times website is serving a cryptocurrency mining script which appears to have been placed there by malicious attackers, according to a well-known security expert. British infosec researcher Kevin Beaumont, who has warned that Amazon AWS servers could be held to ransom due to lax security, tweeted that the newspaper's site was serving a script created by Coinhive. The Coinhive script mines for the monero cryptocurrency. The S3 bucket used by the LA Times is apparently world-writable and an ethical hacker appears to have left a warning in the repository, warning of possible misuse and asking the owner to secure the bucket.
Movies

Flixster Video Shuts Down 33

After being purchased by Fandango in 2016, Flixster Video is officially shutting down. The site has been sending users regular emails over the past several months about the shutdown, reports Android Police. Now, the site is no longer operational, and only points people to its mobile app, which can still be used for getting movie reviews and tickets. The Verge reports: Flixster first announced it was closing in 2016, after being acquired by Fandango along with subsidiary Rotten Tomatoes. That year, Fandango also bought video streaming service M-Go, later rebranding it under FandangoNow. Flixster Video, which let people access their UltraViolet movie collection, was not a part of that deal. The shutdown began with the service telling customers it would no longer be able to redeem digital codes on the site for video playback. Over the past few months, emails have been sent out encouraging people to migrate their Flixster accounts to Vudu and Movies Anywhere in order to make sure nothing was lost. The company says it's not too late for users to do so.
AI

Slashdot Asks: Which Smart Speaker Do You Prefer? 234

Every tech company wants to produce a smart speaker these days. Earlier this month, Apple finally launched the HomePod, a smart speaker that uses Siri to answer basic questions and play music via Apple Music. In December, Google released their premium Google Home Max speaker that uses the Google Assistant and Google's wealth of knowledge to play music, answer questions, set reminders, and so on. It may be the most advanced smart speaker on the market as it has the hardware capable of playing high fidelity audio, and a digital assistant that can perform over one million actions. There is, however, no denying the appeal of the Amazon Echo, which is powered by the Alexa digital assistant. Since it first made its debut in late 2014, it has had more time to develop its skill set. Amazon says Alexa controls "tens of millions of devices," including Windows 10 PCs.

A new report from The Guardian, citing the industry site MusicAlly, says that Spotify is working on a line of "category defining" hardware products "akin to Pebble Watch, Amazon Echo, and Snap Spectacles." The streaming music company has posted an ad for a senior product manager to "define the product requirements for internet connected hardware [and] the software that powers it." With Spotify looking to launch a smart speaker in the not-too-distant-future, the decision to purchase a smart speaker has become all the more difficult. Do you own a smart speaker? If so, which device do you own and why? Do you see a clear winner, or can they all satisfy your basic needs?
Bitcoin

Salon Magazine Mines Monero On Your Computer If You Use an Ad Blocker (bbc.com) 314

dryriver shares a report from BBC: News organizations have tried many novel ways to make readers pay -- but this idea is possibly the most audacious yet. If a reader chooses to block its advertising, U.S. publication Salon will use that person's computer to mine for Monero, a cryptocurrency similar to Bitcoin. Creating new tokens of a cryptocurrency typically requires complex calculations that use up a lot of computing power. Salon told readers: "We intend to use a small percentage of your spare processing power to contribute to the advancement of technological discovery, evolution and innovation." The site is making use of CoinHive, a controversial mining tool that was recently used in an attack involving government websites in the UK, U.S. and elsewhere. However, unlike that incident, where hackers took control of visitors' computers to mine cryptocurrency, Salon notifies users and requires them to agree before the tool begins mining.
Google

Google Is Adding Snapchat-Style Stories To Mobile Search Results (qz.com) 21

Google is rolling out tappable, visual stories that incorporate text, images, and videos in the style made popular by Snapchat. "It started widely testing the multimedia format, called AMP stories, today (Feb. 13) in an effort to help publishers engage more with readers on mobile," reports Quartz. Google announced the feature in a developer blog post. From the report: Users can now find Google stories in search results -- in a box called "visual stories" -- when they search on mobile at g.co/ampstories for the names of publishers that have begun using the format, such as CNN, Conde Nast, Hearst, Mashable, Meredith, Mic, Vox Media, and the Washington Post brands. Google worked with those publishers to develop the format. Desktop users can also get a taste of stories through Google's Accelerated Mobile Pages site. When a user selects a story, like Cosmopolitan magazine's piece on apple cider vinegar, it displays in a full-screen, slideshow format, similar to those on Snapchat and Instagram.

The multimedia format is part of Google's Accelerated Mobile Pages (AMP) project, a competitor to Facebook's Instant Articles that helps load pages faster on mobile devices. Like AMP, the AMP story format is open-sourced, so anyone can use it. However, Google is reportedly only displaying stories from a select group of publishers, including those it partnered with on the development, on its own site at the moment. The company said it plans to bring AMP stories to more Google products in the future, and expand the ways they appear in Google search.

Music

Reddit Audiophiles Test HomePod, Say It Sounds Better Than $1,000 Speaker (arstechnica.com) 327

An anonymous reader quotes a report from Ars Technica: Apple released its much-hyped HomePod speaker to the masses last week, and the general consensus among early reviews is that it sounds superb for a relatively small device. But most of those reviews seem to have avoided making precise measurements of the HomePod's audio output, instead relying on personal experience to give generalized impressions. That's not a total disaster: a general rule for speaker testing is that while it's good to stamp out any outside factor that may cause a skewed result, making definitive, "objective" claims is difficult. But having some proper measurements is important. Reddit user WinterCharm, whose real name is Fouzan Alam, has made just that in a truly massive review for the site's "r/audiophile" sub. And if his results are to be believed, those early reviews may be underselling the HomePod's sonic abilities. After a series of tests with a calibrated microphone in an untreated room, Alam found the HomePod to sound better than the KEF X300A, a generally well-regarded bookshelf speaker that retails for $999. What's more, Alam's measurements found the HomePod to provide a "near-perfectly flat frequency response," meaning it stays accurate to a given track without pushing the treble, mids, or bass to an unnatural degree. He concludes that the digital signal processing tech the HomePod uses to "self-calibrate" its sound to its surroundings allows it to impress at all volumes and in tricky environments. "The HomePod is 100% an audiophile grade speaker," he writes.
Youtube

YouTube Will Remove Ads, Downgrade Discoverability of Channels Posting Offensive Videos (techcrunch.com) 314

Earlier today, YouTube barred Logan Paul from serving ads on his video channel in response to a "recent pattern of behavior" from him. Now, YouTube has announced a more formal and wider set of sanctions it's prepared to level on any creator that starts to post videos that are harmful to viewers, others in the YouTube community, or advertisers. TechCrunch reports: "We may remove a channel's eligibility to be recommended on YouTube, such as appearing on our home page, trending tab or watch next," Ariel Bardin, Vice President of Product Management at YouTube, writes in a blog post.

The full list of steps, as outlined by YouTube:
1. Premium Monetization Programs, Promotion and Content Development Partnerships. We may remove a channel from Google Preferred and also suspend, cancel or remove a creator's YouTube Original.
2. Monetization and Creator Support Privileges. We may suspend a channel's ability to serve ads, ability to earn revenue and potentially remove a channel from the YouTube Partner Program, including creator support and access to our YouTube Spaces.
3. Video Recommendations. We may remove a channel's eligibility to be recommended on YouTube, such as appearing on our home page, trending tab or watch next.

The changes are significant not just because they could really hit creators where it hurts, but because they also point to a real shift for the platform. YouTube has long been known as a home for edgy videos filled with pranks and potentially offensive content, made in the name of comedy or freedom of expression. Now, the site is turning over a new leaf, using a large team of human curators and AI to track the content of what's being posted, and these videos have a much bigger chance of falling afoul of YouTube's rules and getting dinged.

AI

Reddit Bans 'Deepfakes' AI Porn Communities (theverge.com) 110

Reddit has banned the r/deepfakes subreddit that's devoted to making AI-powered porn using celebrities' faces, classifying it as a form of "involuntary pornography." Reddit follows several other platforms that have already banned deepfakes pornography, including Pornhub, which said yesterday that deepfakes imagery counted as nonconsensual pornography. The Verge reports: In a post today, Reddit announced an update to its rules on posting sexual imagery of a person without their consent. The new rule extends a ban on posting photos or video of people who are nude or engaged in sexual acts without the subject's permission, saying that this includes "depictions that have been faked" -- including the sophisticated face-swapped videos that have become especially popular on Reddit over the past month. "Do not post images or video of another person for the specific purpose of faking explicit content or soliciting 'lookalike' pornography."

This doesn't affect all AI-based face swapping enthusiasts on Reddit. The subreddit for FakeApp, a program that allows anyone to swap faces in videos, is still online. So is r/SFWdeepfakes, which is devoted to non-pornographic use of the technology. At least one small, specific subreddit devoted to simulated porn for an individual actor also seems to have slipped under the radar. But along with the central deepfakes hub, the main subreddit for posting not-safe-for-work deepfakes has gotten shut down, and so has the community r/YouTubefakes. The subreddit r/CelebFakes, which focused on non-AI-powered photoshopped pornographic images, was initially left online, but removed shortly after the announcement.
The site will rely on "first-party reports" to shut down future deepfakes material.
AI

'Humans Not Invited' Is a CAPTCHA Test That Welcomes Bots, Filters Out Humans (vice.com) 82

While most CAPTCHA tests we come across on the Web are usually meant to keep robots out, one website is welcoming them in. From a report: The conceit of Humans Not Invited is essentially a reverse CAPTCHA. Visitors to the site are greeted with a vision test not unlike the ones you've done before, but instead it's filled with seemingly indistinguishable blue and gray blurry boxes. When I tried, I was prompted to "select all squares with selfie sticks." Most humans, like me, will fail to decipher the hidden selfie sticks and will be shown a message that says "YOU'RE A HUMAN. YOU'RE NOT INVITED." While to the human eye these boxes appear indistinguishable, a specially programmed bot can spot out the correct image simply by identifying a handful of pixels, according to the project's creator, Damjanski (his real name is Danjan Pita).
Chrome

Scammers Use Download Bombs To Freeze Chrome Browsers on Shady Sites (bleepingcomputer.com) 72

An anonymous reader shares a report: The operators of some tech support scam websites have found a new trick to block visitors on their shady sites and scare non-technical users into paying for unneeded software or servicing fees. The trick relies on using JavaScript code loaded on these malicious pages to initiate thousands of file download operations that quickly take up the user's memory resources, freezing Chrome on the scammer's site. The trick is meant to drive panicked users into calling one of the tech support phone numbers shown on the screen. According to Jerome Segura -- Malwarebytes' leading expert in tech support scam operations, malvertising, and exploit kits -- this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome.
AI

Pornhub Is Banning AI-Generated 'Deepfakes' Porn Videos (vice.com) 124

On Tuesday, Pornhub told Motherboard that it considers deepfakes to be nonconsensual porn and that it will ban these videos. "Deepfakes" is a community originally named after a Redditor who enjoys face-swapping celebrity faces onto porn performers' bodies using a machine learning algorithm. Motherboard reports: "We do not tolerate any nonconsensual content on the site and we remove all said content as soon as we are made aware of it," a spokesperson told me in an email. "Nonconsensual content directly violates our TOS [terms of service] and consists of content such as revenge porn, deepfakes or anything published without a person's consent or permission." Pornhub previously told Mashable that it has removed deepfakes that are flagged by users. Pornhub's position on deepfakes is similar to statements made by Discord and Gfycat, and in line with its existing terms of service, which prohibit content that "impersonates another person or falsely state or otherwise misrepresent your affiliation with a person."
Piracy

Cloudflare Terminates Service To Sci-Hub Domain Names (torrentfreak.com) 91

While Sci-Hub is praised by thousands of researchers and academics around the world, copyright holders are doing everything in their power to wipe the site from the web. From a report: Last weekend another problem appeared for Sci-Hub. This time American Chemical Society (ACS) went after CDN provider Cloudflare, which informed the site that a court order requires the company to disconnect several domain names. "Cloudflare has received the attached court order, Case 1:17-cv-OO726-LMB-JFA," the company writes. "Cloudflare will terminate your service for the following domains sci-hub.la, sci-hub.tv, and sci-hub.tw by disabling our authoritative DNS in 24 hours." According to Sci-Hub's operator, losing access to Cloudflare is not "critical," but it may "cause a short pause in website operation."
Firefox

Firefox 59 Will Stop Websites Snooping on Where You've Just Been (zdnet.com) 121

Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report: When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value." While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing, because it tells the site the exact page you were looking at when you clicked the link, said Mozilla. Browsers also send a referrer value when requesting other details like ads, or other social media snippets integrated in a modern website, which means these embedded content features also know exactly what page you're visiting.
