Slashdot reader joshuark writes: Beware fake Windows 11 upgrades install RedLine malware, reports Bleeping Computer.

"Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware." Bleeping Computer advises, "...these dangerous sites are promoted via forum and social media posts or instant messages, so don't trust anything but the official Windows upgrade system alerts."
Bleeping Computer points out that hardware incompatibilities rule out upgrades for many Windows 10 users from official distribution channels — "something that malware operators see as an excellent opportunity for finding new victims." The timing of the attacks coincides with the moment that Microsoft announced Windows 11's broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation's success. RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.

According to researchers at HP, who have spotted this campaign, the actors used the seemingly legitimate "windows-upgraded.com" domain for the malware distribution part of their campaign. The site appears like a genuine Microsoft site and, if the visitor clicked on the 'Download Now' button, they received a 1.5 MB ZIP archive named "Windows11InstallationAssistant.zip," fetched directly from a Discord CDN...

Although the distribution site is down now, nothing stops the actors from setting up a new domain and restarting their campaign. In fact, this is very likely already happening in the wild.

Earlier this month, a German court fined an unidentified website $110 for violating EU privacy law by importing a Google-hosted web font. The Register reports: The decision, by Landgericht Munchen's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe's General Data Protection Regulation (GDPR). That is to say, when the plaintiff visited the website, the page made the user's browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen's IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn't give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so. The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of 250,000 euros for each violation, or up to six months in prison, for continued improper use of Google Fonts. Google Fonts is widely deployed -- the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers -- Google's or a CDN's -- that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.

An anonymous reader quotes a report from Ars Technica: Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on "quite a few" sites running the open source content management system. The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from JetPack, the maker of security software owned by Automatic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available by download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official developer site for the WordPress project, remained clean. "Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites," Ben Martin, a researcher with Web security firm Sucuri, wrote in a separate analysis of the backdoor.

The Jetpack post said evidence indicates that the supply chain attack on AccessPress Themes was performed in September. Martin, however, said evidence suggests the backdoor itself is much older than that. Some of the infected websites had spam payloads dating back nearly three years. He said his best guess is that the people behind the backdoor were selling access to infected sites to people pushing web spam and malware. He wrote, "[...] it seems that the malware that we've found associated with this backdoor is more of the same: spam, and redirects to malware and scam sites." The Jetpack post provides full names and versions of the infected AccessPress software. Anyone running a WordPress site with this company's offerings should carefully inspect their systems to ensure they're not running a backdoored instance. Site owners may also want to consider installing a website firewall, many of which would have prevented the backdoor from working.

Arbix Finance, an audited and supposedly trustworthy yield farming platform, has been flagged as a 'rugpull,' deleting its site, Twitter, and Telegram channel and transferring $10 million worth of deposited cryptocurrency. Bleeping Computer reports: Rugpulls, otherwise known as "exit scams," are when pseudo-anonymous platforms or cryptocurrencies are created twith the ultimate goal of collecting funds for an allegedly legitimate "service" and then disappear with deposited funds. Because decentralized networks are inherently untrustworthy, entities like CertiK attempt to evaluate them through audits that analyze a token's smart contracts for signs of fraud, vulnerabilities, privacy problems, etc. In Arbix's case, CertiK's conducted an audit on November 19th, 2021, whose findings had initially been a reason for users to trust Arbix Finance.

However, today CertiK tweeted that Arbix is now classified as a rugpull after the token's smart contract was detected minting 10 million ARBIX to addresses under the owner's control and then dumping them for Ethereum. The operators of Arbix also moved $10 million in funds deposited by users to "unverified pools," where they were converted to Ethereum. The scammers then transferred the Ethereum to Tornado.cash, which acts as a mixer to make it harder to trace the funds. The funds and their movements are being traced, but the chances of them being recovered are slim at this point.

shoor writes: As much as 38 percent of the Internet's domain name lookup servers are vulnerable to a new attack that allows hackers to send victims to maliciously spoofed addresses masquerading as legitimate domains, like bankofamerica.com or gmail.com. The exploit, unveiled in research presented today, revives the DNS cache-poisoning attack that researcher Dan Kaminsky disclosed in 2008. He showed that, by masquerading as an authoritative DNS server and using it to flood a DNS resolver with fake lookup results for a trusted domain, an attacker could poison the resolver cache with the spoofed IP address. From then on, anyone relying on the same resolver would be diverted to the same imposter site.

The sleight of hand worked because DNS at the time relied on a transaction ID to prove the IP number returned came from an authoritative server rather than an imposter server attempting to send people to a malicious site. The transaction number had only 16 bits, which meant that there were only 65,536 possible transaction IDs. Kaminsky realized that hackers could exploit the lack of entropy by bombarding a DNS resolver with off-path responses that included each possible ID. Once the resolver received a response with the correct ID, the server would accept the malicious IP and store the result in cache so that everyone else using the same resolver -- which typically belongs to a corporation, organization, or ISP -- would also be sent to the same malicious server.

A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents. From a report: Fifty-seven of the sites are popular Chinese portals, while the last is the site for US newspaper, the New York Times. In addition, the tool also abused legitimate browser features in attempts to collect user keystrokes, a large swath of operating system details, geolocation data, and even webcam snapshots of a target's face -- although many of these capabilities weren't as silent as the exploits targeting third-party websites, since they also tended to trigger a browser notification prompt.

Named Tetris, the tool was found secretly uploaded on two websites with a Chinese readership. "The sites both appear to be independent newsblogs," said a security researcher going online under the pseudonym of Imp0rtp3, who analyzed the Tetris attack framework for the first time in a blog post earlier this month. "Both [sites] are focused on China, one site [is focused on China's] actions against Taiwan and Hong-Kong written in Chinese and still updated and the other about general atrocities done by the Chinese government, written in Swedish and last updated [in] 2016," the researcher said. According to Imp0rtp3, users who landed on these two websites were first greeted by Jetriz, the first of Tetris' two components, which would gather and read basic information about a visitor's browser.

An anonymous reader quotes a report from Ars Technica: Muse Group -- owner of the popular audio-editing app Audacity -- is in hot water with the open source community again. This time, the controversy isn't over Audacity -- it's about MuseScore, an open source application that allows musicians to create, share, and download musical scores (especially, but not only, in the form of sheet music). The MuseScore app itself is licensed GPLv3, which gives developers the right to fork its source and modify it. One such developer, Wenzheng Tang ("Xmader" on GitHub) went considerably further than modifying the app -- he also created separate apps designed to bypass MuseScore Pro subscription fees. After thoroughly reviewing the public comments made by both sides at GitHub, Ars spoke at length with Muse Group Head of Strategy Daniel Ray -- known on GitHub by the moniker "workedintheory" -- to get to the bottom of the controversy.

While Xmader did, in fact, fork MuseScore, that's not the root of the controversy. Xmader forked MuseScore in November 2020 and appears to have abandoned that fork entirely; it only has six commits total -- all trivial, and all made the same week that the fork was created. Xmader is also currently 21,710 commits behind the original MuseScore project repository. Muse Group's beef with Xmader comes from two other repositories, created specifically to bypass subscription fees. Those repositories are musescore-downloader (created November 2019) and musescore-dataset (created March 2020). Musescore-downloader describes itself succinctly: "download sheet music from musescore.com for free, no login or MuseScore Pro required." Musescore-dataset is nearly as straightforward: it declares itself "the unofficial dataset of all music sheets and users on musescore.com." In simpler terms: musescore-downloader lets you download things from musescore.com that you shouldn't be able to; musescore-dataset is those files themselves, already downloaded. For scores that are in the public domain or that users have uploaded under Creative Commons licenses, this isn't necessarily a problem. But many of the scores are only available by arrangement between the score owner and Muse Group itself -- and this has several important implications.

Just because you can access the score via the app or website doesn't mean you're free to access it anywhere, anyhow, or redistribute that score yourself. The distribution agreement between Muse Group and the rightsholder allows legitimate downloads, but only when using the site or app as intended. Those agreements do not give users carte blanche to bypass controls imposed on those downloads. Further, those downloads can often cost the distributor real money -- a free download of a score licensed to Muse Group by a commercial rightsholder (e.g., Disney) is generally not "free" to Muse Group itself. The site has to pay for the right to distribute that score -- in many cases, based on the number of downloads made. Bypassing those controls leaves Muse Group on the hook either for costs it has no way to monetize (e.g., by ads for free users) or for violating its own distribution agreements with rightsholders (by failing to properly track downloads).

Over the Fourth of July weekend, a number of news outlets, including Slashdot, ran stories warning that the free and open-source audio editor Audacity may now be classified as spyware due to recent updates to its privacy policy. Ars Technica's Jim Salter looked into these claims and found that that is not the case. An anonymous reader shares an excerpt from his report: FOSS-focused personal technology site SlashGear declares that although Audacity is free and open source, new owner Muse Group can "do some pretty damaging changes" -- specifically meaning its new privacy policy and telemetry features, described as "overarching and vague." FOSSPost goes even further, running the headline "Audacity is now a possible spyware, remove it ASAP." The root of both sites' concern is the privacy policy instigated by new Audacity owner Muse Group, who already published open source music notation tool MuseScore. The privacy policy, which was last updated on July 2, outlines the data which the app may collect [...]. The personal data being collected as outlined in the first five bullet points is not particularly broad -- in fact, it's quite similar to the collected data described in FOSSPost's own privacy policy: IP address, browser user-agent, "some other cookies your browser may provide us with," and (by way of WordPress and Google analytics) "your geographical location, cookies for other websites you visited or any other information your browser can give about you." This leaves the last row -- data necessary for law enforcement, litigation and authorities' requests (if any)." While that's certainly a broad category and not particularly well-defined, it's also a fact of life in 2021. Whether a privacy policy says so or not, the odds are rather good that any given company will comply with legitimate law enforcement requests. If it doesn't, it won't likely be a company for long. The final grain of salt in the wound is a line stating that Audacity is "not intended for individuals below the age of 13" and requesting people under 13 years old "please do not use the App." This is an effort to avoid the added complexity and expense of dealing with laws regulating collection of personal data from children.

The first thing to point out is that neither the privacy policy nor the in-app telemetry in question are actually in effect yet -- both are targeted to an upcoming 3.0.3 release, while the most recent available version is 3.0.2. For now, that means there's absolutely no need for anyone to panic about their currently-installed version of Audacity. [...] Although FOSS-focused media outlets including FOSSPost and Slashgear reported negatively on this issue over the holiday weekend, the contributors and commenters active on the project's Github seem to have been largely satisfied by the May 13 update, which declared that Muse Group would self-host its telemetry sessions rather than using third-party libraries and hosting. The same day the second pull request went live, Github user Megaf said, "Good stuff. As long as the data is not going to [third party tech giants] we should be happy. Collect the data you really need, self-host it, make it private, make it opt-in, and we shall help." It's a small sample, but the sentiment seems broadly supported, with 66 positive and 12 negative reactions. Reaction to Megaf's comment reflects user reaction to the updated pull request itself, which currently has 606 positive and 29 explicitly negative reactions -- a marked improvement over the original pull request's 4,039 explicitly negative reactions and only 300 positive reactions. We believe that the user community got it right -- Muse Group appears to be taking the community's privacy concerns very seriously indeed, and its actual policies as stated appear to be reasonable.

An anonymous reader quotes a report from Ars Technica: Google has given the boot to nine Android apps downloaded more than 5.8 million times from the company's Play marketplace after researchers said these apps used a sneaky way to steal users' Facebook login credentials. In a bid to win users' trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security firm Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords.

Then, as Dr. Web researchers wrote: "These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login... into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers' C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals. Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans' settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service."

The majority of the downloads were for an app called PIP Photo, which was accessed more than 5.8 million times. The app with the next greatest reach was Processing Photo, with more than 500,000 downloads. The remaining apps were: Rubbish Cleaner: more than 100,000 downloads; Inwell Fitness: more than 100,000 downloads; Horoscope Daily: more than 100,000 downloads; App Lock Keep: more than 50,000 downloads; Lockit Master: more than 5,000 downloads; Horoscope Pi: 1,000 downloads; and App Lock Manager: 10 downloads. A search of Google Play shows that all apps have been removed from Play.

"A malicious Home Depot advertising campaign is redirecting Google search visitors to tech support scams," claims Bleeping Computer.

Slashdot reader nickwinlund77 shares their report: BleepingComputer searched for 'home depot' and was shown the malicious advertisement on our first try. Even worse, the ad is the top spot in the research result, making it more likely to be clicked... [T]he ad clearly states it's for www.homedepot.com, and hovering over it shows the site's legitimate destination URL.

However, when visitors click on the ad, they will be redirected through various ad services until eventually they are redirected to a tech support scam. Ultimately, the visitor will land at a page showing an incredibly annoying "Windows Defender - Security Warning' tech support scam. This scam will repeatedly open the Print dialog box, as shown below, which prevents the visitor from easily closing the page.

To make it more difficult for security professionals to diagnose these ads, it appears that they only redirect to the scam once every 24 hours to the same IP address. Once a tech support scam is shown by clicking on the ad, subsequent clicks bring visitors to the legitimate site.

The Verge writes: Lei Jun, the CEO of Chinese phone maker Xiaomi, has confirmed that its upcoming Mi 11 phone will not come with a charger, citing environmental concerns. While that's a legitimate argument against providing yet another hunk of plastic that resembles all the other chargers people already have, Xiaomi joined other phone makers who poked fun at Apple a few short months ago for not including chargers with the iPhone 12.

Jun made the remarks on Chinese social media site Weibo, saying people have many chargers which creates an environmental burden, and therefore the company was canceling the charger for the Mi 11.

Apple's decision not to include chargers with the iPhone 12 was met with some derision, and competitors like Samsung reminded customers in an ad that charging bricks were "included with your Galaxy." That Galaxy ad has apparently been deleted, however, as rumors continue to build that Samsung won't include a charger with its upcoming Galaxy S21 phones.

Google's cloud-based service platform for developing and hosting web apps "can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products," reports Bleeping Computer, citing a startling discovery by security researcher Marcel Afrahim: A Google App Engine subdomain does not only represent an app, it represents an app's version, the service name, project ID, and region ID fields. But the most important point to note here is, if any of those fields are incorrect, Google App Engine won't show a 404 Not Found page, but instead show the app's "default" page (a concept referred to as soft routing)...

Essentially, this means there are a lot of permutations of subdomains to get to the attacker's malicious app. As long as every subdomain has a valid "project_ID" field, invalid variations of other fields can be used at the attacker's discretion to generate a long list of subdomains, which all lead to the same app... The fact that a single malicious app is now represented by multiple permutations of its subdomains makes it hard for sysadmins and security professionals to block malicious activity.

But further, to a technologically unsavvy user, all of these subdomains would appear to be a "secure site." After all, the appspot.com domain and all its subdomains come with the seal of "Google Trust Services" in their SSL certificates. Even further, most enterprise security solutions such as Symantec WebPulse web filter automatically allow traffic to trusted category sites. And Google's appspot.com domain, due to its reputation and legitimate corporate use cases, earns an "Office/Business Applications" tag, skipping the scrutiny of web proxies.

A reporter for Medium's tech site OneZero recently spotted an especially bizarre ad on Instagram: The ad features a GIF of a person wearing a Fitbit-style wristband, with the text "Eliminate Cravings." Across the frame from their hand sits a giant slice of cake. As the person reaches towards the cake, the wristband turns red and zaps them with electricity. You can tell it's zapping them because the whole frame vibrates, and little lightning bolts shoot out of the wristband, like in an old-school Batman movie. All that's missing is an animated "POW!"

At first, I thought it must be either a joke or a metaphor...

Nope. It turns out the Pavlok is exactly what the ad suggests: a Bluetooth-connected, wearable wristband that uses accelerometers, a connected app, and a "snap circuit" to shock its users with 450 volts of electricity when they do something undesirable. The device costs $149.99 and is available on Amazon. The company says it has over 100,000 customers who use the device to help kill food cravings, quit smoking, and to stop touching their face... I immediately saw two fundamental truths at the exact same time. Firstly, the mere existence of an automated self-flagellation wristband is proof that we've reached Peak Wearables. And second, this is the perfect device for Our Times...

Pavlok's founder says he came up with the idea for the company after paying an assistant to slap him every time he went on Facebook.... Through a Chrome extension, it can also (Doom scrollers rejoice) automatically punish actions like spending too much time on Facebook, Twitter, and other potentially time-wasting websites. It can zap you when you open too many Chrome tabs — a use case I'd love to recommend to several programmer friends... But perhaps the most relevant feature for today's world is the ability to program the device to shock you every time you touch your face. This is something which humans do alarmingly often — up to 16 times per hour. The practice has been implicated in spreading coronavirus, or at least contaminating face masks and leading to wasted PPE...

Pavlok may sound bizarre, but it's just the logical extension of an overall trend toward using tech to tweak and prod our brains into new ways of thinking... Pavlok acts as the metaphorical stick to these apps' carrots, giving you the option to beat your brain into submission instead of just tweaking it.
In 2016 Mark Cuban called Pavlok "everything but a legitimate product" in what was probably one of the least-success Shark Tank appearances ever. But Medium's reporter seems convinced it's the appropriate response to this moment in time. "I only need to look at Twitter to feel that I'm being jolted awake with a powerful electrical shock...

"The real thing feels kind of appropriate."

An anonymous reader quotes a report from Ars Technica: Hackers are abusing Google Analytics so that they can more covertly siphon stolen credit card data out of infected ecommerce sites, researchers reported on Monday. Payment card skimming used to refer solely to the practice of infecting point-of-sale machines in brick-and-mortar stores. The malware would extract credit card numbers and other data. Attackers would then use or sell the stolen information so it could be used in payment card fraud. One challenge in pulling off the hack is bypassing website security policies or concealing the exfiltration of massive amounts of sensitive data from endpoint security applications installed on the infected network. Researchers from Kaspersky Lab on Monday said that they have recently observed about two dozen infected sites that found a novel way to achieve this. Instead of sending it to attacker-controlled servers, the attackers send it to Google Analytics accounts they control. Since the Google service is so widely used, ecommerce site security policies generally fully trust it to receive data.

"Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users," Kaspersky Lab researcher Victoria Vlasova wrote here. "Administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What's more, the attack can be implemented without downloading code from external sources." The researcher added: "To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on analytics.google.com, get the tracking ID (trackingId, a string like this: UA-XXXX-Y), and insert it into the web pages together with the tracking code (a special snippet of code). Several tracking codes can rub shoulders on one site, sending data about visitors to different Analytics accounts." The "UA-XXXX-Y" refers to the tracking ID that Google Analytics uses to tell one account from another. As demonstrated in the following screenshot, showing malicious code on an infected site, the IDs (underlined) can easily blend in with legitimate code.

CAPTCHAs, those puzzles with muffled sounds or blurred or squiggly letters that websites use to filter out bots (often unsuccessfully), have been annoying end users for more than a decade. Now, the challenge-and-response tests are likely to vex targets in malware attacks. From a report: Microsoft recently spotted an attack group distributing a malicious Excel document on a site requiring users to complete a CAPTCHA, most likely in an attempt to thwart automated detection by good guys. The Excel file contains macros that, when enabled, install GraceWire, a trojan that steals sensitive information such as passwords. The attacks are the work of a group Microsoft calls Chimborazo, which company researchers have been tracking since at least January. Previously, Microsoft observed Chimborazo distributing the Excel file in attachments included in phishing messages and later spreading through embedded Web links. In recent weeks, the group has begun sending phishing emails that change things up again. In some cases, the phishes include links that lead to redirector sites (usually legitimate sites that have been compromised). In other cases, the emails have an HTML attachment that contains a malicious iframe tag.

Either way, clicking on the link or attachment leads to a site where targets download the malicious file, but only after completing the CAPTCHA (which is short for completely automated public Turing test to tell computers and humans apart). The purpose: to thwart automated analysis defenders use to detect and block attacks and get attack campaigns shut down. Typically the analysis is performed by what are essentially bots that download malware samples and run and analyze them in virtual machines. Requiring the successful completion of a CAPTCHA means analysis will only happen when a live human being downloads the sample. Without the automation, the chances of the malicious file flying under the radar are much better. Microsoft has dubbed Chimborazo's ongoing attack campaign Dudear.

Google is pressing on with new plans to hide all parts of web addresses except the domain name. Android Police reports: A few new feature flags have appeared in Chrome's Dev and Canary channels (V85), which modify the appearance and behavior of web addresses in the address bar. The main flag is called "Omnibox UI Hide Steady-State URL Path, Query, and Ref" which hides everything in the current web address except the domain name. For example, "https://www.androidpolice.com/2020/06/07/lenovo-ideapad-flex-5-chromebook-review/" is simply displayed as "androidpolice.com." There are two additional flags that modify this behavior. One reveals the full address once you hover over the address bar (instead of having to click it), while the other only hides the address bar once you interact with the page. An issue page on the Chromium Bug tracker has also been created for keeping track of the changes, though there aren't any additional details there.

There's no public explanation yet for why Google is pressing ahead with these changes, but the company has said in the past that it believes showing the full address can make it harder to tell if the current site is legitimate. "Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage," Chromium software engineer Livvie Lin said in a design document earlier this year. Google has since clarified how the experiment will work and what opt-out options will be available.

"We think this is an important problem area to explore because phishing and other forms of social engineering are still rampant on the web," a Chromium developer on the bug tracker for the change said, "and much research shows that browsers' current URL display patterns aren't effective defenses. We're implementing this simplified domain display experiment so that we can conduct qualitative and quantitative research to understand if it helps users identify malicious websites more accurately."

It was also confirmed that Google will keep the opt-out mechanism that is already present -- an 'Always show full URLs' setting that appears when you right-click the address bar. "We plan to support this opt-out option indefinitely," the same developer said.

The site Android Police is calling out new feature flags in Chrome's early-release Dev and Canary channels (V85) "which modify the appearance and behavior of web addresses in the address bar." The main flag is called "Omnibox UI Hide Steady-State URL Path, Query, and Ref" which hides everything in the current web address except the domain name... There are two additional flags that modify this behavior. One reveals the full address once you hover over the address bar (instead of having to click it), while the other only hides the address bar once you interact with the page...

There's no public explanation yet for why Google is pressing ahead with these changes, but the company has said in the past that it believes showing the full address can make it harder to tell if the current site is legitimate. "Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage," Chromium software engineer Livvie Lin said in a design document earlier this year.

However, it's also worth considering that making the web address less important, as this feature does, benefits Google as a company. Google's goal with Accelerated Mobile Pages (AMP) and similar technologies is to keep users on Google-hosted content as much as possible, and Chrome for Android already modifies the address bar on AMP pages to hide that the pages are hosted by Google. Modifying addresses on the desktop is another step towards making them irrelevant, which hurts the decentralized nature of the internet as a whole.

SiliconANGLE reports: [C]ode repository management firm GitLab Inc. decided to phish their own employees to see what would happen. The result was not good: One in five employees fell for the fake emails...

The GitLab team behind the exercise purchased the domain name gitlab.company, then used G Suite to facilitate the delivery of the phishing email. ["Congratulations. Your IT Department has identified you as a candidate for Apple's System Refresh Program..."] The domain name and G Suite services were set up to look legitimate, complete with SSL certificates to make the emails look less suspicious to automated phishing site detection and human inspection.

Fifty GitLab employees were targeted with an email that asked them to click on a link to accept an upgrade. The link took them to the fake gitlab.company website where they were asked to enter their login details. On the positive side, only 17 of the 50 targeted employees clicked on the provided link.

However, 10 of those 17 then attempted to log in on the fake site.
Six of the 50 employees reported the email to GitLab's security operations team, the article notes. "Those who logged in on the fake site were then redirected to the phishing test section of the GitLab Handbook."

America's Supreme Court "is finally considering whether to rein in the nation's sweeping anti-hacking law, which cybersecurity pros say is decades out of date and ill-suited to the modern Internet," according to the Washington Post's cybersecurity writer: The justices agreed to hear a case this fall that argues law enforcement and prosecutors have routinely applied the law too broadly and used it to criminalize not just hacking into websites but also far more innocuous behavior — such as lying about your name or location while signing up on a website or otherwise violating the site's terms of service...

[C]urrent interpretations of the 1986 law, known as the Computer Fraud and Abuse act (CFAA), have made researchers wary of revealing bugs they find because they fear getting in trouble with police or with companies, which can also sue under the law in civil courts. "Computer researchers are constantly afraid that a security test they run is going to run them afoul of the law," Tor Ekeland, an attorney who specializes in defending people accused of violating the CFAA, told me. "This law makes the Internet less safe because it chills legitimate information security research and it's bad for the economy because it chills innovation...."

"This is about whether a statute should be drafted so broadly that everyone is committing crimes all the time and the government gets to choose who to prosecute," Greg Nojeim, senior counsel at the Center for Democracy and Technology, told me... The Justice Department even charged WikiLeaks founder Julian Assange under the law — his crime was allegedly giving advice to one of the site's main leakers Chelsea Manning about how to crack a Defense Department password to gather more information...

One of the best-known CFAA prosecutions was of the Internet activist Aaron Swartz.

A petition with over 350,000 signatures is calling on Pornhub to stop posting non-consensual videos and marketing them as "pornography." Kate Isaacs writes via The Guardian: Pornhub's argument that "extremists" are lobbying to shut them down is ridiculous. I'm non-religious, liberal and sex positive and in no way "anti-porn." I started the #NotYourPorn campaign after a friend had her iCloud account hacked last year. Videos of her and an ex had been stolen from her phone and then uploaded to Pornhub. We have tried to have my friend's videos taken down: we told the company that she was underage, that she didn't consent to being on their website and still it took several weeks to remove it. Unfortunately, by then the damage was already done. When one video had been removed, an identical video with her full name attached would pop back up again. This cycle of reporting the video to Pornhub, delayed removal and subsequent re-uploading continued for months -- until she ended up on Pornhub's top five trending videos in the UK. My friend fell into a state of depression at the knowledge that she had been reduced to a search term, her body packaged up as porn and sold for profit.

Since then I have worked with 50 women who were turned into "porn stars" without their permission -- some of whom were under 18 -- when videos of them were posted on Pornhub without their consent. Before you tell yourself that this would never happen to you (because you wouldn't be so careless as to have a video of yourself like that in the first place) then I'd ask you to consider Catherine's* case. Catherine got in contact with me when she found that her ex had been secretly recording them having sex, and without her knowledge uploading these videos to Pornhub for glory -- and even a cash reward. When Catherine discovered his Pornhub page, she found videos of what appeared to be other unsuspecting victims too, all promoted under "secret recording" categories on the website. Secret recording categories can still be found on Pornhub. "Pornhub hide themselves behind freedom of expression and argue that all sexual fantasies on their site are just that: legitimate fantasies acted out by consenting adults. They have defended the "young teen" and "drunk stolen snapchat" categories as legitimate fantasy protected by freedom of speech," Isaac writes in closing.

"Let me be clear: this isn't about censorship or stifling kinks -- there are plenty of ethical porn companies who have strong systems in place to ensure everyone involved in production is a consenting adult. This is about a huge corporation profiting from non-consensual videos -- and an industry that publishes abusive content with no regulatory body or government holding them to account."