Encryption

Proton Mail Finally Gets a Desktop App For Encrypted Email and Calendar (theverge.com) 21

Amrita Khalid reports via The Verge: Proton has released a desktop version of its Proton Mail app that will give users full access to both Proton Mail and Proton Calendar and (eventually) the ability to view your emails offline. The desktop app is available in beta, is optimized for both Windows and macOS, and encrypts sent emails end-to-end just like with the browser version, according to the Swiss company, while offline access to emails will be available "soon." [...] It's important to note that you'll still need internet access to both send and encrypt your emails on Proton. But the offline feature will let you view and draft emails while traveling, during a power outage, or any other situation where you don't have access to the internet.

Proton is also bringing encrypted auto-forwarding to paid users, both on its desktop and browser versions, though the encryption for forwards will only apply when the forwarded emails go to other Proton users. The company says it has made improvements to Proton Calendar, too, including a fully searchable web version. Not everyone will be able to access Proton's desktop app right away. Proton is restricting access to its paid "Visionary" tier for legacy users at first (though the company is reopening subscriptions to that tier through January 3rd, 2024). The plan is to make the desktop app available to all users in early 2024.

The Internet

The Arc Browser Is Finally Coming To Windows (neowin.net) 53

The Browser Company's Chromium-based Arc browser, which aims to rethink the whole browser UI with a sidebar for tabs and lots of personalization options, is finally coming to Windows. In a post on X, the Browser Company says it's sent out the first Windows beta invites. It's currently only available for iOS and Mac users. Slashdot reader dokjest shares the email they received:

Hey there,

Hursh here, CTO at the Browser Co, with some exciting news! A little while ago, you signed up for a brand new browser, Arc -- one that The Verge called "The Chrome replacement I've been waiting for" and Shopify's CEO named as "the best browser." Well, starting today, we're onboarding our very first beta testers to Arc on Windows. And you're next!

Over the coming weeks, our team will be onboarding hundreds of beta testers to Arc. And come January, we'll be welcoming 1,000s of you from the waitlist every week. If you don't mind a few bugs and some rough edges, sign up as a beta tester and we'll prioritize your invite to Arc! For us, this period leading up to our Windows release is about crafting the very best version of Arc that we can. And that means learning from you -- what you love, what's missing, what doesn't feel quite right. It still feels surreal to say, but it really does all begin today. Follow along for some fun on isarconwindowsyet.com -- And we'll see you very soon!

- Hursh and The Browser Co Crew

P.S. If you have a friend on Windows with one too many tabs, who could use a better browser -- forward this on to them, too!
If you want to get on the beta waitlist, you can sign up here.

Security

Android Vulnerability Exposes Credentials From Mobile Password Managers (techcrunch.com) 22

An anonymous reader quotes a report from TechCrunch: A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed "AutoSpill," can expose users' saved credentials from mobile password managers by circumventing Android's secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week. The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can get "disoriented" about where they should target the user's login information and instead expose their credentials to the underlying app's native fields, they said. This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.

"Let's say you are trying to log into your favorite music app on your mobile device, and you use the option of 'login via Google or Facebook.' The music app will open a Google or Facebook login page inside itself via the WebView," Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday. "When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app." Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: "Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information."

The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability. Gangwal says he alerted Google and the affected password managers to the flaw. Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.

Windows

Samsung Expands In-house Web Browser To Windows (sammobile.com) 39

An anonymous reader shares a report: The biggest benefit Samsung Internet on a desktop operating system will provide is the syncing of browsing data between your phone and PC, the lack of which has prevented many users from using Samsung Internet as their primary browser app on their phones and tablets. Unfortunately, Samsung hasn't yet implemented full-fledged sync support on Samsung Internet for Windows. While you can log in with your Samsung account, only browsing history, bookmarks, saved pages and open tabs can be synced at this time. Password syncing is not available, which hopefully won't remain the case for long.

The first time you run Samsung Internet on Windows, you can import browsing history, bookmarks/favorites, and search engines from other browsers, including Google Chrome and Microsoft Edge. You can also import bookmarks using an HTML file. As for other features, Samsung Internet on Windows has ad blocker support, a secret (incognito) mode, extension support, light and dark mode themes, and a few others. Since Samsung Internet is based on the open-source Chromium project like Chrome and Microsoft Edge, it should support extensions and add-ons that work on those browsers.

Chrome

Google Confirms Its Schedule for Disabling Third-Party Cookies in Chrome - Starting in 2024 (theregister.com) 71

"The abolition of third-party cookies will make it possible to protect privacy-related data such as what sites users visit and what pages they view from advertising companies," notes the Japan-based site Gigazine.

And this month "Google has confirmed that it is on track to start disabling third-party cookies across its Chrome browser in a matter of weeks," writes TechRadar: An internal email published online sees Google software engineer Johann Hofmann share with colleagues the company's plan to switch off third-party cookies for 1% of Chrome users from Q1 2024 — a plan that was shared months ago and that, surprisingly, remains on track, given the considerable pushbacks so far... Hofmann explains that Google is still awaiting a UK Competition and Markets Authority consultation in order to address any final concerns before "Privacy Sandbox" gets the go-ahead.

The Register explores Google's "Privacy Sandbox" idea: Since 2019 — after it became clear that European data protection rules would require rethinking how online ads work — Google has been building a set of ostensibly privacy-preserving ad tech APIs known as the Privacy Sandbox... One element of the sandbox is the Topics API: that allows websites to ask Chrome directly what the user is interested in, based on their browser history, so that targeted ads can be shown. Thus, no need for any tracking cookies set by marketers following you around, though it means Chrome squealing on you unless you tell it not to...

Peter Snyder, VP of privacy engineering at Brave Software, which makes the Brave browser, told The Register in an email that the cookie cutoff and Privacy Sandbox remains problematic as far as Brave is concerned. "Replacing third-party cookies with Privacy Sandbox won't change the fact that Google Chrome has the worst privacy protections of any major browser, and we're very concerned about their upcoming plans," he said. "Google's turtle-paced removal of third-party cookies comes along with a large number of other changes, which when taken together, seriously harm the progress other browsers are making towards a user-first, privacy-protecting Web.

"Recent Google Chrome changes restrict the ability for users to modify, make private, and harden their Web experience (Manifest v3), broadcasting users' interests to websites they visit (Topics), dissolving privacy boundaries on the Web (Related Sites), offloading the battery-draining costs of ad auctions on users (FLEDGE/Protected Audience API), and reducing user control and Web transparency (Signed Exchange/WebBundles)," Snyder explained. "And this is only a small list of examples from a much longer list of harmful changes being shipped in Chrome."

Snyder said Google has characterized the removal of third-party cookies as getting serious about privacy, but he argued the truth is the opposite. "Other browsers have shown that a more private, more user-serving Web is possible," he said. "Google removing third-party cookies should be more accurately understood as the smallest possible change it can make without harming Google's true priority: its own advertising business."

The Register notes that other browser makers such as Apple, Brave, and Mozilla have already begun blocking third-party cookies by default, while Google Chrome and Microsoft Edge "provide that option, just not out of the box."

EFF senior staff technologist Jacob Hoffman-Andrews told The Register that "When Google Chrome finishes the project on some unspecified date in the future, it will be a great day for privacy on the web. According to the announcement, the actual phased rollout is slated to begin in Q3 2024, with no stated deadline to reach 100 percent. Let's hope Google's advertising wing does not excessively delay these critical privacy improvements."

TechRadar points out that after the initial testing period in 2024, Google will begin its phased rollout of the cookie replacement program — starting in June.

Thanks to long-time Slashdot reader AmiMoJo for sharing the news.

YouTube

YouTube Says New 5-Second Video Load Delay Is Supposed to Punish Ad Blockers, Not Firefox Users (404media.co) 212

An anonymous reader shares a report: Firefox users across the internet say that they are encountering an "artificial" five-second load time when they try to watch YouTube videos that exists on Firefox, but not Chrome. Google, meanwhile, told 404 Media that this is all part of its larger effort against ad blockers, and that it doesn't have anything to do with Firefox at all. [...] Mozilla, which makes Firefox, told 404 Media that it does not believe this is a Firefox-specific issue. Enough people have posted about it, however, that it is clearly happening for some users and not others.

In a statement to 404 Media, Google did not provide specifics but also did not deny implementing an artificial wait time. "To support a diverse ecosystem of creators globally and allow billions to access their favorite content on YouTube, we've launched an effort to urge viewers with ad blockers enabled to allow ads on YouTube or try YouTube Premium for an ad free experience," the spokesperson said. "Users who have ad blockers installed may experience suboptimal viewing, regardless of the browser they are using."

Firefox

Firefox 120 Ready With Global Privacy Control, WebAssembly GC On By Default (phoronix.com) 32

Firefox 120 will be available tomorrow, bringing support for the Global Privacy Control "Sec-GPC" request header to indicate whether a user consents to a website or service selling or sharing their personal information with third parties. It's also enabling the WebAssembly GC extension by default, opening up new languages like Dart and Kotlin to run in the browser. Phoronix's Michael Larabel highlights some of the other features included in this release:
- Ubuntu Linux users now have the ability to import data from Chromium when both are installed as Snap packages.
- Picture-in-Picture mode now supports corner snapping on Windows and Linux.
- Support for the light-dark() CSS color function that allows setting of colors for both light and dark without needing to use the prefers-color-scheme media feature. This allows conveniently specifying the preferred light color theme value followed by the dark color theme value.
- CSS support for the lh and rlh line height units.

Chrome

Old Manifest V2 Chrome Extensions Will Be Disabled In 2024 (9to5google.com) 39

An anonymous reader quotes a report from 9to5Google: With Manifest V3, Google wants to make extensions safer by prioritizing privacy, but was initially criticized for the impact to ad blockers. The Chrome team has since added new features in response and is ready to disable old Manifest V2 extensions in 2024. Google will begin automatically disabling Manifest V2 extensions in Chrome Dev, Canary, and Beta as early as June 2024 (Chrome 127+). Similarly, Chrome Web Store installs will no longer be possible. Developers are encouraged to update and migrate before then.

This will gradually roll out, with Google taking into account user feedback and data to "make sure Chrome users understand the change and what actions they can take to find alternative, up-to-date extensions." [Google said in a statement:] "We expect it will take at least a month to observe and stabilize the changes in pre-stable before expanding the rollout to stable channel Chrome, where it will also gradually roll out over time. The exact timing may vary depending on the data collected, and during this time, we will keep you informed about our progress." This was originally scheduled to take place in 2023, but Google spent this year closing the functionality gap between Manifest V2 and V3 [...].

AI

Fakespot Chat, Mozilla's First LLM, Lets Online Shoppers Research Products Via an AI Chatbot (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: Earlier this year, Mozilla acquired Fakespot, a startup that leverages AI and machine learning to identify fake and deceptive product reviews. Now, Mozilla is launching its first LLM (large language model) with the arrival of Fakespot Chat, an AI agent that will help consumers as they shop online by answering questions about the product or even suggesting questions that could be useful in your product research. [...] Fakespot has been using AI, including generative AI technologies, to make the online shopping process more trustworthy, not less. For instance, it launched a generative AI feature called Pros and Cons last year, that could replace the need for reading reviews by writing up its own summaries of a product's positives and negatives. The feature was trained on billions of data points, with the model itself using five different models under its hood, the company said.

This week, Fakespot Chat launched into testing, allowing shoppers to ask an AI chatbot about a product they're considering, similar to how you could ask a salesperson for help if you were shopping in a physical store in the real world. The technology uses AI and machine learning to sort through the product reviews, sorting real from fake, to answer the user's questions. The information from your chat session is saved to improve the experience for others, Mozilla notes, but users don't have to create an account or divulge personal information for the experience to work. The feature is available via the Fakespot Analyzer or it can be used on an Amazon.com product from Fakespot's browser extension. For the former, you'd copy and paste the URL of the product into the analyzer to ask your questions, but if using the browser add-on, the analysis starts automatically. When the analysis is complete, Fakespot Chat appears on the right-hand side of the analysis page alongside other features, like Pros and Cons, as well as Fakespot's Review Grades and Highlights. You can then interrogate the AI agent about the product as you weigh your purchase decisions.

Privacy

Brave Responds To Bing and ChatGPT With a New 'Anonymous and Secure' AI Chatbot (theverge.com) 11

The Brave browser is rolling out a privacy-focused AI assistant named Leo, which the company claims provides "unparalleled privacy" compared to AI chatbot services like Bing Chat, ChatGPT, Google Bard and others. The Verge reports: Following several months of testing, Leo is now available to use for free by all Brave desktop users running version 1.60 of the web browser. Leo is rolling out "in phases over the next few days" and will be available on Android and iOS "in the coming months."

The core features of Leo aren't too dissimilar from other AI chatbots like Bing Chat and Google Bard: it can translate, answer questions, summarize webpages, and generate new content. Brave says the benefits of Leo over those offerings are that it aligns with the company's focus on privacy -- conversations with the chatbot are not recorded or used to train AI models, and no login information is required to use it. As with other AI chatbots, however, Brave claims Leo's outputs should be "treated with care for potential inaccuracies or errors."

The standard version of Leo utilizes Meta's Llama 2 large language model and is free to use by default. For users who prefer to access a different AI language model, Brave is also introducing Leo Premium, a $15 monthly subscription that features Anthropic's AI assistant, Claude Instant -- a faster and cheaper version of Anthropic's Claude 2 large language model. Brave says that additional models will be available to Leo Premium users alongside access to higher-quality conversations, priority queuing during peak usage, higher rate limits, and early access to new features.

Mozilla

Mozilla's 'Failed' Bet on Yahoo Takes Spotlight in Google Trial (bloomberg.com) 15

Mozilla Foundation's decision to switch the search engine built into its Firefox browser to Yahoo from Google was a "failed" bet that degraded the user experience, the company's chief executive said. From a report: Chief Executive Officer Mitchell Baker said Mozilla decided to switch to Yahoo's technology in 2014 after CEO Marissa Mayer took over and promised "to make a big bet on us."

"That bet failed," Baker said in a videotaped interview from 2022 played Wednesday in Google's defense during the Justice Department's antitrust trial. "The search experience that Yahoo was providing to Firefox users deteriorated." The Mozilla example -- the only situation in which a browser has switched the default search engine provider -- has been cited by both Google and the Justice Department to support their arguments in the case. [...] Yahoo agreed to pay Mozilla a minimum of $375 million -- more than the $276 million a year that Google was offering, Baker said. It also agreed to reduce the number of ads and offer less user tracking than Google, but over time Yahoo reneged on that and began showing more advertising, she added.

Google

Google CEO Tells Court Search Dominance Is Result of 'Fierce Competition' (wsj.com) 65

Google Chief Executive Sundar Pichai took the stand Monday in the tech giant's antitrust trial, a pivotal moment in a case that could result in major changes to the company's search engine. From a report: Pichai described Google's search dominance as the result of its innovation and early investment in its Chrome browser. "We realized early on that browsers are critical to how people are able to navigate and use the web," Pichai said during questioning by Google lawyer John Schmidtlein.

"It became very clear early on that if you make the user's experience better, they would use the web more, they would enjoy using the web more, and they would search more in Google as well," Pichai said. [...] The nonjury trial is being heard by U.S. District Judge Amit Mehta, who could ultimately order a breakup or other changes to Google's business practices. Schmidtlein, Google's lead counsel, questioned Pichai about the deal at the heart of the case: the search giant's contract with Apple that makes it the default search engine on Apple's Safari web browser. The Apple deal "makes it very, very seamless and easy for users to use our services," Pichai said. "We know that making it the default will lead to increased usage of our products and services, particularly Google search in this case. So there is clear value in that and that's what we were looking for."

Google

Inside Google's Plan To Stop Apple From Getting Serious About Search (nytimes.com) 22

Google has worried for years that Apple would one day expand its internet search technology, and has been working on ways to prevent that from happening. From a report: For years, Google watched with increasing concern as Apple improved its search technology, not knowing whether its longtime partner and sometimes competitor would eventually build its own search engine. Those fears ratcheted up in 2021, when Google paid Apple around $18 billion to keep Google's search engine the default selection on iPhones, according to two people with knowledge of the partnership, who were not authorized to discuss it publicly. The same year, Apple's iPhone search tool, Spotlight, began showing users richer web results like those they could have found on Google.

Google quietly planned to put a lid on Apple's search ambitions. The company looked for ways to undercut Spotlight by producing its own version for iPhones and to persuade more iPhone users to use Google's Chrome web browser instead of Apple's Safari browser, according to internal Google documents reviewed by The New York Times. At the same time, Google studied how to pry open Apple's control of the iPhone by leveraging a new European law intended to help small companies compete with Big Tech. Google's anti-Apple plan illustrated the importance that its executives placed on maintaining dominance in the search business. It also provides insight into the company's complex relationship with Apple, a competitor in consumer gadgets and software that has been an instrumental partner in Google's mobile ads business for more than a decade.

Google

Google Chrome's New 'IP Protection' Will Hide Users' IP Addresses (bleepingcomputer.com) 131

Google is getting ready to test a new "IP Protection" feature for the Chrome browser that enhances users' privacy by masking their IP addresses using proxy servers. From a report: Recognizing the potential misuse of IP addresses for covert tracking, Google seeks to strike a balance between ensuring users' privacy and the essential functionalities of the web. IP addresses allow websites and online services to track activities across websites, thereby facilitating the creation of persistent user profiles. This poses significant privacy concerns as, unlike third-party cookies, users currently lack a direct way to evade such covert tracking.

While IP addresses are potential vectors for tracking, they are also indispensable for critical web functionalities like routing traffic, fraud prevention, and other vital network tasks. The "IP Protection" solution addresses this dual role by routing third-party traffic from specific domains through proxies, making users' IP addresses invisible to those domains. As the ecosystem evolves, so will IP Protection, adapting to continue safeguarding users from cross-site tracking and adding additional domains to the proxied traffic. "Chrome is reintroducing a proposal to protect users against cross-site tracking via IP addresses. This proposal is a privacy proxy that anonymizes IP addresses for qualifying traffic as described above," reads a description of the IP Protection feature. Initially, IP Protection will be an opt-in feature, ensuring users have control over their privacy and letting Google monitor behavior trends.

Security

Hackers Stole Access Tokens From Okta's Support Unit (krebsonsecurity.com) 26

An anonymous reader quotes a report from Krebs on Security: Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a "very small number" of customers, however it appears the hackers responsible had access to Okta's support platform for at least two weeks before the company fully contained the intrusion. In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it "has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases."

Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because in this case they include the customer's cookies and session tokens, which intruders can then use to impersonate valid users. "Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens," their notice continued. "In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it."

Okta has published a blog post about this incident that includes some "indicators of compromise" that customers can use to see if they were affected. But the company stressed that "all customers who were impacted by this have been notified. If you're an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets."

The security firm BeyondTrust is among the Okta customers who were involved in the breach. "BeyondTrust Chief Technology Officer Marc Maiffret said that [Okta's] alert came more than two weeks after his company alerted Okta to a potential problem," reports Krebs. They have also published a blog post detailing their findings.
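
The recommendation quoted above, to sanitize credentials and cookies/session tokens in a HAR file before sharing it, can be sketched as follows. This is an added example, not code from Okta, Krebs or the original story; the sensitive-name pattern, the `REDACTED` marker and the sample HAR are assumptions constructed for illustration.

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Headers whose values carry credentials (assumed list; extend per application).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Parameter / JSON field names treated as secrets (assumed pattern).
SENSITIVE_NAME = re.compile(r"token|secret|passw|session|api[_-]?key|auth|^sid$|^code$", re.I)


def _scrub_pairs(pairs, always=False):
    """Redact 'value' in a HAR name/value list (headers, cookies, params) in place."""
    for pair in pairs or []:
        name = pair.get("name", "")
        if always or name.lower() in SENSITIVE_HEADERS or SENSITIVE_NAME.search(name):
            pair["value"] = REDACTED
        elif name.lower() == "location":  # redirect targets can carry tokens
            pair["value"] = _scrub_url(pair.get("value", ""))


def _scrub_url(url):
    """Redact sensitive query parameters and drop the fragment."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_NAME.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))


def _scrub_json(node):
    """Recursively redact values stored under sensitive keys."""
    if isinstance(node, dict):
        return {k: REDACTED if SENSITIVE_NAME.search(k) else _scrub_json(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [_scrub_json(v) for v in node]
    return node


def _scrub_body(holder):
    """Redact a postData/content 'text'; bodies that are not JSON are dropped whole."""
    text = holder.get("text")
    if not text:
        return
    try:
        holder["text"] = json.dumps(_scrub_json(json.loads(text)))
    except ValueError:
        holder["text"] = REDACTED
        holder.pop("encoding", None)  # the placeholder is no longer base64


def sanitize_har(har):
    """Return a deep copy of a parsed HAR with credentials and tokens redacted."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        _scrub_pairs(req.get("headers"))
        _scrub_pairs(req.get("queryString"))
        _scrub_pairs(req.get("cookies"), always=True)
        post = req.get("postData")
        if post:
            _scrub_pairs(post.get("params"))
            _scrub_body(post)
        _scrub_pairs(resp.get("headers"))
        _scrub_pairs(resp.get("cookies"), always=True)
        if resp.get("redirectURL"):
            resp["redirectURL"] = _scrub_url(resp["redirectURL"])
        _scrub_body(resp.get("content", {}))
    return clean


def residual_secrets(har, known_values):
    """Final check before sharing: which known secret strings still appear?"""
    blob = json.dumps(har)
    return [v for v in known_values if v in blob]


# Constructed sample HAR (one entry); every token below is made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://app.example.test/api/v1/items?page=2&access_token=tok-111",
        "headers": [{"name": "Cookie", "value": "sid=sess-222"},
                    {"name": "Authorization", "value": "Bearer tok-111"},
                    {"name": "Accept", "value": "application/json"}],
        "queryString": [{"name": "page", "value": "2"},
                        {"name": "access_token", "value": "tok-111"}],
        "cookies": [{"name": "sid", "value": "sess-222"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"name": "widget", "csrf_token": "csrf-333"}'},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=sess-444; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "sess-444"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id": 7, "refresh_token": "tok-555"}'},
    },
}]}}

if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

Redaction only protects the copy that is shared; tokens captured in a HAR that has already left the machine still need to be revoked, as the Okta notice describes.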
Cloud

Deta's Space OS Aims To Build the First 'Personal Cloud Computer' (theverge.com) 38

An anonymous reader quotes a report from The Verge: Here's how your computer should work, according to Mustafa Abdelhai, the co-founder and CEO of a startup called Deta. Instead of a big empty screen full of icons, your desktop should be an infinite canvas on which you can take notes or watch movies or run full apps just by drawing a rectangle on the screen. Instead of logging in to a bunch of cloud services over which you ultimately have no control, you should be able to download software like PC users did 20 years ago, and the stuff you download should be completely yours. All your apps should talk to each other, so you can move data between them or even use multiple apps' features simultaneously. You should be able to use AI to accomplish almost anything. And it should all happen in a browser tab.

For the last couple of years, the Berlin-based Deta has been building what it calls "the personal cloud computer." The product Deta is launching today is called Space OS, and the way Abdelhai explains it, it's the first step in putting the personal back in the personal computer. "Personal computing took a dive at the turn of the century," he says, "when cloud computing became the big thing. We all moved to the cloud, moved our data, and we don't own it anymore. It's just somebody else's computer." Deta wants to give it back. [...]

Deta's idea is both a very new one and a very old one. It harkens back to the early days of computers when you bought software in a box at a store and installed it on your computer. The cloud era, of course, made computing vastly easier and more powerful but also systematically ate away at the idea that you could control anything on your devices. It's an interesting thought experiment, actually: if every cloud service shut down tomorrow, what would be left on your phone or your laptop? Odds are, not much. Deta's trying to undo that a bit, to embrace the cloud and the expansive universe of apps while giving you back the feeling that your computer -- and everything on it -- is yours and no one else's. Because your computer should be yours -- even if it's on somebody's server.

Linux

Linux Interoperability Is Maturing Fast Thanks To a Games Console (theregister.com) 41

Liam Proven writes via The Register: Steam OS is the Arch-based distro for a handheld Linux games console, and Valve is aggressively pushing Linux's usability and Windows interoperability for the device. Two unusual companies, Valve Software and Igalia, are working together to improve the Linux-based OS of the Steam Deck handheld games console. The device runs a Linux distro called Steam OS 3.0, but this is a totally different distro from the original Steam OS it announced a decade ago. Steam OS 1 and 2 were based on Debian, but Steam OS 3 is based on Arch Linux, as Igalia developer Alberto Garcia described in a talk entitled How SteamOS is contributing to the Linux ecosystem.

He explained that although Steam OS is built from some fairly standard components -- the normal filesystem hierarchy, GNU user space, systemd and dbus -- Steam OS has quite a few unique features. It has two distinct user interfaces: by default, it starts with the Steam games launcher, but users can also choose an option called Switch to Desktop, which results in a regular KDE Plasma desktop, with the ability to install anything: a web browser, normal Linux tools, and non-Steam games.

Obviously, though, Steam OS's raison d'etre is to run Steam games, and most of those are Windows games which will never get native Linux versions. Valve's solution is Proton, an open-source tool to run Windows games on Linux. It's formed from a collection of different FOSS packages, notably: [Wine, DXVK, VKD3D-Proton, and GStreamer]. The result is a remarkable degree of compatibility for some of the most demanding Windows apps around [...].
You can view Garcia's 49-page presentation here (PDF).

Windows

Windows 11's New 'Never Combine' Icons Feature Is Almost Unusable (bleepingcomputer.com) 121

Lawrence Abrams writes via BleepingComputer: After almost three years, Microsoft has finally added the 'Never combine taskbar button' back to Windows, and it still doesn't work correctly. The combine taskbar items feature in Windows 10 allows you to show an icon for every open application in Windows, even if they are multiple instances of the same application. For example, if you have ten instances of Notepad or a few browser windows open, the feature will allow you to see an icon on the taskbar for each open Windows rather than combining it into a single application icon.

For me and many others, removing this feature made it impossible to upgrade to Windows 11, as switching between the myriad open windows became a nightmare. This frustration is reflected in the Windows 11 Feedback Hub, where a suggestion to never combine app icons and show labels has received 17,527 upvotes, making it the 10th most requested feature. Today, those users who have been holding off on upgrading to Windows 11 because of this missing feature "may" finally be able to do so. This is because Microsoft finally released the "never combine" feature as part of its Windows 11 22H2 Moment 4 update released today.

However, even with this feature added, it is still subpar to Windows 10, as, unlike the previous version of Windows, it continues to show the windows titles next to the icon, taking up a lot of space. It's baffling that Microsoft can't get this feature right after three years with it being one of the most highly requested features. A simple toggle to disable the showing of Windows titles could have been added, or Microsoft could have replicated the Windows 10 feature many of us requested.

Security

GPUs From All Major Suppliers Are Vulnerable To New Pixel-Stealing Attack (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper (PDF) published Tuesday. The cross-origin attack allows a malicious website from one domain -- say, example.com -- to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains. [...]

GPU.zip works only when the malicious attacker website is loaded into Chrome or Edge. The reason: For the attack to work, the browser must:

1. allow cross-origin iframes to be loaded with cookies
2. allow rendering SVG filters on iframes and
3. delegate rendering tasks to the GPU

For now, GPU.zip is more of a curiosity than a real threat, but that assumes that Web developers properly restrict sensitive pages from being embedded by cross-origin websites. End users who want to check if a page has such restrictions in place should look for the X-Frame-Options or Content-Security-Policy headers in the source.
"This is impactful research on how hardware works," a Google representative said in a statement. "Widely adopted headers can prevent sites from being embedded, which prevents this attack, and sites using the default SameSite=Lax cookie behavior receive significant mitigation against personalized data being leaked. These protections, along with the difficulty and time required to exploit this behavior, significantly mitigate the threat to everyday users. We are in communication and are actively engaging with the reporting researchers. We are always looking to further improve protections for Chrome users."

An Intel representative, meanwhile, said that the chipmaker has "assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third-party software." A Qualcomm representative said "the issue isn't in our threat model as it more directly affects the browser and can be resolved by the browser application if warranted, so no changes are currently planned." Apple, Nvidia, AMD, and ARM didn't comment on the findings.

An informational write-up of the findings can be found here.
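
The header check described above, as an added example that is not part of the quoted report or the researchers' work: it classifies a response's framing policy from `Content-Security-Policy` (`frame-ancestors`) and `X-Frame-Options`, and lists cookies that opt out of the SameSite=Lax default. The function names and sample headers are constructed for illustration, and the ranking of multiple policies is a simplification.

```python
# Added example: audit response headers for the framing and cookie
# protections named above. All sample header values are constructed.
RANK = {"unrestricted": 0, "allow-list": 1, "same-origin": 2, "blocked": 3}

def frame_ancestors(csp):
    """Return the frame-ancestors source list of one CSP value, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def audit(headers):
    """headers: list of (name, value) pairs. Returns (framing, cookies) where
    framing is 'blocked', 'same-origin', 'allow-list' or 'unrestricted' and
    cookies names those set with SameSite=None."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    framing = None
    for csp in by_name.get("content-security-policy", []):
        sources = frame_ancestors(csp)
        if sources is None:
            continue
        if not sources or sources == ["'none'"]:   # empty list matches nothing
            level = "blocked"
        elif sources == ["'self'"]:
            level = "same-origin"
        elif any(s in ("*", "https:", "http:") for s in sources):
            level = "unrestricted"
        else:
            level = "allow-list"
        # Every enforced policy must permit the embedder: keep the strictest.
        if framing is None or RANK[level] > RANK[framing]:
            framing = level
    if framing is None:
        # X-Frame-Options counts only when no frame-ancestors directive exists.
        # ALLOW-FROM and unknown values are treated as no protection here.
        xfo = [v.upper() for v in by_name.get("x-frame-options", [])]
        framing = {"DENY": "blocked", "SAMEORIGIN": "same-origin"}.get(
            xfo[0] if len(xfo) == 1 else "", "unrestricted")
    cookies = []
    for cookie in by_name.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        if "samesite=none" in attrs[1:]:
            cookies.append(cookie.split("=", 1)[0].strip())
    return framing, cookies

HARDENED = [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
            ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax")]
WEAK = [("X-Frame-Options", "ALLOW-FROM https://partner.example"),
        ("Set-Cookie", "sid=xyz789; Secure; SameSite=None")]
```

A result of `unrestricted` together with a non-empty cookie list marks a page that can be embedded cross-origin while still rendering logged-in content, which is the combination the three browser conditions above depend on.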
The Courts

Textbook Publishers Sue Shadow Library LibGen For Copyright Infringement (theregister.com) 30

A group of publishers in the U.S. have filed a lawsuit against the "notorious" online database Library Genesis (Libgen), a website known for providing free access to scientific papers and books. The lawsuit accuses Libgen of facilitating the unauthorized distribution of copyrighted academic materials. The Register reports: The suit, filed in a New York federal court [PDF], asks for a legal order "requiring the transfer of the Libgen domain names to plaintiffs or, at plaintiffs' election, canceling or deleting the Libgen domain names," with the idea of frustrating visitors -- mostly students -- believed to number in their millions. The filing said that according to similarweb.com, the sites collectively were visited by 9 million people from the U.S. each month from March to May 2023. The suit alleges that several of the Libgen websites solicit "donations" from users. "These solicitations are in English and seek payments only in Bitcoin or [Monero]." It adds: "one Libgen Site reports that it has raised $182,540 from donations since January 1, 2023."

The publishers also claim the people who run LibGen -- named in the suit as Does 1-50 and whom it says "are believed to reside outside of the United States at unknown foreign locations" -- derive "revenue from interstate or international commerce, including through advertisements." It goes on to add: "Defendants compete directly with Plaintiffs by distributing infringing copies of their works for free, displacing legitimate sales. When a consumer obtains Plaintiffs' works from the Libgen Sites instead of through legitimate channels, no remuneration is provided to Plaintiffs or their authors for the substantial investments they have made to create and publish the works."

The textbook publishers claim that "through social media and from their peers, students are bombarded with messages to use the Libgen Sites instead of paying for legal copies of textbooks" -- thus depriving the publishers and the authors they represent of their income. The suit also asks for damages without detailing an amount, although it asks for "an accounting and disgorgement of Defendants' profits, gains, and advantages realized from their unlawful conduct." The complaint claims the ads are in English and for various "U.S. products, such as browser extensions and online games". The suit adds that some "also appear to be phishing attempts, which can result in users downloading a virus or other malicious program onto their computers."

The lawsuit also calls out Google and "other intermediaries," U.S. companies it claims help LibGen "conduct their unlawful operations" -- "NameCheap for domain registration services, Cloudflare for proxy services, and Google for search engine services." It goes on to include a screenshot of Google's "knowledge panel," which it says "describes Libgen as a site [that] enables free access to content that is otherwise paywalled or not digitized elsewhere."
