Advertising

Mozilla and Meta (Formerly Facebook) Propose New Privacy-Preserving Ad Technology (mozilla.org) 120

Mozilla engineer Martin Thomson reveals they've been collaborating with Meta (formerly Facebook) on new technology that can measure "conversions" from advertising while still preserving privacy.

The proposed new technology is called Interoperable Private Attribution, or IPA. IPA has two key privacy-preserving features. First, it uses Multi-Party Computation (MPC) to avoid allowing any single entity — websites, browser makers, or advertisers — to learn about user behavior. Mozilla has some experience with MPC systems as we've deployed Prio for privacy-preserving telemetry. Second, it is an aggregated system, which means that it produces results that cannot be linked to individual users. Together these features mean that IPA cannot be used to track or profile users.

IPA is designed to provide a lot of flexibility for advertising businesses in terms of how they use the system. Cross-device and cross-browser attribution options in IPA enable new and more robust attribution capabilities, while maintaining privacy. The IPA proposal aims to ensure that all sites benefit from these features with the match key concept, which allows smaller players to access the greater reach of entities to cross-device attribution.

"Advertising provides critical support for the Web," the blog post argues — and they've now proposed IPA to the World Wide Web Consortium's dedicated Private Advertising Technology Community Group, while calling their idea "still a work in progress."
Windows

Beware Fake Windows 11 Upgrade Installers Bringing RedLine Malware (bleepingcomputer.com) 46

Slashdot reader joshuark writes: Beware: fake Windows 11 upgrades install RedLine malware, reports Bleeping Computer.

"Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware." Bleeping Computer advises, "...these dangerous sites are promoted via forum and social media posts or instant messages, so don't trust anything but the official Windows upgrade system alerts."

Bleeping Computer points out that hardware incompatibilities rule out upgrades for many Windows 10 users from official distribution channels — "something that malware operators see as an excellent opportunity for finding new victims." The timing of the attacks coincides with the moment that Microsoft announced Windows 11's broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation's success. RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.

According to researchers at HP, who have spotted this campaign, the actors used the seemingly legitimate "windows-upgraded.com" domain for the malware distribution part of their campaign. The site appears like a genuine Microsoft site and, if the visitor clicked on the 'Download Now' button, they received a 1.5 MB ZIP archive named "Windows11InstallationAssistant.zip," fetched directly from a Discord CDN...

Although the distribution site is down now, nothing stops the actors from setting up a new domain and restarting their campaign. In fact, this is very likely already happening in the wild.

The Internet

Samsung Held An Event In the Metaverse. And It Didn't Quite Go To Plan (cnbc.com) 62

Samsung held a launch event for its new Galaxy smartphones in a metaverse this week but many people struggled to gain access as they encountered technical difficulties. CNBC reports: The South Korean tech giant hosted the event Wednesday on Decentraland, a cryptocurrency-focused virtual world that users can create, explore and trade in. Decentraland, one of many metaverse efforts, is accessed via a desktop browser. Users create an avatar which they can then navigate around the blockchain-powered virtual world using a mouse and keyboard -- something that isn't exactly intuitive for non-gamers. The event specifically took place in Samsung 837X, a virtual building that Samsung has built on Decentraland that's designed to be a replica of its flagship New York experience center. Samsung 837X is there all the time but there just happened to be an event inside the building's "Connectivity Theatre" on Wednesday. But CNBC, and many others, struggled to find the 837X building and when we did many of us were unable to gain access to it.

When an avatar is first created on Decentraland, it lands in a sort of atrium where clouds appear to be gliding across the floor. There's a round pool in the middle that has a worrying vortex in the center. Our avatar was soon surrounded by around 20 others. A chat box in the bottom left-hand corner of the screen was full of messages like "help" and "I hate this game." One user, named claireinnit#87fa, boldly claimed "we're in the ----in future." On the opposite side of the intimidating pool, three large boards read "classics, events and crowd." An ad for Samsung 837X hung on the "crowd" board. Once clicked (easier said than done), you're then given the option to "jump in." After jumping in, you're transported to Samsung's little world on Decentraland and you can see the 837X building. There's a pizza store next door, but not much else.

CNBC immediately noticed a large line of people at the main entrance to the 837X building. People were struggling to get in. Some users were getting their avatars to jump on other people's heads as they clambered to the front of the queue but it didn't help. The doors wouldn't open and the chatbox was again full of pleas for help. A rumor circulated that a YouTuber had managed to find a way in, while a CNET journalist wrote on Twitter that they had managed to gain access by switching to the "ATHENA" server. It wasn't immediately obvious how to do this. "Many people were unable to actually enter Samsung 837X before the event started," wrote CNET's Russell Holly. [...] After around 30 minutes of trying to access Samsung's building in the metaverse, CNBC gave up and went back to the real world.

Facebook

Six Reasons Meta (Formerly Facebook) is In Trouble (msn.com) 117

Meta's stock plunged 26% Thursday — its biggest one-day drop ever, lowering its market valuation by more than $230 billion. And then on Friday it dropped just a little bit more.

A New York Times technology correspondent offers six reasons Meta is in trouble: User growth has hit a ceiling. The salad days of Facebook's wild user growth are over. Even though the company on Wednesday recorded modest gains in new users across its so-called family of apps — which includes Instagram, Messenger and WhatsApp — its core Facebook social networking app lost about half a million users over the fourth quarter from the previous quarter.

That's the first such decline for the company in its 18-year history, during which time it had practically been defined by its ability to bring in more new users. The dip signaled that the core app may have reached its peak. Meta's quarterly user growth rate was also the slowest it has been in at least three years. Meta's executives have pointed to other growth opportunities, like turning on the money faucet at WhatsApp, the messaging service that has yet to generate substantial revenue. But those efforts are nascent. Investors are likely to next scrutinize whether Meta's other apps, such as Instagram, might begin to hit their top on user growth....

Apple's changes are limiting Meta and Google is stealing online advertising share. Last spring, Apple introduced an "App Tracking Transparency" update to its mobile operating system, essentially giving iPhone owners the choice as to whether they would let apps like Facebook monitor their online activities. Those privacy moves have now hurt Meta's business and are likely to continue doing so...

On Wednesday, David Wehner, Meta's chief financial officer, noted that as Apple's changes have given advertisers less visibility into user behaviors, many have started shifting their ad budgets to other platforms. Namely Google. In Google's earnings call this week, the company reported record sales, particularly in its e-commerce search advertising. That was the very same category that tripped up Meta in the last three months of 2021. Unlike Meta, Google is not heavily dependent on Apple for user data. Mr. Wehner said it was likely that Google had "far more third-party data for measurement and optimization purposes" than Meta's ad platform. Mr. Wehner also pointed to Google's deal with Apple to be the default search engine for Apple's Safari browser. That means Google's search ads tend to appear in more places, taking in more data that can be useful for advertisers. That's a huge problem for Meta in the long term, especially if more advertisers switch to Google search ads.

Meta's other problems include competition from TikTok (and the problems with monetizing "Reels," Meta's own TikTok clone on Instagram), as well as pending antitrust investigations (and the way it hampers future social media acquisitions). But with Meta expected to continue spending more than $10 billion a year on virtual reality, "still the province of niche hobbyists [that] has yet to really break into the mainstream," the article also suggests its final reason for why Meta is in trouble: that "Spending on the metaverse is bonkers."
Mozilla

Mozilla is Shutting Down Its VR Web Browser, Firefox Reality (techcrunch.com) 55

A top VR web browser is closing down. Today, Mozilla announced it's shutting down its Firefox Reality browser -- the four-year-old browser built for use in virtual reality environments. The technology had allowed users to access the web from within their VR headset, doing things like visiting URLs, performing searches, and browsing both the 2D and 3D internet using your VR hand controllers, instead of a mouse. From a report: Firefox Reality first launched in fall 2018 and has been available on Viveport, Oculus, Pico, and Hololens platforms through their various app stores. While capable of surfing the 2D web, the expectation was that users would largely use the new technology to browse and interact with the web's 3D content, like 360-degree panoramic images and videos, 3D models, and WebVR games, for example. But in an announcement published today, Mozilla says the browser will be removed from the stores where it's been available for download in the "coming weeks." Mozilla is instead directing users who still want to utilize a web browser in VR to Igalia's upcoming open-source browser, Wolvic, which is based on Firefox Reality's source code. This browser will be available for download starting next week, so users won't have to go without -- they'll just have to make the switch.
Mozilla

Mozilla Rolls Out New Privacy Features To Its Mobile and Desktop VPN (techcrunch.com) 15

Mozilla is rolling out new updates to its mobile and desktop VPN offerings, the company announced on Tuesday. From a report: With the launch of Mozilla VPN 2.7, the company is bringing one of Firefox's popular add-ons, Multi-Account Containers, to the desktop platform and also introducing a multi-hop feature to the Android and iOS version of the VPN service. Firefox's Multi-Account Containers allow users to separate different parts of their online activities, such as work, shopping and banking. Instead of having to open a new window or different browser to check your work email, you can isolate that activity in a container tab, which prevents other sites from tracking your activity across the web. The company says combining the add-on with Mozilla's VPN adds an extra layer of protection to users' compartmentalized browsing activity and also adds extra protection to their locational information.
Security

Academic Journal Claims It Fingerprints PDFs For 'Ransomware,' Not Surveillance (vice.com) 70

An anonymous reader quotes a report from Motherboard: One of the world's largest publishers of academic papers said it adds a unique fingerprint to every PDF users download in an attempt to prevent ransomware, not to prevent piracy. Elsevier defended the practice after an independent researcher discovered the existence of the unique fingerprints and shared their findings on Twitter last week. "The identifier in the PDF helps to prevent cybersecurity risks to our systems and to those of our customers -- there is no metadata, PII [Personal Identifying Information] or personal data captured by these," an Elsevier spokesperson said in an email to Motherboard. "Fingerprinting in PDFs allows us to identify potential sources of threats so we can inform our customers for them to act upon. This approach is commonly used across the academic publishing industry."

When asked what risks he was referring to, the spokesperson sent a list of links to news articles about ransomware. However, Elsevier has a long history of pursuing people who pirate or share its paywalled academic articles. [...] It's unclear exactly how fingerprinting every PDF downloaded could actually prevent ransomware. Jonny Saunders, a neuroscience PhD candidate at University of Oregon, who discovered the practice, said he believes Elsevier is trying to surveil its users and prevent people from sharing research without paying the company.
"The subtext there is pretty loud to me," Saunders told Motherboard in an online chat. "Those breaches/ransoms are really a pretext for saying 'universities need to lock down accounts so people can't skim PDFs.' When you have stuff that you don't want other people to give away for free, you want some way of finding out who is giving it away, right?"

"Saying that the unique identifiers *themselves* don't contain PII is a semantic dodge: the way identifiers like these work is to be able to match them later with other identifying information stored at the time of download like browser fingerprint, institutional credentials, etc," Saunders added. "Justifying them as a tool to protect against ransomware is a straightforward admission that these codes are intended to identify the downloader: how would they help if not by identifying the compromised account or system?"
Google

Google Kills Off FLoC, Replaces it With Topics (techcrunch.com) 93

FLoC (Federated Learning of Cohorts), Google's controversial project for replacing cookies for interest-based advertising by instead grouping users into groups of users with comparable interests, is dead. In its place, Google today announced a new proposal: Topics. From a report: The idea here is that your browser will learn about your interests as you move around the web. It'll keep data for the last three weeks of your browsing history and as of now, Google is restricting the number of topics to 300, with plans to extend this over time. Google notes that these topics will not include any sensitive categories like gender or race. To figure out your interests, Google categorizes the sites you visit based on one of these 300 topics. For sites that it hasn't categorized before, a lightweight machine learning algorithm in the browser will take over and provide an estimated topic based on the name of the domain.

When you hit upon a site that supports the Topics API for ad purposes, the browser will share three topics you are interested in -- one for each of the three last weeks -- selected randomly from your top five topics of each week. The site can then share this with its advertising partners to decide which ads to show you. Ideally, this would make for a more private method of deciding which ad to show you -- and Google notes that it also provides users with far greater control and transparency than what's currently the standard. Users will be able to review and remove topics from their lists -- and turn off the entire Topics API, too.

Opera

Opera Launches a Dedicated Crypto Browser (engadget.com) 21

Opera has launched its Web3 "Crypto Browser" into beta with features like a built-in crypto wallet, easy access to cryptocurrency/NFT exchanges, support for decentralized apps (dApps) and more. From a report: The aim is to "simplify the Web3 user experience that is often bewildering for mainstream users," Opera EVP Jorgen Arnensen said in a statement. A key feature is the built-in non-custodial wallet that will support blockchains including Ethereum, Bitcoin, Celo and Nervos from the get-go. It also announced partnerships with Polygon and others. The idea is to let you access your crypto without the need for any extensions, with the option of using third-party wallets as well. You can purchase cryptocurrencies via a fiat to crypto on-ramp, swap crypto directly in-wallet, send and receive it and check your wallet balance. It even has a secure clipboard that ensures other apps can't access data when you copy/paste. The other primary function is support for Web3, aka blockchain-based decentralized internet, aka the buzzy new thing among crypto enthusiasts (and skeptics). On top of providing extra security via blockchain encryption, it allows users to access things like GameFi "where you can earn as you play your way through all sorts of metaverses," Opera notes. It also offers a "Crypto Corner" with the latest blockchain news that also "lets you grow your Web3 skills," according to Opera.
IOS

Fortnite Sneaks Back Onto iPhone By Way Of GeForce Now (kotaku.com) 13

It's been 518 days since Apple kicked Fortnite off of the App Store after Epic Games tried to bypass its payment system. Now the popular free-to-play battle royale is once again playable on iPhones, sort of. From a report: Starting next week, Fortnite will be available on iOS by way of streaming, as part of an upcoming closed beta for Nvidia's GeForce Now game streaming program. "Fortnite on GeForce NOW will launch in a limited-time closed beta for mobile, all streamed through the Safari web browser on iOS and the GeForce NOW Android app," Nvidia announced on its blog today. "The beta is open for registration for all GeForce NOW members, and will help test our server capacity, graphics delivery and new touch controls performance."

GeForce Now, subscriptions for which range from free to $200 a year for the premium tier, lets users stream games they already own to PCs, tablets, and smartphones. It's one way to make blockbuster PC games portable, or to play them on rigs with beefier specs than the ones people already have at home. In Fortnite's case, GeForce Now subscribers will soon be able to stream the shooter to iOS devices and play it using touch controls via Apple's Safari. The browser workaround is one way companies like Microsoft have been able to get their game streaming platforms on iPhones despite Apple's ban on allowing them inside its App Store. Now it's bringing back the game that kicked off a massive, messy, year-long legal battle that's still raging to this day.

Firefox

Mozilla Is Going To Track Facebook Tracking You (gizmodo.com) 41

An anonymous reader quotes a report from Gizmodo: Researchers at Mozilla announced this week the launch of its "Facebook Pixel Hunt" study, which seeks to track the company's immense web-wide tracking network and investigate the intel it's collecting on users. As the name suggests, this study is focused on a piece of tracking tech known as the "Facebook pixel." Chances are, you've visited a site that uses it; these tiny pieces of tech are buried in literally millions of sites across the web, from online stores to news outlets to... well, you name it. In exchange for onboarding a free pixel on their site, these sites can then track their own visitors and microtarget ads with the same sort of precision you'd expect from a data-hungry company like Facebook.

In exchange for giving these sites the power to track every pageview, purchase, search query, and much, much more, Facebook (naturally) requires that this data be shared with it, too. In cases where the website visitor has an account on some Facebook platform, this offsite data just gets glommed onto whatever Facebook already knows about that person. If they don't have a Facebook account, then the company collects that data anyway, and uses it to create a "shadow profile" of that particular person. These are the sorts of shadowy practices that Mozilla's team wants to research with this study -- and you can help them do it if you're a Firefox user. Mozilla teamed up with reporters from the Markup to gather details about Facebook tracking using a free-to-download browser extension, Mozilla Rally, that will hoover up data sent out by Facebook's pixels as you browse across the web. Aside from that data, the extension also keeps track of the time spent on different web pages, the URLs that the browser visits, and more. Mozilla was quick to note in its announcement that the only data being exported from the extension will be de-identified, and not shared with any third parties besides the Markup's reporters.

Encryption

NBC: 'You Probably Don't Need to Rely on a VPN Anymore' (nbcnews.com) 166

NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. "Most commercial VPNs are snake oil from a security standpoint," said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. "They don't improve your security at all...."

Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people's internet habits, isn't feasible. It's not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. "Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS," he said in a text message.

There are still valid uses for VPNs. They're an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users' traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they're a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people.

Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers' browsing history to data brokers, or by having poor cybersecurity.

The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. "In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.

"Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation's browser extension no longer necessary for most people."
The Courts

Google's Pichai Ordered To Answer Queries About 'Incognito' Mode (bloomberglaw.com) 42

An anonymous reader quotes a report from Bloomberg Law: Alphabet CEO Sundar Pichai must face questioning in a California federal court lawsuit over privacy concerns surrounding Google's "incognito" web browsing mode. Lawyers for the consumers who sued want to ask Pichai about user misconceptions of their privacy online while using Google's Chrome browser. Pichai is subject to up to two hours of testimony under an order issued Monday in the U.S. District Court for the Northern District of California.

The lawsuit, filed in June 2020, alleges that Google tracks users even when they're browsing in incognito mode. Google disputes the claims, arguing that its privacy disclosures make clear that the private browsing mode doesn't make user activities "invisible" online. In an earlier order, Judge Lucy Koh also allowed consumers to question Google's chief marketing officer, Lorraine Twohill, about incognito's branding as private. Google has tried to toss the claims from consumers, but so far Koh has let them proceed. The company also argued against questioning Pichai, saying lower-level employees responsible for Chrome and the incognito mode are better suited to answering inquiries about private browsing.

Security

More Than 1,200 Phishing Toolkits Capable of Intercepting 2FA Detected in the Wild (therecord.media) 52

A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes. From a report: Also known as MitM (Man-in-the-Middle) phishing toolkits, these tools have become extremely popular in the cybercrime underworld in recent years after major tech companies started making 2FA a default security feature for their users. The direct result was that threat actors who managed to trick a user into entering credentials on a phishing site found that the stolen credentials became useless since they couldn't bypass the 2FA procedure. To counter this new trend in account security protections, since at least 2017, threat actors started adopting new tools that would allow them to bypass 2FA by stealing a user's authentication cookies, which are files created inside a web browser once the user has logged into an account after the 2FA process was completed. In most instances, cybercrime groups have relied on a malware category known as an "infostealer" to steal these authentication cookie files from computers they managed to infect. However, there is another way to steal these files that does not rely on infecting a computer with malware -- namely, by stealing the authentication cookies while they transit the internet from the service provider to a user's computer.
Education

Study Finds 'Serious Security Risks' In K-12 School Apps (therecord.media) 16

An anonymous reader quotes a report from The Record: Many apps used by schools contain features that can lead to the "unregulated and out of control" sharing of student data to advertising companies and other security issues, according to a report published Monday by the nonprofit Me2B Alliance. The report follows up on research published by the group in May, which audited 73 apps used by 38 schools to find that 60% of them were sending student data to a variety of third parties. Roughly half of them were sending student data to Google, while 14% were sending data to Facebook.

In the update, Me2B specifically looked at the use of a common feature called "WebView," which allows developers to integrate web pages into apps. Although the feature allows schools to include dynamic details -- like calendars and results of sporting events -- in apps without having to update the app itself, it can lead to the siphoning of student data and, in particularly bad cases, students and parents being targeted by scams. For example, on several occasions the researchers observed the hijacking of web pages linked to by school apps, leading users to malicious sites. An app used by Maryland's largest school district accidentally directed users to a compromised site that once was used for the district's sports teams. The Quinlan, Texas school district had a sports domain integrated into its app that was purchased by an unknown actor for $30 before anyone took action -- a security threat that's sometimes called a "dangling domain."
Some of the recommendations to mitigate security risks include "training for app administrators, creating processes at schools for keeping track of expiring URLs, requiring schools to report lost or dangling domains within a specific time, and launching a 'privacy bounty program' at the US Department of Education to audit school apps," reports The Record. "But perhaps the fastest way to reduce these risks is to alter the way the apps work."

"Apple and Google can change rules for in-app WebView links to ensure app developers can't overrule a local device browser preference," said Zach Edwards, who is in charge of data integrity testing for the Me2B Alliance.
Firefox

Firefox Fixes Password Leak via Windows Cloud Clipboard Feature (therecord.media) 13

Mozilla has fixed an issue in its Firefox browser where usernames and passwords were being recorded in the Windows Cloud Clipboard feature, in what the organization categorized as a severe security risk that could have exposed credentials to non-owners whenever users copied or cut a password. From a report: The issue was fixed in Firefox 94, released last month, but was detailed in more depth this week by Mozilla developers. At its core, the bug is related to Windows Cloud Clipboard, a feature added to Windows 10 in September 2018 (v1809 release), a feature that allows users to sync their local clipboard history to their Microsoft accounts. The feature is disabled by default, but once enabled, it allows users to access the cloud clipboard section by pressing the Windows+V shortcut. This grants users access to clipboard data from all devices, but the feature is also used for its clipboard history capabilities, allowing users to go through past items they copied or cut and re-paste the same data in new contexts, making it extremely useful for most IT workers. In a blog post on Wednesday, Mozilla said that they have now modified the Firefox browser so that usernames and passwords copied from the browser's password section (about:logins) won't be stored in the Windows Cloud Clipboard feature, but instead will be stored only locally, in a separate clipboard section.
Google

Google Finally Killed Its Internet Explorer Plugin, 'Google Toolbar' (arstechnica.com) 13

Ars Technica's reviews editor remembers how Google Toolbar launched back when Internet Explorer "had a rock-solid monopoly" on December 11, 2000, and marked Google's first foray into browser ownership. "Rather than idly sit by and live under Internet Explorer's rule, Google's plan was to hijack Microsoft's browser with various plugins." Once upon a time, Toolbar.google.com offered to guide any wayward Internet Explorer users across the web with the power of Google.... It also patched up long-neglected Internet Explorer with new features, like highlighted search terms in pages, pop-up blocking, spell check, autofill, and Google Translate. Phase 2 of the hijack plan was Google Gears, which augmented IE with new APIs for web developers. Eventually, Google stopped fixing other companies' browsers and launched Google Chrome in 2008, which would make all of this obsolete.
But it ended as Google finally pulled the plug this week on "a dusty, forgotten server" that had spent nearly 21 years blurting out "Take the best of Google everywhere on the web!" Now, it redirects to a support page saying "Google Toolbar is no longer available for installation. Instead, you can download and install Google Chrome." The good news is that we wrote most of this post at the end of November, so this might be the Internet's very last hands-on of the now-dead product....

To say the app had been neglected is an understatement. The about page read, "Copyright 2014 Google," though Google definitely stopped performing maintenance on Toolbar before that. You could still do a Google Search, and you could still sign into Google Toolbar, but so much there was broken or a time capsule from a bygone era....

The "share" settings were a bloodbath, listing options for Google Reader (killed July 2013), Orkut (killed September 2014), Google+ (killed April 2019), and Google Bookmarks (killed September 2021). There were also search shortcuts for Google Blog Search (killed May 2011) and Picasa Web Albums (dead May 2016)....

The spell-check servers didn't work anymore, and I couldn't translate anything. The baked-in-by-default connections to Google+ and Google Bookmarks would also let you know that those products have been shut down. Even some of the "working" integrations, like Gmail, didn't really work because Gmail no longer supports Internet Explorer....

One feature that really blew my mind was a button that said, "Turn off features that send information." Google Toolbar apparently had a one-click privacy kill switch back in the day.

Windows

Ask Slashdot: What Do You Remember About Windows ME? (computerworld.com) 269

"Windows Me was unstable, unloved and unusable," remembered Computerworld last year, on the 20th anniversary of its release, calling it "a stink bomb of an operating system." Windows Me was a ghastly, slapdash piece of work, incompatible with lots of hardware and software. It frequently failed during the installation process — which should have been the first sign for people that this was an operating system they shouldn't try. Often, when you tried to shut it down, it declined to do so, like a two-year-old throwing a temper tantrum over being forced to go to sleep. It was slow and insecure. Its web browser, Internet Explorer, frequently refused to load web pages.
But they ultimately argue that it wasn't as bad as Windows Vista, which "simply refused to run, or ran so badly it was useless on countless PCs. Not just old PCs, but even newly bought PCs, right out of the box, with Vista installed." And they conclude that the worst Microsoft OS of all is still Windows 8. ("You want bad? You want stupid? You want an operating system that not only was roundly reviled by consumers and businesses alike, but also set Microsoft's business plans back years?")

Slashdot reader alaskana98 even remembers Windows ME semi-fondly as "the last Microsoft OS to use the Windows 95 codebase." While rightly being panned as a buggy and crash-prone OS — indeed it was labelled as the worst version of Windows ever released by Computer World — it did introduce a number of features that continue on to this very day. Those features include:

- A personalized start menu that would show your most recently accessed programs, today a common feature in the Windows landscape.
- Software support for DVD playback. Previously one needed a dedicated card to play back DVDs.
- Windows Movie Maker and Windows Media Player 7, allowing home users to create, edit and burn their own digital home movies. While seemingly pedestrian in today's times, these were groundbreaking features for home users in the year 2000.
- The first iteration of System Restore — imagine a modern version of Windows not having the ability to conveniently restore to a working configuration — before Windows ME, this was simply not a possibility for the average home user unless you had a rigorous backup routine.
- The removal of real-mode DOS. While very controversial at the time, this change arguably improved the speed and reliability of the boot process.

Love it or hate it (well, let's face it, if you were a computer user at that point you probably hated it) — Windows ME did make several important contributions to the modern OS landscape that are often overlooked to this day. Do you have any stories from the heady days of late 2000 when Windows ME was first released?

Slashdot reader Z00L00K remembers in a comment that "The removal of real-mode DOS is what REALLY made ME impossible to use for most of us at the time. It broke backwards compatibility so hard that the only way out was to use any of the earlier versions of Windows instead!"

Is this re-awakening images of the year 2000 for anyone? Share your own memories and thoughts in the comments.

What do you remember about Windows ME?
Chrome

EFF Warns Chrome Users: 'Manifest V3 Is Deceitful and Threatening' (eff.org) 46

In a recent blog post from the Electronic Frontier Foundation, the digital rights group warns that Google Chrome's latest specification for building Chrome extensions, known as Manifest V3, "is outright harmful to privacy efforts." EFF technologist Daly Barnett writes: Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks. [...] It will restrict the capabilities of web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these -- like some privacy-protective tracker blockers -- will have greatly reduced capabilities. Google's efforts to limit that access are concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extensions security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level... since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.

As for Chrome's other justification for Mv3 -- performance -- a 2020 study (PDF) by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance. The development specifications of web browser extensions may seem in the weeds, but the broader implications should matter to all internet citizens: it's another step towards Google defining how we get to live online. Considering that Google has been the world's largest advertising company for years now, these new limitations are paternalistic and downright creepy.

Firefox

Firefox 95 Will Include RLBox Sandboxing for Added Security (neowin.net) 35

Mozilla has announced through its Mozilla Hacks blog that it plans to ship a 'novel sandboxing technology' called RLBox with Firefox 95 which it has been developing alongside researchers from the University of California San Diego and the University of Texas. From a report: It said RLBox makes it easier to isolate subcomponents of the browser efficiently and gives Mozilla more options than traditional sandboxing granted it. Mozilla said this new method of sandboxing, which uses WebAssembly to isolate potentially-buggy code, builds on a prototype that was shipped in Firefox 74 and Firefox 75 to Linux and Mac users respectively. With Firefox 95, RLBox will be deployed on all supported Firefox platforms including desktop and mobile to isolate three different modules: Graphite, Hunspell, and Ogg. With Firefox 96, two more modules, Expat and Woff2, will also be isolated.
