Bug

Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks (bleepingcomputer.com) 90

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

Android

Google's Not-so-secret New OS (techspecs.blog) 129

According to reports late last year, Google is working on a new operating system called Andromeda. Much about it is still unknown, but according to the documentation Google has provided on its website, it's clear that Fuchsia is the actual name of the operating system, and the kernel is called Magenta. A tech enthusiast dug through the documentation to share the following: To my naive eyes, rather than saying Chrome OS is being merged into Android, it looks more like Android and Chrome OS are both being merged into Fuchsia. It's worth noting that these operating systems had previously already begun to merge together to an extent, such as when the Android team worked with the Chrome OS team in order to bring Update Engine to Nougat, which introduced A/B updates to the platform. Google is unsurprisingly bringing up Andromeda on a number of platforms, including the humble Intel NUC. ARM, x86, and MIPS bring-up is exactly what you would expect for an Android successor, and it also seems clear that this platform will run on Intel laptops. My best guess is that Android as an API and runtime will live on as a legacy environment within Andromeda. That's not to say that all development of Android would immediately stop, which seems extremely unlikely. But Google can't push two UI APIs as equal app frameworks over the long term: Mojo is clearly the future. Ah, but what is Mojo? Well it's the new API for writing Andromeda apps, and it comes from Chromium. Mojo was originally created to "extract a common platform out of Chrome's renderer and plugin processes that can support multiple types of sandboxed content."
Chrome

Chrome's Sandbox Feature Infringes On Three Patents So Google Must Now Pay $20 Million (bleepingcomputer.com) 104

An anonymous reader writes: After five years of litigation at various levels of the U.S. legal system, today, following the conclusion of a jury trial, Google was ordered to pay $20 million to two developers after a jury ruled that Google had infringed on three patents when it designed Chrome's sandboxing feature. Litigation had been going on since 2012, with Google winning the original verdict, but then losing the appeal. After the Supreme Court refused to listen to Google's petition, they sent the case back for a retrial in the U.S. District Court in Eastern Texas, the home of all patent trolls. As expected, Google lost the case and must now pay $20 million in damages, in the form of rolling royalties, which means the company stands to pay more money as Chrome becomes more popular in the future.
Open Source

LinuxQuestions Users Choose Their Favorite Distro: Slackware (zdnet.com) 145

ZDNet summarizes some of the surprises in this year's poll on LinuxQuestions, "one of the largest Linux groups with 550,000 members". An anonymous reader quotes their report: The winner for the most popular desktop distribution? Slackware...! Yes, one of the oldest of Linux distributions won with just over 16% of the vote. If that sounds a little odd, it is. On DistroWatch, a site that covers Linux distributions like paint, the top Linux desktop distros are Mint, Debian, Ubuntu, openSUSE, and Manjaro. Slackware comes in 28th place... With more than double the votes for any category, it appears there was vote-stuffing by Slackware fans... The mobile operating system race was a runaway for Android, with over 68% of the vote. Second place went to CyanogenMod, an Android clone, which recently went out of business...

Linux users love to debate about desktop environments. KDE Plasma Desktop took first by a hair's breadth over the popular lightweight Xfce desktop. Other well-regarded desktop environments, such as Cinnamon and MATE, got surprisingly few votes. The once popular GNOME still hasn't recovered from the blowback from its disliked design change from GNOME 2 to GNOME 3.

Firefox may struggle as a web browser in the larger world, but on Linux it's still popular. Firefox took first place with 51.7 percent of the vote. Chrome came in a distant second place, with the rest of the vote being divided between a multitude of obscure browsers.

LibreOffice won a whopping 89.6% of the vote for "best office suite" -- and Vim beat Emacs.
Chrome

Most of the Web Really Sucks If You Have a Slow Connection (danluu.com) 325

Dan Luu, hardware/software engineer at Microsoft, writes in a blog post: While it's easy to blame page authors because there's a lot of low-hanging fruit on the page side, there's just as much low-hanging fruit on the browser side. Why does my browser open up 6 TCP connections to try to download six images at once when I'm on a slow satellite connection? That just guarantees that all six images will time out! I can sometimes get some images to load by refreshing the page a few times (and waiting ten minutes each time), but why shouldn't the browser handle retries for me? If you think about it for a few minutes, there are a lot of optimizations that browsers could do for people on slow connections, but because they don't, the best current solution for users appears to be: use w3m when you can, and then switch to a browser with ad-blocking when that doesn't work. But why should users have to use two entirely different programs, one of which has a text-based interface only computer nerds will find palatable?
Communications

Linux Kernel 3.18 Reaches End of Life (softpedia.com) 101

prisoninmate quotes a report from Softpedia: Linux kernel 3.18.48 LTS is here and it's the last in the series, which was marked for a January 2017 extinction since mid-April last year. According to the appended shortlog, the new patch changes a total of 50 files, with 159 insertions and 351 deletions. It brings an updated networking stack with Bluetooth, Bridge, IPv4, IPv6, CAIF, and Netfilter improvements, a couple of x86 fixes, and a bunch of updated USB, SCSI, ATA, media, GPU, ATM, HID, MTD, SPI, and networking (Ethernet and Wireless) drivers. Of course, this being the last maintenance update in the series, you are urged to move to a newer LTS branch, such as Linux kernel 4.9 or 4.4, which are far more secure and efficient than Linux 3.18 was. But Linux 3.18 appears to be used by Google and other vendors on a bunch of Android-powered devices, and even some Chromebooks use Linux kernel 3.18 on Chrome OS, so here's what the kernel developer suggests you do if you can't upgrade. "If you are _stuck_ on 3.18 (/me eyes his new phone), well, I might have a plan for you, that first involves you yelling very loudly at your hardware vendor and refusing to buy from them again unless they cut this crap out. After you properly vent to them, drop me an email and let's see what we can come up with, you aren't in this sinking ship alone, and it's obvious your vendor isn't going to help out," said Greg Kroah-Hartman in the mailing list announcement.
Privacy

72% of 'Anonymous' Browsing History Can Be Attached To the Real User (thestack.com) 67

An anonymous reader quotes a report from The Stack: Researchers at Stanford and Princeton have succeeded in identifying 70% of web users by comparing their web-browsing history to publicly available information on social networks. The study "De-anonymizing Web Browsing Data with Social Networks" [PDF] found that it was possible to reattach identities to 374 sets of apparently anonymous browsing histories simply by following the connections between links shared on Twitter feeds and the likelihood that a user would favor personal recommendations over abstract web browsing. The test subjects were provided with a Chrome extension that extracted their browsing history; the researchers then used Twitter's proprietary URL-shortening protocol to identify t.co links. 81% of the top 15 results of each enquiry run through the de-anonymization program contained the correct re-identified user -- and 72% of the results identified the user in first place. Ultimately the trail only leads as far as a Twitter user ID, and if a user is pseudonymous, further action would need to be taken to affirm their real identity. Using https connections and VPN services can limit exposure to such re-identification attempts, though the first method does not mask the base URL of the site being connected to, and the second does not prevent the tracking cookies and other tracking methods which can provide a continuous browsing history. Additionally UTM codes in URLs offer the possibility of re-identification even where encryption is present. Further reading available via The Atlantic.
Chrome

Chrome 56 Quietly Added Bluetooth Snitch API (theregister.co.uk) 229

Richard Chirgwin, writing for The Register: When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites ask about users' Bluetooth devices and harvest information from them through the browser. That's more a pitch to developers, as is clear in this YouTube video from Pete LePage of the Chrome Developers team. "Until now, the ability to communicate with Bluetooth devices has been possible only for native apps. With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API," Google shares in the video. "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript." In other words, the API lets websites ask your browser "what Bluetooth devices can you see," find out what your fridge, and so on, is capable of, and interact with it.
Operating Systems

First Screenshots of Microsoft's Windows 10 Cloud OS Leak Online (zdnet.com) 78

The first alleged screenshots of Microsoft's Windows 10 Cloud operating system have leaked, courtesy of Windows Blog Italia. "The screenshots seem to show a coming version of the operating system that is locked down in a way similar to the way Microsoft locked down Windows RT and, before that the Windows 8.1 with Bing version of Windows," reports ZDNet. From the report: According to Windows Blog Italia, which said they've had a chance to test the current version of Windows 10 Cloud, the product can run Windows Store apps only. The site noted that Windows Store apps built using Microsoft's "Centennial" Desktop bridge, which enables developers to move their Win32 apps to the Windows Store, work on the version of Windows 10 Cloud to which they have access. UWP apps and Windows Store apps have not been synonymous terms. But the important point here is Windows Cloud will be locked down so as to prevent users from installing apps that are not in the Windows 10 Store, which can be seen as a plus from a security and manageability standpoint, but a minus given the less-than-robust collection of UWP/Store apps available for Windows 10. Microsoft is believed to be planning to position Windows 10 Cloud, at least in part, as an alternative to Chrome OS and Chromebooks.
Chrome

Google To Force Basic HTML Gmail On Older Chrome Versions (computerworld.com) 67

Earlier this week, Google quietly announced that Gmail will only be partially supported on older versions of Chrome browser soon. From a report: Users of Chrome version 53 and older editions of the browser could start being redirected to the basic HTML version of Gmail as early as December, the company said in a blog post. Starting next week, users who will be affected by the change will start seeing a banner at the top of Gmail telling them to upgrade to an up-to-date version of Google's browser. The affected browser versions include Chrome v49, the last version of the software that supports XP and Vista. While Microsoft officially ended support for XP more than two and a half years ago, Gmail has continued to work with it. Vista Service Pack 2 will reach the end of its extended support period on April 11.
Android

Google Is Integrating Progressive Web Apps Deeper Into Android (chromium.org) 46

Yaron Friedman, a software engineer at Google, writes on the Chromium blog: In 2015, we added a new feature to Chrome for Android that allows developers to prompt users to add their site to the Home screen for fast and convenient access. That feature uses an Android shortcut, which means that web apps don't show up throughout Android in the same way as installed native apps. In the next few weeks we'll be rolling out a new version of this experience in Chrome beta. With this new version, once a user adds a Progressive Web App to their Home screen, Chrome will integrate it into Android in a much deeper way than before. For example, Progressive Web Apps will now appear in the app drawer section of the launcher and in Android Settings, and will be able to receive incoming intents from other apps. Long presses on their notifications will also reveal the normal Android notification management controls rather than the notification management controls for Chrome.
Mozilla

Firefox Fail: Layoffs Kill Mozilla's Push Beyond the Browser (cnet.com) 319

So much for Mozilla's quest to bring Firefox to new and different places. From a report on CNET: The nonprofit organization told employees Thursday that it is eliminating the team tasked with bringing Firefox to connected devices. The cuts affect about 50 people. Ari Jaaksi, the senior vice president in charge of the effort, is leaving, and Bertrand Neveux, director of the group's software, has told coworkers he will depart too. Mozilla had about 1,000 employees at the end of 2016. The layoffs greatly curtail the nonprofit organization's ability to make Firefox relevant again. Once a dominant choice for internet browsing, it has long been overshadowed by Google's Chrome. Mozilla tried to take the web technology powering Firefox to other devices, but struggled to get acceptance. Its shrinking influence comes at a time when more people are browsing the internet on their phones -- an area where Firefox is particularly weak.
Cloud

Tim Sweeney Dislikes Windows 10 Cloud Rumors, Calls OS 'Crush Steam Edition' (arstechnica.com) 183

An anonymous reader quotes a report from Ars Technica: The rumor that Microsoft is building a version of Windows 10 that can only install apps from the Windows Store has drawn criticism before it's even official. Epic Games founder Tim Sweeney took to Twitter to attack the operating system. Although its real name is Windows 10 Cloud, he's dubbing it "Windows 10 Crush Steam Edition." Sweeney is convinced that Microsoft wants to exercise total control over the Windows platform and destroy Valve's Steam. Last year, Sweeney attacked the Universal Windows Platform API. He claimed (incorrectly) that third-party stores such as Steam would be unable to sell and distribute UWP games, leaving them at a disadvantage relative to Microsoft's own store. He followed this statement with the claim that Microsoft would systematically modify Windows so as to make Steam work worse and worse, such that gamers grow tired of it and switch to the Windows Store. In his tweets, Sweeney recognizes that Microsoft wants to compete with Chrome OS. But he fails to understand what the company must do to actually offer that competition. He wrote that "it's great for Microsoft to compete with ChromeOS, but NOT BY LOCKING OUT COMPETING WINDOWS SOFTWARE STORES." This statement represents a failure to understand that "locking out competing Windows software stores" is, for this market, positively desirable. It's fundamental to preventing the hard-to-support free-for-all that a Windows system would otherwise represent. A later tweet does recognize the value of this lockdown, but Sweeney says that Windows 10's "great admin features to limit user software installs" should be used instead. This again suggests a misunderstanding of the target market: systems will be used with little to no supervision and with little to no administrative oversight. To compete against the Chromebook, Windows 10 Cloud needs to be locked down by default, and it must not offer any ready way to disable that lockdown.
In his complaints, Sweeney also fails to consider what happens should the Chromebook threat go unaddressed: Chromebooks running Chrome OS will proliferate. These machines will not support third-party stores, they will not support Steam, and they will not support PC games at all. Sweeney may not want Microsoft to build this world, but even if Microsoft doesn't create it, Google already is doing so.
Security

HTTPS Adoption Has Reached the Tipping Point (troyhunt.com) 85

Security expert Troy Hunt, who is perhaps best known for creating the Have I Been Pwned data breach service, argues that adoption of HTTPS has reached the tipping point, citing "some really significant things" that have happened in the past few months. From a blog post: We've already passed the halfway mark for requests served over HTTPS -- This was one of the first signs that we'd finally hit that tipping point and it came a few months ago. This is really significant -- Mozilla is now seeing more secure traffic than it is non-secure traffic. Now that doesn't mean that most sites are now HTTPS because that figure above has a huge portion of traffic served from a small number of big sites. Twitter, Facebook, Gmail etc. all do all their things over HTTPS and that keeps that number quite high. Hunt also cited security aficionado Scott Helme's recent analysis, which found that the number of websites listed in Alexa's top one million websites that have adopted HTTPS more than doubled in the year from August 2015 to August 2016. Troy adds: Browsers are holding non-secure sites more accountable. Chrome 56 is now holding sites using bad security practices to account (by flagging a "not secure" label in the address bar when you visit such websites). Many sites you wouldn't expect are now going HTTPS by default. (He cites websites such as ArsTechnica, NYTimes as examples). Making more cases for his argument, Hunt adds that HTTPS sites are not as slow as they used to be, and that services such as Let's Encrypt and Cloudflare have made it free and easy to bring this security feature.
Security

Google Chrome Engineer Says Windows Defender 'the Only Well Behaved Antivirus', Cites 'Tons of Empirical Data' (onmsft.com) 231

Days after former Firefox developer Robert O'Callahan said that antivirus security suites are not necessary, and AV vendors are of little help, a Google Chrome engineer has echoed the same message, reaffirming that Microsoft's built-in software is indeed the most well-behaved security suite. From a report: Apparently the disdain for 3rd party AV solutions runs deep amongst browser developers, as in response to the threads a Google engineer, Justin Schuh, had this to say: "Browser makers don't complain about Microsoft Defender because we have tons of empirical data showing that it's the only well behaved AV."
Chrome

Google Open-Sources Chrome For iOS (venturebeat.com) 39

Google has uploaded its Chrome for iOS code into the open-source Chromium repository. In other words, Chrome for iOS has now been open-sourced like Chrome for other platforms, letting anyone examine, modify, and compile the project. From a report: Chromium is the open-source Web browser project that shares much of the same code as Google Chrome, and new features are often added there first. Google intended for Chromium to be the name of the open-source project, while the final product name would be Chrome, but developers have taken the code and released versions under the Chromium name. Eventually, many browser makers started using it as a starting point; Opera, for example, switched its browser base to Chromium in 2013. Since its inception, Chromium was a desktop-only affair. That changed in May 2015 with the open-sourcing of Chrome for Android.
Chrome

Google Quietly Makes 'Optional' Web DRM Mandatory In Chrome (boingboing.net) 95

JustAnotherOldGuy quotes a report from Boing Boing: The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more. Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance. Because of laws like section 1201 of the U.S. Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products. Further reading: Boing Boing and Hacker News.
Chrome

Google Removes Plugin Controls From Chrome, Reports Claim (ghacks.net) 106

An anonymous reader shares a Ghacks report: Google made a change in Chrome 57 that removes options from the browser to manage plugins such as Google Widevine, Adobe Flash, or the Chrome PDF Viewer. If you load chrome://plugins in Chrome 56 or earlier, a list of installed plugins is displayed to you. You can use it, among other things, to disable plugins that you don't require. While you can do the same for some plugins, Flash and PDF Viewer, using Chrome's Settings, the same is not possible for the DRM plugin Widevine, and any other plugin Google may add to Chrome in the future. Starting with Chrome 57, that option is no longer available. This means essentially that Chrome users won't be able to disable -- some -- plugins anymore, or even list the plugins that are installed in the web browser. Please note that this affects Google Chrome and Chromium. Further report on BetaNews.
Chrome

'Here's Where Google Hid Chrome's SSL Certificate Information' (vortex.com) 105

"Google Chrome users have been contacting me wondering why they no longer could access the detailed status of Chrome https: connections, or view the organization and other data associated with SSL certificates for those connections," writes Slashdot reader Lauren Weinstein, adding "Google took a simple click in an intuitive place and replaced it with a bunch of clicks scattered around." Up to now for the stable version of Chrome, you simply clicked the little green padlock icon on an https: connection, clicked on the "Details" link that appeared, and a panel then opened that gave you that status, along with an obvious button to click for viewing the actual certificate data such as Organization, issuance and expiration dates, etc. Suddenly, that "Details" link no longer is present...

The full certificate data is available from the "Developers tools" panel under the "Security" label. In fact, that's where this info has been for quite some time, but since the now missing "Details" link took you directly to that panel, most users probably didn't even realize that they were deep in the Developers tools section of the browser.

On some systems you can just press F12, but the alternate route is to click on the three vertical dots in the upper right, then select "More Tools", and then "Developer Tools". (And if you don't then see "Security", click on the " >>".)
Chrome

Chrome Now Reloads Pages 28% Faster (techcrunch.com) 124

Google has announced that it has worked with Facebook and Mozilla to make page reloads in Chrome for desktop and mobile significantly faster. According to Google's data, reloading sites with the latest version of Chrome should now be about 28 percent faster. From a report: Typically, when you reload a page, the browser ends up making hundreds of network requests just to see if the images and other resources it cached the first time you went to a site are still valid. As Google engineer Takashi Toyoshima notes in today's announcement, users typically reload pages because they either look broken or because the content looks like it should have been updated (think old-school live blogs). He argues that when browser developers first added this feature, it was mostly because broken pages were common. Today, users mostly reload pages because the content of a site seems stale.
