Chrome

Every Upcoming Chromebook Will Run Android Apps (laptopmag.com) 62

Google announced last year that it will be bringing Android apps to Chromebooks. The company has now announced that moving forward all the new Chromebooks will have access to the Google Play Store, the marquee store for Android apps. From a report: The news comes from a single line of text in Google's list of Chromebooks that can support the programs: "All Chromebooks launching in 2017 and after as well as the Chromebooks listed below will work with Android apps in the coming future." We knew this would eventually come, and now isn't terribly surprising timing. There are more Chromebooks with touchscreens than ever, including the Asus Chromebook Flip C302CA and Samsung's upcoming Chromebook Plus and Pro, all of which were announced at CES in Las Vegas.
Security

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com) 54

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

Windows

Microsoft Targets Chrome Users With Windows 10 Pop-up Ad (pcmag.com) 171

Google Chrome users on Windows 10 are apparently being treated to a new experience: a pop-up ad. From a PCMag report: If you have Chrome installed and the icon present on the Windows Taskbar, chances are you're going to start seeing a pop-up advert appear suggesting you install Microsoft's Personal Shopping Assistant Chrome extension. Microsoft touts it as "Your smart shopping cart across the web." Opting to install the extension results in Microsoft monitoring which products you've searched for and viewed while using Chrome, and then offering to compare those products to find the best price. There's also alerts when prices change, and the ability to track products across all your devices. Of course, Microsoft will make money if you opt to purchase any products using the Assistant.
Youtube

Safari Users Unable to Play Newer 4K Video On YouTube in Native Resolution (macrumors.com) 124

It appears Google recently turned on the VP9 codec on YouTube for delivering 4K video. However, because of this, Safari users are unable to watch videos uploaded to the service since early December in full 4K resolution. From a report: Specifically, YouTube appears to be storing video on its servers using either the more efficient VP9 codec or the older H.264 codec. Safari only supports the latter, which explains why recently uploaded 4K videos are only able to be viewed in up to 1440p. Funnily enough, the same videos can be streamed by Safari in native 4K as long as they're embedded in another website, suggesting that the VP9 codec support requirement only applies to videos viewed directly on YouTube's website. Until Apple updates Safari to support the VP9 codec, Mac users who want to access newer 4K video on YouTube in native 2160p resolution are advised to use a different browser. John Gruber of DaringFireball writes, "I'm curious what Google's thinking is here. My guess: a subtle nudge to get more Mac users to switch from Safari to Chrome. 4K playback is going to require H.264 support if they want it to work on iOS, though."
Opera

Opera Presto Source Code Leaks Online (bleepingcomputer.com) 71

Catalin Cimpanu, writing for BleepingComputer: An unknown third-party has leaked the source code of the old Opera Presto browser engine on GitHub, and later on Bitbucket, two services for hosting and sharing source code online. Opera Presto is the layout engine at the heart of the old Opera browser. Opera Software used Presto between Opera 7 and Opera 14 and replaced Presto with Blink, Chrome's layout engine, in Opera 15, released in May 2013. Despite its removal from the company's main product, Opera engineers continued to use Opera Presto for the Opera Mini and Opera Mobile browsers. According to timestamps, the Opera Presto source code was first uploaded on GitHub but was taken down last Friday, on January 13, after Opera's lawyers filed a DMCA request.
Chrome

Chrome is Getting the Ability To Play FLAC (theverge.com) 79

Audiophiles are getting a new way to listen to one of the top formats for lossless music. From a report: Google has begun adding FLAC support to Chrome, and it should be rolling out to the masses very soon. FLAC support is already live in Chrome's beta build and it's live in the current version of Chrome OS, too. If you have local FLAC files or come across one on the web, the added support allows Chrome to open it up in a completely bare-bones music player that takes over the entire tab. It's not exactly elegant, but it works. And it means that Mac users with Chrome installed will have an easy way to play back FLAC files should they come across one. While there are plenty of apps that can handle FLAC -- VLC being a popular one -- no native macOS app is capable of it. Windows 10, on the other hand, includes native support.
Privacy

Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com) 88

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
Chrome

Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension (bleepingcomputer.com) 145

An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" on Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share it or download it to disk. The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. The extension requests the following permissions: Read and change all your data on the websites you visit; Manage your downloads; Communicate with cooperating native applications. According to Adobe, extension users 'share information with Adobe about how [they] use the application. The information is anonymous and will help us improve product quality and features,' Adobe also says. 'Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe.'"
Mozilla

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com) 112

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allows attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

Windows

Windows 10 Gains 14% Desktop Market Share in 2016, Edge Continues to Struggle (petri.com) 280

From a report by long time Microsoft watcher Brad Sams on Petri.com: With 2016 now behind us, we can take a look at how far Windows 10 has come thanks to usage-share with statistics from Net Marketshare. At the end of December for 2016, Windows 10 is installed on roughly 24.5% of devices whereas, at the end of 2015, the OS was only installed on around 10% of machines. During the same period, Windows 7 declined from 55.68% to 48.34%, Windows 8.1 usage dropped from 10.3% to 6.9% and XP dropped slightly from 11% to about 9%. Also, released alongside Windows 10, is the company's new browser, Edge. While the market share of the desktop OS has grown steadily, Edge has not performed as well. At the end of 2015, Edge obtained a market share of 2.79% and at the end of 2016, it has climbed to 5.33%. But, Chrome, which had a market share of 32.33% at the end of 2015 now commands 56.43% of the market. During the same period, Internet Explorer dropped from 46.32% in 2015 to 20.84% in 2016.
Electronic Frontier Foundation

2016 Saw A Massive Increase In Encrypted Web Traffic (eff.org) 91

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.
Stats

Slashdot's 10 Most-Visited Stories of 2016 (slashdot.org) 35

Slashdot's most-visited story of the year was "Microsoft Live Account Credentials Leaking From Windows 8 And Above," which was visited more than 330,910 times since we published it August 16. And our second and third most popular stories came in the spring -- Apple Is Fighting A Secret War To Keep You From Repairing Your Phone and Google Chrome To Disallow Backspace As a 'Back' Button. Click through for a complete list of Slashdot's 10 most-visited stories of 2016.
Google

Unannounced ASUS C302CA-DHM4 Chromebook Hits Newegg, and It Looks Great (betanews.com) 109

An anonymous reader shares a BetaNews article: If you have been looking for a new Chromebook with some modern specifications and features, I have some good news. An all-new convertible touchscreen ASUS Chromebook has hit Newegg. Apparently, the company has not yet announced the laptop, making it quite the surprise. Called "C302CA-DHM4," it has solid specifications, looks great, and best of all, it is reasonably priced. Also cool is the fact that the Chromebook has a backlit keyboard -- very useful for those that work in the dark. It even features dual USB-C ports (also used for charging), but neither are USB 3.1 Gen 2 -- both are Gen 1, which is essentially the slower USB 3.0. If 64GB of onboard storage isn't enough, you can expand using the microSD card port. Luckily, this ASUS Chromebook comes with 4GB of RAM, which I consider the bare minimum nowadays. While some folks may pooh-pooh the Intel Core m3 processor as underpowered, I disagree -- it is a very capable chip. For Chrome OS in particular, I expect it to be quite nimble.
Encryption

U2F Security Keys May Be the World's Best Hope Against Account Takeovers (arstechnica.com) 162

earlytime writes: Large scale account hacks such as the billion user Yahoo breach and targeted phishing hacks of gmail accounts during the U.S. election have made 2016 an infamous year for web security. Along comes U2F/web-security keys to address these issues at a critical time. Ars Technica reports that U2F keys "may be the world's best hope against account takeovers": "The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a 'cryptographic assertion' that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms. After more than two years of public implementation and internal study, Google security architects have declared Security Keys their preferred form of two-factor authentication. The architects based their assessment on the ease of using and deploying keys, the security it provided against phishing and other types of password attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication."

The researchers wrote in a recently published report: "We have shipped support for Security Keys in the Chrome browser, have deployed it within Google's internal sign-in system, and have enabled Security Keys as an available second factor in Google's Web services. In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction as well as cheaper support cost."
Portables (Apple)

2016 MacBook Pro Fails To Receive a Recommendation From Consumer Reports (9to5mac.com) 212

Consumer Reports has released its evaluation of the new MacBook Pro laptops, and it's not good. The 2016 MacBook Pro is the first MacBook to fail to receive a recommendation from the nonprofit organization dedicated to unbiased product testing. 9to5Mac reports: In a post breaking down the decision not to recommend the new MacBook Pros, Consumer Reports explains that while the new models held up well in terms of display quality and performance, the battery life issues were too big of an issue to overlook. The organization tested three MacBook Pro variants: a 13-inch Touch Bar model, a 15-inch Touch Bar model, and a 13-inch model without the Touch Bar. The general consensus was that "MacBook Pro battery life results were highly inconsistent from one trial to the next." Consumer Reports explains that the 13-inch Touch Bar model saw battery life of 16 hours in one test and 3.75 hours in another, while the non-Touch Bar model maxed out at 19.5 hours, but also lasted just 4.5 hours in another test. The 15-inch model ranged from 18.5 hours to 8 hours. Generally, according to the report, it's expected for battery life to vary from one trial to another by less than 5 percent, meaning that the battery life variances with the new MacBook Pro are very abnormal. Once that was completed, Consumer Reports experimented by conducting the same test using Chrome and "found battery life to be consistently high on all six runs." While the organization can't let that affect its final decision due to its protocol to only use the first-party browser, it's something users may want to try.
Firefox

Firefox Takes the Next Step Towards Rolling Out Multi-Process To Everyone (arstechnica.com) 154

An anonymous reader quotes a report from Ars Technica: With Firefox 50, Mozilla has rolled out the first major piece of its new multi-process architecture. Edge, Internet Explorer, Chrome, and Safari all have a multiple process design that separates their rendering engine -- the part of the browser that reads and interprets HTML, CSS, and JavaScript -- from the browser frame. They do this for stability reasons (if the rendering process crashes, it doesn't kill the entire browser) and security reasons (the rendering process can be run in a low-privilege sandbox, so exploitable flaws in the rendering engine are harder to take advantage of). Moreover, these browsers can all create multiple rendering engine processes and use different processes for different tabs. This means that the scope of a crash is narrowed even further, typically to a single tab. Internet Explorer and Chrome both implemented this long ago, in 2009. Firefox, however, has not offered a similar design. Although work on a multi-process browser was started in 2009, under the codename Electrolysis, that work was suspended between 2011 and 2013 as priorities within the organization shifted. In response, Mozilla started switching to a new extension system in 2015 that opened the door to a multi-process design. The first stage of Firefox's move to multi-process involves separating the browser shell from a single rendering process that's used by every tab. In Firefox 48, that feature was enabled for a small number of users who used no extensions. Firefox 49 was rolled out to include users running a limited selection of extensions. Now, in Firefox 50, a separate renderer process is used for most users and most extensions. Developers are now able to mark their extensions as explicitly multi-process compatible. Firefox 51 will extend this even further to cover all extensions, except those that are explicitly marked as incompatible. 
Mozilla says that, even with the limited changes made in Firefox 50, responsiveness of the browser has improved by 400 percent due to the separation between the renderer and the browser shell. During page loads, responsiveness will increase to 700 percent.
Chrome

Slashdot Asks: Why Are Browsers So Slow? (ilyabirman.net) 766

Designer Ilya Birman writes: I understand why rendering a complicated layout may be slow. Or why executing a complicated script may be slow. Actually, browsers are rather fast doing these things. If you studied programming and have a rough idea about how many computations are made to render a page, it is surprising the browsers can do it all that fast. But I am not talking about rendering and scripts. I am talking about everything else. Safari may take a second or two just to open a new blank tab on a 2014 iMac. And with ten or fifteen open tabs it eventually becomes sluggish as hell. Chrome is better, but not much so. What are they doing? The tabs are already open. Everything has been rendered. Why does it take more than, say, a thousandth of a second to switch between tabs or create a new one? Opening a 20-megapixel photo from disk doesn't take any noticeable amount of time, it renders instantaneously. Browsers store their stuff in memory. Why can't they just show the pixels immediately when I ask for them? [...] Unfortunately, modern browsers are so stupid that they reload all the tabs when you restart them. Which takes ages if you have a hundred tabs. Opera was sane: it did not reload a tab unless you asked for it. It just reopened everything from cache. Which took a couple of seconds. Modern browsers boast their rendering and script execution performance, but that's not what matters to me as a user. I just don't understand why programmers spend any time optimising for that while the Chrome is laughably slow even by ten-years-old standards. Do you agree with Birman? If yes, why do you think browsers are generally slow today?
Advertising

Russian Hackers Stole $5 Million Per Day From Advertisers With Bots and Fake Websites (cnn.com) 93

Russian hackers have used fake websites and bots to steal millions of dollars from advertisers. According to researchers, the fraud has siphoned more than $180 million from the online ad industry. CNNMoney reports: Dubbed "Methbot," it is a new twist in an increasingly complex world of online crime, according to White Ops, the cybersecurity firm that discovered the operation. Methbot, so nicknamed because the fake browser refers to itself as the "methbrowser," operates as a sham intermediary advertising ring: Companies would pay millions to run expensive video ads. Then they would deliver those ads to what appeared to be major websites. In reality, criminals had created more than 250,000 counterfeit web pages no real person was visiting. White Ops first spotted the criminal operation in October, and it is making up to $5 million per day -- by generating up to 300 million fake "video impressions" daily. According to White Ops, criminals acquired massive blocks of IP addresses -- 500,000 of them -- from two of the world's five major internet registries. Then they configured them so that they appeared to be located all over the United States. They built custom software so that computers (at those legitimate data centers) acted like real people viewing those ads. These "people" even appeared to have Facebook accounts (they didn't), so that premium ads were served. Hackers fooled ad fraud blockers because they figured out how to build software that mimicked a real person who only surfed during the daytime -- using the Google Chrome web browser on a Macbook laptop.
Desktops (Apple)

Adobe Releases Flash Player 24 For Linux Four Years After the Last Major Update (bleepingcomputer.com) 88

An anonymous reader writes: Adobe released today Flash Player 24 for Linux, after previously abandoning the application without explanation in 2012. The NPAPI architecture of Flash Player for Linux is now on par with Windows and Mac releases on version 24, after spending the last few years stuck at version 11.2 and only receiving small patches and security fixes, but no new features. Today's Flash Player 24 for Linux release comes after Adobe teased its release on August 31, and later released a Beta version (v23) in October. Despite updating Flash Player for Linux to the same version number as its Windows and Mac alternatives, the Linux variant still lags behind on features. While Flash Player 24 includes all the security features included in the Windows and Mac versions, the Linux version doesn't support accelerated GPU 3D acceleration and video DRMs. If users need these features, Adobe says users should use Chrome for Linux, where Google's own port, the Pepper Flash plugin (PPAPI architecture) supports them.
Java

Oracle Begins Aggressively Pursuing Java Licensing Fees (theregister.co.uk) 295

Java SE is free, but Java SE Suite and various flavors of Java SE Advanced are not, and now Oracle "is massively ramping up audits of Java customers it claims are in breach of its licenses," reports the Register. Oracle bought Java with Sun Microsystems in 2010 but only now is its License Management Services division chasing down people for payment, we are told by people familiar with the matter. The database giant is understood to have hired 20 individuals globally this year, whose sole job is the pursuit of businesses in breach of their Java licenses... Huge sums of money are at stake, with customers on the hook for multiple tens and hundreds of thousands of dollars.
Slashdot reader rsilvergun writes, "Oracle had previously sued Google for the use of Java in Android but had lost that case. While that case is being appealed, it remains to be seen if the latest push to monetize Java is a response to that loss or part of a broader strategy on Oracle's part." The Register interviewed the head of an independent license management service who says Oracle's even targeting its own partners now.

But after acquiring Sun in 2010, why did Oracle's License Management Services wait a full six years? "It is believed to have taken that long for LMS to devise audit methodologies and to build a detailed knowledge of customers' Java estates on which to proceed."
