Chrome

Chrome is Getting the Ability To Play FLAC (theverge.com) 76

Audiophiles are getting a new way to listen to one of the top formats for lossless music. From a report: Google has begun adding FLAC support to Chrome, and it should be rolling out to the masses very soon. FLAC support is already live in Chrome's beta build and it's live in the current version of Chrome OS, too. If you have local FLAC files or come across one on the web, the added support allows Chrome to open it up in a completely bare-bones music player that takes over the entire tab. It's not exactly elegant, but it works. And it means that Mac users with Chrome installed will have an easy way to play back FLAC files should they come across one. While there are plenty of apps that can handle FLAC -- VLC being a popular one -- no native macOS app is capable of it. Windows 10, on the other hand, includes native support.
Privacy

Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com) 88

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
Chrome

Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension (bleepingcomputer.com) 144

An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" on Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share it or download it to disk. The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. The extension requests the following permissions: Read and change all your data on the websites you visit; Manage your downloads; Communicate with cooperating native applications. According to Adobe, extension users 'share information with Adobe about how [they] use the application. The information is anonymous and will help us improve product quality and features,' Adobe also says. 'Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe.'"
Mozilla

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com) 112

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

Windows

Windows 10 Gains 14% Desktop Market Share in 2016, Edge Continues to Struggle (petri.com) 280

From a report by long time Microsoft watcher Brad Sams on Petri.com: With 2016 now behind us, we can take a look at how far Windows 10 has come thanks to usage-share with statistics from Net Marketshare. At the end of December for 2016, Windows 10 is installed on roughly 24.5% of devices whereas, at the end of 2015, the OS was only installed on around 10% of machines. During the same period, Windows 7 declined from 55.68% to 48.34%, Windows 8.1 usage dropped from 10.3% to 6.9% and XP dropped slightly from 11% to about 9%. Also, released alongside Windows 10, is the company's new browser, Edge. While the market share of the desktop OS has grown steadily, Edge has not performed as well. At the end of 2015, Edge obtained a market share of 2.79% and at the end of 2016, it has climbed to 5.33%. But, Chrome, which had a market share of 32.33% at the end of 2015 now commands 56.43% of the market. During the same period, Internet Explorer dropped from 46.32% in 2015 to 20.84% in 2016.
Electronic Frontier Foundation

2016 Saw A Massive Increase In Encrypted Web Traffic (eff.org) 91

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.
Stats

Slashdot's 10 Most-Visited Stories of 2016 (slashdot.org) 35

Slashdot's most-visited story of the year was "Microsoft Live Account Credentials Leaking From Windows 8 And Above," which was visited more than 330,910 times since we published it August 16. And our second and third most popular stories came in the spring -- Apple Is Fighting A Secret War To Keep You From Repairing Your Phone and Google Chrome To Disallow Backspace As a 'Back' Button. Click through for a complete list of Slashdot's 10 most-visited stories of 2016.
Google

Unannounced ASUS C302CA-DHM4 Chromebook Hits Newegg, and It Looks Great (betanews.com) 109

An anonymous reader shares a BetaNews article: If you have been looking for a new Chromebook with some modern specifications and features, I have some good news. An all-new convertible touchscreen ASUS Chromebook has hit Newegg. Apparently, the company has not yet announced the laptop, making it quite the surprise. Called "C302CA-DHM4," it has solid specifications, looks great, and best of all, it is reasonably priced. Also cool is the fact that the Chromebook has a backlit keyboard -- very useful for those that work in the dark. It even features dual USB-C ports (also used for charging), but neither are USB 3.1 Gen 2 -- both are Gen 1, which is essentially the slower USB 3.0. If 64GB of onboard storage isn't enough, you can expand using the microSD card port. Luckily, this ASUS Chromebook comes with 4GB of RAM, which I consider the bare minimum nowadays. While some folks may pooh-pooh the Intel Core m3 processor as underpowered, I disagree -- it is a very capable chip. For Chrome OS in particular, I expect it to be quite nimble.
Encryption

U2F Security Keys May Be the World's Best Hope Against Account Takeovers (arstechnica.com) 162

earlytime writes: Large scale account hacks such as the billion user Yahoo breach and targeted phishing hacks of gmail accounts during the U.S. election have made 2016 an infamous year for web security. Along comes U2F/web-security keys to address these issues at a critical time. Ars Technica reports that U2F keys "may be the world's best hope against account takeovers": "The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a 'cryptographic assertion' that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms. After more than two years of public implementation and internal study, Google security architects have declared Security Keys their preferred form of two-factor authentication. The architects based their assessment on the ease of using and deploying keys, the security it provided against phishing and other types of password attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication."

The researchers wrote in a recently published report: "We have shipped support for Security Keys in the Chrome browser, have deployed it within Google's internal sign-in system, and have enabled Security Keys as an available second factor in Google's Web services. In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction as well as cheaper support cost."
Portables (Apple)

2016 MacBook Pro Fails To Receive a Recommendation From Consumer Reports (9to5mac.com) 212

Consumer Reports has released its evaluation of the new MacBook Pro laptops, and it's not good. The 2016 MacBook Pro is the first MacBook to fail to receive a recommendation from the nonprofit organization dedicated to unbiased product testing. 9to5Mac reports: In a post breaking down the decision not to recommend the new MacBook Pros, Consumer Reports explains that while the new models held up well in terms of display quality and performance, the battery life issues were too big of an issue to overlook. The organization tested three MacBook Pro variants: a 13-inch Touch Bar model, a 15-inch Touch Bar model, and a 13-inch model without the Touch Bar. The general consensus was that "MacBook Pro battery life results were highly inconsistent from one trial to the next." Consumer Reports explains that the 13-inch Touch Bar model saw battery life of 16 hours in one test and 3.75 hours in another, while the non-Touch Bar model maxed out at 19.5 hours, but also lasted just 4.5 hours in another test. The 15-inch model ranged from 18.5 hours to 8 hours. Generally, according to the report, it's expected for battery life to vary from one trial to another by less than 5 percent, meaning that the battery life variances with the new MacBook Pro are very abnormal. Once that was completed, Consumer Reports experimented by conducting the same test using Chrome and "found battery life to be consistently high on all six runs." While the organization can't let that affect its final decision due to its protocol to only use the first-party browser, it's something users may want to try.
Firefox

Firefox Takes the Next Step Towards Rolling Out Multi-Process To Everyone (arstechnica.com) 154

An anonymous reader quotes a report from Ars Technica: With Firefox 50, Mozilla has rolled out the first major piece of its new multi-process architecture. Edge, Internet Explorer, Chrome, and Safari all have a multiple process design that separates their rendering engine -- the part of the browser that reads and interprets HTML, CSS, and JavaScript -- from the browser frame. They do this for stability reasons (if the rendering process crashes, it doesn't kill the entire browser) and security reasons (the rendering process can be run in a low-privilege sandbox, so exploitable flaws in the rendering engine are harder to take advantage of). Moreover, these browsers can all create multiple rendering engine processes and use different processes for different tabs. This means that the scope of a crash is narrowed even further, typically to a single tab. Internet Explorer and Chrome both implemented this long ago, in 2009. Firefox, however, has not offered a similar design. Although work on a multi-process browser was started in 2009, under the codename Electrolysis, that work was suspended between 2011 and 2013 as priorities within the organization shifted. In response, Mozilla started switching to a new extension system in 2015 that opened the door to a multi-process design. The first stage of Firefox's move to multi-process involves separating the browser shell from a single rendering process that's used by every tab. In Firefox 48, that feature was enabled for a small number of users who used no extensions. Firefox 49 was rolled out to include users running a limited selection of extensions. Now, in Firefox 50, a separate renderer process is used for most users and most extensions. Developers are now able to mark their extensions as explicitly multi-process compatible. Firefox 51 will extend this even further to cover all extensions, except those that are explicitly marked as incompatible. 
Mozilla says that, even with the limited changes made in Firefox 50, responsiveness of the browser has improved by 400 percent due to the separation between the renderer and the browser shell. During page loads, responsiveness will increase to 700 percent.
Chrome

Slashdot Asks: Why Are Browsers So Slow? (ilyabirman.net) 766

Designer Ilya Birman writes: I understand why rendering a complicated layout may be slow. Or why executing a complicated script may be slow. Actually, browsers are rather fast doing these things. If you studied programming and have a rough idea about how many computations are made to render a page, it is surprising the browsers can do it all that fast. But I am not talking about rendering and scripts. I am talking about everything else. Safari may take a second or two just to open a new blank tab on a 2014 iMac. And with ten or fifteen open tabs it eventually becomes sluggish as hell. Chrome is better, but not much so. What are they doing? The tabs are already open. Everything has been rendered. Why does it take more than, say, a thousandth of a second to switch between tabs or create a new one? Opening a 20-megapixel photo from disk doesn't take any noticeable amount of time, it renders instantaneously. Browsers store their stuff in memory. Why can't they just show the pixels immediately when I ask for them? [...] Unfortunately, modern browsers are so stupid that they reload all the tabs when you restart them. Which takes ages if you have a hundred tabs. Opera was sane: it did not reload a tab unless you asked for it. It just reopened everything from cache. Which took a couple of seconds. Modern browsers boast their rendering and script execution performance, but that's not what matters to me as a user. I just don't understand why programmers spend any time optimising for that while the Chrome is laughably slow even by ten-years-old standards. Do you agree with Birman? If yes, why do you think browsers are generally slow today?
Advertising

Russian Hackers Stole $5 Million Per Day From Advertisers With Bots and Fake Websites (cnn.com) 93

Russian hackers have used fake websites and bots to steal millions of dollars from advertisers. According to researchers, the fraud has siphoned more than $180 million from the online ad industry. CNNMoney reports: Dubbed "Methbot," it is a new twist in an increasingly complex world of online crime, according to White Ops, the cybersecurity firm that discovered the operation. Methbot, so nicknamed because the fake browser refers to itself as the "methbrowser," operates as a sham intermediary advertising ring: Companies would pay millions to run expensive video ads. Then they would deliver those ads to what appeared to be major websites. In reality, criminals had created more than 250,000 counterfeit web pages no real person was visiting. White Ops first spotted the criminal operation in October, and it is making up to $5 million per day -- by generating up to 300 million fake "video impressions" daily. According to White Ops, criminals acquired massive blocks of IP addresses -- 500,000 of them -- from two of the world's five major internet registries. Then they configured them so that they appeared to be located all over the United States. They built custom software so that computers (at those legitimate data centers) acted like real people viewing those ads. These "people" even appeared to have Facebook accounts (they didn't), so that premium ads were served. Hackers fooled ad fraud blockers because they figured out how to build software that mimicked a real person who only surfed during the daytime -- using the Google Chrome web browser on a Macbook laptop.
Desktops (Apple)

Adobe Releases Flash Player 24 For Linux Four Years After the Last Major Update (bleepingcomputer.com) 88

An anonymous reader writes: Adobe released today Flash Player 24 for Linux, after previously abandoning the application without explanation in 2012. The NPAPI architecture of Flash Player for Linux is now on par with Windows and Mac releases on version 24, after spending the last few years stuck at version 11.2 and only receiving small patches and security fixes, but no new features. Today's Flash Player 24 for Linux release comes after Adobe teased its release on August 31, and later released a Beta version (v23) in October. Despite updating Flash Player for Linux to the same version number as its Windows and Mac alternatives, the Linux variant still lags behind on features. While Flash Player 24 includes all the security features included in the Windows and Mac versions, the Linux version doesn't support accelerated GPU 3D acceleration and video DRMs. If users need these features, Adobe says users should use Chrome for Linux, where Google's own port, the Pepper Flash plugin (PPAPI architecture) supports them.
Java

Oracle Begins Aggressively Pursuing Java Licensing Fees (theregister.co.uk) 295

Java SE is free, but Java SE Suite and various flavors of Java SE Advanced are not, and now Oracle "is massively ramping up audits of Java customers it claims are in breach of its licenses," reports the Register. Oracle bought Java with Sun Microsystems in 2010 but only now is its License Management Services division chasing down people for payment, we are told by people familiar with the matter. The database giant is understood to have hired 20 individuals globally this year, whose sole job is the pursuit of businesses in breach of their Java licenses... Huge sums of money are at stake, with customers on the hook for multiple tens and hundreds of thousands of dollars.
Slashdot reader rsilvergun writes, "Oracle had previously sued Google for the use of Java in Android but had lost that case. While that case is being appealed, it remains to be seen if the latest push to monetize Java is a response to that loss or part of a broader strategy on Oracle's part." The Register interviewed the head of an independent license management service who says Oracle's even targeting its own partners now.

But after acquiring Sun in 2010, why did Oracle's License Management Services wait a full six years? "It is believed to have taken that long for LMS to devise audit methodologies and to build a detailed knowledge of customers' Java estates on which to proceed."
Security

Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com) 164

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of Linux zero-day exploits, the most recent of which employs specially crafted audio files to compromise Linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them."
Advertising

Malvertising Campaign Infects Your Router Instead of Your Browser (bleepingcomputer.com) 137

An anonymous reader quotes a report from BleepingComputer: Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn't feature ads, or replace original ads with the attackers' own. Researchers haven't yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel. Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign. The "campaign" is called DNSChanger EK and works when attackers buy ads on legitimate websites and insert malicious JavaScript in these ads, "which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address," according to BleepingComputer. "Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on. For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins. 
The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography. The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers."
Android

Android Chief Squashes Rumors of Android Merging With Chrome OS (pcworld.com) 43

If you were holding out hope that Android and Chrome would one day merge into some kind of super OS that marries the desktop and mobile worlds once and for all, Google's senior vice president for Android, Chrome, and Chromecast Hiroshi Lockheimer has some bad news for you: It's not happening. From a PCWorld report: Speaking on the All About Android podcast, the mobile chief threw a giant bucket of cold water on the idea that the two platforms would eventually converge, despite recent rumors that suggest such a project is already in development at Google. "There's no point in merging them," Lockheimer said, pointing out that sales of Chromebooks overtook Macs in the first quarter of this year. "They're both successful." He added, Google's aim is "to make sure that both sides benefit from each other. ... You'll see a lot more of that happening, where we're cross-pollinating, but not a merge."
Chrome

Google Starts Using HTML5 By Default Instead of Flash For Some Chrome Users (venturebeat.com) 40

Google announced in a blog post today that it will be rolling out a feature over the next few months that starts disabling Flash and displaying HTML5 content instead on certain websites. Google notes, "This change disables Adobe Flash Player unless there's a user indication that they want Flash content on specific sites, and eventually all websites will require the user's permission to run Flash." VentureBeat reports: Google has deployed the change for half of the people who are using Chrome 56 beta, which rolled out yesterday, Google technical program manager Eric Deily wrote in a blog post. Then, "in the next few days," Deily wrote, the feature will be active for 1 percent of users of Chrome 55 stable. And by February 2016 it will be live for all users in Chrome 56 stable, Deily wrote. The idea is to lessen the dependence on a web component that can cause a drag on CPU and memory usage and shorten battery life as a result. Flash also has a track record of security issues.
Media

Netflix Keeping Bandwidth Usage Low By Encoding Its Video With VP9 and H.264/AVC Codecs (slashgear.com) 76

Netflix announced last week that it is getting offline video downloads support. The company has since shared that it is using VP9 video compression codec to ensure that the file sizes don't weigh a lot. An anonymous reader shares an article on Slashgear (edited): For streaming content, Netflix largely relies on H.264/AVC to reduce the bandwidth, but for downloading content, it uses VP9 encoding. VP9 can allow better quality videos for the same amount of data needed to download. The challenge is that VP9 isn't supported by all streaming providers -- it is supported on Android devices and via the Chrome browser. So to get around that lack of support on iOS, Netflix is offering downloads in H.264/AVC High whereas streams are encoded in H.264/AVC Main on such devices. Netflix chooses the optimal encoding format for each title on its service after finding, for instance, that animated films are easier to encode than live-action. Netflix says that H.264 High encoding saves 19% bandwidth compared to other encoding standards while VP9 saves 36%.
