"Google said Thursday it's funding a project to increase Linux security by writing parts of the operating system's core in the Rust programming language, a modernization effort that could bolster the security of the internet and smartphones," reports CNET: If the project succeeds, it'll be possible to add new elements written in Rust into the heart of Linux, called the kernel. Such a change would mark a major technological and cultural shift for an open-source software project that's become foundational to Google's Android and Chrome operating systems as well as vast swaths of the internet. Miguel Ojeda, who's written software used by the Large Hadron Collider particle accelerator and worked on programming language security, is being contracted to write software in Rust for the Linux kernel. Google is paying for the contract, which is being extended through the Internet Security Research Group, a nonprofit that's also made it easier to secure website communications through the Let's Encrypt effort.

Adding Rust modules to the Linux kernel would improve security by closing some avenues for hackers can use to attack phones, computers or servers. Since it was launched in 1991, Linux has been written solely in the powerful but old C programming language. The language was developed in 1972 and is more vulnerable to hacks than contemporary programming languages...

Google credits the Linux community programmers who began the Rust for Linux project. "The community had already done and continues to do great work toward adding Rust support to the Linux kernel build system," Google said in a blog post...

[Rust] has been the most loved programming language for five years running in Stack Overflow's annual developer survey. "Rust represents the best alternative to C and C++ currently available," Microsoft's security team concluded in 2019. The team said Rust would have prevented memory problems at fault in 70% of its significant security issues. And because Rust's checks happen while software is being built, the safety doesn't come at the expense of performance when the software is running.

The goal of the Linux on Rust project isn't to replace all of Linux's C code but rather to improve selective and new parts.

Google said Thursday it's funding a project to increase Linux security by writing parts of the operating system's core in the Rust programming language, a modernization effort that could bolster the security of the internet and smartphones. From a report: If the project succeeds, it'll be possible to add new elements written in Rust into the heart of Linux, called the kernel. Such a change would mark a major technological and cultural shift for an open-source software project that's become foundational to Google's Android and Chrome operating systems as well as vast swaths of the internet.

Miguel Ojeda, who's written software used by the Large Hadron Collider particle accelerator and worked on programming language security, is being contracted to write software in Rust for the Linux kernel. Google is paying for the contract, which is being extended through the Internet Security Research Group, a nonprofit that's also made it easier to secure website communications through the Let's Encrypt effort. Adding Rust modules to the Linux kernel would improve security by closing some avenues for hackers can use to attack phones, computers or servers. Since it was launched in 1991, Linux has been written solely in the powerful but old C programming language. The language was developed in 1972 and is more vulnerable to hacks than contemporary programming languages.

In a blog post this morning, Google announced plans to increase its update cadence for Chromebooks. Like Chrome, its operating system will now also follow a four-week Stable channel before moving to the next major milestone release. Android Police reports: Google will deliver fresh features more rapidly to Chromebooks starting with Chrome OS 96 -- all while keeping it stable, secure, and speedy. To adapt to the rigorous update release schedule, Google will skip Chrome OS 95, which will help it bridge the gap between M94 and Chrome's new four-week rollout strategy. Enterprise and education folks can opt enroll in an Extended Stable option for Chromebooks, which will update every 6 months. In light of the new rollout strategy, Google updated its documentation and pushed an update to its release calendar. The company will share plans about the choices Chrome OS administrators will have for milestone updates "in the coming months."

Google's experiment to hide parts of a site's URL in the Chrome address bar (the Omnibox) has failed and has been removed from the browser earlier this week. From a report: The experiment ran from June 2020 to June 2021. It consisted of a series of options that Google added to the chrome://flags options page that, when enabled, only showed the main domain name of a site (therecord.media) instead of the full page URL (therecord.media/category/article/title).

An anonymous reader quotes a report from Engadget: Google will jettison an auction system that forces other providers to bid for the right to be featured as a default search engine option on Android. Following a $5 billion fine and antitrust enforcement action in 2018, people in Europe have been able to choose which core apps and services they use on Android by default, instead of having to use Google products at first. Users in the region see an Android choice screen while setting up a device or after performing a factory reset. They can select their default search engine from a number of options. However, the three providers that are presented alongside Google Search have been determined by a sealed bidding process.

The revamped choice screen will feature up to 12 search engine options. The one you pick is the default for searches on the home screen and Chrome, if you use that as your browser. Your device will also install that provider's search app. Only general search engines are eligible, and they need to have a free search app on the Play store. Vertical search engines (i.e. specialist or subject-specific ones) will be locked out. Providers that syndicate search results and ads from Google won't be featured on the list either. The changes will come into effect for new Android devices sold in the UK and European Economic Area by September 1st. "Following further feedback from the Commission, we are now making some final changes to the Choice Screen including making participation free for eligible search providers," Oliver Bethell, Google's head of competition for Europe, the Middle East and Africa, wrote in a blog post. "We will also be increasing the number of search providers shown on the screen. These changes will come into effect from September this year on Android devices."

Today ZDNet's "Technically Incorrect" columnist Chris Matyszczyk discussed a new pop-up message that's now appearing in Windows 10's notification center.

It's warning Windows users that "Microsoft recommends different browser settings. Want to change them?" The notification adds that you'll get "Search that gives you back time and money." And "fast and secure search results with Bing." Oh, yes. Bing, the MySpace to Google's Facebook, is still being pushed.

I learned that this Bing-pushing is pushing Windows users' buttons. There's a little Reddit thread where you'll see laments such as: "You're not the first to have this Microsoft Annoyance. Apparently, there are thousands in front of you." The most poignant, perhaps, was this: "Miserably I get this despite using Edge AND having Bing set as my default search engine... (the latter of which for Microsoft Rewards). I think the 'problem' is that not ALL of my browsers had Bing as the default search engine? Which is ridiculous because I never use Chrome or Firefox anyway. But after clicking the popup, it ludicrously opened up all my browsers...."

What's most distressing is the lack of any attempt at charm or humor in these notifications. Are they all written by engineers? Or robots, perhaps...? Perhaps Microsoft believes that irritation works. Perhaps it simply has no better ideas to persuade anyone to try Bing.

And really, it's not as if Redmond is alone in pursuing this sort of communication. Why, I've even had Apple notifying me of its angry feelings whenever I open, oh, Microsoft Edge.

Google says it will scan the extensions users install in their Chrome browsers and warn users if they are adding an extension from a new or untrusted developer. From a report: The new extension scanning feature will be part of a Google security feature called Enhanced Safe Browsing, which Google added to Chrome in May last year. Google says trusted developers are those who adhere to the Chrome Web Store Developer Program Policies. "For new developers, it will take at least a few months of respecting these conditions to become trusted," the browser maker said in a blog post today. Currently, Google said that almost 75% of all extensions hosted on the Chrome Web Store were developed by "trusted developers." For the rest, the browser will show an alert like the one below if users had enabled Enhanced Safe Browsing in their Chrome settings page.

Brian Krebs: Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams. Here's the story of how bogus reviews on a counterfeit Microsoft Authenticator browser extension exposed dozens of other extensions that siphoned personal and financial data.

After hearing from a reader about a phony Microsoft Authenticator extension that appeared on the Google Chrome Store, KrebsOnSecurity began looking at the profile of the account that created it. There were a total of five reviews on the extension before it was removed: Three Google users gave it one star, warning people to stay far away from it; but two of the reviewers awarded it between three and four stars. "It's great!," the Google account Theresa Duncan enthused, improbably. "I've only had very occasional issues with it." "Very convenient and handing," assessed Anna Jones, incomprehensibly.

Google is losing one of its strongest champions of the web. Alex Russell, who has led the Fugu project to make web apps as powerful as those running on Google's Android or Apple's iOS software, is leaving the company on Wednesday. From a report: Russell announced his departure on Twitter. He's not quitting in anger or being pushed out. But after 12 years at Google pushing his vision for a more powerful web, "I need some time off," he said in an interview. Russell has been an outspoken advocate for the web, using Chrome's dominant position to help test and introduce new abilities that let programmers build interactive apps on the web, not just relatively static websites. Project Fugu embodies this effort, as does the broader progressive web app, or PWA, movement that lets you install and launch web apps more like those that run natively on smartphones and PCs.

Security researcher Gabi Cirlig's findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they're in incognito mode or not, is sent to servers owned by UCWeb. From a report: Cirlig said IP addresses -- which could be used to get a user's rough location down to the town or neighborhood of the user -- were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company, though it's not currently clear just what Alibaba and its subsidiary are doing with the data.

"This could easily fingerprint users and tie them back to their real personas," Cirlig wrote in a blog post handed to Forbes ahead of publication on Tuesday. Cirlig was able to uncover the problem by reverse engineering some encrypted data he spotted being sent back to Beijing. Once the key had been cracked, he was able to see that every time he visited a website, it was being encrypted and transmitted back to the Alibaba company. On Apple's iOS, he didn't even need to reverse engineer the encryption because there effectively was none on the device (though it was encrypted when in transit). "This kind of tracking is done on purpose without any regard for user privacy," Cirlig told Forbes. When compared to Google's own Chrome browser, for instance, it does not transfer user web browsing habits when in incognito. Cirlig said he'd looked at other major browsers and found none did the same as UC Browser.

Mozilla's Firefox 89 releases to the general public today complete with the new Proton interface which simplifies the browser's menus and alters the tabs bar beyond anything we've seen from previous Firefox releases or other web browsers. From a report: This update also improves macOS integration and includes further privacy enhancements. The first thing that people will notice in this update is the Proton interface, the browser chrome and toolbar have been simplified so that redundant and less frequently used features have been removed, menus have been altered so that the most used features are prominent and visual noise has been reduced.

Proton also updates prompts so they have a cleaner appearance and unnecessary alerts and messages have been removed. The attached tabs have also been supplanted by floating tabs; Mozilla says the rounded design of the active tab "signals the ability to easily move the tab as needed." While almost everyone will support cleaner menus, the new tabs are drawing the ire of some who are not pleased with the radical departure from the traditional look and feel of tabs.

One of the internet's foundations just got an upgrade. From a report: Quic, a protocol for transmitting data between computers, improves speed and security on the internet and can replace Transmission Control Protocol, or TCP, a standard that dates back to Ye Olde Internet of 1974. Last week, the Internet Engineering Task Force, which sets many standards for the global network, published Quic as a standard. Web browsers and online services have been testing the technology for years, but the IETF's imprimatur is a sign the standard is mature enough to embrace fully.

It's extremely hard to improve the internet at the fundamental level of data transmission. Countless devices, programs and services are built to use the earlier infrastructure, which has lasted decades. Quic has been in public development for nearly eight years since Google first announced Quic in 2013 as an experimental addition to its Chrome browser. But upgrades to the internet's foundations are crucial to keep the world-spanning communication and commerce backbone humming. That's why engineers spend so much effort on titanic transitions like Quic, HTTPS for secure website communications, post-quantum cryptography to protect data from future quantum computers, and IPv6 for accommodating vastly more devices on the internet.

"The web browser is a crucial part of modern life, and yet it hasn't really been revised since the '90s," writes Protocol. "That may be about to change." The browser tab is an underrated thing. Most people think of them only when there are too many, when their computer once again buckles under Chrome's weight. Even the developers who build the tabs — the engineers and designers working on Chrome, Firefox, Brave and the rest — haven't done much to them. The internet has evolved in massive, earth-shaking ways over the last two decades, but tabs haven't really changed since they became a browser feature in the mid '90s.

Josh Miller, however, has big plans for browser tabs. Miller is the CEO of a new startup called The Browser Company, and he wants to change the way people think about browsers altogether. He sees browsers as operating systems, and likes to wonder aloud what "iOS for the web" might look like. What if your browser could build you a personalized news feed because it knows the sites you go to? What if every web app felt like a native app, and the browser itself was just the app launcher? What if you could drag a file from one tab to another, and it just worked? What if the web browser was a shareable, synced, multiplayer experience? It would be nothing like the simple, passive windows to the web that browsers are now. Which is exactly the goal.

The Browser Company (which everyone on the team just calls Browser) is one of a number of startups that are rethinking every part of the browser stack. Mighty has built a version of Chrome that runs on powerful server hardware and streams the browser itself over the web. Brave is building support for decentralized protocols like IPFS, and experimenting with using cryptocurrencies as a new business model for publishers. Synth is building a new bookmarks system that acts more like a web-wide inbox. Sidekick offers a vertical app launcher and makes tabs easier to organize. "A change is coming," said Mozilla CEO Mitchell Baker. "The question is just the time frame, and what's actually required to make it happen."

They have lots of different ideas, but they share a belief that the browser can, and should, be more than it is. "We don't need a new web browser," Miller said. "We need a new successor to the web browser."

While he was at the White House, Chief Digital Officer (and Miller's boss) Jason Goldman said something Miller couldn't forget. "Platforms have all the leverage," is how Miller remembers it. "And if you care about the future of the internet, or the way we use our computers, or want to improve any of the things that are broken about technology ... you can't really just build an application. Platforms, whether it's iOS or Windows or Android or Mac OS, that's where all the control is."

Google has shipped a new JavaScript compiler for its V8 JavaScript engine in Chrome called Sparkplug that promises a much faster web experience -- and it does it by 'cheating', according to the engineers on the project. From a report: Sparkplug is part of Chrome 91, which Google released on Tuesday with security updates but also some key changes under the hood that improve its powerful JavaScript engine, V8. Microsoft relies on V8 these days too after ditching its Chakra JavaScript engine from legacy Edge and moving to Chromium for the new Edge browser and switching to V8. Google says Chrome 91 has 23% faster performance thanks to Sparkplug's integration into V8's JavaScript pipeline.

The next release of Edge will be the "best performing" browser available on Windows 10 when it arrives later this week, Microsoft claimed at its Build 2021 event. It said that version 91 contains new features, specifically "startup boost and sleeping tabs" that will push it ahead of Chrome and all other browsers. From a report: Startup boost was introduced in March and works by "running a core set of Microsoft Edge processes in the background," according to the post. At the same time, it supposedly won't use any additional resources when Microsoft Edge browser windows are open. That feature has boosted startup speeds by up to 41 percent, the company claims. In the upcoming build, Microsoft will introduce a "sleeping tabs" feature that immediately puts ads to sleep when you switch to another tab, allowing for "instance resource savings." That promises to boost browser performance and free up memory for other apps, as ads can be highly memory- and processor-intensive.

An anonymous reader quotes a report from The Record: Thousands of Google Chrome extensions available on the official Chrome Web Store are tampering with security headers on popular websites, putting users at risk of a wide range of web-based attacks. While they are a little-known technical detail, security headers are an important part of the current internet landscape. At a technical level, a security header is an HTTP response sent by the server to a client app, such as a browser. [...] In a paper presented at the MADWeb workshop at the NDSS 2021 security conference, researchers from the CISPA Helmholtz Center for Information Security said they tried to assess the number of Chrome extensions tampering with security headers for the very first time. Using a custom framework they built specifically for their study, the research team said they analyzed 186,434 Chrome extensions that were available on the official Chrome Web Store last year. Their work found that 2,485 extensions were intercepting and modifying at least one security header used by today's Top 100 most popular websites (as available in the Tranco list).

The study didn't focus on all security headers, but only on the four most common ones, such as: Content-Security Policy (CSP), HTTP Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options. While 2,485 extensions disabled at least one, researchers said they found 553 disabling all the four security headers they analyzed in their research. The most commonly disabled security header was CSP, a security header that was developed to allow site owners to control what web resources a page is allowed to load inside a browser and a typical defense that can protect websites and browsers against XSS and data injection attacks. According to the research team, in most of the cases they analyzed, the Chrome extensions disabled CSP and other security headers "to introduce additional seemingly benign functionalities on the visited webpage," and didn't look to be malicious in nature. However, even if the extensions wanted to enrich a user's experience online, the German academics argued that by tampering with security headers, all the extensions did was to expose users to attacks from other scripts and sites running inside the browser and on the web.

Big under-the-hood changes are coming to Google's original Nest Hub, even if most users won't ever be aware of what's happening. From a report: Starting today, the open-source Fuchsia OS will start rolling out to first-gen Nest Hub displays, according to 9to5Google. In the works since 2016, Fuchsia will land first on Nest Hub devices enrolled in Google's Preview Program, before arriving more widely on non-Preview Program displays. Don't expect the user experience to change much, though. 9to5Google notes that the look and feel of Fuchsia OS-powered Nest Hubs will be "essentially identical" to what it was before.

OK, so what's the big deal about Fuchsia, then? It's a new, open-source OS that's decidedly not based on the Linux kernel, as Android and Chrome OS are. Instead, Fuchsia is based on Magneta, which (as we described it back in 2016) is "combination microkernel and set of user-space services and hardware drivers" with a "physics based renderer" that can power graphical user interfaces. Because it's an open-source project, Fuchsia's existence has been well publicized over the years, although its purpose has been harder to fathom; "out in the open" yet "shrouded in mystery" is how we aptly put it. With its arrival on the original Nest Hub, Fuchsia is taking its first tentative steps out of the lab and into the hands of actual users, even if those users aren't aware of the new OS.

Linux on Chromebooks is finally coming out of beta with the release of Chrome OS 91, Google said at its developer I/O conference. From a report: The company had offered Linux apps on Chrome OS alongside Android apps, hoping to reach an audience of developers with IDEs and so on. However, the Linux Development Environment, as Google had dubbed it, had been in beta ever since while first launched. The company had added new features at a steady cadence, enabling things like GPU acceleration, better support for USB drives, and so on so people could be more productive while using Linux apps. Alongside Linux, Google also announced that it would be bringing Android 11 to Chromebooks. Technically, the update has already started with Chrome OS 90 for select Chromebooks, and it'll come with a host of new features including increased optimization of Android apps and a new dark theme. Google's increased support of Android is no coincidence. The company says that the operating system sees 3x increased usage of Android apps, and the new Android 11 update will see Android move to a virtual machine rather than the current container based method, making it easier to update in the future.

Chrome, at least in its experimental Canary version on Android (and only for users in the U.S.), is getting an interesting update in the coming weeks that brings back RSS, the once-popular format for getting updates from all the sites you love in Google Reader and similar services. From a report: In Chrome, users will soon see a 'Follow' feature for sites that support RSS and the browser's New Tab page will get what is essentially a (very) basic RSS reader -- I guess you could almost call it a "Google Reader." Now we're not talking about a full-blown RSS reader here. The New Tab page will show you updates from the sites you follow in chronological order, but it doesn't look like you can easily switch between feeds, for example. It's a start, though.

"Today, people have many ways to keep up with their favorite websites, including subscribing to mailing lists, notifications and RSS. It's a lot for any one person to manage, so we're exploring how to simplify the experience of getting the latest and greatest from your favorite sites directly in Chrome, building on the open RSS web standard," Janice Wong, Product Manager, Google Chrome, writes in today's update. "Our vision is to help people build a direct connection with their favorite publishers and creators on the web." A Google spokesperson told me that the way the company has implemented this is to have Google crawl RSS feeds "more frequently to ensure Chrome will be able to deliver the latest and greatest content to users in the Following section on the New Tab page."

The same technology that powers Google Duplex to call businesses and make appointments for you is being used to help you automatically change your password to a website that's been compromised in a security breach. TechCrunch reports: This new feature will start to roll out slowly to Chrome users on Android in the U.S. soon (with other countries following later), assuming they use Chrome's password-syncing feature. It's worth noting that this won't work for every site just yet. As a Google spokesperson told us, "the feature will initially work on a small number of apps and websites, including Twitter, but will expand to additional sites in the future."