Google said Wednesday it was changing the defaults on its services in an effort to store less browser history and location data on its servers. NBC News reports: Google CEO Sundar Pichai said in a blog post that the first time a person turns on location history, the default option would be for the data to be stored for 18 months. Activity from the web and from apps would also default to 18 months for new accounts, he said. "This means your activity data will be automatically and continuously deleted after 18 months, rather than kept until you choose to delete it," Pichai said. There will be no automatic change for existing accounts and people who already have location history turned on in their Google settings, but the company plans to inform existing users of the option to set up auto-delete after three to 18 months, he said. People also have the option to turn the setting off.

Safari 14, scheduled to be released later this fall with iOS 14 and macOS 11, is a release that is packed choke-full with features. From a report: The biggest and most important of the new additions is support for WebExtensions, a technology for creating browser extensions. What this means for Safari users is that starting this fall, they'll see a huge influx of new Safari extensions as add-on developers are expected to port their existing Chrome and Firefox extensions to work on Apple's browser as well. Apple said that, for now, WebExtensions will only be available for Safari on macOS.

Safari 14 is also an end of an era, as this will be the first version of Safari that won't support Adobe Flash Player content. But while old stuff is being removed, new stuff is also being added. One of the new technologies added to Safari is support for HTTP/3, a new web standard that will make loading websites faster and safer. Another important addition in Safari is support for WebP, a lightweight image format that has been gaining widespread adoption across the internet. The format, created by Google, serves as an alternative to the older JPEG format, and Safari has been the last browser to add support for it. [...] But Safari hasn't been lagging behind other browsers just in terms of HTTP/3 and WebP support. Apple has also added support for another cool feature, namely breach alerts, already present in both Chrome and Firefox. Starting this fall, Apple says that Safari 14 will scan a user's locally-stored passwords and show a prompt if one or more of the user's credentials are present in publicly available lists of breached accounts.

Some Firefox users have discovered that the new default Windows 10 browser, which is shipped to their devices via Windows Update, sometimes imports the data from Mozilla's application even if they don't give their permission. Softpedia reports: Some of these Firefox users decided to kill the initial setup process of Microsoft Edge, only to discover that despite the wizard shutting down prematurely, the browser still copied data stored by Mozilla's browser. Several users confirmed on reddit that this behavior happened on their computers too. Microsoft has remained tight-lipped on this, so for the time being, it's still not known why Edge imports Firefox data despite the initial wizard actually killed off manually by the user. Users who don't want to be offered the new Edge on Windows Update can turn to the dedicated toolkit that Microsoft released earlier this year, while removing the browser is possible by just uninstalling the update from the device.

Apple has unveiled the next version of macOS: Big Sur. From a report: The new operating system brings the biggest redesign since the introduction of macOS 10, according to Apple. Big Sur borrows a number of elements from Apple's iOS, including a customizable Control Center, where you can change brightness and toggle Do Not Disturb, and a new notification center, which groups related notifications together. Both interfaces are translucent, like their iOS counterparts. A number of apps have received streamlined new redesigns, including Mail, Photos, Notes, and iWork. Apple has introduced a new search feature to Messages (which organizes results into links, photos, and matching terms), as well as inline replies for group chats, a new photo-selection interface, and Memoji stickers. There's a new version of Maps for Mac that borrows features from the iOS app, including custom Guides, 360-degree location views, cycling and electric vehicle directions (which you can send directly to an iPhone), and indoor maps. Apple introduced a number of new Catalyst apps as well. Dock buttons have also been redesigned to look more similar to their iOS counterparts, in an effort to "be more consistent with icons across Apple's ecosystem while retaining their Mac personality," according to the company.

Apple also announced the biggest update to Safari since the browser was first introduced. The company claims its browser is 50 percent faster than Chrome and can show more tabs on-screen. Hovering over a tab now gives users a preview of its page, and right-clicking on the tab will give you the option to close all the tabs to its right. The new Safari also has a customizable start page and a built-in automatic translation feature that can interpret entire webpages in seven languages, Apple says. Safari is also getting support for extensions made for other browsers, and a dedicated extension store. (Unlike many other browsers, Safari will allow you to customize which sites your extensions run on). And there are new privacy features, including a Privacy Report that details actions the browser has taken to prevent tracking on the websites you visit.

"All the pieces are coming together for Microsoft to launch a direct competitor to Chromebooks..." argues an industry analyst writing for ZDNet: Since adopting the Chromium rendering engine, Microsoft Edge has featured virtually perfect compatibility with Chrome, right down to being able to install extensions from the Chrome app store. It's also enabled Microsoft to more easily support operating systems that Edge didn't previously support such as macOS and Linux. But now that Edge is working well, might Microsoft try to go after Chrome OS? While a "lite" version of Windows has been rumored for years, many of the other pieces are already in place or announced.

First, Microsoft has made no secret of how it covets the education market that has embraced Chromebooks. It has fought back with low-cost Windows notebooks from partners that are competitively priced with such devices but may lack Chrome OS' perception of simplicity and security.

Second, after years of having the web apps of office.com languish as Microsoft emphasized the PC versions, the online suite will be the first to take advantage of Fluid Framework, the company's open-source component framework that allows the embedding of applet functionality and collaboration into a range of container documents such as Edge pages. Third, while the idea of Microsoft limiting the opportunity for Windows developers on a platform might have been unthinkable years ago, times have changed. Many developers, Microsoft included, have made web apps mainstream. Outside of the Windows-boosting Surface team, Microsoft seems indifferent as to where you access its subscription-based client and cloud offerings.

Finally, Microsoft now has the cross-processor architecture support to take the battle to Google -- although, at least for now, it has exclusively focused on high-performance Qualcomm Snapdragon designs as opposed to Mediatek or Allwinner ARM-based chips in budget Chromebooks...

Microsoft's strongest competitive point would be the greater focus on privacy, one of the best reasons to use Edge versus Chrome today.

A new feature in Windows 10 might allow Google to streamline Chrome, and we know it works because Microsoft is already using it. From a report: According to Microsoft, its recent update implemented a new memory management feature in Edge known as SegmentHeap. In the latest version of Windows, developers can opt into SegmentHeap to lower the RAM usage of a program. Microsoft says it already added support to the new Edge browser, and it has seen a 27 percent drop in the browser's memory footprint.

After Motherboard discovered multiple servers on Discord containing pirated porn, the chat platform removed them and banned the owners of each. From a report: "Discord prohibits the sale, dissemination, and promotion of cracked accounts," a spokesperson told Motherboard. "We ban users and shut down servers that are responsible for this behavior. In cases of copyrighted material, we respond promptly to DMCA takedown requests and take the appropriate action." The bans are permanent, and the owners can no longer access their accounts for any purpose. Former members of those servers can no longer access those servers, either.

During Motherboard's reporting, Google removed an OnlyFans scraping Chrome extension when approached for comment. Stolen content is a problem that has plagued the adult industry for as long as porn has existed on the internet. Several owners of premium platforms similar to OnlyFans urged the industry to do better in how it safeguards content, by protecting models from theft using more advanced fingerprinting, watermarking, copyright takedown support, and technology that could prevent scrapers from using these tools to begin with.

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google's market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry's failure to protect browsers as they are used more for email, payroll and other sensitive functions. From a report: Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month. "When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses," Google spokesman Scott Westover told Reuters.

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools. Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.

For years, Parallels has provided virtualization software so you could run full Windows installs on a Mac, but today they're tackling a new OS. From a report: The company just announced that it is partnering with Google to work on bringing full Windows application support to Chrome OS enterprise devices. That's a big deal for the many businesses out there that run various pieces of legacy Windows software -- or just any business that wants to run Microsoft's Office software natively. It could Chrome OS devices a lot more viable in a variety of workspaces that may have previously had to rely on Windows hardware, though of course that'll depend on how well it is implemented. How exactly this will work remains to be seen; Parallels only said that partnership would "seamlessly add full-featured Windows apps, including Microsoft Office, to Chromebook Enterprise devices."

Google is pressing on with new plans to hide all parts of web addresses except the domain name. Android Police reports: A few new feature flags have appeared in Chrome's Dev and Canary channels (V85), which modify the appearance and behavior of web addresses in the address bar. The main flag is called "Omnibox UI Hide Steady-State URL Path, Query, and Ref" which hides everything in the current web address except the domain name. For example, "https://www.androidpolice.com/2020/06/07/lenovo-ideapad-flex-5-chromebook-review/" is simply displayed as "androidpolice.com." There are two additional flags that modify this behavior. One reveals the full address once you hover over the address bar (instead of having to click it), while the other only hides the address bar once you interact with the page. An issue page on the Chromium Bug tracker has also been created for keeping track of the changes, though there aren't any additional details there.

There's no public explanation yet for why Google is pressing ahead with these changes, but the company has said in the past that it believes showing the full address can make it harder to tell if the current site is legitimate. "Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage," Chromium software engineer Livvie Lin said in a design document earlier this year. Google has since clarified how the experiment will work and what opt-out options will be available.

"We think this is an important problem area to explore because phishing and other forms of social engineering are still rampant on the web," a Chromium developer on the bug tracker for the change said, "and much research shows that browsers' current URL display patterns aren't effective defenses. We're implementing this simplified domain display experiment so that we can conduct qualitative and quantitative research to understand if it helps users identify malicious websites more accurately."

It was also confirmed that Google will keep the opt-out mechanism that is already present -- an 'Always show full URLs' setting that appears when you right-click the address bar. "We plan to support this opt-out option indefinitely," the same developer said.

The site Android Police is calling out new feature flags in Chrome's early-release Dev and Canary channels (V85) "which modify the appearance and behavior of web addresses in the address bar." The main flag is called "Omnibox UI Hide Steady-State URL Path, Query, and Ref" which hides everything in the current web address except the domain name... There are two additional flags that modify this behavior. One reveals the full address once you hover over the address bar (instead of having to click it), while the other only hides the address bar once you interact with the page...

There's no public explanation yet for why Google is pressing ahead with these changes, but the company has said in the past that it believes showing the full address can make it harder to tell if the current site is legitimate. "Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage," Chromium software engineer Livvie Lin said in a design document earlier this year.

However, it's also worth considering that making the web address less important, as this feature does, benefits Google as a company. Google's goal with Accelerated Mobile Pages (AMP) and similar technologies is to keep users on Google-hosted content as much as possible, and Chrome for Android already modifies the address bar on AMP pages to hide that the pages are hosted by Google. Modifying addresses on the desktop is another step towards making them irrelevant, which hurts the decentralized nature of the internet as a whole.

In the "quick launch bar" of Windows 10, native app icons "support a shortcut menu for commonly or frequently performed tasks in the app. This menu can be invoked by right-clicking the app's quick launch bar icon," writes the Windows Club site -- adding that Mac users can use similar functionality when opening a web browser from the MacOS dock.

But now Google Chrome and Microsoft Edge are working on similar "App Shortcuts" that allow users to do things like send email or composing tweets directly from the Windows 10 taskbar or macOS dock. Slashdot reader techtsp shares their report: Right now, Chromium does not allow users to start a key task within a progressive web app through the Windows 10 taskbar. This is exactly what Chromium-based web browsers are now trying to change.

This feature will enable web developers to add support in Chromium for shortcuts defined in a Web App Manifest. As a result, Chromium progressive web apps can offer App shortcuts for their quick launch bar icon much like native apps.

The App shortcuts feature is currently in development on Microsoft Edge. Meanwhile, Google Chrome 85 is in the Dev channel.

"The terms 'allowlist' and 'blocklist' describe their purpose, while the other words use metaphors to describe their purpose," reads a change description on the source code for Android -- from over a year ago. 9to5Mac calls it "a shortened version of Google's (internal-only) explanation" for terminology changes which are now becoming more widespread.

And Thursday GitHub's CEO said they were also "already working on" renaming the default branches of code from "master" to a more neutral term like "main," reports ZDNet: GitHub lending its backing to this movement effectively ensures the term will be removed across millions of projects, and effectively legitimizes the effort to clean up software terminology that started this month.

But, in reality, these efforts started years ago, in 2014, when the Drupal project first moved in to replace "master/slave" terminology with "primary/replica." Drupal's move was followed by the Python programming language, Chromium (the open source browser project at the base of Chrome), Microsoft's Roslyn .NET compiler, and the PostgreSQL and Redis database systems... The PHPUnit library and the Curl file download utility have stated their intention to replace blacklist/whitelist with neutral alternatives. Similarly, the OpenZFS file storage manager has also replaced its master/slave terms used for describing relations between storage environments with suitable replacements. Gabriel Csapo, a software engineer at LinkedIn, said on Twitter this week that he's also in the process of filing requests to update many of Microsoft's internal libraries.
A recent change description for the Go programming language says "There's been plenty of discussion on the usage of these terms in tech. I'm not trying to have yet another debate." It's clear that there are people who are hurt by them and who are made to feel unwelcome by their use due not to technical reasons but to their historical and social context. That's simply enough reason to replace them.

Anyway, allowlist and blocklist are more self-explanatory than whitelist and blacklist, so this change has negative cost.
That change was merged on June 9th -- but 9to5Mac reports it's just one of many places these changes are happening. "The Chrome team is beginning to eliminate even subtle forms of racism by moving away from terms like 'blacklist' and 'whitelist.' Google's Android team is now implementing a similar effort to replace the words 'blacklist' and 'whitelist.'" And ZDNet reports more open source projects are working on changing the name of their default Git repo from "master" to alternatives like main, default, primary, root, or another, including the OpenSSL encryption software library, automation software Ansible, Microsoft's PowerShell scripting language, the P5.js JavaScript library, and many others.

Security and software development company Quarkslab played around with Google's new Fuchsia operating system, which could one day replace Android on smartphones and Chrome OS on laptops. The researchers "decided to give a quick look at Fuchsia, learn about its inner design, security properties, strengths and weaknesses, and find ways to attack it." Here's what they concluded: Fuchsia's micro kernel is called Zircon. It is written in C++. [...] Contrary to every other major OS, it appears rather difficult to target the Zircon kernel directly. A successful RCE (Remote Code Execution) on the world-facing parts of the system (USB, Bluetooth, network stack, etc) will only give you control over the targeted components, but they run in independent userland processes, not in the kernel. From a component, you then need to escalate privileges to the kernel using the limited number of syscalls you can access with the handles you have. Overall, it seems easier to target other components rather than the kernel, and to focus on components that you can talk to via IPC and that you know have interesting handles.

Overall, Fuchsia exhibits interesting security properties compared to other OSes such as Android. A few days of vulnerability research allowed us to conclude that the common programming bugs found in other OSes can also be found in Fuchsia. However, while these bugs can often be considered as vulnerabilities in other OSes, they turn out to be uninteresting on Fuchsia, because their impact is, for the most part, mitigated by Fuchsia's security properties. We note however that these security properties do not -- and in fact, cannot -- hold in the lowest layers of the kernel related to virtualization, exception handling and scheduling, and that any bug here remains exploitable just like on any other OS. All the bugs we found were reported to Google, and are now fixed.

Again, it is not clear where Fuchsia is heading, and whether it is just a research OS as Google claims or a real OS that is vowed to be used on future products. What's clear, though, is that it has the potential to significantly increase the difficulty for attackers to compromise devices.

An anonymous reader quotes a report from ZDNet: Mint's programmers, led by lead developer, Clement "Clem" Lefebvre, has dropped support for Ubuntu's Snap software packing system. [...] So, what's not to like? Well, a lot, thinks Clem. As he wrote in July 2019, the idea is fine: "When snap was announced it was supposed to be a solution, not a problem. It was supposed to make it possible to run newer apps on top of older libraries and to let third-party editors publish their software easily towards multiple distributions, just like Flatpak and AppImage." But, he said, "What we didn't want it to be was for Canonical to control the distribution of software between distributions and third-party editors, to prevent direct distribution from editors, to make it so software worked better in Ubuntu than anywhere else and to make its store a requirement."

Clem was worried then that Canonical was moving in that direction because: "Ubuntu is planning to replace the Chromium [Google's open-source browser and foundation for Chrome] repository package with an empty package, which installs the Chromium snap. In other words, as you install APT [Debian's program for installing and managing DEB files] updates, Snap becomes a requirement for you to continue to use Chromium and installs itself behind your back. This breaks one of the major worries many people had when Snap was announced and a promise from its developers that it would never replace APT. A self-installing Snap Store which overwrites part of our APT package base is a complete NO-NO. It's something we have to stop and it could mean the end of Chromium updates and access to the snap store in Linux Mint."

Fast forward to now, and that's still the case with Chromium, and Clem has had enough: "In the Ubuntu 20.04 package base, the Chromium package is indeed empty and acting, without your consent, as a backdoor by connecting your computer to the Ubuntu Store. Applications in this store cannot be patched, or pinned. You can't audit them, hold them, modify them, or even point snap to a different store. You've as much empowerment with this as if you were using proprietary software, i.e. none. This is in effect similar to a commercial proprietary solution, but with two major differences: It runs as root, and it installs itself without asking you."

U.S. federal and state authorities are asking detailed questions about how to limit Google's power in the online search market as part of their antitrust investigations into the tech giant, according to rival DuckDuckGo. From a report: Gabriel Weinberg, chief executive officer of the privacy-focused search engine, said he has spoken with state regulators, and talked with the U.S. Justice Department as recently as a few weeks ago. Justice Department officials and state attorneys general asked the CEO about requiring Google to give consumers alternatives to its search engine on Android devices and in Google's Chrome web browser, Weinberg said in an interview. "We've been talking to all of them about search and all of them have asked us detailed search questions," he added. Weinberg's comments shine a light into how the inquiry is examining Google's core business -- online search.

Websites are still capable of detecting when a visitor is using Chrome's incognito (private browsing) mode, despite Google's efforts last year to disrupt the practice. From a report: It is still possible to detect incognito mode in Chrome, and all the other Chromium-based browsers, such as Edge, Opera, Vivaldi, and Brave, all of which share the core of Chrome's codebase. Furthermore, developers have taken the scripts shared last year and have expanded support to non-Chrome browsers, such as Firefox and Safari, allowing sites to block users in incognito mode across the board. Currently, there is no deadline for a new Chrome update to block incognito mode detections, however, today, Google might be interested more than ever in fixing this issue.

techtsp quotes The Windows Club: In a major breakthrough, Microsoft Edge now supports Native File System API, which will take progressive web apps and their usage to a whole new level.

An official roadmap entry points towards the new development, which only means one thing: Bridging the native app gap using modern web technologies... This is exactly where Microsoft Edge's Native File System API support comes into play, and Edge is already rolling out a native PDF editing support that uses this Native File System API. In the future, Microsoft Edge users can easily save edits made to PDF documents back to the file instead of saving a copy each time...

Starting in Google Chrome 83, a new origin trial has started for the Native File System API for all desktop platforms including Windows, Linux, and macOS. We saw it in action in the text editor demo....

Over the last few years, the web has evolved into an incredibly powerful platform in itself, and with the introduction and significant adoption of Progressive Web Apps (PWAs), the cross-device software delivery became much easier. But no matter how great PWAs are, they have certain limitations that we can't possibly ignore. And these limitations prevent users from replacing native apps with progressive web apps. In short, PWAs can't do everything that native apps can do.

Google announced this week plans to enable its new anti-notification spam system in Chrome over the summer, with the release of Chrome 84, on July 12, 2020. From a report: Known internally as the "quieter notification permission UI," this Chrome component works by blocking sites from showing notification requests, which are hidden under an icon in the Chrome URL bar (on desktop) or under a toolbar (on mobile). Google first announced the "quieter notification permission UI" in January, and shipped it in February, in Chrome 80, in a limited, user opt-in fashion. But in a blog post, Google said the new UI and its ability to detect spammy notification popups has been improved and will roll out enabled by default for all users in July, with the release of Chrome 84.

Chrome and Firefox are blocking direct access to the movie download pages of popular torrent site YTS. According to Google's safe browsing report, YTS.mx is a "deceptive site" that may trick visitors into doing dangerous things. The warning is likely the result of malicious advertisements. TorrentFreak reports: While the site's homepage can be visited just fine, navigating to a torrent detail page throws up the following warning in Chrome. "Deceptive site ahead. Attackers on yts.mx may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards)." Firefox shows a similar alert and also prevents people from going directly to the download pages. In both browsers, people can, however, accept the risk and visit the page they were looking for.

It's not clear what the exact problem is but the Chrome warning mentions that YTS was caught phishing. This is also reflected in Google's Safe Browsing report, which states the torrent site recently tried to trick visitors into sharing personal info or downloading software. Whether any of this is intentional remains a question. It seems more likely that the warning was triggered by some type of malicious advertisement.