Chromium

Microsoft Updates Edge With New Features To Challenge Chrome (forbes.com) 57

Forbes looks at new features Microsoft added to Edge "as it looks to beat Chrome in the browser wars." It's now going to be possible to search for work files directly from the Edge address bar. To use this you need Microsoft Search configured; then type "work" and press the Tab key to search your company's network for your work files. Another work-related Edge update, also about to launch, lets IT admins manage specific work-related apps on user devices, as well as the browsing users do from their Work Profile in Edge.

Integration with other Microsoft products is a key factor as the IT giant looks to entice more business users to use the updated Edge browser. Edge now supports native policies for Microsoft Endpoint Data Loss Prevention, which are used to find and protect sensitive items across Microsoft 365 services, Microsoft said in a blog post highlighting the firm's security credentials. Another soon-to-launch feature of note, highlighted by Bleeping Computer, is Sleeping Tabs, which Microsoft says can improve memory usage by up to 26%. It can also reduce CPU usage by 29%, potentially resulting in battery savings...

The browser is also adding security features such as alerts for the Edge password monitor if a compromised password is detected.

Firefox

Firefox 81 Released, Can Now Be Your Default Browser in iOS (engadget.com) 34

Engadget reports: One big benefit of iOS 14 is that you can set non-Apple-made apps as your default, including for email and web browsing. Hot on the heels of you being able to set Chrome and Gmail as your clients of choice, Firefox is enabling you to make its browser the default on iPhones and iPads. Naturally, you'll need to have both the latest version of the operating system and the apps, and then just make the switch inside settings.
Meanwhile, Bleeping Computer profiles some of the new features in this week's release of Firefox 81, including:
  • The ability to control videos via your headset and keyboard even if you're not using Firefox at the time
  • A new credit card autofill feature for Firefox users in the U.S. and Canada
  • A new theme called AlpenGlow
  • Firefox can now be set as the default system PDF viewer

Chrome

The Best Chrome Extensions To Prevent Creepy Web Tracking (wired.com) 38

Wired has highlighted several browser extensions that "are a simple first step in improving your online privacy." Other steps to take include adding a privacy-first browser and VPN to further mask your web activity. An anonymous reader shares the report: Privacy Badger is one of the best options for blocking online tracking in your current browser. For a start, it's created by the Electronic Frontier Foundation, a US-based non-profit digital rights group that's been fighting online privacy battles since 1990. It's also free. Privacy Badger tracks all the elements of web pages you visit -- including plugins and ads placed by external companies. If it sees these appearing across multiple sites you visit then the extension tells your browser not to load any more of that content.

DuckDuckGo is best-known for its anonymous search engine that doesn't collect people's data. DuckDuckGo also makes an extension for Chrome. The Privacy Essentials extension blocks hidden third-party trackers, showing you which advertising networks are following you around the web over time. The tool also highlights how websites collect data through a partnership with Terms of Service Didn't Read and includes scores for sites' privacy policies. It also adds its non-tracking search to Chrome.

The Ghostery browser extension blocks trackers and shows lists of which ones are blocked for each site (including those that are slow to load), allows trusted and restricted sites to be set up, and also lets people block ads. The main Ghostery extension is free, but there's also a paid subscription at $49 per month that provides detailed breakdowns of all trackers and can be used for analysis or research. There are Ghostery extensions for Chrome, Firefox, Microsoft Edge and Opera.

Unlike other tools here, Adblock Plus is primarily marketed as an ad blocking tool -- the others don't necessarily block ads by default but aim to be privacy tools that may limit the most intrusive types of ads. Using an ad blocker comes with a different set of ethical considerations to tools that are designed to stop overly intrusive web tracking; ad blockers will block a much wider set of items on a webpage and this can include ads that don't follow people around the web. Adblock Plus is signed up to the Acceptable Ads project that shows non-intrusive ads by default (although this can be turned off). On a privacy front Adblock Plus's free extensions block third party trackers and allow for social media sharing buttons that send information back to their owners to be disabled.

Chrome

Google Is Pulling the Plug On Paid Chrome Extensions Over the Next Year (9to5google.com) 18

Google has announced that paid Chrome extensions will no longer be available and will be phased out over the next year. 9to5Google reports: Following a temporary suspension on paid extensions this year due to fraudulent transactions, Google will pull the plug on paid extensions entirely over the next several months. Developers haven't been able to submit new paid extensions since March, but this week's announcement confirms that paid extensions won't be coming back at all. Further, the free trial option offered by the Chrome Web Store will go away on December 1. On February 1, 2021, all paid Chrome extensions will lose access to payments through the Web Store. Sometime later in 2021, too, Google will pull the plug on its licensing API that enables developers to verify that a user has actually paid for the extension.

For developers who still want to monetize their extensions, Google says they'll need to migrate to both another payment processor and a new licensing API: "The Chrome Web Store payments system is now deprecated and will be shut down over the coming months. There are many other ways to monetize your extensions, and if you currently use Chrome Web Store payments, you'll need to migrate to one of them."

Bug

iOS 14 Resets iPhone's Default Apps To Apple's Safari and Mail After Reboot (cnet.com) 55

Users have found a major bug in Apple's iOS 14 iPhone software. The free software upgrade, which Apple made publicly available last week, includes features many users had long asked for, such as better ways to organize apps, living programs called widgets on the home screen, and the ability to change which default apps the phone uses to browse the web or send an email. That last one doesn't appear to work. From a report: A growing chorus of Twitter users has been posting about the bug in Apple's default email and default web browser options. What happens is that whenever they set the default browser to Google's Chrome, for example, it works as expected, and tapping any link in an app or browser will open Chrome on the iPhone. But then if they restart the phone, iOS 14 changes that default back to Apple's Safari. "We are aware of an issue that can impact default email and browser settings in iOS 14 and iPadOS 14. A fix will be available to users in a software update," Apple said in a statement.

Open Source

Browser Extension uMatrix Ends Active Development (ghacks.net) 38

Slashdot reader Hmmmmmm quotes Ghacks: Raymond Hill, known online as gorhill, has set the status of the uMatrix GitHub repository to archived; this means that it is read-only at the time and that no updates will become available.

The uMatrix extension is available for Firefox, Google Chrome, and most other Firefox- and Chromium-based browsers. It is a privacy and security extension for advanced users that provides firewall-like capabilities once it is installed...

Hill suggests that developers could fork the extension to continue development under a new name. There is also the chance that Hill might resume development in the future but there is no guarantee that this is going to happen.

For now, uMatrix is no longer in active development.

Chrome

How to Play Chrome's Hidden 'Dinosaur Game' and Firefox's 'Unicorn Pong' (howtogeek.com) 28

How-To Geek has discovered three of the world's most popular web browsers contain Easter Eggs: It seems like every browser has a hidden game these days. Chrome has a dinosaur game, Edge has surfing, and Firefox has . . . unicorn pong? Yep, you read that right — here's how to play it.

First, open Firefox. Click the hamburger menu (the three horizontal lines) at the upper right, and then click "Customize." On the "Customize Firefox" tab, you'll see a list of interface elements to configure the toolbar. Click and drag all the toolbar items except "Flexible Space" into the "Overflow Menu" on the right.

Click the Unicorn button that appears at the bottom of the window....

There are screenshots in the article illustrating all of the steps, and the result.

Microsoft

Microsoft's 'Patch Tuesday' Includes 129 Security Updates, Mostly to Windows (krebsonsecurity.com) 41

This week Krebs on Security reported that Microsoft "released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software." None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users. The majority of the most dangerous or "critical" bugs deal with issues in Microsoft's various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server. "That doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers," said Dustin Childs, of Trend Micro's Zero Day Initiative. "We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We'll likely see this one in the wild soon. This should be your top priority."

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that's been exploited for cybercriminal gains since April 2019.

The article points out that Google also shipped a critical update for Chrome this week "that resolves at least five security flaws that are rated high severity."

Firefox

Firefox Will Add a New Drive-by-Download Protection (zdnet.com) 31

Mozilla will add a new security feature to Firefox in October that will make it harder for malicious web pages to initiate automatic downloads and plant malware-laced files on a user's computer. From a report: Called a drive-by download, this type of attack has been around for two decades and usually takes place when users visit a website that contains malicious code placed there by an attacker. The role of the malicious code is to abuse legitimate features in browsers and web standards to initiate an automatic file download or download prompt, in the hopes of tricking the user into running a malicious file. There are multiple forms of drive-by downloads, depending on the browser feature attackers decide to use. Browsers like Chrome, Firefox, and Internet Explorer have, across the years, gradually deployed various forms of protections against automatic drive-by downloads, but 100% protection can't be fully achieved because browser makers can't fully block legitimate web features and also because of the shifting landscape of web attacks, with attackers always finding a new hole to poke at.
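The article explains the attack but not the defence, so here is an added example (not Mozilla's code and not from the ZDNet piece) of how a browser can gate downloads without breaking legitimate ones. Two of the rules modelled are real web-platform behaviour: a frame sandboxed without the `allow-downloads` token may not start a download, and a download backed by a user gesture is allowed. The third rule, tolerating a single gesture-less download per frame and refusing repeats, is an assumed heuristic standing in for browser-specific limits; the frame objects and the `DownloadGate` class are constructed for this illustration.

```javascript
// Added example, not Mozilla's or any browser's code: a small model of a
// download gate. See the lead-in for which rules are spec behaviour and
// which (the per-frame automatic-download limit) are assumed.

// Parse an iframe sandbox attribute into its set of allow-* tokens.
// null/undefined means the frame is not sandboxed; "" means fully sandboxed.
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  return new Set(attrValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

class DownloadGate {
  constructor() {
    this.automaticCount = new Map(); // frameId -> gesture-less downloads seen
  }

  // frame: { id, sandbox: string|null, userActivated: boolean }
  // Returns { allowed, reason } so a caller can log why a download was refused.
  decide(frame) {
    const flags = parseSandbox(frame.sandbox);
    if (flags !== null && !flags.has("allow-downloads")) {
      return { allowed: false, reason: "sandboxed frame without allow-downloads" };
    }
    if (frame.userActivated) {
      return { allowed: true, reason: "user gesture" };
    }
    const seen = this.automaticCount.get(frame.id) || 0;
    this.automaticCount.set(frame.id, seen + 1);
    if (seen >= 1) {
      // Assumed limit: a second automatic download from the same frame
      // looks like a script loop, not a user action.
      return { allowed: false, reason: "repeated automatic download" };
    }
    return { allowed: true, reason: "first automatic download" };
  }
}

// Constructed scenario: malicious code in a third-party ad iframe calls
// a.download + a.click() in a loop as soon as the page loads, while the
// top-level page also triggers one download on its own and one after a click.
function simulateDriveBy() {
  const gate = new DownloadGate();
  const adFrame = { id: "ad", sandbox: "allow-scripts", userActivated: false };
  const topLevel = { id: "top", sandbox: null, userActivated: false };
  const clicked = { id: "top", sandbox: null, userActivated: true };
  return {
    sandboxedAuto: gate.decide(adFrame).allowed,   // false: no allow-downloads
    topFirstAuto: gate.decide(topLevel).allowed,   // true: one automatic download tolerated
    topSecondAuto: gate.decide(topLevel).allowed,  // false: looks like a loop
    topWithGesture: gate.decide(clicked).allowed,  // true: the user asked for it
  };
}
```

The point the model makes concrete is the one in the article: the gate cannot refuse every scripted download, because legitimate sites start downloads from script after a click, so the browser has to lean on context (sandboxing, user activation, repetition) rather than on the feature itself.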

Network

A Chrome Feature is Creating Enormous Load on Global Root DNS Servers (arstechnica.com) 26

An anonymous reader shares a report: The Chromium browser -- open source, upstream parent to both Google Chrome and the new Microsoft Edge -- is getting some serious negative attention for a well-intentioned feature that checks to see if a user's ISP is "hijacking" non-existent domain results. The Intranet Redirect Detector, which makes spurious queries for random "domains" statistically unlikely to exist, is responsible for roughly half of the total traffic the world's root DNS servers receive. Verisign engineer Matt Thomas wrote a lengthy APNIC blog post outlining the problem and defining its scope. DNS, or the Domain Name System, is how computers translate relatively memorable domain names like arstechnica.com into far less memorable IP addresses, like 3.128.236.93.

Without DNS, the Internet couldn't exist in a human-usable form -- which means unnecessary load on its top-level infrastructure is a real problem. Loading a single modern webpage can require a dizzying number of DNS lookups. When we analyzed ESPN's front page, we counted 93 separate domain names -- from a.espncdn.com to z.motads.com -- that had to be resolved in order to fully load the page! In order to keep the load manageable for a lookup system that must service the entire world, DNS is designed as a many-stage hierarchy. Near the top of this pyramid are the TLD servers -- each top-level domain, such as .com, has its own family of servers that are the ultimate authority for every domain beneath it. One step above those are the actual root servers, a.root-servers.net through m.root-servers.net.

Chrome

Chrome 85 Arrives With Tab Management, 10% Faster Page Loads, and PDF Improvements (venturebeat.com) 62

Google today launched Chrome 85 for Windows, Mac, Linux, Android, and iOS. Chrome 85 brings tab management changes, 10% faster page loads, PDF improvements, and a slew of developer features. From a report: Google is promising under-the-hood performance improvements with Chrome 85. You can expect two types of speed gains: Profile Guided Optimization, which delivers up to 10% faster page loads, and Tab Throttling, which helps reduce the impact of idle background tabs. The latter, however, is coming to the Beta channel meaning it's not yet ready. Profile Guided Optimization is a compiler optimization technique where the most performance-critical parts of the code can run faster. Profile Guided Optimization prioritizes the most common tasks using real usage scenarios that match the workflows of Chrome users around the world.

Microsoft

Microsoft's Transcribe in Word Gives Office 365 Subscribers 5 Hours of Transcription a Month (venturebeat.com) 22

Last October, Microsoft unveiled a transcription feature -- Transcribe in Word -- that is designed to let users leverage the power of the cloud to transcribe audio. After nearly a year in development, Transcribe in Word is now generally available in U.S. English at no cost to existing Microsoft 365 subscribers. It will come to Android and iOS later this year. From a report: You could say Microsoft is late to the party -- speech-to-text is hardly novel, after all. But Microsoft project manager Dan Parish says the company is "uniquely positioned" to provide a one-stop shop for transcription. "You don't have to worry about fussing around with different Windows apps," he said during a briefing with reporters. "What we're trying to do with all of our investments in the natural user interface space -- whether they have touch or voice, you name it -- is enable everyone to work in the way that's best for them so that they can be more effective, they can spend less time and energy creating the best work, and they can really focus on what matters most." Microsoft 365 subscribers using Edge or Chrome will now see a Dictate menu under the Home tab when they create a new Word document from Office.com. Selecting Transcribe will start a recording, which can be paused at any time, while hitting the "Save and transcribe now" button will send the recording to the Azure cloud for transcription. Prerecorded files in .wav, .mp4, .m4a, and .mp3 formats can be uploaded via the new Upload audio option.

Google

Chromium's DNS-Hijacking Tests Accused of Causing Half of All Root Queries (zdnet.com) 84

ZDNet reports: In an effort to detect whether a network will hijack DNS queries, Google's Chrome browser and its Chromium-based brethren randomly conjure up three domain names of between 7 and 15 characters to test; if two of the three resolve to the same IP, the browser concludes the network is capturing and redirecting requests for nonexistent domains. This test is run on startup, and whenever a device's IP or DNS settings change.

Because DNS resolvers pass queries for names they do not know up the hierarchy toward the authoritative name servers, the random domains used by Chrome find their way to the root DNS servers, and according to Matthew Thomas, a principal engineer in Verisign's CSO applied research division, those queries make up half of all queries to the root servers. Data presented by Thomas showed that as Chrome's market share increased after the feature was introduced in 2010, queries matching the pattern used by Chrome increased in step.

"In the 10-plus years since the feature was added, we now find that half of the DNS root server traffic is very likely due to Chromium's probes," Thomas said in an APNIC blog post. "That equates to about 60 billion queries to the root server system on a typical day."

Thomas added that half the DNS traffic of the root servers is being used to support a single browser function, and with DNS interception being "certainly the exception rather than the norm", the traffic would be a distributed denial of service attack in any other scenario.

Chrome

Chrome 86 Will Warn Users About Insecure Forms On HTTPS Pages (9to5google.com) 37

While there's wide HTTPS adoption today, HTTP content on secure pages still persists. Google has been working to stamp that out, and Chrome is now turning its attention to and warning about insecure forms. "These 'mixed forms' (forms on HTTPS sites that do not submit on HTTPS) are a risk to users' security and privacy," says Google in a blog post. "Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data." 9to5Google reports: The Google browser today removes the address bar's lock icon from sites with mixed forms. However, this proved to deliver an "unclear" experience that "did not effectively communicate the risks associated with submitting data in insecure forms." Starting in version 86, due to hit stable in October, Chrome will provide a more aggressive warning about insecure forms. Autofill will be disabled, but the built-in password manager will continue to offer "unique passwords." The company argues it's safer than reusing credentials. Next, the form will show red warning text underneath the field: "This form is not secure. Autofill has been turned off." The last measure will throw up a full-page warning communicating the potential risks. It gives users an option to cancel the action, but there will be a "Send anyway" button.

Censorship
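Finding mixed forms on your own pages before Chrome 86 flags them is a short exercise. The following is an added example (not Chrome's code): it resolves each form's `action` against the document URL the way the browser does, so relative and scheme-relative actions on an HTTPS page count as secure, an empty action submits to the page itself, and only a target whose scheme resolves to `http:` is flagged. `SAMPLE_PAGE` and `SAMPLE_FORMS` are constructed input, the shape a scraper of `document.forms` might produce.

```javascript
// Added example, not Chrome's code: detect "mixed forms", i.e. forms on an
// HTTPS page whose submission would travel over plain HTTP.

// Resolve a form's action to the absolute URL the browser would submit to.
// An absent or empty action submits to the document's own URL.
function resolveFormTarget(pageUrl, action) {
  if (action === null || action === undefined || action.trim() === "") {
    return new URL(pageUrl);
  }
  return new URL(action.trim(), pageUrl); // relative actions resolve against the page
}

// forms: array of { action: string|null }. Returns the offending forms with
// their index and the absolute target, for reporting.
function findMixedForms(pageUrl, forms) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // only an HTTPS page can have mixed forms
  const flagged = [];
  forms.forEach((form, index) => {
    let target;
    try {
      target = resolveFormTarget(pageUrl, form.action);
    } catch (err) {
      return; // unparsable action: the browser would not submit it anywhere
    }
    if (target.protocol === "http:") {
      flagged.push({ index, action: form.action, target: target.href });
    }
  });
  return flagged;
}

// Constructed sample document for the demonstration.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_FORMS = [
  { action: "/pay" },                             // relative: resolves to https, fine
  { action: "" },                                 // submits to the page itself, fine
  { action: "http://legacy.example/login" },      // mixed form
  { action: "//cdn.example/submit" },             // scheme-relative: inherits https
  { action: "HTTP://tracker.example/collect" },   // uppercase scheme is still http
  { action: "mailto:orders@shop.example" },       // not HTTP at all, ignored
];
```

Running `findMixedForms(SAMPLE_PAGE, SAMPLE_FORMS)` reports forms 2 and 4; the uppercase scheme case is the one a naive `startsWith("http://")` check misses.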

Text Editor Notepad++ Banned In China After 'Stand With Hong Kong' Update (techcrunch.com) 87

The website of Notepad++ is banned in China as of Monday, "obviously due to" its release of editions named "Free Uyghur" and "Stand with Hong Kong," the source code and text editor announced on Twitter. TechCrunch reports: First released in 2003 by France-based developer Don Ho, free-to-use Notepad++ operates on Windows and supports some 90 languages. In his release notices for the two editions, Ho openly voiced his concerns over "human rights" conditions, respectively in the Xinjiang autonomous region and Hong Kong. Tests by TechCrunch found that the Notepad++ ban only applies to its Download page -- which showcases the special editions and thus politically sensitive language -- when one tries to reach it from Chinese browsers developed by Tencent (QQ Browser and WeChat's built-in browser), Alibaba (UC Browser), 360 and Sogou. These services flag the page as containing content "prohibited" by local regulators.

Notepad++'s home page, on the other hand, remains unblocked through these local browsers. One can still access the full site from Chrome and DuckDuckGo in China. The ban began as early as August 12 when a user notified Ho of the ban, the developer told TechCrunch. He has never been contacted by any Chinese government authority and does not plan to take measures to cope with the website restriction.

Android

Chrome For Android Will Show 'Fast Page' Labels Based On Web Vitals (venturebeat.com) 27

An anonymous reader writes: Google today announced Chrome for Android's context menu will show "Fast page" labels for webpages deemed to have good performance. The label will be determined using Google's Web Vitals, an initiative the company announced in May to provide web developers and website owners with a unified set of metrics for building websites with user experience and performance in mind. Core Web Vitals, Google's attempt to spell out the metrics it considers critical for all web experiences, will measure a webpage's responsiveness and visual stability.

Firefox

Can Firefox Be Saved? (zdnet.com) 318

"Even with another infusion of cash from Google, you have to wonder just how long Firefox will survive as a viable, mainstream web browser," argues ZDNet contributing editor Steven J. Vaughan-Nichols: I've been using Mozilla's Firefox browser since it was still in beta. In 2004, for a while, it was my favorite web browser. Not because it was open-source, but because it was so much better and more secure than Internet Explorer. That was then. This is now. Firefox is in real danger of dying off...

Mozilla and Firefox still produced important work. You need to look no further than the JavaScript, Rust, and WebAssembly languages. They were also champions of security and privacy. Projects such as embracing DNS-over-HTTPS (DoH) and overall security improvements were great, but users didn't care. With the arrival of Google's Chrome browser, users turned from Firefox to Chrome as their favorite browser...

Firefox is on its way to irrelevance. Making matters even worse, Mozilla's just had its second round of layoffs... As technology writer Matthew MacDonald put it, "Mozilla "." Firefox's security and development teams have also been hard hit. This is bad. In January, Mitchell Baker, Mozilla Corporation CEO and Mozilla Foundation chairperson, said it let people go because of declining interest in Firefox, and thus reduced earnings, and that Mozilla was looking for more revenue from "sources outside of search" but "this did not happen." It still isn't happening. According to Mozilla's latest annual report, the majority of its revenue is still generated from global browser search partnerships. This includes the deal negotiated with Google in 2017... Baker assured onlookers that Mozilla would "ship new products faster and develop new revenue streams." These include its bookmarking app Pocket; its virtual rooms Hubs; and its $4.99-a-month Firefox VPN. Excuse me if I don't buy any of these new revenue sources....

Firefox will live on in one way or the other. It's open source after all. But Firefox as an important browser, or Mozilla as a significant open-source developer hub? No. I can't see it. Those days are done. Firefox is officially on my endangered species list.

Technology writer Matthew MacDonald ended his Medium essay on a more hopeful note. "If you have the skills and time, the best possible support is to join the Mozilla community and contribute to their code base."

Idle

A Covid-Friendly Wearable Shocks You With 450 Volts When You Touch Your Face (medium.com) 78

A reporter for Medium's tech site OneZero recently spotted an especially bizarre ad on Instagram: The ad features a GIF of a person wearing a Fitbit-style wristband, with the text "Eliminate Cravings." Across the frame from their hand sits a giant slice of cake. As the person reaches towards the cake, the wristband turns red and zaps them with electricity. You can tell it's zapping them because the whole frame vibrates, and little lightning bolts shoot out of the wristband, like in an old-school Batman movie. All that's missing is an animated "POW!"

At first, I thought it must be either a joke or a metaphor...

Nope. It turns out the Pavlok is exactly what the ad suggests: a Bluetooth-connected, wearable wristband that uses accelerometers, a connected app, and a "snap circuit" to shock its users with 450 volts of electricity when they do something undesirable. The device costs $149.99 and is available on Amazon. The company says it has over 100,000 customers who use the device to help kill food cravings, quit smoking, and to stop touching their face... I immediately saw two fundamental truths at the exact same time. Firstly, the mere existence of an automated self-flagellation wristband is proof that we've reached Peak Wearables. And second, this is the perfect device for Our Times...

Pavlok's founder says he came up with the idea for the company after paying an assistant to slap him every time he went on Facebook.... Through a Chrome extension, it can also (Doom scrollers rejoice) automatically punish actions like spending too much time on Facebook, Twitter, and other potentially time-wasting websites. It can zap you when you open too many Chrome tabs — a use case I'd love to recommend to several programmer friends... But perhaps the most relevant feature for today's world is the ability to program the device to shock you every time you touch your face. This is something which humans do alarmingly often — up to 16 times per hour. The practice has been implicated in spreading coronavirus, or at least contaminating face masks and leading to wasted PPE...

Pavlok may sound bizarre, but it's just the logical extension of an overall trend toward using tech to tweak and prod our brains into new ways of thinking... Pavlok acts as the metaphorical stick to these apps' carrots, giving you the option to beat your brain into submission instead of just tweaking it.

In 2016 Mark Cuban called Pavlok "everything but a legitimate product" in what was probably one of the least successful Shark Tank appearances ever. But Medium's reporter seems convinced it's the appropriate response to this moment in time. "I only need to look at Twitter to feel that I'm being jolted awake with a powerful electrical shock...

"The real thing feels kind of appropriate."

China

Did A Chinese State-Sponsored Group Breach Taiwan's Semiconductor Industry? (arstechnica.com) 15

At the Black Hat security conference, researchers from the Taiwanese cybersecurity firm CyCraft revealed at least seven Taiwanese chip firms have been breached over the past two years, reports Wired: The series of deep intrusions — called Operation Skeleton Key due to the attackers' use of a "skeleton key injector" technique — appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. And while CyCraft has previously given this group of hackers the name Chimera, the company's new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom. "This is very much a state-based attack trying to manipulate Taiwan's standing and power," says Chad Duffy, one of the CyCraft researchers who worked on the company's long-running investigation...

The researchers found that, in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn't clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, making its communications harder to detect as anomalous....
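The masquerade described above, a payload carrying the name of a browser updater, is cheap to catch once you know where the genuine updater lives. Here is an added example (not CyCraft's or Wired's, and not a published rule) of that check run over constructed process-creation records. The binary name `GoogleUpdate.exe`, the install directories and the signer string are assumptions for illustration; take the real values from your own golden images before using anything like this, and treat the record shape (image path plus signer) as assumed rather than as any particular log product's format.

```javascript
// Added example, not from CyCraft or Wired: flag a process whose image name
// matches an updater but which runs from an unexpected directory or without
// the expected signature. Names, directories and signer below are assumptions.
const EXPECTED_UPDATERS = {
  "googleupdate.exe": {
    signer: "google llc",
    dirs: [
      "c:\\program files (x86)\\google\\update\\",
      "c:\\program files\\google\\update\\",
      "\\appdata\\local\\google\\update\\", // per-user install; matched anywhere in the path
    ],
  },
};

function normalizePath(p) {
  return p.replace(/\//g, "\\").toLowerCase();
}

// event: { image: full path, signer: string|null } from a process-creation log.
// Returns null for benign, or a short reason string to alert on.
function checkUpdaterMasquerade(event) {
  const image = normalizePath(event.image);
  const cut = image.lastIndexOf("\\");
  const dir = image.slice(0, cut + 1);
  const base = image.slice(cut + 1);
  const expected = EXPECTED_UPDATERS[base];
  if (!expected) return null; // not a name this rule models
  const inPlace = expected.dirs.some((d) =>
    d.startsWith("\\") ? dir.includes(d) : dir.startsWith(d)
  );
  if (!inPlace) return `${base} running from unexpected directory ${dir}`;
  if ((event.signer || "").toLowerCase() !== expected.signer) {
    return `${base} in expected directory but not signed by ${expected.signer}`;
  }
  return null;
}

// Constructed process-creation records: two genuine updaters, a beacon
// dropped under the user's roaming profile, an unsigned file planted in the
// real directory, and an unrelated system process.
const SAMPLE_EVENTS = [
  { image: "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", signer: "Google LLC" },
  { image: "C:\\Users\\alice\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe", signer: "Google LLC" },
  { image: "C:\\Users\\alice\\AppData\\Roaming\\GoogleUpdate.exe", signer: null },
  { image: "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", signer: null },
  { image: "C:\\Windows\\System32\\svchost.exe", signer: "Microsoft Windows" },
];

function scan(events = SAMPLE_EVENTS) {
  return events.map(checkUpdaterMasquerade).filter((r) => r !== null);
}
```

The signer check is what keeps the rule honest against an attacker with admin rights who can write into the real directory; the path check alone catches the cheaper variant, a renamed beacon under a user profile.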

Perhaps the most remarkable of those new clues came from essentially hacking the hackers. CyCraft researchers observed the Chimera group exfiltrating data from a victim's network and were able to intercept an authentication token from their communications to a command-and-control server. Using that same token, CyCraft's analysts were able to browse the contents of the cloud server, which included what they describe as a "cheat sheet" for the hackers, outlining their standard operating procedure for typical intrusions. That document was notably written in simplified Chinese characters, used in mainland China but not Taiwan...

"It's possible that what they're seeing is just a small fragment of a larger picture," says the director of Kaspersky's Global Research & Analysis Team, who tells Wired the group has also attacked telecoms, tech firms, and a broad range of other Taiwanese companies.

But in the same article one of CyCraft's researchers argues the group could be looking for even more exploits. "If you have a really deep understanding of these chips at a schematic level, you can run all sorts of simulated attacks on them and find vulnerabilities before they even get released."

Google

Google Resumes Its Attack on the URL Bar, Hides Full Addresses on Chrome 86 (androidpolice.com) 231

An anonymous reader shares a report: Google has tried on and off for years to hide full URLs in Chrome's address bar, because apparently long web addresses are scary and evil. Despite the public backlash that came after every previous attempt, Google is pressing on with new plans to hide all parts of web addresses except the domain name in Chrome 86, this time accompanied by an admittedly neat hover animation. The new look builds upon the animation-less hover reveal that's already in testing, but in contrast to that method, the improved variant also displays the protocol and the subdomain, which remain invisible in the older version. That's achieved with a neat sliding animation that moves over the visible part of the URL to make space for the strings preceding it.
