A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.

Chrome OS Is Almost Ready To Replace Android On Tablets

Several new features rolling out to Chromebooks paint a picture of the future of Chrome OS as the rightful replacement for Android tablet software. Those include a new split-screen feature for multitasking while in tablet mode, and a screenshot feature borrowed from Android. The Verge reports: As it stands now, Chrome OS is very close to taking up the mantle there, and features like this push it ever closer to becoming the hybrid OS for all types of Google-powered screens. This has been in the works for quite a while as Google's Chrome and Android teams have coordinated closely to ensure the influx of low-cost, hybrid computing devices like 2-in-1 Chromebooks get the best of both worlds. There is, of course, Android app compatibility on Chrome OS, an initiative that first arrived somewhat half-baked last year and has taken months to fully jell as Google worked out the kinks. For instance, just last month Google added the ability for Android apps on Chromebooks to run in the background. In July of last year, Google also began embarking on a touch-focused redesign of Chrome OS to make the software more functional in tablet mode. We're likely not getting the full-blown merging of the two divisions and their respective platforms anytime soon, or perhaps ever, as Google has played with the idea for years without ever seeming to decide that one platform should supersede the other. In essence, however, Android remains Google's dominant mobile OS, while Chrome OS has been taking on more responsibility as Chromebooks have steadily become more capable and tablet-like.

Google Chrome To Feature Built-In Image Lazy Loading

An anonymous reader writes: Future versions of Google Chrome will feature built-in support for lazy loading, a mechanism to defer the loading of images and iframes if they are not visible on the user's screen at load time. This system will first ship with Chrome for Android and Google doesn't rule out adding it to desktop versions if tests go as planned. The feature is called Blink LazyLoad, and as the name hints, it will implement the principle of "lazy loading" inside Chrome itself.

Google engineers reported page load speed improvements varying from 18% to 35%, depending on the underlying network. Other browser makers have been notified of the Chrome team's plan, but none have provided input on whether they plan to implement a similar feature. Compared to most JS-based lazy loading scripts that only target images, Google's implementation will also target iframes.


Ask Slashdot: How Can I Build a Private TV Channel For My Kids?

Long-time Slashdot reader ljw1004 writes: I want to assemble my OneDrive-hosted mp4s into a "TV channel" for my kids -- so at 7am while I sleep in, they know they can turn the TV on, it will show Mr Rogers then Sesame Street then grandparents' story-time, then two hand-picked cartoons, and nothing for the rest of the day. How would you do this? With Chromecast and write a JS Chrome plugin to drive it? Write an app for FireTV? Is there any existing OSS software for either the scheduling side (done by parents) or the TV-receiver side? How would you lock down the TV beyond just hiding the remote?
"There are good worthwhile things for them to see," adds the original submission, "but they're too young to be given the autonomy to pick them, and I can do better than Nickelodeon or CBBC or Amazon Freetime Unlimited."

Slashdot reader Rick Schumann suggested putting the video files on an external hard drive (or burning them to a DVD), while apraetor points out many TVs now play files from flash drives -- and also suggests a private Roku channel. But what's the best way to build a private TV channel for kids?

Leave your best answers in the comments.

Should Apps Replace Title Bars with Header Bars?

Gnome contributor Tobias Bernard is on a crusade against title bars -- "the largely empty bars at the top of some application windows [that] contain only the window title and a close button." Instead he wants to see header bars -- "a newer, more flexible pattern that allows putting window controls and other UI elements in the same bar." Tobias Bernard writes: Header bars are client-side decorations (CSD), which means they are drawn by the app rather than the display server. This allows for better integration between application and window chrome. All GNOME apps (except for Terminal) have moved to header bars over the past few years, and so have many third-party apps. However, there are still a few holdouts.
He's announcing the CSD Initiative, "an effort to get apps (both GNOME and third-party) to drop title bars and adopt GNOME-style client-side decorations... The only way to solve this problem long-term is to patch applications upstream to not use title bars. So this is what we'll have to do."
  • Talk to the maintainers and convince them that this is a good idea
  • Do the design work of adapting the layout and make mockups
  • Figure out what is required at a technical level
  • Actually implement the new layout and get it merged

Implementation is already in progress for Firefox, though it has not yet been started for other high-priority apps like LibreOffice, GNOME Terminal, and Skype. "If you want to help with any of the above tasks," writes Tobias, "come talk to us on #gnome-design on IRC/Matrix."


DuckDuckGo App and Extension Upgrades Offer Privacy 'Beyond the Search Box'

An anonymous reader quotes the Verge: DuckDuckGo is launching updated versions of its browser extension and mobile app, with the promise of keeping internet users safe from snooping "beyond the search box." The company's flagship product, its privacy-focused search engine, will remain the same, but the revamped extension and app will offer new tools to help users keep their web-browsing as safe and private as possible. These include grade ratings for websites, factoring in their use of encryption and ad tracking networks, and offering summaries of their terms of service (with summaries provided by third-party Terms of Service Didn't Read). The app and extension are available for Firefox, Safari, Chrome, iOS, and Android.

The ability to block ad tracking networks is probably the most important feature here. These networks are used by companies like Google and Facebook to follow users around the web, stitching together their browsing history to create a more accurate profile for targeted advertising.

DuckDuckGo calls it "a major step to simplify online privacy," adding that without it, "It's hard to use the Internet without it feeling a bit creepy -- like there's a nosey neighbor watching everything you do from across the street."

PSA: Google Chrome Now Lets You Permanently Mute Websites That Autoplay Videos

Google is releasing a new version of Chrome this week and it includes a number of new features, such as an improved ad blocker and Spectre mitigations. The best new feature in Chrome 64 is the ability to permanently mute websites that autoplay videos. This feature was teased for several months, but now it's finally here. The Independent reports: To mute a site that automatically plays videos, users will need to click the View Site Information symbol, which may look like a green padlock, on the left-hand edge of the omnibar -- the address bar combined with the Google search box. Then they will need to select Sound. Once the website is muted, it will not automatically play videos with sound again until you unmute it.

Chrome 64 Released With Stronger Popup Blocker, Spectre Mitigations

Google on Thursday pushed an update to its marquee Web browser Chrome, now at v64, which offers a handful of new features including an improved ad blocker. From a report: Most of the new features included with Chrome 64 are meant to improve the browser's support for the ever-changing web standards that drive the modern Internet. For example, Chrome 64 is chock-full of support for new browser APIs, new CSS properties, new JavaScript (ECMAScript) features, and changes to Chrome's V8 JavaScript engine. [...] Other big changes that shipped with Chrome 64 are on the browser's security side. For starters, Chrome 64 includes mitigations against the web-exploitable Spectre flaw. Further, Chrome 64 also comes with a bolstered popup blocker that can now block tab-under behavior, being much more efficient at blocking malvertising redirects.

Microsoft Unveils Windows 10 S Laptops Starting at $189 and New Office 365 Tools for Students

An anonymous reader shares a report: Microsoft today unveiled new Windows 10 S devices from Lenovo and JP, starting at $189, aimed at the education market. The company also announced new Office 365 learning tools for students. The news mirrors Microsoft's firstline workers push in September, which saw new Windows 10 S devices starting at $275. The company is now simply doing the same as part of its latest EDU push, and it's not mincing words when it comes to explaining its target audience: "schools who don't want to compromise on Chromebooks."

Microsoft unveiled four new Windows 10 devices that are all supposed to offer more than Chrome OS. Two are standard laptops: the Lenovo 100e powered by Intel Celeron Apollo Lake for $189 and JP's Classmate Leap T303 with Windows Hello for $199. The other two are 2-in-1s: the Lenovo 300e convertible with pen support for $279 and the Trigono V401 with pen and touch for $299. All four are spill resistant, ruggedized for students, and promise long battery life to avoid having wires all over the classroom.


Ask Slashdot: What's the Fastest Linux Distro for an Old Macbook 7,1?

Long-time Slashdot reader gr8gatzby writes: I have an old beautiful mint condition white Macbook 7,1 with a 2.4Ghz Core 2 Duo and 5GB RAM. Apple cut off the upgrade path of this model at 10.6.8, while a modern-day version of any browser requires at least 10.9 these days, and as a result my browsing is limited to Chrome version 49.0.2623.112.

So this leaves me with Linux. What is the fastest, most efficient and powerful distro for a Mac of this vintage?

It's been nearly eight years since its release, so leave your best thoughts in the comments. What's the best Linux distro for an old Macbook 7,1?

Opinion: Chrome is Turning Into the New Internet Explorer 6

Tom Warren, writing for The Verge: Chrome now has the type of dominance that Internet Explorer once did, and we're starting to see Google's own apps diverge from supporting web standards much in the same way Microsoft did a decade and a half ago. Whether you blame Google or the often slow moving World Wide Web Consortium (W3C), the results have been particularly evident throughout 2017. Google has been at the center of a lot of "works best with Chrome" messages we're starting to see appear on the web. Google Meet, Allo, YouTube TV, Google Earth, and YouTube Studio Beta all block Windows 10's default browser, Microsoft Edge, from accessing them and they all point users to download Chrome instead. Some also block Firefox with messages to download Chrome. Hangouts, Inbox, and AdWords 3 were all in the same boat when they first debuted.

It's led one developer at Microsoft to describe Google's behavior as a strategic pattern. "When the largest web company in the world blocks out competitors, it smells less like an accident and more like strategy," said a Microsoft developer in a now-deleted tweet. Google also controls the most popular site in the world, and it regularly uses it to push Chrome. If you visit in a non-Chrome browser you're prompted up to three times if you'd like to download Chrome. Google has also even extended that prompt to take over the entire page at times to really push Chrome in certain regions. Microsoft has been using similar tactics to convince Windows 10 users to stick with Edge. The troubling part for anyone who's invested in an open web is that Google is starting to ignore a principle it championed by making its own services Chrome-only -- even if it's only initially.


Windows 10's Edge vs Chrome: We're Faster and Win in Battery Face-off, Says Microsoft

Microsoft has kicked off 2018 with two new ads promoting Windows 10 Edge's battery efficiency and speed compared with Google Chrome. From a report: Microsoft published the two new ads on New Year's Eve, pitting Edge against Chrome, the world's most popular browser. "Microsoft Edge is up to 48 percent faster than Google Chrome," Microsoft says in one of the 30-second ads. Not only that, but Microsoft argues that Edge is safer too, thanks to SmartScreen, its built-in equivalent of Google's Safe Browsing anti-phishing technology. Microsoft says: "Edge blocks 18 percent more phishing sites than Google Chrome." Microsoft doesn't cite the source of this statistic, but in October, NSS Labs released a report comparing Edge on the locked-down Windows 10 S with Chrome on Chromebooks, suggesting that Edge blocks more phishing URLs than Chrome.

Google's Mysterious Fuchsia OS Can Now Run On the Pixelbook

Google's mysterious operating system, dubbed Fuchsia, has been in the works for more than a year now with very few details about the OS made public. According to a new report from Chrome Unboxed, we have learned that Google has released documentation to allow developers to load Fuchsia onto the company's Pixelbook. The Verge reports: This isn't your typical developer operating system, and you'll need two machines to host and target a Pixelbook to load the OS. It's very much a work in progress, with early hints at a user interface and functions. It's still interesting that Google has chosen its own Pixelbook to experiment with, though. Fuchsia has mostly been linked to embedded systems like wearables and Internet of Things devices in the past, but testing was expanded to Intel's NUC and Acer's Switch Alpha 12 Chromebooks. Fuchsia has been created from the Google-built Zircon microkernel, and not the typical Linux kernels that hold Android and Chrome OS together. It's not immediately clear exactly why Google is building a new operating system, nor what devices it will run on. As testing spreads to more Chromebooks, some are now speculating this could be a successor to the "Andromeda" project that never materialized.

EFF Applauds 'Massive Change' to HTTPS

"The movement to encrypt the web reached milestone after milestone in 2017," writes the EFF, adding that "the web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol." In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers. At the beginning of the year, Let's Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let's Encrypt's total issuance volume has exceeded 177 million certificates...

Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users "Not secure" warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a "Not secure" warning for all HTTP pages... The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically...

The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year... [And] there's plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April.


Chrome Extension with 100,000 Users Caught Pushing Cryptocurrency Miner

Catalin Cimpanu, reporting for BleepingComputer: A Chrome extension with over 105,000 users has been deploying an in-browser cryptocurrency miner to unsuspecting users for the past few weeks. The extension does not ask for user permission before hijacking their CPUs to mine Monero all the time the Chrome browser is open. Named "Archive Poster," the extension is advertised as a mod for Tumblr that allows users an easier way to "reblog, queue, draft, and like posts right from another blog's archive." According to user reviews, around the start of December the extension has incorporated the infamous Coinhive in-browser miner in its source code.

Windows 10 Visits To US Government Sites Surpass Windows 7 For the First Time

In what may be a signal of changing attitudes for Windows 10, visits to U.S. government sites via Windows 10 have surpassed Windows 7 for the first time. On MSFT reports: This United States government website reports that of the 2.54 billion visits to U.S. Government websites over the past 90 days, 20.9% came from Windows 10, and 20.7% from Windows 7. Interestingly, Windows 8.1 came in at 2.7%, Windows 8 .05%, and other OS 0.8%. The numbers are a bit niche and could be just from a holiday bump based on the site's 90-day average, but they still do give a solid number comparison for the state of various OS and browser stats. When it comes to browser share, Edge was not popularly used to visit U.S. Government websites. Chrome was on top with 44.4%, followed by Safari with 27.6%, Internet Explorer at 12.3%, and then Firefox at 5.9% and Edge at 3.9%. Though all these government percentages may be bleak for Microsoft, the latest AdDuplex December report also shows strong adoption for Windows 10 Fall Creators Update, so things can only go up from Microsoft from here on out.

Google Stops Selling the Pixel C Android Tablet

Google is no longer selling the Pixel C, its flagship Android tablet released about two years ago. "Google's commitment to Android on tablets wasn't strong even then, and now the Pixel C is gone from the Google Store -- the listing page redirects you to the Pixelbook," reports Android Police. From the report: The Pixel C was an odd device. By all accounts, the hardware was originally intended to run Chrome OS, but Google couldn't get the platform ready for an all-touch device in time. So, the Pixel C became an Android slate. Google has been selling the device continuously since late 2015. It even offered some discounts on the tablet via the Google Store, which it almost never does for other devices. The 32GB Pixel C was pulled a while back, but Google kept the 64GB variant around. At a whopping $599, I doubt many people were buying it. Now, the Pixel C is completely gone from the Google Store, and there's no new tablet to replace it.

Chrome OS Will Finally Run Android Apps in the Background

An anonymous reader shares a report: While it's no longer a novelty to run Android apps on your Chromebook, that doesn't mean they run well. To date, most of those apps pause when you switch away -- fine for a phone, but not what you'd expect on a computer with a multi-window interface. However, they're about to become far more functional. Chrome Unboxed has learned that the Chrome OS 64 beta introduces Android Parallel Tasks, which lets Android apps run at full bore regardless of what you're doing. You could watch a video in a mobile app while you're surfing the web, or take a break from a mobile game without jarring transitions. There's no guarantee that Android Parallel Tasks will reach the stable Chrome OS 64, so you might not want to plan a purchase around the feature.

Beware: 'Digmine' Cryptocurrency Bot Is Spreading Via Facebook Messenger

Cybersecurity firm Trend Micro has discovered a cryptocurrency bot that is being spread through Facebook Messenger. The bot, dubbed Digmine, was discovered in South Korea and has since been found in Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela. TechSpot explains: Victims receive a file named "" from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension. Extensions can only be downloaded from the Chrome Web Store, but this is bypassed using the command line. Once the malware infects a system, a modified version of XMRig -- a Monero mining tool -- is installed. This mines the cryptocurrency in the background using a victim's CPU, sending all profits back to the hackers. Additionally, the Chrome extension is also used to spread Digmine. If someone has their Facebook account set to log in automatically, the fake video file link will be sent to all their friends via Messenger. The malware could also be used to take over a Facebook account entirely. The good news is that Digmine only works through the Chrome desktop version of Messenger. Right now, opening the malicious file via the Facebook/Messenger app or mobile webpage won't have the same effect. After Trend Micro revealed its findings, Facebook said it had taken down any links connected to Digmine.

Established Players in Tech Industry Are Displaced By New Technologies and Companies Often When They Are Operating At Their Peak

In a column, Steven Sinofsky, former President of the Windows Division at Microsoft, cites various examples from the past to suggest that it is often when incumbents in technology space have established market dominance that new startups rise and displace them: While the tech incumbents are clearly generating massive revenue and profits, nearly all of this comes from products developed long ago. In fact, as we now know in hindsight, it is exactly when conventional wisdom conflates today's economic success with forward-looking product innovation that seeds are being planted for the next massive wave of innovation. Google was formed at a time when the incumbents of AOL and even Yahoo were stronger than ever. Facebook came just after the dot com bubble burst. Even the reincarnation of Apple took place after the bubble burst with products being developed as the bubble peaked. And for what it is worth, the PC ecosystem, particularly Windows, was relatively "flat" mired in Windows Vista while Firefox dominated and Google Chrome appeared (Windows 7 wouldn't come out for a year after Chrome). In the infrastructure space, the seeds were planted for both AWS and VMWare in the shadow of the dot com bubble. In an historical context it is highly likely that the next wave of innovation in new technologies and new companies will happen right under the noses of big companies operating at what the public markets think of as peak (earnings) potential.
