From TechRadar

[janus]

Google Chrome is reportedly riddled with security issues
By Sead Fadilpašić published October 06, 2022

Google Chrome has already seen 303 discovered vulnerabilities in 2022

Google Chrome is littered with potential security issues that could be putting millions of users at risk, a report has said.

New research from Atlas VPN citing data provided by the VulDB vulnerability database(opens in new tab) claims Google’s famed browser has so far had 303 discovered vulnerabilities, and is an “all-time leader with a total of 3,159 cumulative vulnerabilities.”

What’s more, of all the most commonly-used browsers(opens in new tab) around today, Chrome is the only one that already has already seen newly-discovered vulnerabilities in October 2022.

Safari performing well
The report noted Mozilla’s Firefox browser had seen 117 vulnerabilities in 2022 so far, while Microsoft Edge has had 103 discovered year-to-date.

The figures are 61% more than in the entirety of last year, with AtlasVPN noting that this is, "an unusually high number" for a browser with only 806 total vulnerabilities since its release.

Apple’s Safari, on the other hand, has had “some of the lowest vulnerability numbers in years”. The world’s second-largest browser had 26 documented vulnerabilities in the first nine months of the year, while cumulatively, it has had “just” 1,139 identified flaws.

Opera has had zero documented vulnerabilities this year, and a total of 344 flaws.

While Atlas VPN did not say it in a definitive manner, it did state that Chrome, Edge, and Opera are all built on the Chromium engine, hinting that Chromium flaws might impact all of these browsers.

To keep your endpoints safe, the company says, users should always make sure their browser is up to date, and should be extra careful when choosing which plug-ins to install. What’s more, they should always be wary of phishing, as cybercriminals will often use communications channels to distribute malicious code capable of exploiting various flaws in browsers.

TechRadar Pro has reached out to Google for a comment on the findings, and will update this article if we hear back from them.

[janus]

The company that verifies safe websites in your browser works for the US government
By Luke Hughes published November 09, 2022
The ghost of 9/11 hysteria lives on

A company that several major web browsers rely on to verify safe and secure websites has links to U.S intelligence agencies and law enforcement, new research has claimed.

An expose by the Washington Post(opens in new tab) (TWP) (paywall), which draws its conclusions from documentation, records, and interviews with security researchers.

TrustCor Systems’ Panamanian registration records reveal that it shares personnel with a spyware developer previously identified as having links to Arizona company Packet Forensics, which public records have previously unveiled to have sold “communication interception services” to US agencies “for more than a decade.”

Root certificate infrastructure
Google Chrome, Apple Safari, Mozilla’s supposedly secure browser Firefox, and several others all allow TrustCor to sign root certificates for websites it deems as safe and legitimate, directing users to them, instead of potentially convincing fakes.

TrustCor maintains that it has never cooperated with government information requests or monitored users on behalf of a third party. However, the Pentagon is refusing to comment, and Mozilla is demanding answers from TrustCor while threatening to remove its authority.

The revelations surrounding TrustCor pose a PR nightmare for browsers like Firefox who market themselves as privacy tools, but its own products can now also no longer be considered safe for its end users.

MsgSafe, an email provider from TrustCor that purports to offer end-to-end encryption, has been denounced by security experts speak to TWP, claiming that an early version of the software contained spyware developed by a company linked to Packet Forensics.

An expert familiar with Packet Forensics’ work explicitly confirmed that it had used TrustCor’s certificate process and MsgSafe to intercept communications and “help the US government catch suspected terrorists”.

He also claimed that TrustCor’s products and services were only being used to seek out these “high-profile targets”, and there have been no reports of root certificates being used to vouch for impostor websites for purposes such as data collection.

However, the doubt seeded by the revelations may cause reputational damage to the web browsers involved, as there’s no way of knowing if TrustCor’s strategy will change.

[janus]

This creepy Android flaw can detect your identity and even gender
By Sead Fadilpašić published about 12 hours ago

Hopefully you’ll never encounter it

A new malware variant has been detected that is capable of listening to a users’ calls, recognizing a callers’ gender and identity, and even recognizing, to some degree, what’s being said.

Fortunately, the good news is that the malware is part of a research experiment done by white hats and poses no risk to smartphone users (at the time).

Researchers from five universities in the United States - Texas A&M University, New Jersey Institute of Technology, Temple University, University of Dayton, and Rutgers University - teamed up and built EarSpy.

EarSpy is a side-channel attack that abuses the fact that smartphone speakers, motion sensors, and gyroscopes, had gotten better over the years.

The malware tries to read the data captured by motion sensors, as the endpoint’s ear speakers reverberate during a conversation. In earlier years, this wasn’t a viable attack vector as the speakers and sensors weren’t that powerful.

To prove their point, the researchers used two smartphones - one from 2016, and one from 2019. The difference in the amount of data gathered was quite obvious.

To test if the data could be used to identify the caller’s gender and recognize the speech, the researchers used a OnePlus 7T device, and a OnePlus 9 device.

Caller gender identification on the former was between 77.7% and 98.7%, while the caller’s identification between 63.0% and 91.2%. Speech recognition danced between 51.8% and 56.4%.

“As there are ten different classes here, the accuracy still exhibits five times greater accuracy than a random guess, which implies that vibration due to the ear speaker induced a reasonable amount of distinguishable impact on accelerometer data,” the researchers explained in the whitepaper.

The researchers were also able to guess the caller’s gender quite well on the OnePlus 9 smartphone (88.7% on average), but identification fell to an average of 73.6%. Speech recognition fell between 33.3% and 41.6%.


The End Is Nigh .. :greetings-clappingorange:

[janus]

Netgear Wi-Fi routers need to be patched immediately
By Sead Fadilpašić published about 13 hours ago

A serious flaw found affecting almost a dozen Netgear Wi-Fi routers

Netgear has issued a patch for a high-severity vulnerability found in almost a dozen of its Wi-Fi routers(opens in new tab) and urged its users to apply the fix immediately.

Given the destructive potential of the flaw, Netgear did not disclose the details, other than saying that it’s a pre-authentication buffer overflow vulnerability, which could be used for all kinds of malicious activity, from crashing the device after a denial of service, to arbitrary code execution.

To abuse the vulnerability, the attackers do not need user permission or user interaction. The flaw can be used in low-complexity attacks, it was said.

Issuing a security advisory(opens in new tab) about the flaw, Netgear said it “strongly recommends” users download and install the latest firmware as soon as possible.

"The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps," Netgear added. "Netgear is not responsible for any consequences that could have been avoided by following the recommendations in this notification."

The list of all of the affected devices, which includes multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC models, can be found on this link(opens in new tab).

Those looking to patch up their routers should navigate to the Netgear Support(opens in new tab) website, and type in their Wi-Fi router’s model number in the search box. Once the right version is identified, press Downloads, and under Current Versions, select the first download with “Firmware Version” in the beginning of the title.

Detailed instructions on how to apply the fix can be found in the Release Notes file accompanying the firmware download.

Wi-Fi routers are a popular target for cybercriminals due to the fact that all of a user's traffic must go through the device. What’s more, users rarely change the factory settings, and update the firmware even less frequently.

[janus]

:handgestures-thumbdown:

Windows 11 Start menu gets a mysterious new feature – but you’ll have to search for it
By Darren Allan published 1 day ago

Taskbar has also got a new search box, too, but both features are hidden away

Windows 11 just got a couple of sizeable new additions with its latest patch, although these flew under the radar, as they’re hidden and need to be enabled using a special configuration tool.

Neowin flagged up that PhantomOcean3, an avid Windows tester and leaker on Twitter, posted about the hidden search features that come with Windows 11’s KB5022303 patch (which has just been deployed for January).

They consist of a search bar along the top of the Start menu, and a search box for the taskbar (Windows 10 style, as seen in Windows 11 preview builds already).

With the search box for the taskbar, not only can you enable this, but there are a few options available to choose from, such as having the full box or just an icon.

As mentioned, you won’t see these additional search functions in Windows 11 as they’re lurking behind the scenes. They can, however, be enabled using the Windows configuration utility ViVeTool, as Neowin describes. However, you’re probably best off not turning these things on just yet, as we’ll discuss next.

Analysis: Features are hidden for a reason
So why not turn on these search functions? For starters, you’ll need to be a little tech-savvy to use ViVeTool (it’s not particularly difficult to turn on a hidden feature using its assigned ID in the tool, but less confident computing types may feel a bit intimidated by the process).

Moreover, though, once you’ve turned on these features, they could behave oddly and mess with your Windows 11 environment, and that’s not something you want on your main PC. Remember, these features are tucked away for a reason – they aren’t ready for release yet, and may cause problems. As PhantomOcean3 points out in their tweet, you might be able to turn them on, but that doesn’t mean you should.

What this does show us is that Microsoft is likely on the cusp of introducing these features to Windows 11 soon enough. As ever, though, there are no guarantees anything in testing or still behind the scenes will make the eventual cut for inclusion in the OS.

[janus]

Google thinks a US Supreme Court case could radically change the internet
By Luke Hughes published about 9 hours ago

The tech giant is going to bat for AI's role in keeping the internet safe

Google has warned that a ruling against it in an ongoing Supreme Court (SC) case could put the entire internet at risk by removing a key protection against lawsuits over content moderation decisions that involve artificial intelligence (AI).

Section 230 of the Communications Decency Act of 1996(opens in new tab) currently offers a blanket ‘liability shield’ in regards to how companies moderate content on their platforms.

However, as reported by CNN, Google wrote in a legal filing that, should the SC rule in favour of the plaintiff in the case of Gonzalez v. Google, which revolves around YouTube’s algorithms recommending pro-ISIS content to users, the internet could become overrun with dangerous, offensive, and extremist content.

Being part of an almost 27-year-old law, already targeted for reform by US President Joe Biden(opens in new tab), Section 230 isn’t equipped to legislate on modern developments such as artificially intelligent algorithms, and that’s where the problems start.

The crux of Google’s argument is that the internet has grown so much since 1996 that incorporating artificial intelligence into content moderation solutions has become a necessity. “Virtually no modern website would function if users had to sort through content themselves,” it said in the filing.

“An abundance of content” means that tech companies have to use algorithms in order to present it to users in a manageable way, from search engine results, to flight deals, to job recommendations on employment websites.

Google also addressed that under existing law, tech companies simply refusing to moderate their platforms is a perfectly legal route to avoid liability, but that this puts the internet at risk of being a “virtual cesspool”.

The tech giant also pointed out that YouTube’s community guidelines expressly disavow terrorism, adult content, violence and “other dangerous or offensive content” and that it is continually tweaking its algorithms to pre-emptively block prohibited content.

It also claimed that “approximately” 95% of videos violating YouTube’s ‘Violent Extremism policy’ were automatically detected in Q2 2022.

Nevertheless, the petitioners in the case maintain that YouTube has failed to remove all Isis-related content, and in doing so, has assisted “the rise of ISIS” to prominence.

In an attempt to further distance itself from any liability on this point, Google responded by saying that YouTube’s algorithms recommends content to users based on similarities between a piece of content and the content a user is already interested in.

This is a complicated case and, although it’s easy to subscribe to the idea that the internet has gotten too big for manual moderation, it’s just as convincing to suggest that companies should be held accountable when their automated solutions fall short.

After all, if even tech giants can’t guarantee what’s on their website, users of filters and parental controls can’t be sure that they’re taking effective action to block offensive content.

[janus]

Windows 11 preview build makes it easier to learn why your computer crashes
By Cesar Cadenas published about 10 hours ago

Microsoft testing out new memory dump tool for real time troubleshooting

Windows 11 Preview Build 25276 is currently available for download from the Windows Insider Program. The big draw is a new diagnostic tool that will help with troubleshooting. Also in Microsoft's latest package are some design tweaks and several bug fixes.

The new tool will allow users to create a live kernel memory dump(opens in new tab) (LKD) of their system to help diagnose problems. A memory dump, also known as a core dump, is a record of your computer’s memory at a certain time, usually when the OS or an app is having some performance problems. Microsoft states you’ll be able to get a record of those problems as they happen in real-time without interrupting Windows 11 from operating as normal. The goal is to speed up troubleshooting for “high-impact failures and hangs.”

The LKD tool will have its home in the Task Manager under the Details section. Right-click the System process and there will be an entry that reads “Create live kernel memory dump file” in the context menu. You can also configure the tool to capture Hypervisor pages or abort the process if there is insufficient memory.

It’s important to point out that not everyone will get this feature. Microsoft says it’ll see a limited release to Insider Program members so it can monitor feedback. And from that feedback, the company will decide then whether or not the LKD tool will go out to everyone.

Regarding the design tweaks, they’re nothing major. The Settings app will now feature “Outlook attachment data” as part of the new visuals introduced back in November for Microsoft 365 subscription. And the Network Troubleshooter is getting replaced with the more “modern” Get Help app to help you get “specific recommendations” for fixes.

The fixes cover a wide variety of native Windows 11 features. Just to name a few, users can expect a search layout fix for text in right-to-left languages like Arabic, Voice Access to work properly with the Calculator app, and the File Explorer should no longer crash when loading recent files. Microsoft is currently investigating other known issues, including the reports of Insider Program members experiencing system freezes after downloading new builds.

But one of the more interesting aspects of Build 25276 is what’s not being shown officially. Users across the internet(opens in new tab) have discovered Microsoft's plans for retiring the Microsoft Support Diagnostic Tool (MSDT) within the next two years. This is probably for the best as MSDT has had several zero-day vulnerabilities crop up in recent years with Microsoft dragging its feet to fix them. The last fix happened back in August 2022 when the company patched the DogWalk security flaw on MSDT, over two years after it was first discovered.

At face value, it looks like the company is no longer interested in supporting MSDT and is preparing to move on. Currently, it’s unknown what the future replacement will be – assuming there will be one.

Also in the build are preview versions for both Apple Music and Apple TV on Windows 11, although they’re missing some major features. Be sure to check out TechRadar’s coverage of these beta apps.

[janus]

Tiny11 is out, promising to be Windows 11 without steep hardware requirements
By Darren Allan published 7 days ago
But on balance, we wouldn’t recommend installing this new spin on the OS

Windows 11 is renowned for the relatively steep system requirements that put it out of reach for many PCs that quite happily run Windows 10, but there’s a fix for that: a new version of the OS called Tiny11, which not only lowers the hardware bar for entry considerably but also strips away a lot of bloat.

Tiny11 is made by NTDEV and is essentially an ISO based on Windows 11 Pro 22H2, with the release being announced on Twitter, as highlighted by Neowin(opens in new tab). (Note that it follows on from Tiny10, which is much the same idea for Windows 10).

As the developer states, it has “everything you need for a comfortable computing experience without the bloat and clutter of a standard Windows installation.”

This alternative take on Windows 11 has been in development for some time, with early preview versions available for download in the past, but this is the final release candidate and should hopefully run smoothly as a result.

The system requirements are just 2GB of RAM (you need at least 4GB for Windows 11 itself) and 8GB of storage space, plus Tiny11 dispenses with the security requirements like TPM and Secure Boot, which prove problematic for many PCs.

As mentioned, the operating system is very much pared-down with Tiny11, so you get core apps like Calculator, Notepad, and Paint, but Microsoft Edge, for example, has been ditched.

Analysis: Security concerns are the main stumbling block
What is Tiny11 exactly, then? Basically, a DIY project where the dev has tinkered and produced their own Windows 11 ISO – with a ton of stuff stripped out – that you can download to install this ‘lite’ version of the OS. Note that this isn’t a pirate thing: you still need a valid license key to run the operating system, just as with normal Windows.

The catch is that you have to trust the developer hasn’t done anything shady, as in the past, some of these kinds of projects have been carriers for spyware or other even worse malware.

We’re not suggesting that Tiny11 is doing anything nefarious, of course, but the point is we can’t really be sure what’s been done to the operating system here – and even with a legitimate project carried out in good faith, there’s always the possibility there could be unintentional hiccups.

The biggest worry here, though, is that Tiny11 is clearly less secure than Windows 11. It strips away a lot of security measures as observed above, and Microsoft put these in place for good reasons – by and large – plus it could be less secure in other aspects we don’t know about (that could certainly be one of the possible hiccups we just mentioned).

In summary, we just don’t know how secure Tiny11 is, and for that reason, it’s best to err on the side of caution in our humble opinion, and give this one a swerve. That said, it’s a nice idea, we can’t deny that, and doubtless some of the braver inhabitants of the desktop computing world may want to give this a try on an old PC just to see how it works.

[janus]

The new Mac mini destroys the Mac Pro, and Apple fans should be furious
By John Loeffler published about 2 hours ago
A $2,300 mini PC wrecks a three-year-old $15,000 workstation


Apple's new Mac mini has been turning a lot of heads since it's release, and that's not the least bit surprising.

The Mac mini has always been a popular mini PC and with the introduction of the Apple M2 and M2 Pro chips, it is honestly the best computer you can buy that isn't running Windows — and if a new benchmark result is true, it's even better than some configurations of the 2019 Mac Pro that cost significantly more.

A new video by Max Tech(opens in new tab) put the 2023 Mac Mini with M2 Pro head-to-head with Apple's 2019 workstation PC, and the results are both shocking and not a little infuriating for those who dropped the down payment on a house's worth of cash to buy Apple's premier workstation just three years ago.


As Digital Trends notes, the Mac mini with M2 Pro in Max Tech's video only costs 15% of what you'd have spent on the 2019 Mac Pro with a respectable configuration, including a then-top-of-the-line GPU and an Apple Afterburner card.

Despite that, the Mac mini was roughly 50% faster creating HDR photos in Photoshop, 44% faster compiling an Xcode project, and an absolutely shocking 40% faster than the Afterburner-powered Mac Pro in exporting 4K ProRes RAW video to ProRes, which is exactly the kind of workload that you'd spend $15,000 to do as quickly as possible in an industry setting.

A fully configured Mac Pro can come with a 28-core Intel Xeon W processor, two AMD Radeon Pro W6800X Duo GPUs with a total of 128GB GDDR6 VRAM, and 1.5TB of DDR4 ECC memory. To be clear, this system would absolutely destroy anything on the market right now, including the Apple Mac Studio with M1 Ultra. You simply can't compete with two industrial-grade discrete GPUs and 1.5TB of RAM.

But that configuration runs you about $50,000 right now on Apple's website, and few people would be ready to put down that much cash on a workstation outside of a major Hollywood studio, so its likely that most users were at least a bit more restrained in their spec choices and budget, and they are the ones who are most likely to get pretty badly burned by this new comparison.

Apple had to know its lower-level 2019 Mac Pro configs were going to quickly become obsolete

What's so shocking about these results is that, honestly, Apple knew in 2019 when it was selling the Mac Pro that Apple Silicon was just around the bend. Processor roadmaps take years to plan, and while there's going to be some degree of obsolescence risk whenever you buy any computer, this has to be a gut punch for a lot of people who bought a Mac Pro.

It's one thing for a next-gen Pro workstation to hit the scene and make your very expensive purchase four years ago look downright wheak in contrast, but a Mac mini? If I'd bought a Mac Pro in 2019 or 2020, it'd be the last Mac Pro product I ever bought from Apple, simply out of pique.

Now, some will rightfully point out that the 2019 Mac Pro uses non-Apple hardware pretty much throughout. It has AMD Radeon graphics and an Intel Xeon chip, so the cost of the Mac Pro is going to be highly dependent on what Intel and AMD are charging Apple for their components.

In fact, Apple being able to produce a mini PC capable of competing with these companies' workstation-class products for significantly less is a great thing for customers, without question, just not the customers who bought a $15,000 Mac Pro back in 2019 and 2020. Once bitten, twice shy, after all.

Pity the poor Mac Pro users?
Now, it's also true that anyone who spend $15,000 on a Mac Pro workstation in 2019 has probably made that money back already, so what's the issue? These are also businesses or freelance professionals, after all, who can write off the cost of high-end products like a Mac Pro quite easily. It's also not like anyone's grandmother got conned into taking out a mortgage on their house to buy one or anything.

But there is something audacious about charging this much money for a professional workstation that gets badly beat out just three and a half years into its working life, if that. Not to mention the fact that Apple is still selling these lower end configurations is metaphorically criminal at this point.

It's the nature of tech though that this year's best laptop or best workstation will be 2026's latest clearance item, but still, this one hurts — even if I never had any intention of using, much less buying, a Mac Pro in my life. In the end, at least it should serve as an object lesson as to why investing so much money into any technology is inherently risky and needs to be considered carefully.

[janus]

Opera may soon get its own version of ChatGPT
By Allisa James published about 2 hours ago
Opera could be getting ChatGPT integration soon

Opera’s web browsers, including its Opera GX, may soon be next to receive the ChatGPT upgrade if its parent firm has anything to say about it.

According to CNBC and reported on by Neowin, Opera's parent company Kunlun Tech plans on integrating the hugely popular OpenAI program ChatGPT into its own products. So far there have been no confirmations on which products those would be, or whether that includes its Opera and Opera GX web browsers.

This announcement comes on the heels of Microsoft and Google revealing their own ChatGPT-like products, with the former integrating it into both Bing and Edge while the latter’s Bard AI will be attached to Google Search. And it’s been revealed that both the Chinese search engine Baidu and Chinese firm Alibaba are set to release their own ChatGBT clones.

Why use ChatGPT?
As ChatGPT grows in popularity, tech giants have been rushing to get their own versions of the OpenAI program out the door, whether as completely separate programs or attached to existing services.

According to the latest data from Statcounter, Opera’s current market share in the desktop browser market is 3.41%, the lowest of the major browsers. Integrating its browsers with its own version of ChatGBT could most certainly bump up that percentage, especially if it offers a higher quality experience than its competitors.

Of course, this is pure speculation as we don’t know which of Kunlun Tech’s products will be getting the AI program treatment, but considering how many browsers have already rolled out similar ones, it makes the most sense for Opera to be next in line.

There's a risk to investing in such new technology, as we've seen how much damage bad actors can cause with it. Not to mention plagiarism, dangerous misinformation spreading, and other major issues because of it. Still, it's already energized the nearly terminal Microsoft Bing search engine, so it's likely to help give Opera a shot in the arm as well.