IT

DuckDuckGo Surpasses 100 Million Daily Search Queries For the First Time (zdnet.com) 56

Privacy-focused search engine DuckDuckGo reached a major milestone in its 12-year-old history last week when it recorded on Monday its first-ever day with more than 100 million user search queries. From a report: The achievement comes after a period of sustained growth the company has been seeing for the past two years, and especially since August 2020, when the search engine began seeing more than 2 billion search queries a month on a regular basis. The numbers are small in comparison to Google's 5 billion daily search queries but it's a positive sign that users are looking for alternatives. DuckDuckGo's popularity comes after the search engine has expanded beyond its own site and now currently offers mobile apps for Android and iOS, but also a dedicated Chrome extension. More than 4 million users installed these apps and extension, the company said in a tweet in September 2020.
Chrome

Google Removing Inadvertent Ability for Chromium Browsers To Access Chrome Bookmarks, Sync (9to5google.com) 34

Besides the intended differences, web browsers based on Chromium offer an underlying experience that's mostly identical to Chrome. Google recently discovered that users of third-party Chromium browsers have inadvertently been able to access data and other sync features reserved for Chrome. From a report: "Some" Chromium browsers today can leverage features and APIs that are "only intended for Google's use." This includes Click to Call and, notably, Chrome Sync. The latter is responsible for syncing bookmarks, extensions, history, settings, and more across signed-in devices running the first-party browser. As a result, users logged into Google sites on Chromium browsers are able to see their old bookmarks and other data from previous Chrome usage. This inadvertent access was discovered during a recent audit and Google will be "limiting access to [its] private Chrome APIs" from March 15th.
Windows

Windows 10X for Single Screens Leaks (thurrott.com) 107

Just ahead of its launch for commercial PC-like devices, an install image of Windows 10X for single screens has leaked, giving us an early peek at Microsoft's new OS. And yes, it's just like Chrome OS. From a report: Let's just get that out of the way. Microsoft has been working for years on a Chromebook competitor, but it has been largely unsuccessful. Windows 10 S, which was originally called Windows 10 Cloud, was Terry Myerson's approach, and that, of course, crashed and burned, in part because it looked identical to Windows 10 but couldn't run downloaded Windows 10 desktop applications. And now we have Windows 10X. Microsoft tried to hide its true intent with this product by pretending last year that it was aimed at a new generation of dual-display PCs, but the software giant really created 10X to compete with Chrome OS on inexpensive single-display PCs. So after failing to get its container-based Windows desktop application compatibility solution to work, Microsoft scaled back and repositioned Windows 10X as was originally intended: It will now ship only on new traditional PCs aimed at education and other commercial markets.
Google

Google Reveals Sophisticated Windows and Android Hacking Operation (zdnet.com) 15

Google published a six-part report this week detailing a sophisticated hacking operation that the company detected in early 2020 and which targeted owners of both Android and Windows devices. From a report: The attacks were carried out via two exploit servers delivering different exploit chains via watering hole attacks, Google said. "One server targeted Windows users, the other targeted Android," Project Zero, one of Google's security teams, said in the first of six blog posts. Google said that both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victim devices. Once an initial entry point was established in the user's browsers, attackers deployed an OS-level exploit to gain more control of the victim's devices. The exploit chains included a combination of both zero-day and n-day vulnerabilities, where zero-day refers to bugs unknown to the software makers, and n-day refers to bugs that have been patched but are still being exploited in the wild.
The Internet

Adobe Flash Is Officially Dead After 25 Years With Content Blocked Starting Today (macrumors.com) 81

When a user attempts to load a Flash game or content in a browser such as Chrome, the content now fails to load and instead displays a small banner that leads to the Flash end-of-life page on Adobe's website. While this day has long been coming, with many browsers disabling Flash by default years ago, it is officially the end of a 25-year era for Flash, first introduced by Macromedia in 1996 and acquired by Adobe in 2005. Mac Rumors reports: "Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems," the page reads. Adobe has instructions for uninstalling Flash on Mac, but note that Apple removed support for Flash outright in Safari 14 last year.

Adobe first announced its plans to discontinue Flash in 2017. "Open standards such as HTML5, WebGL, and WebAssembly have continually matured over the years and serve as viable alternatives for Flash content," the company explained. Adobe does not intend to issue Flash Player updates or security patches any longer, so it is recommended that users uninstall the plugin.

Electronic Frontier Foundation

Are Google, Apple, Facebook, and Microsoft 'Digital Warlords'? (locusmag.com) 66

EFF special consultant/blogger/science fiction writer Cory Doctorow warns in Locus magazine about the dangers of what Bruce Schneier calls "feudal security": Here in the 21st century, we are beset by all manner of digital bandits, from identity thieves, to stalkers, to corporate and government spies, to harassers... To be safe, then, you have to ally yourself with a warlord. Apple, Google, Facebook, Microsoft, and a few others have built massive fortresses bristling with defenses, whose parapets are stalked by the most ferocious cybermercenaries money can buy, and they will defend you from every attacker — except for their employers. If the warlord turns on you, you're defenseless.

We see this dynamic playing out with all of our modern warlords. Google is tweaking Chrome, its dominant browser, to block commercial surveillance, but not Google's own commercial surveillance. Google will do its level best to block scumbag marketers from tracking you on the web, but if a marketer pays Google, and convinces Google's gatekeepers that it is not a scumbag, Google will allow them to spy on you. If you don't mind being spied on by Google, and if you trust Google to decide who's a scumbag and who isn't, this is great. But if you and Google disagree on what constitutes scumbaggery, you will lose, thanks, in part, to other changes to Chrome that make it much harder to block the ads that Chrome lets through.

Over in Facebook land, this dynamic is a little easier to see. After the Cambridge Analytica scandal, Facebook tightened up who could buy Facebook's surveillance data about you and what they could do with it. Then, in the runup to the 2020 US elections, Facebook went further, instituting policies intended to prevent paid political disinformation campaigns at a critical juncture. But Facebook isn't doing a very good job of defending its users from the bandits. It's a bad (or possibly inattentive, or indifferent, or overstretched) warlord, though...

Back to Apple. In 2017, Apple removed all effective privacy tools from the Chinese version of the iPhone/iPad App Store, at the behest of the Chinese government. The Chinese government wanted to spy on Apple customers in China, and so it ordered Apple to facilitate this surveillance... If Apple chose not to comply with the Chinese order, it would either have to risk fines against its Chinese subsidiary and possible criminal proceedings against its Chinese staff, or pull out of China and risk having its digital services blocked by China's Great Firewall, and its Chinese manufacturing subcontractors could be ordered to sever their relations with Apple. In other words, the cost of noncompliance with the order is high, so high that Apple decided that putting its customers at risk was an acceptable alternative.

Therein lies the problem with trusting warlords to keep you safe: they have priorities that aren't your priorities, and when there's a life-or-death crisis that requires them to choose between your survival and their own, they will throw you to the bandits...

"The fact that Apple devices are designed to prevent users from overriding the company's veto over their computing makes it inevitable that some government will demand that this veto be exercised in their favor..." Doctorow concludes. "As with feudal aristocrats, the state is happy to lend these warlords their legitimacy, in exchange for the power to militarize the aristocrat's holdings... "

His proposed solution? What if Google didn't collect or retain so much user data in the first place -- or gave its users the power to turn off data-collection and data-retention altogether? And "What if Apple — by design — made it possible for users to override its killswitches?"
Google

Google Ad Changes Face UK Probe in First Shot at Big Tech (bloomberg.com) 30

Google is the U.K.'s first big post-Brexit antitrust target as regulators opened a probe into the company's planned changes to curb publishers' collection of advertising data. From a report: The Competition and Markets Authority said it's investigating Google's so-called privacy sandbox changes that could "undermine the ability of publishers to generate revenue and undermine competition in digital advertising, entrenching Google's market power." The probe adds to Google's legal headaches around the world. The Mountain View, California-based company faces lawsuits from the U.S. Department of Justice and multiple states over allegedly anticompetitive practices. The U.K. probe focuses on Google's decision last year to phase out third-party cookies that help advertisers monitor customers' browsing habits and pinpoint the effectiveness of different advertising. Google's Chrome is the dominant web browser and the changes will be followed by rival products based on Google technology, such as Microsoft's Edge.
Google

Apple, Google, Microsoft, and Mozilla Ban Kazakhstan's MitM HTTPS Certificate (zdnet.com) 45

Browser makers Apple, Google, Microsoft, and Mozilla, have banned a root certificate that was being used by the Kazakhstan government to intercept and decrypt HTTPS traffic for residents in the country's capital, the city of Nur-Sultan (formerly Astana). From a report: The certificate had been in use since December 6, 2020, when Kazakh officials forced local internet service providers to block Nur-Sultan residents from accessing foreign sites unless they had a specific digital certificate issued by the government installed on their devices. While users were able to access most foreign-hosted sites, access was blocked to sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix, unless they had the certificate installed. Kazakh officials justified their actions claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies. Officials cited that cyberattacks targeting "Kazakhstan's segment of the internet" grew 2.7 times during the current COVID-19 pandemic as the primary reason for launching the exercise. The government's explanation did, however, make zero technical sense, as certificates can't prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers. After today's ban, even if users have the certificate installed, browsers like Chrome, Edge, Mozilla, and Safari, will refuse to use them, preventing Kazakh officials from intercepting user data.
Google

Google Buys Company Whose Software Turns Old PCs Into Chromebooks (siliconangle.com) 75

This week Google "quietly acquired a company called Neverware Inc. that sells software to transform old personal computers and Macs into Chromebook devices," reports SiliconANGLE: The acquisition was announced by Neverware on Twitter, and Google later confirmed the news in a statement. Google had taken part in the company's Series B funding round three years ago.

Neverware's software is called CloudReady OS, and though it's primarily aimed at schools and enterprises that want to transform fleets of machines into Chromebooks, there's also a free Home edition that anyone can use... Google's plan is to make CloudReady an official product. "We can confirm that the Neverware team is joining the Google Chrome OS team," Google said in a statement.

Security

3 Million Users Have Installed 28 Malicious Chrome or Edge Extensions, Says Avast (zdnet.com) 29

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, reports ZDNet, citing an announcement from cybersecurity company Avast: Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains. "For every redirection to a third party domain, the cybercriminals would receive a payment," the company said.

Avast said it discovered the extensions last month and found evidence that some had been active since at least December 2018, when some users first started reporting issues with being redirected to other sites. Jan Rubín, Malware Researcher at Avast, said they couldn't identify if the extensions had been created with malicious code from the beginning or if the code was added via an update when each extension passed a level of popularity. And many extensions did become very popular, with tens of thousands of installs. Most did so by posing as add-ons meant to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo, or Spotify.

Avast said it reported its findings to both Google and Microsoft and that both companies are still investigating the extensions.

ZDNet's article includes Avast's lists of the 28 extensions which they're recommending be uninstalled by users.

ZDNet also notes that "A day after Avast published its findings, only three of the 15 Chrome extensions were removed, while all the Edge add-ons were still available for download. A source familiar with the investigation told ZDNet that Microsoft has not been able to confirm the Avast report."
Firefox

Firefox 84 Claims Speed Boost from Apple Silicon, Vows to End Flash Support (zdnet.com) 40

The Verge reports: Firefox's latest update brings native support for Macs that run on Apple's Arm-based silicon, Mozilla announced on Tuesday. Mozilla claims that native Apple silicon support brings significant performance improvements: the browser apparently launches 2.5 times faster and web apps are twice as responsive than they were on the previous version of Firefox, which wasn't native to Apple's chips...

Firefox's support of Apple's Arm-based processors follows Chrome, which added support for Apple's new chips shortly after the M1-equipped MacBook Pro, MacBook Air, and Mac mini were released in November.

Firefox 84 will also be the very last release to support Adobe Flash, notes ZDNet, calling both developments "a reminder of the influence Apple co-founder Steve Jobs has had and continues to exert on software and hardware nine years after his death." Jobs wrote off Flash in 2010 as successful Adobe software but one that was a 'closed' product "created during the PC era — for PCs and mice" and not suitable for the then-brand-new iPad, nor any of its prior iPhones. Instead, Jobs said the future of the web was HTML5, JavaScript and CSS.

At the end of this year Google Chrome, Microsoft Edge and Apple Safari also drop support for Flash.

Senior Apple execs recently reflected in an interview with Om Malik on what the M1 would have meant to Jobs had he been alive today. "Steve used to say that we make the whole widget," Greg Joswiak, Apple's senior vice president of Worldwide Marketing, told Malik.

"We've been making the whole widget for all our products, from the iPhone, to the iPads, to the watch. This was the final element to making the whole widget on the Mac."

ZDNet also notes that Firefox 84 offers WebRender, "Mozilla's faster GPU-based 2D rendering engine" for MacOS Big Sur, Windows devices with Intel Gen 6 GPUs, and Intel laptops running Windows 7 and 8. "Mozilla promises it will ship an accelerated rendering pipeline for Linux/GNOME/X11 users for the first time."

Firefox now also uses "more modern techniques for allocating shared memory on Linux," writes Mozilla, "improving performance and increasing compatibility with Docker."

And Firefox 85 will include a new network partitioning feature to make it harder for companies to track your web surfing.
Security

Up To 3 Million Devices Infected By Malware-Laced Chrome and Edge Add-Ons (arstechnica.com) 17

As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday. Ars Technica reports: In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft. Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer.

In a post, the researchers wrote: "Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User's privacy is compromised by this procedure since a log of all clicks is being sent to these third party intermediary websites. The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)."

The researchers don't yet know if the extensions came with the malicious code preinstalled or if the developers waited for the extensions to gain a critical mass of users and only then pushed a malicious update. It's also possible that legitimate developers created the add-ons and then unknowingly sold them to someone who intended to use them maliciously. [...] The list Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should remove it immediately and run a virus scan.

Chrome

Google Will Officially Support Running Chrome OS On Old PCs (engadget.com) 63

This week, Google acquired a company called Neverware that allows users to turn their old PCs and Macs into a Chromebook with its CloudReady software. Now, Google is planning to make CloudReady into an official Chrome OS release. Engadget reports: When that happens, Neverware says its existing users will be able to seamlessly upgrade to the updated software. Moreover, once that transition is complete, Google will support CloudReady in the same way that it currently does Chrome OS. In the immediate future, Neverware says it's business as usual. The Home Edition of CloudReady isn't changing, and the company says it's committed to supporting its existing education and enterprise customers. Moreover, there's no plan to change pricing at the moment, and Google will honor any current multi-year licenses.

Not only does this acquisition make a lot of sense from Google's perspective, but it's hard to see a downside for CloudReady users. The fact the operating system wasn't officially supported by Google was one of the few downsides to the software. It meant you couldn't install Android apps on CloudReady devices, even though it's based on Chromium OS. With this acquisition, support for Android apps becomes much more likely. Direct support from Google will also make the software more appealing to schools and businesses since they can get help directly from the company if they have any technical issues.

Google

Here Comes the Google Chrome Change that Worries Ad-Blocker Creators (cnet.com) 119

CNET reports: With the next version of Chrome, Google is moving ahead with a plan to improve privacy and security by reining in some abilities of extensions used to customize the browser. The move had angered some developers who expected earlier it would cripple ad blockers. Manifest v3, the programming interface behind Google's security plans, will arrive with Chrome 88 in mid-January, Google said Wednesday at the Chrome Dev Summit. Extensions using the earlier Manifest v2 will still work for at least a year...

Among other things, Manifest v3 limits the number of "rules" that extensions may apply to a web page as it loads. Rules are used, for example, to check if a website element comes from an advertiser's server and should therefore be blocked. Google announced the changes two years ago. Reducing the number of rules allowed angered creators of extensions like the uBlock Origin ad blocker and the Ghostery tracking blocker. They said the rules limits will stop their extensions from running their full lists of actions to screen ads or block tracking. That could let websites bypass extensions — and the preferences of people who installed them...

The shift brought on by Manifest V3 will spread to all browsers, to the detriment of ad blocking software, predicted Andrey Meshkov, co-founder and chief technology officer of AdGuard, an ad-blocking extension... Ghostery is working to update its extension for Manifest V3 but would rather spend its time on "real privacy innovations," President Jeremy Tillman said in a statement Wednesday. "We still have real misgivings that these changes have more to do with Google protecting its bottom line than it does with improving security for Chrome users...."

The importance of the Chrome team's choices is magnified by the fact that other browsers, including Microsoft Edge, Vivaldi, Opera and Brave, are built on its Chromium open-source foundation. Microsoft said it will embrace Manifest v3, too.

"Another Manifest v3 change is that extensions no longer may update their abilities by downloading code from third-party sites.

"The entire extension now must be distributed through the Chrome Web Store, a measure Google says improves security screens and speeds reviews."
Microsoft

Microsoft Exposes Adrozek, Malware That Hijacks Chrome, Edge, and Firefox (zdnet.com) 17

Microsoft has raised the alarm today about a new malware strain that infects users' devices and then proceeds to modify browsers and their settings in order to inject ads into search results pages. From a report: Named Adrozek, the malware has been active since at least May 2020 and reached its absolute peak in August this year when it controlled more than 30,000 browsers each day. But in a report today, the Microsoft 365 Defender Research Team believes the number of infected users is much, much higher. Microsoft researchers said that between May and September 2020, they observed "hundreds of thousands" of Adrozek detections all over the globe. Based on internal telemetry, the highest concentration of victims appears to be located in Europe, followed by South and Southeast Asia. Microsoft says that, currently, the malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software. The boobytrapped software installs the Adrozek malware, which then proceeds to obtain reboot persistence with the help of a registry key.
Google

Google, Dell, and Intel Form New Computing Group for Transforming Cloud and IT Tools (theverge.com) 12

Google, Dell, Intel and a handful of other major tech companies in the IT and cloud computing industries have banded together to tackle joint problems around security, remote work, and other enterprise issues that have only become more important during the coronavirus pandemic. From a report: The consortium these companies have formed is called the Modern Computing Alliance, and its founding members also include Box, Citrix, Imprivata, Okta, RingCentral, Slack, VMware, and Zoom. The Modern Computing Alliance will initially be focused on four areas: performance; security and identity; remote work, productivity, and collaboration; and health care. The goal is to pool knowledge and resources toward solving shared problems around how companies perform work in the cloud and the tools they use to do so. The alliance will focus on developing new standards and interoperable technologies that can be used by any company that relies on one of the partners' platforms or products. In particular, Google is engaged in the effort with its Chrome browser and Chrome OS teams, as well as the division responsible for Google Workplace. "Today, we're excited to announce Google's membership in the Modern Computing Alliance -- to address the biggest IT challenges facing companies today with integration from silicon to cloud," says John Solomon, Google's vice president of Chrome OS. "Working with a group of forward-thinking industry leaders, we're aligning standards and technologies to provide companies with the choice of high-performance, cloud-first computing solutions from the vendor of their choice who provide modern solutions for the modern era of business."
Chrome

Google Will Change How Chrome Extensions Access Data in 2021 (venturebeat.com) 9

At Chrome Dev Summit 2020 today, Google announced it will change how extensions access data and how extension permissions work in 2021. On January 18, a day before the release of Chrome 88, Google will require that every extension publicly display its privacy practices and will limit what developers can do with the data they collect. From a report: The first change means that Chrome users next year will determine which websites an extension can access when they browse the web. Once you grant an extension permission to access a website's data, that preference can be saved for that domain. Today, the extension makes that call. In 2021, you will still be able to grant an extension access to all the websites you visit, but that won't be the default. Google outlined the second change last month: "each extension's detail page in the Chrome Web Store will show developer-provided information about the data collected by the extension, in clear and easy to understand language." The company also updated its user data privacy policy with an addition to how extension developers use data they collect.
Chrome

Google Considers 'Severe' Penalties For Allegedly Deceptive Chrome Extension Maker (engadget.com) 29

Engadget reports: The Wall Street Journal has learned that Google is considering "severe penalties" against internet giant IAC (InterActive Corp) over allegedly deceptive practices in its Chrome extensions. The browser extras reportedly promise features that never materialize, point users toward additional ads, or even trick users into installing them.

A Google audit reportedly found that some of IAC's voting ads not only didn't take users to voter info, but installed the Ask.com toolbar and changed users' default home pages. IAC kept running those ads even after Google told the company to stop.

The full range of potential punishments isn't clear, but Google is considering banning them, according to WSJ sources and leaked documents.

Chrome

Chrome OS 87 Adds Tab Search and Bluetooth Device Battery Levels (9to5google.com) 17

Chrome OS 87 started rolling out on Thursday, adding the ability to search tabs, view the battery levels of your Bluetooth devices, and more. 9to5Google reports: Tab Groups help people better manage (and collapse/hide) tabs, but it doesn't always reduce the number open. Google is now introducing Tab Search to let users find what pages they have open across all windows. Tapping the circular dropdown button in the top-right corner -- also accessible with Ctrl+Shift+A -- first shows a list of everything open. It includes the favicon, page name, and domain, as well as an individual close button. This feature is first rolling out to Chromebooks before coming to desktop browsers.

Chrome OS 87 will list the Bluetooth battery levels of accessories in Settings and Quick Settings. Just navigate to the Bluetooth menu. This feature is primarily meant for wireless headphones and will show a notification with the current level in the bottom-right corner of your screen upon connection. Chrome OS 87 also adds 36 new backgrounds created by four different artists. To set, right-click on the desktop or shelf and select "Set wallpaper."

Other features in this release include:
- Saving to Google Drive has been updated with the ability to rename the file and selecting what folder to store it in
- Chrome OS devices now support switch accessibility devices
- Google has updated language settings to be easier for multilingual users to navigate
- The Alt+Tab window switcher now supports mouse, touch screen, and stylus input
- Version 87 makes visual improvements when renaming Virtual Desks and Launcher folders

Google

Chrome's New 'Cache Partitioning' System Impacts Google Fonts Performance (zdnet.com) 27

A change made in the Google Chrome browser in October has impacted the performance of the Google Fonts service for millions of websites. From a report: The change is an update to Chrome's internal cache system. A browser's cache system works by serving as a temporary storage system for images, CSS, and JavaScript files used by websites. Files stored in the cache are typically reused across multiple sites instead of having the browser re-download each file for every page/tab load. But with the release of Chrome 86 in early October 2020, Google has overhauled how Chrome's entire caching system works. Instead of using one big cache for all websites, Google has "partitioned" the Chrome cache, which will now be storing resources on a per-website and per-resource basis. While this is a big win for user security, preventing some forms of web attacks, this change has affected web services designed around the old cache system.
