After over a decade as a mobile-only service, Snapchat is coming to your desktop. CNBC reports: Snap, the parent of the popular photo and messaging app, said Monday that it's debuting Snapchat for Web, allowing users to send messages and make video calls to their contacts from their computers. The new desktop version of Snapchat will at first only be available to Australian and New Zealand users, in addition to Snapchat+ subscribers in the U.S., U.K. and Canada. Snap launched Snapchat+ in June, allowing users to pay $3.99 a month for more advanced features, like changing the style of their app icon and seeing who's viewed their content.

The web offering will be a more stripped-down version of the mobile app, primarily focusing on the app's messaging feature as opposed to its Stories feature. Like the core Snap app, messages will disappear after 24 hours, and any Snaps users watch from their desktop computers will delete right after viewing. Eventually, Snap says it will bring more features of the app to desktop version, including the ability for users to liven up their video calls with the use of Lenses. Currently, people will have to access Snapchat for Web via the Chrome browser, but the company said that it would soon support other browsers and could release a desktop app in the future.

An anonymous reader quotes a report from Wired: [R]esearchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets' digital lives. The findings (PDF), which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn't necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target's browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser. "If you're an average internet user, you may not think too much about your privacy when you visit a random website," says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they're very stealthy. You just visit the website and you have no idea that you've been exposed."

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it -- the attack works both ways. Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content. [...] Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site -- and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn't available for all browsers.

A new study from Germany has found that working in virtual reality does not increase productivity, comfort, or wellbeing, but does say the report will help identify opportunities for improving the experience of working in VR in the future. From a report: The project was headed by Dr Jens Grubert, a specialist in human-computer interaction at Coburg University, Germany. It involved 16 people who had to work for five days, eight hours a week (with 45 mins lunch break), in VR. The participants used Meta Quest 2 VR headsets combined with a Logitech K830 keyboard and Chrome Remote Desktop. The equipment was chosen specifically to create a realistic scenario of what users would be using in today's world.

Participants were also asked specific VR-related questions ('do you feel sick?' or 'are your eyes starting to hurt?'). The research team also monitored the worker's heartbeats and typing speed. The published paper, entitled 'Quantifying the Effects of Working in VR for One Week' found "concerning levels of simulator sickness, below average usability ratings and two participants dropped out on the first day using VR, due to migraine, nausea and anxiety." The study found that, as expected, VR results in significantly worse ratings across most measures. Each test subject scored their VR working experience versus working in a physical environment, many felt their task load had increased, on average by 35%. Frustration was by 42%, the 'negative affect' was up 11%, and anxiety rose by 19%. Mental wellbeing decreased by 20%., eye strain rose 48%, and VR ranked 36% lower on usability. Participants' self-rated workflow went down by 14% and their perceived productivity dropped by 16%.

Google is releasing Chrome OS Flex today, a new version of Chrome OS that's designed for businesses and schools to install and run on old PCs and Macs. From a report: Google first started testing Chrome OS Flex earlier this year in an early access preview, and the company has now resolved 600 bugs to roll out Flex to businesses and schools today. Chrome OS Flex is designed primarily for businesses running old Windows PCs, as Google has been testing and verifying devices from Acer, Asus, Dell, HP, Lenovo, LG, Toshiba, and many more OEMs. Flex will even run on some old Macs, including some 10-year-old MacBooks. The support of old hardware is the big selling point of Chrome OS Flex, as businesses don't have to ditch existing hardware to get the latest modern operating system. More than 400 devices are certified to work, and installation is as easy as using a USB drive to install Chrome OS Flex.

EU antitrust regulators are investigating the video licensing policy of the Alliance for Open Media (AOM), whose members include Alphabet Google, Amazon, Apple and Meta , the European Commission said on Thursday. Reuters reports: Founded in 2015, the group aims to create a new standard software for streaming higher-quality 4K video on browsers, devices, apps, and gaming, known as AV1. While the AV1 software is not yet adopted widely, Netflix and YouTube have started using it for some customers, and browsers such as Google Chrome and Firefox have started to support the new format. Intel, Huawei, Mozilla, Samsung and Nvidia are also AOM members, according to its website.

In a questionnaire sent to some companies earlier this year and seen by Reuters, the EU watchdog said it was investigating alleged anti-competitive behavior related to the license terms of AV1 by AOM and its members in Europe. "The Commission has information that AOM and its members may be imposing licensing terms (mandatory royalty-free cross licensing) on innovators that were not a part of AOM at the time of the creation of the AV1 technical, but whose patents are deemed essential to (its) technical specifications," the paper said. It said this action may be restricting the innovators' ability to compete with the AV1 technical specification, and also eliminate incentives for them to innovate.

The questionnaire also asked about the impact of an AOM patent license clause in which licensees would have their patent licenses terminated immediately if they launched patent lawsuits asserting that implementation infringes their claims. Companies risk fines of up to 10% of their global turnover for breaching EU antitrust rules.

Google is testing a method to boost the battery life of Chromebooks by changing how they work with the Chrome web browser. It's shaping up to be a potentially attractive update for users who leave a lot of tabs open on their Chromebooks. From a report: Google Chrome currently cuts the CPU time and throttles the CPU load for any tab you haven't touched or looked at for five minutes. Google calls this "intensive throttling of JavaScript timer wake up," and it's supposed to help conserve system battery life. The feature also makes the page wake up once every 60 seconds to check if you're actively using the tab again. It seems Google is interested in pushing the idea even further, at least for Chromebook users. About Chromebooks this week spotted a new flag in Chrome OS 105, currently being tested in the dev channel, that changes this five-minute period to 10 seconds.

As noted by a Reddit user and confirmed by Ars Technica, Microsoft's xCloud game streaming looks noticeable worse when running on Linux than Windows. From the report: With the Linux User-Agent, edges are generally less sharp and colors are a little more washed out. The difference is even more apparent if you zoom in on the Forza logo and menu text, which shows a significant reduction in clarity. Interestingly, the dip in quality seems to go away if you enable "Clarity Boost, an Edge-exclusive feature that "provid[es] the optimal look and feel while playing Xbox games from the cloud," according to Microsoft. That's great for Linux users who switched over to Microsoft Edge when it launched on Linux last November. But Linux users who stick with Firefox, Chrome, or other browsers are currently stuck with apparently reduced streaming quality.

That Linux quality dip has led some to speculate that Microsoft is trying to reserve the best xCloud streaming performance for Windows machines in an attempt to attract more users to its own operating system. But using a Macintosh User-Agent string provides streaming performance similar to that on Windows, which would seem to be a big omission if that theory were true. Microsoft also hasn't published any kind of "best on Windows"-style marketing in promoting xCloud streaming, which would seemingly be a key component of trying to attract new Windows users. (The quality difference could be a roundabout attempt to get Linux users to switch to the Edge browser, where Clarity Boost offers the best possible quality. But that still wouldn't fully explain why Windows users on other browsers, without Clarity Boost, also get better streaming quality than their Linux brethren.)

Others have suggested that the downgrade could simply be a bug caused by Microsoft's naive parsing of the User-Agent strings. That's because the User-Agent strings for Android browsers generally identify themselves as some version of Linux ("Linux; Android 11; HD1905," for example). Microsoft's xCloud code might simply see the "Linux" in that string, assume the user is running Android, then automatically throttle the streaming quality to account for the (presumably) reduced screen size of an Android phone or tablet.

Google today announced an update to its password manager that will finally introduce a consistent look-and-feel across the service's Chrome and Android implementations. From a report: Users will soon see a new unified user experience that will automatically group multiple passwords for the same sites or apps together, as well as a new shortcut on the Android home screen to get access to these passwords. In addition to this, Google is also now adding a new password-related feature to Chrome on iOS, which can now generate strong passwords for you (once you set Chrome as an autofill provider). Meanwhile, on Android, Google's password check can now also flag weak and re-used passwords and help you to automatically change them, while Chrome users across platforms will now see compromised password warnings.

At the end of 2008, Firefox was flying high. Twenty percent of the 1.5 billion people online were using Mozilla's browser to navigate the web. In Indonesia, Macedonia, and Slovenia, more than half of everyone going online was using Firefox. "Our market share in the regions above has been growing like crazy," Ken Kovash, Mozilla's data analytics team manager at the time, wrote in a blog post. Almost 15 years later, things aren't so rosy. From a report: Across all devices, the browser has slid to less than 4 percent of the market -- on mobile it's a measly half a percent. "Looking back five years and looking at our market share and our own numbers that we publish, there's no denying the decline," says Selena Deckelmann, senior vice president of Firefox. Mozilla's own statistics show a drop of around 30 million monthly active users from the start of 2019 to the start of 2022. "In the last couple years, what we've seen is actually a pretty substantial flattening," Deckelmann adds.

In the two decades since Firefox launched from the shadows of Netscape, it has been key to shaping the web's privacy and security, with staff pushing for more openness online and better standards. But its market share decline was accompanied by two rounds of layoffs at Mozilla during 2020. Next year, its lucrative search deal with Google -- responsible for the vast majority of its revenue -- is set to expire. A spate of privacy-focused browsers now compete on its turf, while new-feature misfires have threatened to alienate its base. All that has left industry analysts and former employees concerned about Firefox's future. Its fate also has larger implications for the web as a whole. For years, it was the best contender for keeping Google Chrome in check, offering a privacy-forward alternative to the world's most dominant browser.

Two years ago a college sophomore started "the Log Off movement." This week the New York Times explored its progress — starting with how their mission's been affected by negative news stories about social media: "The first article I read that really launched me into it was Have Smartphones Destroyed a Generation. I found study after study showing the possible correlation between increased rates of anxiety, suicide rates and eating disorders tracking alongside increased rates of usage... The most powerful thing to me was not the studies. It was the fact that personal stories were not being told and there was not an epicenter where people could come together and say: "Here's my personal experience." "Here's how I was harmed." "These were the accounts that made me feel worse about myself." I knew that was necessary. The genie's out of the bottle.

As members of Gen Z, we understand that there are positive attributes and there are negative attributes to social media, but right now, in its current usage, it can be really harmful.

Q: How does the Log Off Movement address these issues?

Through our podcast, a leadership council, an educational curriculum on how to use online spaces safely and blogs, we are discussing ways we can move forward with technology and allow it to become a tool again rather than a controller.

What we are asking for teens to do is to be comfortable talking about their experiences so that we can educate legislators to understand a Gen Z perspective, what we need from technology, what privacy concerns we're having, what mental health concerns we're having. We have an advocacy initiative through Tech[nically] Politics, which pushes for laws that help ensure teens have a safe online experience, specifically the California Age Appropriate Design Code Bill....

Q: How have you adjusted your own relationship to social media? What methods have worked?

Whenever I go through a stressful period with exams, I delete Instagram. I know that in periods of stress, I'm going to lean towards mindlessly using it as a form of coping. Another thing that's worked for me is Grayscale, which makes the phone appear only in black and white.

I always suggest Screentime Genie, which provides solutions on how to limit screen time. I use Habit Lab for Chrome, which helps you reduce your time online. It creates a level of friction between you and addictive technology.
One app they still enjoy is BeReal (which notifies you and your friends to take an unstaged picture of what you're genuinely doing at one randomly-chosen moment each day). But the group's founder still remembers the "horrific loop" of using social media apps six hours a day (starting with Instagram at the age of 12) — and "feeling as though I could not stop scrolling because it has this weird power over me..." One teenager who'd spent six hours a day on social media later shared their observation that logging off improved their vision — but also made the world more clear mentally.

The group's founder says the ultimate hope is their project "results in a kind of pivot prioritizing the well-being of users in these online environments."

From the MacRumors blog earlier this week: Germany's Federal Cartel Office, the Bundeskartellamt, has initiated proceedings against Apple to investigate whether its tracking rules and anti-tracking technology are anti-competitive and self-serving, according to a press release. The proceeding announced will review under competition law Apple's tracking rules and specifically its App Tracking Transparency Framework (ATT) in order to ascertain whether they are self-preferencing Apple or being an impediment to third-party apps...

Introduced in April 2021 with the release of iOS 14.5 and iPadOS 14.5, Apple's App Tracking Transparency Framework requires that all apps on âOEiPhoneâOE and âOEiPadâOE ask for the user's consent before tracking their activity across other apps. Apps that wish to track a user based on their device's unique advertising identifier can only do so if the user allows it when prompted.

Apple said the feature was designed to protect users and not to advantage the company... Earlier this year it commissioned a study into the impact of ATT that was conducted by Columbia Business School's Marketing Division. The study concluded that Apple was unlikely to have seen a significant financial benefit since the privacy feature launched, and that claims to the contrary were speculative and lacked supporting evidence.
The technology/Apple blog Daring Fireball offers its own hot take: In Germany, big publishing companies like Axel Springer are pushing back against Google's stated plans to remove third-party cookie support from Chrome. The notion that if a company has built a business model on top of privacy-invasive surveillance advertising, they have a right to continue doing so, seems to have taken particular root in Germany. I'll go back to my analogy: it's like pawn shops suing to keep the police from cracking down on a wave of burglaries....

The Bundeskartellamt perspective here completely disregards the idea that surveillance advertising is inherently unethical and Apple has studiously avoided it for that reason, despite the fact that it has proven to be wildly profitable for large platforms. Apple could have made an enormous amount of money selling privacy-invasive ads on iOS, but opted not to.

It's finally happening. Microsoft will be ending support for most versions of its Internet Explorer (IE) 11 browser on June 15. ZDNet: Microsoft announced more than a year ago that IE would be removed from most versions of Windows 10 this year and has spent months encouraging customers to get ready by proactively retiring the browser from their organizations. IE 11 will be retired for Windows 10 client SKUs (version 20H2 and later) and Windows 10 IoT (version 20H2 and later). Products not affected by this retirement include IE Mode in Edge; IE 11 desktop on Windows 8.1, Windows 7 (with Extended Security Updates), Windows Server LTSC (all versions), Windows Server 2022, Windows 10 client LTSC (all versions), Windows 10 IoT LTSC (all versions). The IE 11 desktop app is not available on Windows 11, as Edge is the default browser for Windows 11. IE Mode in Microsoft Edge will be supported through at least 2029 to give web developers eight years to modernize legacy apps and eventually remove the need for IE mode, officials have said. According to Net Applications, a web monitoring tool, Internet Explorer still has a market share of 5.21% on desktops and laptops, far behind Chrome at over 69%, to be sure, but still ahead of Apple's Safari, which commands 3.73% market share.

The UK's Competition and Markets Authority (CMA) has concluded that Google and Apple "hold all the cards" when it comes to mobile phones a year after taking a closer look at their "duopoly." It's now consulting on the launch of a market investigation into the tech giants' market power in mobile browsers, as well as into Apple's cloud gaming restrictions. From a report: In addition, the CMA has launched a separate investigation into Google's Play Store rules -- the one that requires certain app developers to use the tech giant's payment system for in-app purchases, in particular. The CMA has concluded after its year-long study that the tech giants do indeed exhibit an "effective duopoly" on mobile ecosystems. A total of 97 percent of all mobile web browsing in the UK is powered by Apple's and Google's browser engines. iPhones and Android devices typically come with Safari and Chrome pre-installed, which means their browsers have the advantage from the start. Further, Apple requires developers to make sure their iOS and iPadOS apps are using its WebKit engine to browse the web. That limits the incentives Apple may have to invest in Safari, the CMA said.

Google today announced a set of new and updated security features for Chrome, almost all of which rely on machine learning (ML) models, as well as a couple of nifty new ML-based features that aim to make browsing the web a bit easier, including a new feature that will suppress notification permission prompts when its algorithm thinks you're unlikely to accept them. From a report: Starting with the next version of Chrome, Google will introduce a new ML model that will silence many of these notification permission prompts. And the sooner the better. At this point, they have mostly become a nuisance. Even if there are some sites -- and those are mostly news sites -- that may offer some value in their notifications, I can't remember the last time I accepted one on purpose. Also, while legitimate sites love to push web notifications to remind readers of their existence, attackers can also use them to send phishing attacks or prompt users to download malware if they get users to give them permission. "On the one hand, page notifications help deliver updates from sites you care about; on the other hand, notification permission prompts can become a nuisance," Google admits in its blog post today. The company's new ML model will now look for prompts that users are likely to ignore and block them automatically. And as a bonus, all of that is happening on your local machine, so none of your browsing data makes it onto Google's servers.

"C++ allows for writing high-performance applications but this comes at a price, security..." So says Google's Chrome security team in a recent blog post, adding that in general, "While there is appetite for different languages than C++ with stronger memory safety guarantees, large codebases such as Chromium will use C++ for the foreseeable future."

So the post discusses "our journey of using heap scanning technologies to improve memory safety of C++." The basic idea is to put explicitly freed memory into quarantine and only make it available when a certain safety condition is reached. Microsoft has shipped versions of this mitigation in its browsers: MemoryProtector in Internet Explorer in 2014 and its successor MemGC in (pre-Chromium) Edge in 2015. In the Linux kernel a probabilistic approach was used where memory was eventually just recycled. And this approach has seen attention in academia in recent years with the MarkUs paper. The rest of this article summarizes our journey of experimenting with quarantines and heap scanning in Chrome.
In essence the C++ memory allocator (used by new and delete) is "intercepted." There are various hardening options which come with a performance cost:


- Overwrite the quarantined memory with special values (e.g. zero);

- Stop all application threads when the scan is running or scan the heap concurrently;

- Intercept memory writes (e.g. by page protection) to catch pointer updates;

- Scan memory word by word for possible pointers (conservative handling) or provide descriptors for objects (precise handling);

- Segregation of application memory in safe and unsafe partitions to opt-out certain objects which are either performance sensitive or can be statically proven as being safe to skip;

- Scan the execution stack in addition to just scanning heap memory...


Running our basic version on Speedometer2 regresses the total score by 8%. Bummer...

To reduce the regression we implemented various optimizations that improve the raw scanning speed. Naturally, the fastest way to scan memory is to not scan it at all and so we partitioned the heap into two classes: memory that can contain pointers and memory that we can statically prove to not contain pointers, e.g. strings. We avoid scanning memory that cannot contain any pointers. Note that such memory is still part of the quarantine, it is just not scanned....

[That and other] optimizations helped to reduce the Speedometer2 regression from 8% down to 2%.
Thanks to Slashdot reader Hari Pota for sharing the link

An anonymous reader quotes a report from Ars Technica: Apple's Safari web browser has more than 1 billion users, according to an estimate by Atlas VPN. Only one other browser has more than a billion users, and that's Google's Chrome. But at nearly 3.4 billion, Chrome still leaves Safari in the dust. It's important to note that these numbers include mobile users, not just desktop users. Likely, Safari's status as the default browser for both the iPhone and iPad plays a much bigger role than its usage on the Mac. Still, it's impressive given that Safari is the only major web browser not available on Android, which is the world's most popular mobile operating system, or Windows, the most popular desktop OS. "The statistics are based on the GlobalStats browser market share percentage, which was then converted into numbers using the Internet World Stats internet user metric to retrieve the exact numbers," explains Atlas VPN in a blog post.

This week Google began a rolling release for stable Chrome version 102 "with 32 security fixes for browser on Windows, Mac and Linux," reports ZDNet: Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There's one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also creates other fixes for issues found through internal testing...

The critical flaw, labelled as CVE-2022-1853, is a 'use after free in IndexedDB', an interface for applications to store data in a user's browser.... "My guess is that an attacker could construct a specially crafted website and take over the visitor's browser by manipulating the IndexedDB," says Pieter Arntz, a malware intelligence researcher at Malwarebytes. None of the flaws fixed in this Chrome 102 stable release were zero days, meaning flaws that were exploited before Google released a patch for it.

Google's Project Zero (GPZ) team last year counted 58 zero-day exploits for popular software in 2021. Twenty-five of these were in browsers, of which 14 affected Chrome. Google engineers argue zero-day counts are rising because vendors are improving detection, fixes and disclosure. However, GPZ researchers argue the industry as a whole is not making zero days hard enough for attackers, who often rely on tweaking existing flaws rather than being forced to conjure up entirely new exploitation methods.
Linux/Mac/Windows users of Chrome can check Help/About to see if the update has already rolled out to their system — or if they need to update manually.

Google is highlighting how Chromebooks can work in "zero trust" corporate environments with its new Chrome Enterprise Connectors Framework. From a report: The new integration system is designed to make the Chrome browser and Chrome OS devices easier for IT departments to implement with existing security, endpoint, and authentication solutions as well as bother management solutions. Google Chrome OS exec John Solomon describes the new tools as a "plug and play" solution that lets other companies helm Chrome OS management functions like remote-wiping a Chromebook using BlackBerry Unified Endpoint Management or flagging malware downloads with Splunk. These types of management functions previously worked through the Google Admin console. Managing and enrolling Chrome OS devices in the enterprise will still rely on Google tools like Google Admin and Chrome Browser Cloud Management. But new tools like Chrome OS Data Controls give enterprises more options to allow or lock down actions like printing, screen capture, copy / paste, and other potential data loss situations. It might even give IT a better handle on buggy Chrome OS updates and is currently available through the Trusted Tester program.

GameStop said on Monday it has launched a digital asset wallet that will allow gamers to store, send and receive cryptocurrencies and nonfungible tokens. From a report: The digital wallet will be able to be used across decentralized apps, which run on a blockchain and aren't controlled by a central authority, without players having to leave their web browsers, the company said in a statement. The GameStop wallet is a self-custodial Ethereum wallet, meaning the user controls the keys to their assets, not a third party. The wallet extension can be downloaded from Google's Chrome web store and will allow transactions on GameStop's NFT marketplace, which is expected to launch in the second quarter of the company's fiscal year.

AMD announced the Ryzen 5000 C-series for Chromebooks today. "The top chip in the series has eight of AMD's Zen 3 cores, giving systems that use it more x86 CPU cores than any other Chromebook," reports Ars Technica. From the report: The 7nm Ryzen 5000 C-series ranges from the Ryzen 3 5125C with two Zen 3 cores and a base and boost clock speed of 3 GHz, up to the Ryzen 7 5825C with eight cores and a base clock speed of 2 GHz that can boost to 4.5 GHz. For comparison, Intel's Core i7-1185G7, found in some higher end Chromebooks, has four cores and a base clock speed of 3 GHz that can boost to 4.8 GHz.

On their own, the chips aren't that exciting. They seemingly offer similar performance to the already-released Ryzen 5000 U-series chips. The Ryzen 5000 C-series also uses years-old Vega integrated graphics rather than the upgraded RDNA 2 found in Ryzen 6000 mobile chips, which, upon release, AMD said are "up to 2.1 times faster." But for someone who's constantly pushing their Chromebook to do more than just open a Chrome tab or two, the chips bring potentially elevated performance than what's currently available.