Chrome

Google Releases Chrome 79 With New Features Including an Option To Freeze Tabs and Back-Forward Caching (zdnet.com) 29

Google today released Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users. This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predictive Phishing protections, a ban on loading HTTPS "mixed content," support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism. ZDNet has outlined each new feature in-depth.
Open Source

WireGuard VPN Is On Its Way To Linux (zdnet.com) 48

WireGuard has now been committed to the mainline Linux kernel. "While there are still tests to be made and hoops to be jumped through, it should be released in the next major Linux kernel release, 5.6, in the first or second quarter of 2020," reports ZDNet. From the report: WireGuard has been in development for some time. It is a layer 3 secure VPN. Unlike its older rivals, which it's meant to replace, its code is much cleaner and simpler. The result is a fast, easy-to-deploy VPN. While it started as a Linux project, WireGuard code is now cross-platform, and its code is now available on Windows, macOS, BSD, iOS, and Android. It took longer to arrive than many wished because WireGuard's principal designer, Jason Donenfeld, disliked Linux's built-in cryptographic subsystem on the grounds its application programming interface (API) was too complex and difficult. He suggested it be supplemented with a new cryptographic subsystem: His own Zinc library. Many developers didn't like this. They saw this as wasting time reinventing the cryptographic wheel.

But Donenfeld had an important ally. Torvalds wrote, "I'm 1000% with Jason on this. The crypto/ model is hard to use, inefficient, and completely pointless when you know what your cipher or hash algorithm is, and your CPU just does it well directly." In the end, Donenfeld compromised. "WireGuard will get ported to the existing crypto API. So it's probably better that we just fully embrace it, and afterward work evolutionarily to get Zinc into Linux piecemeal." That's exactly what happened. Some Zinc elements have been imported into the legacy crypto code in the forthcoming Linux 5.5 kernel. This laid the foundation for WireGuard to finally ship in Linux early next year.

Android

New Linux Vulnerability Lets Attackers Hijack VPN Connections (bleepingcomputer.com) 43

An anonymous reader writes: Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams. They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard. The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. A currently incomplete list of vulnerable operating systems and the init systems they came with is available below, with more to be added once they are tested and found to be affected: Ubuntu 19.10 (systemd), Fedora (systemd), Debian 10.2 (systemd), Arch 2019.05 (systemd), Manjaro 18.1.1 (systemd), Devuan (sysV init), MX Linux 19 (Mepis+antiX), Void Linux (runit), Slackware 14.2 (rc.d), Deepin (rc.d), FreeBSD (rc.d), and OpenBSD (rc.d).

This security flaw "allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website," according to William J. Tolley, Beau Kujath, and Jedidiah R. Crandall, Breakpointing Bad researchers at University of New Mexico. "Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections," the researchers said.

Desktops (Apple)

Apple's Activation Lock Will Make It Very Difficult To Refurbish Macs (ifixit.com) 178

Apple's Activation Lock is an anti-theft feature built into iOS, watchOS, and macOS Catalina that prevents people from restoring your Apple devices without your permission. "With the release of macOS Catalina earlier this fall, any Mac that's equipped with Apple's new T2 security chip now comes with Activation Lock," writes iFixit's Craig Lloyd. What this means is that there will likely be thousands of perfectly good Macs being parted out or scrapped instead of being put into the hands of people who could really use them. From the report: Activation Lock was designed to prevent anyone else from using your device if it's ever lost or stolen, and it's built into the "Find My" service on iPhones, iPads, and other Apple devices. When you're getting rid of an old phone, you want to use Apple's Reset feature to wipe the phone clean, which also removes it from Find My iPhone and gets rid of the Activation Lock. But if you forget, and sell your old iPhone to a friend before you properly wipe it, the phone will just keep asking them for your Apple ID before they can set it up as a new phone. In other words, they won't be able to do much with it besides scrap it for parts.

That seems like a nice way to thwart tech thieves, but it also causes unnecessary chaos for recyclers and refurbishers who are wading through piles of locked devices they can't reuse. This reduces the supply of refurbished devices, making them more expensive -- oh, and it's an environmental nightmare. [...] The T2 security chip, however, erases any hope and makes it impossible to do anything on a Mac without the proper Apple ID credentials. Attempting any kind of hardware tinkering on a T2-enabled Mac activates a hardware lock, which can only be undone by connecting the device to Apple-authorized repair software. It's great for device security, but terrible for repair and refurbishment. While recyclers may not be dealing with as many locked Macs as locked iPhones (especially since Activation Lock on Macs is still very new, and there are specific software criteria that need to be met), it's only a matter of time before thousands upon thousands of perfectly working Macs are scrapped or shredded, for lack of an unknown password.

IOS

iOS Apps Could Really Benefit From the Newly Proposed Security.plist Standard (zdnet.com) 13

Security researcher Ivan Rodriguez has proposed a new security standard for iOS apps, which he named Security.plist. From a report: The idea is simple. App makers would create a property list file (plist) named security.plist that they would embed inside the root of their iOS apps. The file would contain all the basic contact details for reporting a security flaw to the app's creator. Security researchers analyzing an app would have an easy way to get in contact with the app's creators. Rodriguez said the idea for Security.plist came from Security.txt, a similar standard for websites, that was proposed in late 2017. Security.txt is currently going through an official standardization process at the Internet Engineering Task Force (IETF), but it has been widely adopted already, and companies like Google, GitHub, LinkedIn, and Facebook, all have a security.txt file hosted on their sites, so bug hunters can get in touch with their respective security teams. Rodriguez, who is an amateur bug hunter in iOS apps, said he decided to propose a similar thing for iOS apps because getting in touch with an app's dev or security team has been a problem in the past. "I spend most of my free time poking mobile applications which has led me to find many vulnerabilities and I have yet to find one that has an easy way to find the correct channel to responsibly disclose these issues," Rodriguez told ZDNet.
Social Networks

Facebook and Twitter Users' Data Exposed Due To Third-Party SDK Bug (thurrott.com) 10

Facebook and Twitter announced on Monday that the companies were notified about malicious software development kits (SDKs) that allowed certain apps to collect users' data from the apps without their permission. Paul Thurrott reports: The main culprits here are One Audience and Mobiburn, developers of the malicious SDKs that apparently paid developers to use the SDKs and secretly collect users' data. Twitter noted that the issue isn't due to a vulnerability in its software. The breach was caused by "the lack of isolation between SDKs within an application," according to the company. The company also said that the malicious SDKs could allow apps to access personal information like your email, username, and your last tweet without your permission. "We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," the company said. The two social networks said that they will notify the affected users about the breach.
China

Apple CEO Tim Cook: China Really Hasn't Pressured Us. (9to5mac.com) 79

hackingbear writes: In a talk with ABC News, Apple CEO Tim Cook discussed Apple's investment in the United States, his relationship with President Trump, China and more. When asked if there was a line Apple would not cross if China pressured the company [to violate users' privacy and rights], Cook said they have never been asked in China by authorities to unlock an iPhone, but added, referring to the U.S., "I have here. And we stood up against that, and said we can't do it," he added. "Our privacy commitment is a worldwide one." When asked why Apple still builds the iPhone in China, Cook said that he actually thinks "the iPhone is made everywhere." "If you look at the glass of the iPhone, which everybody touches all day long, that glass is made in Kentucky. If you were to take apart the iPhone you would see many of the silicon components that are made in the United States as well," he added. "The iPhone is the product of a global supply chain." John Gruber of DaringFireball adds: If China hasn't pressured Apple, why was the Taiwanese flag emoji removed from iOS devices in Hong Kong? It's far from the biggest issue surrounding China. I get that. It's just a flag emoji, and we're talking about a regime that has put over a million people into concentration camps. But it is bullshit. Under the one-country-two-systems arrangement China itself agreed to regarding Hong Kong, there is nothing illegal about the Taiwanese flag. It's flat-out wrong that Apple removed the Taiwanese flag emoji in Hong Kong. But if they did so at the behest of China at least we'd have a reason why. If China hasn't pressured Apple on this point, small though it may be, why in the world did Apple remove the flag? It reeks of cowardice. Further reading: Apple Has No Backbone.
IOS

Inside Apple's iPhone Software Shakeup After Buggy iOS 13 Debut (bloomberg.com) 55

Apple is overhauling how it tests software after a swarm of bugs marred the latest iPhone and iPad operating systems, Bloomberg reported Thursday. From the report: Software chief Craig Federighi and lieutenants including Stacey Lysik announced the changes at a recent internal "kickoff" meeting with the company's software developers. The new approach calls for Apple's development teams to ensure that test versions, known as "daily builds," of future software updates disable unfinished or buggy features by default. Testers will then have the option to selectively enable those features, via a new internal process and settings menu dubbed Flags, allowing them to isolate the impact of each individual addition on the system. When the company's iOS 13 was released alongside the iPhone 11 in September, iPhone owners and app developers were confronted with a litany of software glitches.

Apps crashed or launched slowly. Cellular signal was inconsistent. There were user interface errors in apps like Messages, system-wide search issues and problems loading emails. Some new features, such as sharing file folders over iCloud and streaming music to multiple sets of AirPods, were either delayed or are still missing. This amounted to one of the most troubled and unpolished operating system updates in Apple's history. The new development process will help early internal iOS versions to be more usable, or "livable," in Apple parlance. Prior to iOS 14's development, some teams would add features every day that weren't fully tested, while other teams would contribute changes weekly. "Daily builds were like a recipe with lots of cooks adding ingredients," a person with knowledge of the process said.

Apple

Apple Locks Top Secret-Spiller Out of His Developer Account (cultofmac.com) 50

Guilherme Rambo, one of the top Apple secret-spillers, says Apple locked him out of his developer account, preventing him from accessing critical tools needed to create and update iOS and Mac apps. From a report: In a blog post detailing his problem, Rambo revealed that Apple locked him out in August. Since then, all his attempts to resolve the issue met a dead end, he says. Rambo's post doesn't mention that he digs through Apple beta software looking for clues about unreleased Apple products -- and publishes his findings on 9to5Mac. That might be the precise reason why he's locked out. A famously secretive company, Apple historically took harsh measures against leakers and rumor mongers.
Privacy

This 'Robot Lawyer' Can Take the Mystery Out of License Agreements (theverge.com) 36

DoNotPay, the "robot lawyer" service that helps you contest parking tickets and even sue people, is launching a new tool to help customers understand license agreements. From a report: Called "Do Not Sign," the service is included with DoNotPay's monthly $3 subscription fee, and it lets users upload, scan, or copy and paste the URLs of any license agreements they'd like to check. The service uses machine learning to highlight clauses it thinks users need to know about, including options to opt out from data collection. It's available starting today, November 20th, on the web and via DoNotPay's app on iOS. Agreeing to lengthy license agreements is an almost weekly occurrence for many people, with modern smart devices forcing you to hit "agree" on every new contract. Do Not Sign isn't a replacement for a real lawyer, but it's better than accepting a license agreement sight unseen so you can start using a shiny new gadget, service, or app without delay.
AI

Microsoft Winds Down Its Bigger Plans for Cortana With Mobile App Shutdown (techcrunch.com) 40

At Microsoft's Ignite conference this month, the company announced a new vision for its personal productivity assistant, Cortana -- one which aimed to make it more useful in your day-to-day work, including email, but one which also saw Microsoft scaling its ambitions back from Cortana as a true Siri, Alexa or Google Assistant competitor. Now, the other shoe has dropped, as Microsoft says it's planning to shut down its standalone Cortana mobile apps across a number of markets. From a report: The company quietly revealed its plans to wind down support for Cortana on iOS and Android in several regions, with an end-of-life date of January 31st, 2020. After this point, Cortana mobile app will no longer be supported. Microsoft also said it will release an updated version of its Microsoft Launcher, that will have Cortana removed. Microsoft tells us the impacted markets include Great Britain, Australia, Germany, Mexico, China, Spain, Canada, and India. While the U.S. isn't in this list today, it would not be surprising to see its support pulled at a later date. The Cortana app for iOS is only ranked No. 254 in the Productivity category on the App Store, and only No. 145 on Google Play, according to current data from Sensor Tower.
Firefox

Why Firefox Fights for the Future of the Web (theguardian.com) 57

"Mozilla is no longer fighting for market share of its browser: it is fighting for the future of the web," writes the Guardian, citing Mozilla Project co-founder Mitchell Baker: Baker's pitch is that only Mozilla is motivated, first and foremost, to make using the web a pleasurable experience. Google's main priority is to funnel user data into the enormous advertising engine that accounts for most of its revenue. Apple's motivation is to ensure that customers continue to buy a new iPhone every couple of years and don't switch to Android...."

Firefox now runs sites such as Facebook in "containers", effectively hiving the social network off into its own little sandboxed world, where it can't see what's happening on other sites. Baker says: "It reduces Facebook's ability to follow you around the web and track you when you're not on Facebook and just living your life...." Mozilla has launched Monitor, a data-breach reporting service; Lockwise, a password manager; and Send, a privacy-focused alternative to services such as WeSendit. It's also beta-testing a VPN (virtual private network) service, which it hopes to market to privacy-conscious users...

Apple's iOS (mobile operating system) is an acknowledged disaster for Mozilla. Safari is the default and, while users can install other browsers, they come doubly hindered: they can never be set as the default, meaning any link clicked in other applications will open in Safari; and they must use Safari's "rendering engine", a technical limitation that means that even the browsers that Firefox does have on the platform are technically just fancy wrappers for Apple's own browser, rather than full versions of the service that Mozilla has built over the decades... "Even if you do download a replacement, iOS drops you back into the default. I don't know why that's acceptable. Every link you open on a phone is the choice of the phone maker, even if you, as a user, want something else."

Summarizing Baker's concerns, the Guardian writes that "It is perfectly possible to build a browser that prevents advertising companies from aggregating user data. But it is unlikely that any browser made by an advertising company would offer such a feature..."

And an activist for the Small Technology Foundation tells them that Google "wants the web to go through Google. It already mostly does: with eyes on 70% to 80% of the web."
Facebook

Instagram Is Coming for TikTok's Head By Copying Its Best Features (gizmodo.com) 21

First, Instagram killed Snapchat when it cribbed its Stories feature. Now, the social media platform is reportedly gunning for TikTok with a new format called Reels. From a report: Reels is currently being rolled out in Brazil. Available on both iOS and Android, the feature lets users record 15-second clips that can then be set to music. Users can adjust speed, as well as borrow audio from other videos to remix and riff content. It also appears Instagram is adding video editing tools, like the ability to add timed captions and ghost overlays for transitions. Once a user is finished editing, the video can then be posted to their Stories -- and may also be shared to a new "Top Reels" section in the Explore tab. At the moment, there's no concrete timeline for when we might see Reels stateside. An Instagram spokesperson told Gizmodo that the company is simply excited to test the feature in Brazil for now, and "incorporate learnings and feedback from the community as [it] goes."
Programming

Python Finally Overtakes Java on GitHub (zdnet.com) 61

"The hit programming language Python has climbed over once-dominant Java to become the second most popular language on Microsoft-owned open-source code-sharing site GitHub," reports ZDNet: Python now outranks Java based on the number of repository contributors, and by that metric Python is now second only to JavaScript, which has been in top spot since 2014, according to GitHub's 'State of the Octoverse' report for 2019...

Another interesting aspect of GitHub's report is its ranking of fastest-growing languages. Google's Dart programming language and Flutter, for building UIs for iOS and Android apps, are getting major traction with developers on GitHub. Dart was the fastest-growing language between 2018 and 2019, with usage up a massive 532%. It was followed by the Mozilla-developed Rust, which grew a respectable 235%. Microsoft is experimenting with Rust in its Windows code base because it was designed to address memory-related security bugs -- the dominant flaw-type in Microsoft software over the past decade.

Last year Kotlin, the Google-endorsed programming language for Android app development, was the fastest-growing language on GitHub. It's not a top-10 language yet, but it still grew 182% over the year. Microsoft-backed TypeScript, its superset of JavaScript, is also growing fast, up 161% over the past year as more developers use it to grapple with large-scale JavaScript apps.

Other languages making up the top 10 fastest-growing category are HCL, PowerShell, Apex, Python, Assembly, and Go.

Television

Apple TV, Apple TV, Apple TV, and Apple TV+ (dcurt.is) 71

Dustin Curtis writes about Apple TV: Apple TV is a hardware device. Apple TV is an app on Apple TV that curates content you can buy from Apple and also content you can stream through other installed apps (but not all apps, and there is no way to tell which ones). Apple TV is an app on iOS/iPadOS devices that operates similarly to Apple TV on Apple TV. Apple TV on iOS/iPadOS syncs playback and watch history with Apple TV on Apple TV, but only if the iOS/iPadOS device has the same apps installed as the Apple TV -- and not all apps are available on all platforms. Apple TV is also an app on macOS, but it does not show content that can only be streamed from external apps on an Apple TV or iOS/iPadOS device.

Apple TV is an app or built-in feature of other devices, like smart TVs and streaming set-top boxes, but when Apple TV is running on a third party device, it does not show content from other installed apps on that device. Apple TV Channels is a feature on all Apple TV apps that lets you subscribe to external services like HBO and Showtime, which then display content within Apple TV. When Apple TV is on Apple TV or iOS/iPadOS, though, most Apple TV Channel services also have their own app. If you are logged into the app, the service's content already shows up in Apple TV. Apple TV Channels can only be viewed within Apple TV; you cannot watch an Apple TV Channel service's content on any non-Apple TV device, app, or the web. [...] Apple TV+ is a subscription streaming service from Apple that functions like an Apple TV Channel but is not an Apple TV Channel. Apple TV+ content can also be viewed in a web browser at tv.apple.com; no other Apple TV apps, devices, or features can be used in a web browser.
He adds, "other than that, though, Apple TV is relatively straightforward."
Bug

Complaints Mounting About iOS 13.2 Being 'More Aggressive at Killing Background Apps and Tasks' (macrumors.com) 52

Apple's iOS 13 has had a rocky start since its release last month, with it being among the most buggy Apple software releases in recent memory. Now, iPhone owners are complaining of yet another issue that may be bug-related. From a report: A growing number of iPhone and iPad users have complained about poor RAM management on iOS 13 and iPadOS 13, leading to apps like Safari, YouTube, and Overcast reloading more frequently upon being reopened. We've lightly edited some of the comments to correct things like capitalization.
Software

Apple App Store Bug Reportedly Erases Over 20 Million App Ratings In a Week (techcrunch.com) 10

A bug in Apple's App Store removed more than 20 million ratings from apps both big and small. "The issue began on October 23, 2019 and wasn't resolved until yesterday, October 29," reports TechCrunch. "Apple hasn't yet explained how such a sizable and impactful change to app ratings occurred." From the report: This massive ratings drop was spotted by the mobile app insights platform Appfigures. The firm found that more than 300 apps from over 200 developers were affected by the sweep, which wiped out a total of 22 million app reviews from the App Store. On average, apps saw a 50% decrease in ratings in the affected countries, which included the U.S.

The U.S. was hit the hardest, however, as some 10 million ratings disappeared. But the sweep was global in nature, hitting all 155 countries Apple supports. China, the U.K., South Korea, Russia and Australia also felt a noticeable impact. A few apps were hit harder than others. Hulu, for example, lost a whopping 95% of ratings in the U.S., while Dropbox and Chase lost 85%. Several companies affected by the bug declined to comment, but told us that the rating removals weren't done at their request -- they were just as surprised as everyone else. Of the more than 300 apps that got hit, about half (154) saw a drop of more than 100 ratings, Appfigures said.
Some of the impacted companies (and Appfigures) confirmed to TechCrunch the missing ratings were restored as of yesterday.
Security

iPhone Emulation Company Sued by Apple Says It's Making iPhones Safer (vice.com) 35

A startup that makes replicas of the iPhone that help hackers find vulnerabilities is accusing Apple of suing it in an attempt to shut it down. Corellium also fired back at Apple and claimed the company owes it $300,000. From a report: On Monday, Corellium, the startup that was sued by Apple for alleged copyright infringement in August, filed its response to the lawsuit. Apple alleged that Corellium's product is illegal, and helps researchers sell hacking tools based on software bugs found in iOS to government agencies that then use them to hack targets. The cybersecurity world was shocked by Apple's lawsuit, which was seen as an attempt to use copyright as an excuse to control the thriving, and largely legal, market for software vulnerabilities. The lawsuit was filed just a few days after Apple announced it would give researchers special "pre-hacked" devices to allow them to find and report more bugs to the company.

"Through its invitation-only research device program and this lawsuit, Apple is trying to control who is permitted to identify vulnerabilities, if and how Apple will address identified vulnerabilities, and if Apple will disclose identified vulnerabilities to the public at all," Corellium argues in its response, echoing arguments made by the security research community. In its response, Corellium essentially argues that using Apple's code in Corellium is fair use and its product makes the world a better place by helping security researchers inspect the iPhone's operating system, find flaws in it, and help Apple fix them. With Corellium, researchers can more easily find bugs by creating virtual instances of iOS and test them more quickly, as opposed to having to use actual physical devices. Corellium attempts to illustrate this by including "before" and "after" images in its response that demonstrate what it was like to try to hack the iPhone before it released its software.

IOS

iPadOS Discoverability Trouble (mondaynote.com) 41

Apple this year differentiated the iPad by creating a superset of iOS that only works on the company's tablet, the cleanly named iPadOS. In theory, iPadOS fixes the many shortcomings of previous iOS versions that tried to serve two masters, the iPad and the iPhone. But some fundamental issues remain. From a column: Apple's iPadOS page is adamant that a world of possibilities is now "ours." The "Features" section provides a long, long list of new iPad talents. Without getting into the embarrassing details about the klutziness that makes me a good product tester because I tend to do things that knowledgeable users already know how to do, I'm confused and frustrated by all of these "possibilities." For relatively simple tasks such as using multiple apps side by side or opening more than one window for an app such as Pages, the iPad support site is cryptic and, in some cases, just plain wrong. As just one example, the on-line guidance advises: "go to Settings > General > Multitasking & Dock..." Trouble is, the General section of Settings on my iPad Pro doesn't have a Multitasking & Dock section. A little bit of foraging gets me to the Home Screen & Dock section where, yes, the Multitasking adjustments are available.

On the positive side, one now has a real Safari browser, equivalent in most regards to the "desktop" version, and the ability to open two independent windows side by side. Because I feel self-conscious about my mental and motor skills, I compared notes with a learned friend, a persistent fellow who forced himself to learn touch typing by erasing the letters on his keyboard. He, too, finds iPadOS discoverability to be severely lacking. There are a lot of new and possibly helpful features but, unlike the 1984 Mac, not enough in the way of the hints that menu bars and pull-down menus provide. It all feels unfinished, a long, long list of potentially winning features that are out of the reach of this mere mortal and that I assume will remain undiscovered by many others. Kvetching aside, we know that Apple plays the long game. Today's stylus-equipped and mouse-capable iPad shows great promise. (I connected my trusted Microsoft Mouse and its two buttons and wheel -- no problem.) It clearly has the potential to become a multifaceted device capable of a wide range of interactions. From the simplest one-finger control enjoyed by children and adults alike to the windows and pointing device interactions "power users" hope for, the iPad shows great potential -- and the need for more work to make the new features more discoverable.
