Google said this week that it will begin to phase out traditional Chrome apps starting in June, and winding down slowly over two years' time. Chrome extensions, though, will live on. From a report: Google said Tuesday in a blog post that it would stop accepting new Chrome apps in March. Existing apps could continue to be developed through June, 2022. The important dates start in June of this year, when Google will end support for Chrome Apps on the Windows, Mac, and Linux platforms. Education and Enterprise customers on these platforms will get a little more time to get their affairs in order, until December, 2020. Google had actually said four years ago that it would phase out Chrome apps on Windows, Mac, and Linux in 2018. The company appears to have waited longer than announced before beginning this process. The other platform that's affected by this, of course, is Google's own Chrome OS and Chromebooks, for which the apps were originally developed.

Security researchers have published proof-of-concept (PoC) code for exploiting a recently-patched vulnerability in the Windows operating system, a vulnerability that has been reported to Microsoft by the US National Security Agency (NSA). From a report: The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS. According to a high-level technical analysis of the bug from cyber-security researcher Tal Be'ery, "the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft's code." According to both the NSA, the DHS, and Microsoft, when exploited, this bug (tracked as CVE-2020-0601) can allow an attacker to: 1. Launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections. 2. Fake signatures for files and emails. 3. Fake signed-executable code launched inside Windows.

Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. The vulnerability was spotted and reported by the NSA. CNBC reports: The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.

In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available." Jeff Jones, a senior director at Microsoft said in a statement Tuesday: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.

Google has announced plans today to phase out the usage of user-agent strings in its web browser Chrome. From a report: UA strings have been developed part of the Netscape browser in the 90s, and have been in use ever since. For decades, websites have used UA strings to fine-tune features based on a visitor's technical specifications. But now, Google says that this once-useful mechanism has become a constant source of problems, on different fronts. For starters, UA strings have been used by online advertisers as a way to track and fingerprint website visitors. "On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites) , and sites (including Google properties) being broken in some browsers for no good reason," said Yoav Weiss, a Google engineer working on the Chrome browser.

To address these issues, Google said it plans to phase out the importance of UA strings in Chrome by freezing the standard as a whole. Google's plan is to stop updating Chrome's UA component with new strings (the UA string text that Chrome shares with websites). The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.

The UK's National Cyber Security Centre (NCSC) is warning people of using online banking or accessing sensitive accounts from devices running Windows 7 from Tuesday, 14 January, when Microsoft ends support for the operating system. From a report: The NCSC, the government body for cybersecurity, is encouraging people to upgrade from Windows 7 as soon as possible, due to Microsoft's 2019 decision to stop providing technical support for the software. "The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates which help protect their devices," the NCSC spokesperson said. "We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device."

This week a former engineer for the Microsoft Windows Core OS Division shared an insightful (and very entertaining) list with "some changes I have noticed over the last 20 years" in the computer programming world. Some excerpts: - Some programming concepts that were mostly theoretical 20 years ago have since made it to mainstream including many functional programming paradigms like immutability, tail recursion, lazily evaluated collections, pattern matching, first class functions and looking down upon anyone who don't use them...

- 3 billion devices run Java. That number hasn't changed in the last 10 years though...

- A package management ecosystem is essential for programming languages now. People simply don't want to go through the hassle of finding, downloading and installing libraries anymore. 20 years ago we used to visit web sites, downloaded zip files, copied them to correct locations, added them to the paths in the build configuration and prayed that they worked.

- Being a software development team now involves all team members performing a mysterious ritual of standing up together for 15 minutes in the morning and drawing occult symbols with post-its....

- Since we have much faster CPUs now, numerical calculations are done in Python which is much slower than Fortran. So numerical calculations basically take the same amount of time as they did 20 years ago...

- Even programming languages took a side on the debate on Tabs vs Spaces....

- Code must run behind at least three levels of virtualization now. Code that runs on bare metal is unnecessarily performant....

- A tutorial isn't really helpful if it's not a video recording that takes orders of magnitude longer to understand than its text.

- There is StackOverflow which simply didn't exist back then. Asking a programming question involved talking to your colleagues.

- People develop software on Macs.
In our new world where internet connectivity is the norm and being offline the exception, "Security is something we have to think about now... Because of side-channel attacks we can't even trust the physical processor anymore."

And of course, "We don't use IRC for communication anymore. We prefer a bloated version called Slack because we just didn't want to type in a server address...."

Samsung's "Galaxy XCover Pro" rugged smartphone includes a feature that all but disappeared from the market: a removable battery. "There are a handful of very low-end smartphones that still have removable batteries, but as a mid-ranger, this would be the highest-end removable-battery phone on the market," reports Ars Technica. From the report: It's hard to say if the XCover Pro is currently official or not. Samsung's Nordic division posted a CES press release that detailed the never-before-seen XCover Pro, complete with specs and pictures, alongside several other previously announced phones. A later update scrubbed all mention of the XCover from the press release. The release said the phone would be for sale in Finland on January 31 for $554, but since the release was pulled, it's unclear if that is still accurate.

Samsung Nordic listed the phone with a Samsung Exynos 9611 SoC, an eight-core, 10nm chip with four Cortex A73 cores and four Cortex A53 cores. This would make it a mid-range phone on par with the "Galaxy A" series. The phone has 4GB of RAM, 64GB of storage that's expandable thanks to a microSD slot, and that sweet 4050mAh removable battery. The display design is... interesting. The display is a 6.3-inch 2400x1000 LCD, which is strange, as most Samsung phones use the company's OLED panels. Like most modern Samsung phones, this device also has a circular cutout in the display for the camera, and while this makes sense on devices with slim top bezels, the XCover's top bezel seems like it would have had plenty of room for a camera. As far as the "rugged" features go, the device features an IP69 water- and dust-resistance rating. There's also a push-to-talk button, side-mounted fingerprint sensor, two rear cameras (25MP + 8MP sensors), and a 13MP front sensor. Strangely, it appears to be running Android 9 Pie instead of the newer Android 10 OS.

New submitter profi shares a report from Computing: Huawei has released the source code of openEuler, its distribution of Linux based on CentOS. The operating system was formally launched by Huawei in September 2019 in response to U.S. sanctions, which had briefly affected the company's access to Windows and Android operating systems. The source code has now been published on Gitee, the Chinese version of Github.

OpenEuler comprises two organizations on Gitee, one for source code and one for package sources. The openEuler organization was keen to highlight two particular packages, iSulad and A-Tune, among the openEuler source code. "iSulad is a lightweight gRPC service-based container runtime. Compared to runc, iSulad is written in C, but all interfaces are compatible with OCI. A-Tune is a system software to auto-optimize the system adaptively to multiple scenarios with embedded AI-engine." The announcement continues: "You will also see several infrastructure-supported projects that set up the community's operating systems... these systems are built on the Huawei Cloud through script automation."

Among the package sources, covered by the src-openeuler organization on Gitee, are around 1,000 packages with versions in both ARM64 and X86 architecture packages. Huawei claims its developers have made a number of enhancements to ARM64 openEuler code to improve multi-core efficiency. It is also working on a "green computing" ecosystem with Linaro and the Green Industry Alliance. At the moment, the organization claims, there are more than 50 contributors and just under 600 commits. The openEuler community has around 20 SIGs or project groups.

Speaking of Chromebooks, David Ruddock, opines at AndroidPolice: Chrome OS' problems really became apparent to me when Android app compatibility was introduced, around five years ago. Getting Android apps to run on Chrome OS was simultaneously one of the Chrome team's greatest achievements and one of its worst mistakes. In 2019, two things are more obvious than ever about the Android app situation on Chrome. The first is that the "build it and they will come" mantra never panned out. Developers never created an appreciable number of Android app experiences designed for Chrome (just as they never did for Android tablets). The second is that, quite frankly, Android apps are very bad on Chrome OS. Performance is highly variable, and interface bugs are basically unending because most of those apps were never designed for a point-and-click operating system. Sure, they crash less often than they did in the early days, but anyone saying that Android apps on Chrome OS are a good experience is delusional.

Those apps are also a crutch that Chrome leans on to this day. Chrome OS doesn't have a robust photo editor? Don't worry, you can download an app! Chrome doesn't have native integration with cloud file services like Box, Dropbox, or OneDrive? Just download the app! Chrome doesn't have Microsoft Office? App! But this "solution" has basically become an insult to Chrome's users, forcing them to live inside a half-baked Android environment using apps that were almost exclusively designed for 6" touchscreens, and which exist in a containerized state that effectively firewalls them from much of the Chrome operating system. As a result, file handling is a nightmare, with only a very limited number of folders accessible to those applications, and the task of finding them from inside those apps a labyrinthine exercise no one should have to endure in 2019. This isn't a tenable state of affairs -- it's computing barbarism as far as I'm concerned. And yet, I've seen zero evidence that the Chrome team intends to fix it. It's just how it is. But Android apps, so far as I can tell, are basically the plan for Chrome. Certainly, Linux environment support is great for enthusiasts and developers, but there are very few commonly-used commercial applications available on Linux, with no sign that will change in the near future. It's another dead end. And if you want an even more depressing picture of Chrome's content ecosystem, just look at the pitiable situation with web apps.

An anonymous reader shares a report: The Samsung Galaxy Chromebook is one of the nicest pieces of laptop hardware I've touched in a very long time. Not since Google's 2017 Pixelbook has there been a ChromeOS device this good looking, this powerful, or -- here's the rub -- this expensive. Available sometime in the first quarter, the Galaxy Chromebook starts at $999 and could go much higher if you fully upgrade its RAM and storage. The central conceit of this laptop is that there really is demand for a high-end Chromebook, and while that may be more true in 2020 than it was in 2017, it's not a sure thing. Chrome OS still has a nagging inability to do some of the things you'd want a device that costs more than a thousand dollars to do: run full desktop apps, easily edit photos and video, or play more premium games.

Despite those limitations, Google and Samsung are looking for ways to get Chromebooks to escape the classroom and start appearing in boardrooms. The Galaxy Chromebook could be part of a revitalized effort to do just that. Running down the specs of the Galaxy Chromebook is like hitting a laundry list of the things you might want in a top-tier Windows ultrabook. It has a 13.3-inch 4K AMOLED display and an Intel 10th-gen Core-i5 Processor. There's a fingerprint sensor for unlocking, two USB-C ports, and expandable storage via microSD. The screen rotates 360-degrees and there's an included S-Pen stylus that can be stored in a silo on the device itself. It's built out of aluminum instead of plastic, has a large trackpad, and is less than 10mm thick.

Microsoft announced today that it successfully took down 50 web domains previously used by a North Korean government-backed hacking group. From a report: The OS maker said the 50 domains were used to launch cyberattacks by a group the company has been tracking as Thallium (also known as APT37). Microsoft said the Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) teams have been monitoring Thallium for months, tracking the group's activities, and mapping its infrastructure. On December 18, the Redmond-based company filed a lawsuit against Thallium in a Virginia court. Shortly after Christmas, US authorities granted Microsoft a court order, allowing the tech company to take over 50 domains that the North Korean hackers have been using as part of their attacks. The domains were used to send phishing emails and host phishing pages.

Long-time Slashdot reader twocows writes: Hyperbola GNU/Linux, a FSF-approved distribution of GNU/Linux, has declared their intent to fork OpenBSD and become HyperbolaBSD..."
The news came earlier this week in a roadmap announcement promising "a completely new OS derived from several BSD implementations" (though Hyperbola was originally based on Arch snapshots and Debian development).

"This was not an easy decision to make, but we wish to use our time and resources to create a viable alternative to the current operating system trends which are actively seeking to undermine user choice and freedom." In 2017 Hyperbola dropped its support for systemd -- but its concerns go far beyond that: This will not be a "distro", but a hard fork of the OpenBSD kernel and userspace including new code written under GPLv3 and LGPLv3 to replace GPL-incompatible parts and non-free ones.

Reasons for this include:

- Linux kernel forcing adaption of DRM, including HDCP.

- Linux kernel proposed usage of Rust (which contains freedom flaws and a centralized code repository that is more prone to cyber attack and generally requires internet access to use.)

- Linux kernel being written without security and in mind. (KSPP is basically a dead project and Grsec is no longer free software)

- Many GNU userspace and core utils are all forcing adaption of features without build time options to disable them. E.g. (PulseAudio / SystemD / Rust / Java as forced dependencies....)

HyperbolaBSD is intended to be modular and minimalist so other projects will be able to re-use the code under free license.

From a report: Calculate Linux 20, a Gentoo-based operating system, is ready to be installed on your computer. Calculate Linux 20 is based on Gentoo 17.1 and comes with several desktop environment choices, such as Cinnamon, KDE, Xfce, MATE, and more. Unfortunately for some users, the operating system is now 64-bit only. Yes, with version 20, the developers have chosen to kill the 32-bit variants. While some people will be upset, it is definitely the correct choice -- 32-bit only processors are very old at this point. You can likely get a better 64-bit machine for a steal at a thrift store these days.

Computer engineer George Hilliard says he has built an electronic business card running Linux. From his blog post: It is a complete, minimal ARM computer running my customized Linux firmware built with Buildroot. It has a USB port in the corner. If you plug it into a computer, it boots in about 6 seconds and shows up over USB as a flash drive and a virtual serial port that you can use to log into the card's shell. The flash drive has a README file, a copy of my resume, and some of my photography. The shell has several games and Unix classics such as fortune and rogue, a small 2048, and a small MicroPython interpreter.

All this is accomplished on a very small 8MB flash chip. The bootloader fits in 256KB, the kernel is 1.6MB, and the whole root filesystem is 2.4MB. So, there's plenty of space for the virtual flash drive. It also includes a writable home directory, on the off chance that anyone creates something they want to keep. This is also saved on the flash chip, which is properly wear leveled with UBI. The whole thing costs under $3. It's cheap enough to give away. If you get one from me, I'm probably trying to impress you. In a detailed write-up, Hilliard goes on to explain how he came up with the design and assembled all the components. Naturally, there were some problems that arose during the construction that he had to troubleshoot: "first, the USB port wasn't long enough to reliably make contact in many USB ports. Less critically, the flash footprint was wrong, which I worked around by bending the leads under the part by hand..."

Impressively, the total cost of the card (not including his time) was $2.88 -- "cheap enough that I don't feel bad giving it away, as designed!"

b-dayyy shared this article from Linux Security: The United States government's respect for and acceptance of open-source development has steadily grown stronger over the past decade, and the U.S. government is increasingly using open-source software as a way to roll out advanced, highly secure technology in an economical manner. On August 8, 2016, the White House CIO released a Federal Source Code Policy that calls for new software to be built, shared, and adapted using open-source methods to capitalize on code that is "secure, reliable, and effective in furthering our national objectives."

The United States Department of Defense recognizes the key benefits associated with open-source development and trusts Linux as its operating system. In fact, the U.S. Army is the single largest installed base for Red Hat Linux and the U.S. Navy nuclear submarine fleet runs on Linux, including their sonar systems. Moreover, the Department of Defense just recently enlisted Red Hat, Inc., the world's largest provider of open-source solutions, to help improve squadron operations and flight training.
In a comment on the original submission, long-time Slashdot reader bobs666 remembers setting up Minix 30 years ago "for running email for a part of the U.S. Army. It's too bad the stupid people made me stop working on the project."

But the world may be changing. The article notes that Linux has now already been certified to meet the three different security certifications required by the United States Department of Defense.

Socguy shares a report from Electrek: Germany's Manager Magazine reports today that Volkswagen is struggling with software problems for its ID3 all-electric car. According to the report, the ID3 will be built for months with an incomplete software architecture that could affect up to 20,000 electric cars. These units, intended for sales in Europe and not the U.S., will require a manual software update.

The nature of the software problem -- how it affects vehicles or the sales timeline -- was not disclosed. The magazine reported the issue as "massive." And unfortunately, the fix is cumbersome. Thousands of ID3 cars will be parked in dedicated rented spaces until the spring when service teams will be deployed with mobile computer stations. New software will be manually installed in this manner for the first 10,000 or so ID3s. A total of 20,000 ID3 vehicles will need to be reworked until the second wave of production begins in May. At that time, further software updates can be deployed over-the-air.

At its developer conference in June this year, Apple introduced Project Catalyst that aims to help developers swiftly bring their iOS apps to Macs. Developers have had more than half a year to play with Catalyst. Here's where things stand currently: The crux of the issue in my mind is that iOS and Mac OS are so fundamentally different that the whole notion of getting a cohesive experience through porting apps with minimal effort becomes absurd. The problem goes beyond touch vs pointer UX into how apps exist and interact within their wider OSes. While both Mac OS and iOS are easy to use, their ease stem from very different conventions. The more complicated Mac builds ease almost entirely through cohesion. Wherever possible, Mac applications are expected to share the same shortcuts, controls, windowing behavior, etc... so users can immediately find their bearings regardless of the application. This also means that several applications existing in the same space largely share the same visual and UX language. Having Finder, Safari, BBEdit and Transmit open on the same desktop looks and feels natural.

By comparison, the bulk of iOS's simplicity stems from a single app paradigm. Tap an icon on the home screen to enter an app that takes over the entire user experience until exited. Cohesion exists and is still important, but its surface area is much smaller because most iOS users only ever see and use a single app at a time. For better and worse, the single app paradigm allows for more diverse conventions within apps. Having different conventions for doing the same thing across multiple full screen apps is not an issue because users only have to ever deal with one of those conventions at a given time. That innocuous diversity becomes incongruous once those same apps have to live side-by-side. Columnist John Gruber of DaringFireball adds: I think part of the problem is Catalyst itself -- it just doesn't feel like nearly a full-fledged framework for creating proper Mac apps yet. But I think another problem is the culture of doing a lot of nonstandard custom UI on iOS. As Wellborn points out, that flies on iOS -- we UI curmudgeons may not like it, but it flies -- because you're only ever using one app at a time on iOS. It cracks a bit with split-screen multitasking on iPadOS, but I've found that a lot of the iPad apps with the least-standard UIs don't even support split-screen multitasking on iPadOS, so the incongruities -- or incoherences, to borrow Wellborn's well-chosen word -- don't matter as much. But try moving these apps to the Mac and the nonstandard UIs stick out like a sore thumb, and whatever work the Catalyst frameworks do to support Mac conventions automatically doesn't kick in if the apps aren't even using the standard UIKit controls to start with. E.g. scrolling a view with Page Up, Page Down, Home, and End. Further reading: Apple's Merged iPad, Mac Apps Leave Developers Uneasy, Users Paying Twice (October 2019).

Facebook doesn't want its hardware like Oculus and Portal to be at the mercy of Google because they rely on its Android operating system. From a report: That's why Facebook has tasked a co-author of Microsoft's Windows NT named Mark Lucovsky with building the social network an operating system from scratch, according the The Information's Alex Heath. "We really want to make sure the next generation has space for us," says Facebook's VP of hardware Andrew 'Boz' Bosworth. "We don't think we can trust the marketplace or competitors to ensure that's the case. And so we're gonna do it ourselves."

By moving to its own OS, Facebook could have more freedom to bake social interaction -- and hopefully privacy -- deeper into its devices. It could also prevent a disagreement between Google and Facebook from derailing the roadmaps of Oculus, Portal, or future gadgets. One added bonus of moving to a Facebook-owned operating system? It could make it tougher to force Facebook to spin out some of its acquisitions, especially if Facebook goes with Instagram branding for its future augmented reality glasses.

As spotted by MSPoweruser, Microsoft has started showing non-removable banner ads in the Windows 10 Mail and Calendar apps. From the report: We last saw these ads in November last year, when Microsoft said they were an experiment. Then the ads only showed for those who were not Office 365 subscribers, but on this occasion, they are present for everyone and appear non-removable. The ads are not fixed -- when you read your Gmail if offers to let you read your Gmail on mobile, and for Outlook.com accounts it offers the Outlook app for mobile. Most annoyingly, the ads are still present, even if you use the Outlook app on mobile, and take up considerable vertical space in the menu. Microsoft said in a statement: "The ads within the app itself will be displayed regardless of which email address you use it with. It is not removable, but you can submit it as a suggestion within the Feedback Hub on Windows 10 here: https://msft.it/6012TVPXG."

Microsoft quietly released some new documentation recently, detailing how the company plans to launch its new Chrome-based Microsoft Edge browser. From a report: The company has been working on this new browser for a little while, and we are less than a month away from the public release. [...] The changes here are pretty obvious, but it is still important to understand exactly how Microsoft is going to replace the older Edge browser on a technical level. Microsoft says it has already made changes to Windows 10 and the older Edge browser to support the migration.

All start menu pins, tiles, and shortcuts for the current version of Microsoft Edge will migrate to the next version of Microsoft Edge.
All taskbar pins and shortcuts for the current version of Microsoft Edge will migrate to the next version of Microsoft Edge.
The next version of Microsoft Edge will be pinned to the taskbar. If the current version of Microsoft Edge is already pinned, it will be replaced.
The next version of Microsoft Edge will add a shortcut to the desktop. If the current version of Microsoft Edge already has a shortcut, it will be replaced.
Most protocols that Microsoft Edge handles by default will be migrated to the next version of Microsoft Edge.
Current Microsoft Edge will be hidden from all UX surfaces in the OS, including settings, all apps, and any file or protocol support dialogs.
All attempts to launch the current version of Microsoft Edge will redirect to the next version of Microsoft Edge.