Dan Goodin writes via Ars Technica: For almost three years, OpenWRT -- the open source operating system that powers home routers and other types of embedded systems -- has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said. Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTPs connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWTR maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.
[...]
The researcher said that OpenWRT maintainers have released a stopgap solution that partially mitigates the risk the bug poses. The mitigation requires new installations to be "set out from a well-formed list that would not sidestep the hash verification. However, this is not an adequate long-term solution because an attacker can simply provide an older package list that was signed by the OpenWRT maintainers." From there, attackers can use the same exploits they would use on devices that haven't received the mitigation. OpenWRT maintainers didn't immediately respond to questions asking why installation and update files are delivered over HTTP and when a longer-term fix might be available. In the meantime, OpenWRT users should install either version 18.06.7 or 19.07.1, both of which were released in February. These updates provide the stopgap mitigation.

An anonymous reader shares a report: Today, we learn some new details about the upcoming Linux Mint 20. While most of the newly revealed information is positive, there is one thing that is sure to upset many Linux Mint users. First things first, Linux Mint 20 will be based on the upcoming Ubuntu 20.04. This shouldn't come as a surprise, as Mint only uses Long Term Support versions of Ubuntu, and 20.04 will be an LTS. We also now know the name of Linux Mint 20. The Mint team always uses female names, and this time they chose "Ulyana." This is apparently a Russian name meaning "youthful." So far, all of the news is positive, so what exactly will upset some users? The Linux Mint developers are finally dropping 32-bit support and will only produce 64-bit ISOs.

An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private network (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel as ProtonVPN disclosed.

The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks. Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.

An anonymous reader shares a report: Google paused Chrome updates last week when it canceled the Chrome 81 release in order to avoid causing severe disruptions to web developers, system administrators, and its own engineers, most working from home or having resources strained due to ever-worsening coronavirus (COVID-19) outbreak. In a blog post on the Chrome blog today, Google said it is now ready to resume work on Chrome. The company said that starting next week, the current Chrome 80 release will start receiving security updates once again. Chrome v81, initially scheduled to be released on March 17, was rescheduled for April 7, at which time, web developers and system administrators would have had the time to adapt to their new working conditions.

In response to high demand as a result of the COVID-19 coronavirus pandemic, Microsoft has started taking action to preserve overall performance by throttling some services. ZDNet reports: On March 16, Microsoft posted to Microsoft 365/Office 365 admin dashboardds a warning about "temporary feature adjustments" that it might take. That warning told customers that Microsoft was "making temporary adjustments to select non-essential capabilities." Officials said they did not expect these changes to have significan impact on users' experiences. Among the examples of the types of changes Microsoft might take would be things like how often its services check for presence; intervals in which other parties typing are displayed; and video resolution. Today, March 24, Microsoft started cautioning Microsoft 365/Office 365 commercial users of some other "temporary changes" they should expect. The list:

OneNote:
- OneNote in Teams will be read-only for commercial tenants, excluding EDU. Users can go to OneNote for the web for editing.
- Download size and sync frequency of file attachments has been changed.
- You can find details on these and other OneNote related updates at http://aka.ms/notesupdates.

SharePoint:
- We are rescheduling specific backend operations to regional evening and weekend business hours. Impacted capabilities include migration, DLP and delays in file management after uploading a new file, video or image.
- Reduced video resolution for playback videos

Stream:
- People timeline has been disabled for newly uploaded videos. Pre-existing videos will not be impacted.

Apple today officially released versions 13.4 of iOS, iPadOS, and tvOS to the public, alongside macOS 10.15.4 and watchOS 6.2. While many of their improvements are minor, there are a few standout features across the updates. From a report: One of the most noteworthy additions is a dramatic expansion of iPadOS 13's prior trackpad and mouse support, which was limited solely to an Accessibility option before evolving to full system-wide support across all iPad models capable of running iPadOS 13.4. Now, keyboard-trackpad hybrids (such as the upcoming Magic Keyboard for iPad), standalone trackpads, and standalone mice can create a cursor that highlights and selects on-screen text and objects, paving the way for more Mac-like apps on Apple's tablets. Another major improvement is cross-platform support for a new universal app purchase option, enabling a single app developed using Apple's shared Catalyst framework to be purchased and run across Macs, iPhones, iPads, and Apple TVs. This feature went live for developers yesterday, and it uses the iOS App Store as the base for universal apps. Standalone Mac App Store app listings will likely need to be abandoned for the transition to universal apps.

China's homegrown operating systems haven't made much of a dent on the global stage. Now there's a Linux-based system that's aimed at weaning the country off Windows. From a report: UOS, or Unified Operating System, hit a new milestone after its first stable release in January: Union Tech's OS can now boot in 30 seconds on China-made chips. It's an important step as Chinese tech companies look to reduce their dependence on US-made software and hardware. The struggles of ZTE and Huawei illustrate this clearly: The former was reliant on chips made in the US to produce smartphones, while the latter has the difficult task of selling Android handsets outside China without Google apps or services. The "current international climate" has made it imperative for China to have its own foundational software to avoid being cut off by the US, said the general manager of Union Tech, Liu Wenhan. While Chinese operating systems currently account for less than 1% of the market, Liu said he expects them to grow to 20% to 30% in the future. Integrating homegrown Chinese chips could be the biggest accomplishment of UOS if it pans out. Although Chinese computer chips still don't approach the sophistication of those created by US-based companies, Union Tech said that it is actively working with Chinese chipmakers like Loongson and Sunway to facilitate the gradual replacement of American technology in the Chinese government and pillar industries. In December, Beijing ordered all government offices and public institutions to remove foreign computer equipment and software within three years.

Microsoft has announced that it is pausing the rollout of Edge v81, citing the ongoing "global circumstances" surrounding the coronavirus outbreak. From a report: New Edge releases (or any other kind of software updates) usually entail security reviews and compatibility testing to ensure operating systems and internal web applications don't break. Due to the COVID-19 coronavirus outbreak, most system administrators are most likely busy handling the security of employees working from home and taking care of their families in these tough times. Microsoft said it does not want to put an extra strain on system administrators and other IT staff personnel by releasing a new Edge version at this particular time. Redmond's decision comes days after Google announced a similar measure for Chrome v81, postponing the v81 release indefinitely.

In celebration of Windows 10 hitting 1 billion users, Microsoft's chief product officer Panos Panay teased Windows 10's next UI refresh. Gizmodo reports: In the video posted to Instagram, Microsoft starts by showing the evolution of its OS throughout the years going as far back as Windows 1.01 all the way to Windows 10. However, where things start to get interesting is around 12 seconds in when Microsoft shows off a new set of updated icons followed by a redesigned look for Windows 10's Start Menu and Live Tiles. Instead of a bunch of brightly color rectangles, Microsoft is implementing a more unified color scheme that can adjust automatically to match your desktop background and potentially other UI elements.

Additionally, Microsoft also showed off a wide variety of accessibility options including a range of pointers in various sizes and colors, what looks like improved support for the Xbox Adaptive Controller, a tease for a new built-in snipping tool, and more. Then Microsoft capped everything off by showing light and dark themes for Windows 10 along with a bunch of windows resizing and snapping options, all designed to making multi-tasking just a bit faster and easier. Microsoft also made a point to mention support for both x86-based systems powered by chips from Intel and AMD and ARM-based systems like the Surface Pro X.

Google said today it is pausing upcoming Chrome and Chrome OS releases due to the ongoing coronavirus (COVID-19) outbreak. From a report: The company cited "adjusted work schedules" as the primary reason for the delay, as most of its engineers are now working from home. The company published an official statement today after ZDNet reached out for comment last night, when Google failed to release Chrome v81. YouTube videos, tweets, and blog posts announcing the new Chrome release were posted online yesterday -- most likely scheduled days or weeks in advance. However, the actual Chrome v81 release never made it to users' devices, and the same videos, tweets, and blog posts were removed shortly after Google's PR realized their mistake.

Today, we get another diminutive desktop option, but this one is designed for Linux and privacy. From a report: Yes, Purism is finally launching a tiny desktop, and it will come pre-installed with the Debian-based PureOS. Called "Librem Mini," the cute bugger has 4 USB-A ports on the front, along with a 3.5mm audio jack, and the power button. On the rear, there are two more USB-A ports, a single USB-C port, Ethernet, HDMI, DisplayPort, and the power port. "Announcing the Purism Librem Mini. Our small form-factor mini-PC that puts freedom, privacy and security first. We're really excited about the Librem Mini, it's a device our community have wanted and we've wanted to offer for some time. The Librem Mini is accessible, small, light and powerful featuring a new 8th gen quad core i7 processor, up to 64 GB of fast DDR4 memory and 4k 60 fps video playback. It's a desktop for your home or oïfce, a media center for your entertainment, or an expandable home server for your files and applications," says Purism.

ZDNet reports that there'll be some changes in Microsoft's second version of the Windows Subsystem for Linux, WSL2: Microsoft has decided to remove the Linux kernel from the Windows OS image with WSL2. Instead, the company will deliver it to users' machines using Windows Update. Users will be able to manually check for new kernel updates by clicking the "Check for Updates" button or by waiting for Windows to do this automatically. "Our end goal is for this change to be seamless, where your Linux kernel is kept up to date without you needing to think about it. By default this will be handled entirely by Windows, just like regular updates on your machine," said Microsoft Program Manager Craig Loewen in a blog post today outlining the coming change...

When Microsoft first introduced WSL in Windows 10 in 2016 WSL was more of an Linux interface at that point designed in partnership with Canonical. But Microsoft has been busy rearchitecting WSL with WSL 2 so that it actually will provide a Microsoft-written Linux kernel running in a lightweight virtual machine that's based on the subset of Hyper V. Users can put basically any Linux distribution of their choice on that kernel.
Engadget reports that the new version "should load and run faster, with reduced memory consumption to free up your RAM for other tasks." And they also speculate about Microsoft's motivations.

"Now that Microsoft is less dependent on Windows sales and more on services like Azure, it benefits when it treats Linux like a first-class citizen."

According to 9to5Google, Google is working on a native Chrome OS app for printing and scanning documents. From the report: While there are many ways to start printing on Chrome OS, there's no real way to see what you've currently got queued to print, when not using Cloud Print [which is shutting down at the end of the year]. This is particularly frustrating if you've accidentally printed a long document as there's no way to cancel. [...] Late last month, work began on a new "Print Management app," starting with a Chrome OS specific flag in chrome://flags. Print Management is still in the early stages of development but we know that, like many Chrome OS apps, it'll be a web-based System Web App (SWA), which you can launch from the printers section of the main Settings app. Inside, you'll see a list of your recent printing attempts, including useful information like the job's name, what time it started, whether it succeeded, and which printer it was sent to.

And then, of course, on the flip side of working with paper documents is scanning, which is by no means easy to do on Chrome OS. Thankfully, Print Management will also include a UI for scanning documents and photos. The Chromium team is already working on this behind yet another flag.

A vulnerability in version 3.1.1 of the Server Message Block (SMB) -- the service that's used to share files, printers, and other resources on local networks and over the internet -- can allow attacks to execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in an advisory. Ars Technica reports: The flaw, which is tracked as CVE-2020-0796, affects Windows 10, versions 1903 and 1909 and Windows Server versions 1903 and 1909, which are relatively new releases that Microsoft has invested huge amounts of resources hardening against precisely these types of attacks. Patches aren't available, and Tuesday's advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said, "Beyond the advisory you linked, nothing else to share from Microsoft at this time."

In the meantime, Microsoft said vulnerable servers can be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. Users can use the following PowerShell command to turn off compression without needing to reboot the machine: "Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force." That fix won't protect vulnerable client computers or servers if they connect to a malicious SMB service, but in that scenario, the attacks aren't wormable. Microsoft also recommended users block port 445, which is used to send SMB traffic between machines.

"Motherboard built and analyzed a database of over 500 iPhones seized by law enforcement," writes Slashdot reader em1ly. "It's a deep dive into the ongoing "Going Dark" conversation." Here's an excerpt from the report: Most of all, the records compiled by Motherboard show that the capability to unlock iPhones is a fluid issue, with an ebb and flow of law enforcement sometimes being able to access devices and others not. The data solidifies that some law enforcement officials do have trouble accessing data stored on iPhones. But ultimately, our findings lead experts to circle back to the fundamental policy question: should law enforcement have guaranteed access to iPhones, with the trade-offs in iPhone security that come with that?

Out of 516 analyzed cases, 295 were marked as executed. Officials from the FBI, DEA, DHS, Homeland Security and Investigations, the Bureau of Alcohol, Tobacco, Firearms and Explosives were able to extract data from iPhones in investigations ranging from arson, to child exploitation, to drug trafficking. And investigators executed warrants against modern iPhones, not just older models. In some cases, investigators obtained photos, text messages, call records, browsing data, cookies, and location data from seized iPhones. Some executed search warrants explicitly mention the type of extraction performed, such as so-called "Logical" or "Advanced Logical" extraction. The latter is a term with a meaning that varies between different phone data extraction companies, but generally it relates to creating a device backup as iTunes does normally and obtaining some more data on top of that, Vladimir Katalov, the CEO of iOS forensics firm Elcomsoft, told Motherboard. Katalov said those backups can contain the sorts of pieces of data that investigators obtained, and is available to all models of iPhone.

Amazon has sold millions of Fire TV streaming devices in recent years, but its efforts to expand the Fire TV platform to smart TVs and cable set-top boxes have been slow-going. That's not by accident, according to industry insiders: They say Google has long prevented consumer electronics manufacturers from doing business with Amazon, reports news outlet Protocol. From the report: At the center of Google's efforts to block Amazon's smart TV ambitions is the Android Compatibility Commitment -- a confidential set of policies formerly known as the Anti-Fragmentation Agreement -- that manufacturers of Android devices have to agree to in order to get access to Google's Play Store. Google has been developing Android as an open-source operating system, while at the same time keeping much tighter control of what device manufacturers can do if they want access to the Play Store as well as the company's suite of apps. For Android TV, Google's apps include a highly customized launcher, or home screen, optimized for big-screen environments, as well as a TV version of its Play Store.

Google policies are meant to set a baseline for compatible Android devices and guarantee that apps developed for one Android device also work on another. The company also gives developers some latitude, allowing them to build their own versions of Android based on the operating system's open source code, as long as they follow Google's compatibility requirements. However, the Android Compatibility Commitment blocks manufacturers from building devices based on forked versions of Android, such as Fire TV OS, that are not compatible with the Google-sanctioned version of Android. This even applies across device categories, according to two sources: Manufacturers that have signed on to the Android Compatibility Commitment for their mobile phone business are effectively not allowed to build Fire TV devices.

Apple Watch will add the ability to detect blood oxygen levels for the first time, 9to5Mac has learned based on an exclusive look at iOS 14 code snippets. From the report: Blood oxygen levels between 95 and 100% are considered healthy; blood oxygen levels below 80% may lead to compromised heart and brain functionality. Risk of respiratory or cardiac arrest is common after continued low blood oxygen saturation. To that end, Apple is developing a new health notification based on the vital measurement. When Apple Watch detects low blood oxygen saturation below a certain threshold, a notification will trigger alerting the user similar to current heart rate notifications.

It's unclear at this point what hardware and software will be required for blood oxygen detection and notifications. It's possible future Apple Watch Series 6 hardware will be required for the new health feature. It could also come to all or newer Apple Watch models with watchOS 7 in the fall. The original Apple Watch hardware is believed to be capable of measuring blood oxygen levels through the built-in heart rate monitor. Apple upgraded the heart rate monitor with Apple Watch Series 4, adding electrocardiogram features, but Apple Watch hasn't offered blood oxygen measurement features yet. Other hardware and software features have also been leaked, such as details about an upcoming iPad Pro with three cameras and Apple's Tile-like item trackers, called AirTags.

Sonos is reversing course on a plan to brick all trade-in devices, so if someone wants to give or sell you a used speaker, it will still work. For now. Ars Technica reports: Sonos launched its "trade up" program last October. Consumers who owned a handful of older devices would receive a 30 percent discount on newer models if they traded in their old versions -- a fairly typical program for expensive electronics, all things considered. The company drew customers' ire with one important deviation from others' trade-in programs, though. Although the company does indeed sell refurbished equipment, devices users traded in through the program were destined not to become part of that cycle. Instead, Sonos straight up bricked them.

Completing the trade-in process required putting your device in "recycle mode," which not only wipes all of the user's personal data but also permanently deactivates the product. Once a Sonos product has been deactivated, the company says, "the product cannot be re-added to any system or used to set up a new Sonos system, even if the product has been reset to its factory settings," and the decision to deactivate it is irreversible. Instead of bringing in old products and refurbishing or reselling them, Sonos tells users to bring them to an e-waste center or send it back to Sonos for component recycling. In recent days, however, Sonos quietly removed the recycle mode option from its app, replacing it with a prompt to call customer service. Additionally, the company now says it's working on posting a new trade-in flow to its website, which will remove recycle mode from the process.

An anonymous reader shares a report: FreeNAS is a free and open source operating system designed for network-attached storage (NAS) devices. For much of the past decade, the project has been led by the folks at iXsystems, which has also produced an enterprise version of the software called TrueNAS. Now iXsystems has announced that FreeNAS and TrueNAS are merging. Moving forward there will be a single operating system called TrueNAS rather than two different, but closely related operating systems. According to the company, the latest versions of the operating systems (FreeNAS 11.3 and TrueNAS 11.3) already share about 95-percent of the same source code. Starting with TrueNAS 12, there will only be a single OS image. But the company will offer two editions:
TrueNAS CORE: open source edition
TrueNAS Enterprise: commercial version with enterprise management and support.

According to a report from The Information, Apple plans to introduce a trackpad-equipped keyboard attachment for the iPad Pro alongside its new iPad Pro models sometime this year. Ars Technica reports: This would make Apple's iPad Pro compete more directly with Microsoft's Surface lineup, with 2-in-1 convertible laptops, and with various Chrome OS devices. Apple's iPad has sold well in the marketplace, but power users often complain that its interface is not always suitable for heavy duty work. According to The Information's source, the new keyboards would be made by Foxconn, a major manufacturing partner to Apple that operates primarily in China. The report did not provide much insight on how the spread of the coronavirus might affect this product's launch, though there have been other reports of supply-line problems with Foxconn and other Apple partners in China that may impact the launches of Apple products planned for 2020.

Numerous rumors previously suggested that the iPad Pro refresh was due in the next couple of months, but the coronavirus-related supply struggles have led to uncertainty about Apple's plans. The refreshed tablet is surely still coming, but the timeline is unclear. But if this report is true, it looks like this update could be about more than just nicer cameras and faster processors.