Somebody got a little trigger happy with the big red Windows Update button last week as a broken Intel audio driver was unleashed on users “by mistake”.

It has been a hellish couple of weeks for the Windows giant following the launch of the troubled October update for its flagship operating system. Not content with mysterious file deletions and borking HP computers thanks to a “known incompatibility” with drivers for an obscure bit of hardware (aka the “keyboard”), it seems audio is next in the firing line.

The issue was an updated driver, taking the Intel Audio Controller to version, which left some users shouting on social media while their PCs remained stubbornly silent.

As a sad-faced engineer in a high-visibility vest reset the “days without a Windows Update incident” clock back to zero, Microsoft rapidly pulled the update to work out what was happening.

According to the software giant, the Intel driver was “incorrectly pushed to devices via Windows Update” and advice was published on manually rolling back the borked update.

Microsoft pushed out an update to fix the broken update for versions 1709, 1803 and 1809 of Windows 10 over the weekend in the form of KB4468550. Some users, however, may believe that letting the Windows Update bull loose in their OS china shop to glue back together what it broke last time may be a step too far.

Microsoft is to be commended for its swift action in identifying and dealing with the problem. This does not, however, excuse the pushing out of code via Windows Update that, once again, left a portion of users with broken computers. We’ve contacted Microsoft to find out how this driver found its way into the update package and will update when we get a response.


'Do Not Track,' the Privacy Tool Used by Millions of People, Doesn't Do Anything

When you go into the privacy settings on your browser, there’s a little option there to turn on the “Do Not Track” function, which will send an invisible request on your behalf to all the websites you visit telling them not to track you. A reasonable person might think that enabling it will stop a porn site from keeping track of what she watches, or keep Facebook from collecting the addresses of all the places she visits on the internet, or prevent third-party trackers she’s never heard of from following her from site to site. According to a recent survey by Forrester Research, a quarter of American adults use “Do Not Track” to protect their privacy. (Our own stats at Gizmodo Media Group show that 9% of visitors have it turned on.) We’ve got bad news for those millions of privacy-minded people, though: “Do Not Track” is like spray-on sunscreen, a product that makes you feel safe while doing little to actually protect you.

“Do Not Track,” as it was first imagined a decade ago by consumer advocates, was going to be a “Do Not Call” list for the internet, helping to free people from annoying targeted ads and creepy data collection. But only a handful of sites respect the request, the most prominent of which are Pinterest and Medium. (Pinterest won’t use offsite data to target ads to a visitor who’s elected not to be tracked, while Medium won’t send their data to third parties.) The vast majority of sites, including this one, ignore it.

Screenshot: Do Not Track option on various browsers (From top to bottom: Firefox, Safari, Chrome, Brave)

Yahoo and Twitter initially said they would respect it, only to later abandon it. The most popular sites on the internet, from Google and Facebook to Pornhub and xHamster, never honored it in the first place. Facebook says that while it doesn’t respect DNT, it does “provide multiple ways for people to control how we use their data for advertising.” (That is of course only true so far as it goes, as there’s some data about themselves users can’t access.) From the department of irony, Google’s Chrome browser offers users the ability to turn off tracking, but Google itself doesn’t honor the request, a fact Google added to its support page some time in the last year. A Google spokesperson says Chrome lets users “control their cookies” and that they can also “opt out of personalized ads via Ad Settings and the AdChoices industry program” which results in a user not having “ads targeted based on inferred interests, and their user identifier will be redacted from the real-time bid request.”

There are other options for people bothered by invasive ads, such as an obscure opt-out offered by an alliance of online advertising companies, but that only stops advertising companies from targeting you based on what they know about you, not from collecting information about you as you browse the web, and if a person who opts out clears their cookies—a good periodic privacy practice—it clears the opt-outs too, which is why technologists suggested the DNT signal as an easier, clearer way of stopping tracking online.

“It is, in many respects, a failed experiment,” said Jonathan Mayer, an assistant computer science professor at Princeton University. “There’s a question of whether it’s time to declare failure, move on, and withdraw the feature from web browsers.”

That’s a big deal coming from Mayer: He spent four years of his life helping to bring Do Not Track into existence in the first place.

Why do we have this meaningless option in browsers? The main reason why Do Not Track, or DNT, as insiders call it, became a useless tool is that the government refused to step in and give it any kind of legal authority. If a telemarketer violates the Do Not Call list, they can be fined up to $16,000 per violation. There is no penalty for ignoring Do Not Track.

Percentage of visitors to Gizmodo Media Group’s sites whose browsers are requesting they not be tracked

In 2010, the Federal Trade Commission endorsed the idea of Do Not Track, but rather than mandating its creation, the Obama administration encouraged industry to figure out how it should work via a “multistakeholder process” that was overseen by W3C, an international non-governmental organization that develops technical standards for the web. It wound up being an absolutely terrible idea.

Technologists quickly came up with the code necessary to say “Don’t track me,” by having the browser send out a “DNT:1” signal along with other metadata, such as what machine the browser is using and what font is being displayed. It was a tool similar to “robots.txt,” which can be inserted into the HTML of a web page to tell search engines not to index that page so it won’t show up in search results. The “stakeholders” involved in the DNT standard-setting process—mainly privacy advocates, technologists, and online advertisers—couldn’t, though, come to an agreement about what a website should actually do in response to the request. (The W3C did come up with a recommendation about what websites and third parties should do when a browser sends the signal—namely, don’t collect their personal data, or de-identify it if you have to—but the people that do the data collection never accepted it as a standard.)
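What honoring the signal could look like on the server side, as an added example that is not from the article or from any site it names: the request's DNT header is read, and a DNT:1 visitor gets a de-identified analytics record and no third-party tags. The record fields, the `vid` cookie name and the IP truncation policy are assumptions made for illustration.

```python
import ipaddress
from http.cookies import SimpleCookie


def dnt_preference(headers):
    """Return 'opt-out' for DNT: 1, 'opt-in' for DNT: 0, else 'unset'."""
    for name, value in headers.items():
        if name.lower() == "dnt":  # header names are case-insensitive
            return {"1": "opt-out", "0": "opt-in"}.get(value.strip(), "unset")
    return "unset"


def coarse_ip(addr):
    """De-identify an address by zeroing its host part.

    Assumed policy: keep a /24 for IPv4 and a /48 for IPv6.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def access_record(headers, remote_addr, path):
    """Build the analytics record a site would store for one request."""
    pref = dnt_preference(headers)
    record = {"path": path, "dnt": pref}
    if pref == "opt-out":
        # Honour the signal: no identifiers, coarse IP, no third-party tags.
        record.update(ip=coarse_ip(remote_addr), third_party_tags=False)
        return record
    lower = {k.lower(): v for k, v in headers.items()}
    cookies = SimpleCookie(lower.get("cookie", ""))
    record.update(
        ip=remote_addr,
        user_agent=lower.get("user-agent"),
        referer=lower.get("referer"),
        # "vid" is a hypothetical first-party visitor cookie.
        visitor_id=cookies["vid"].value if "vid" in cookies else None,
        third_party_tags=True,
    )
    return record


# Constructed request headers for the demonstration.
BASE = {"User-Agent": "ExampleBrowser/1.0", "Referer": "https://example.org/a",
        "Cookie": "vid=abc123; theme=dark"}
WITH_DNT = dict(BASE, DNT="1")

if __name__ == "__main__":
    print(access_record(BASE, "203.0.113.77", "/post/1"))
    print(access_record(WITH_DNT, "203.0.113.77", "/post/1"))
```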

“Do Not Track could have succeeded only if there had been some incentive for the ad tech industry to reach a consensus with privacy advocates and other stakeholders—some reason why a failure to reach a negotiated agreement would be a worse outcome for the industry,” said Arvind Narayanan, a professor at Princeton University who was one of the technologists at the table. “Around 2011, the threat of federal legislation brought them to the negotiating table. But gradually, that threat disappeared. The prolonged negotiations, in fact, proved useful to the industry to create the illusion of a voluntary self-regulatory process, seemingly preempting the need for regulation.”

The biggest obstacle was advertisers who didn’t want to give up delicious data and revenue streams; they insisted that DNT would “kill online growth” and stymied the process. (You can chart the death of Do Not Track by the declining number of emails sent around on the W3C list-serv.) By the time the debate was winding down at the end of 2013, it wasn’t even about not tracking people, just not targeting them, meaning trackers could still collect the data but couldn’t use it to show people intrusive ads based on what they’d collected. The inability to reach a compromise on what DNT should be led sites like Reddit to declare “there is no accepted standard for how a website should respond to [the Do Not Track] signal, [so] we do not take any action in response to this signal.”

To demonstrate their theoretical support for DNT—or from a more skeptical perspective, to garner some positive press—Google, Microsoft, Apple, Mozilla, and others started offering the “Do Not Track” option in their respective browsers, but absent a consensus around the actions required in response to the DNT:1 signal, these browsers are just screaming for privacy into a void.

“It’s really sad that companies are not listening to their users and put weak and misleading pretexts to not respect their choice of privacy,” said Andrés Arrieta, tech projects manager at the Electronic Frontier Foundation, who attempted in 2017 to breathe life back into Do Not Track by establishing a new standard for what websites should do when they see someone send the DNT:1 signal. (Everyone ignored it.)

“It would have been better for the web if DNT had worked. It was the polite option: Users could signal their preferences and websites would honor those preferences,” said Mayer by phone. “The alternative is the non-polite option of ad-blocking and cookie blocking, which is the way the conversation is now moving. In a world without DNT, ad-blocking has taken off.”

Every year, more people turn on adblockers, much to websites’ chagrin, causing publishers to institute paywalls and use pop-up requests to beg people to turn the blockers off. (You can see the latter by browsing our sites here at Gizmodo Media Group). Apple and Mozilla are both building tools into their browsers to block third-party tracking; in Firefox’s case, it will be by default.

Dennis Buchheim, a senior vice president at online advertising group IAB’s Tech Lab, said in a statement that DNT, as designed, was too blunt an instrument and didn’t allow users to “exempt their trusted sites, effectively limiting users to all-or-nothing.” He calls Apple’s and Mozilla’s new anti-tracking offerings “a poor but logical evolution of the intentions of DNT” and hopes for a more “collaborative approach” that involves users telling sites one-by-one what tracking they’re willing to allow.

Meanwhile, tracking is becoming even more intrusive and spilling over into the real world, with phones emitting ultrasonic sounds and Google tracking Android users’ locations despite their stated preferences. By not giving people a real choice about whether they are willing to be tracked, the internet remains locked in an arms race over privacy, with new tools and methods constantly being created to try to subvert the desires of the party on the other side of the data divide. Meanwhile, lawmakers in D.C. continue their decades of empty talk about passing a federal privacy law to regulate online data-brokering. If they finally succeed this year, the primary motivation is to overrule a robust privacy law recently passed in California, which is not the purest of motives.

Given that most people involved see Do Not Track as a failed experiment, what do we do with it now? At least one browser is considering getting rid of the option.

“Mozilla has been a strong supporter of the DNT concept but is disappointed by the low rate of adoption across the industry,” said Firefox product lead Peter Dolanjski in a statement sent via email. “That is why we have announced plans for a stronger set of default protections that do not depend on sites independently deciding whether to respect user intent. We will be evaluating what to do with the DNT setting as we implement these protections.”

Many of the technologists and privacy advocates who pushed for the Do Not Track option a decade ago admit that the setting could give users a false expectation of privacy, but they remain stubbornly attached to it.

“The flag gives websites a strong signal of the demand for privacy from their users,” said Narayanan by email.

Some think “Do Not Track” shouldn’t be abandoned because of the hope that it might one day finally be empowered to actually do something.

“We have seen strong Do Not Track adoption by users, rather than by companies, with millions of users’ privacy requests ignored,” said Aleecia McDonald, an assistant professor at Carnegie Mellon University, who helped oversee the DNT process. “The push for privacy in Europe could use Do Not Track as a technical mechanism, as could California’s new Consumer Privacy law.”

In other words, we have a tool that works for telling the internet that a person wants privacy. The problem is that the companies that dominate the internet are, for the most part, plugging their ears and saying, “Nah, nah, nah, nah, I don’t hear you, nah, nah, nah, nah, I don’t hear you,” and will continue to do so until the government forces them to take their fingers out of their ears.

Gabe Weinberg, the founder of the private search engine DuckDuckGo, which doesn’t track any of its users, may have framed it best. He thinks that unless a federal law that “gives some real regulatory teeth to Do Not Track” passes, the option “should be removed from all browsers because it is otherwise misleading, giving people a false sense of security.”

Until that happens, please know that if you turn on “Do Not Track,” it’s not doing anything to protect you unless you’re surfing Pinterest or reading Medium while logged out. It’s one thing to tell someone you want to be left alone, and another to get them to care.


Fake Adobe Flash Updates Hide Malicious Crypto Miners

A fake Adobe update actually updates victims’ Flash – but also installs malicious cryptomining malware.

While fake Flash updates that push malware have traditionally been easy to spot and avoid, a new campaign has employed new tricks that stealthily download cryptocurrency miners on Windows systems.

To the average user, the newly discovered samples, which have been active as early as August, seem legitimate. The samples act as Flash updates, borrowing pop-up notifications from the official Adobe installer, and even actually updating a victim’s Flash Player to the latest version.

Unbeknownst to the victims, while the legitimate Flash update has occurred, a tricky XMRig cryptocurrency miner is quietly downloaded and runs in the background of the infected Windows computers.

“A recent type of fake Flash update has implemented additional deception,” said Brad Duncan, Threat Intelligence Analyst with Palo Alto Networks’ Unit 42 group, in a post about the new campaign Thursday. “As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”

While searching for fake Flash updates, researchers noticed Windows executable file names starting with AdobeFlashPlayer, from non-Adobe, cloud-based web servers. The downloads always contain the string “flashplayer_down.php?clickid=” in the URL.

Duncan said he could not determine how potential victims were arriving at the URLs delivering the fake Flash updates, however.

Network traffic during the infection process consists mainly of the Flash update. Interestingly, the infected Windows host generates an HTTP POST request to [osdsoft[.]com], a domain associated with updaters or installers pushing cryptocurrency miners.

But, the research team noticed that their infected systems soon generated traffic associated with the XMRig cryptocurrency mining over TCP port 14444 – as the malicious cryptominer began to take sway and utilize the systems’ power for mining.
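The network indicators described above can be checked together against proxy and flow logs. The following is an added example, not code from Unit 42 or the article: the log line format, the indicator labels, the Adobe allow-list and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted in the article.
URL_MARKER = "flashplayer_down.php?clickid="
EXE_PREFIX = "AdobeFlashPlayer"
POST_DOMAIN = "osdsoft[.]com".replace("[.]", ".")  # refanged for matching
MINER_PORT = 14444
# Assumption: domains treated as genuine Adobe download hosts.
ADOBE_DOMAINS = ("adobe.com",)

def in_domain(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def http_hits(method, url):
    """Indicators matched by one HTTP request."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    hits = set()
    if URL_MARKER in url:
        hits.add("fake-flash-url")
    if name.startswith(EXE_PREFIX) and name.lower().endswith(".exe") \
            and not in_domain(parts.hostname, ADOBE_DOMAINS):
        hits.add("adobe-named-exe-off-adobe")
    if method.upper() == "POST" and in_domain(parts.hostname, (POST_DOMAIN,)):
        hits.add("installer-beacon")
    return hits

def scan(lines):
    """Group indicator hits by source host.

    Assumed (hypothetical) log format, one event per line:
    '<src> HTTP <method> <url>' or '<src> FLOW <proto> <dst_ip>:<dst_port>'.
    """
    found = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and fields[1] == "HTTP":
            found[fields[0]] |= http_hits(fields[2], fields[3])
        elif len(fields) == 4 and fields[1] == "FLOW":
            port = fields[3].rsplit(":", 1)[-1]
            if fields[2].upper() == "TCP" and port == str(MINER_PORT):
                found[fields[0]].add("tcp-14444")
    return {src: hits for src, hits in found.items() if hits}

def likely_infected(found):
    """Hosts showing a download indicator AND follow-up miner-side activity."""
    download = {"fake-flash-url", "adobe-named-exe-off-adobe"}
    followup = {"installer-beacon", "tcp-14444"}
    return sorted(s for s, h in found.items() if h & download and h & followup)

# Constructed sample events (documentation IPs and example.net hosts).
SAMPLE = [
    "192.0.2.10 HTTP GET http://files.example.net/flashplayer_down.php?clickid=abc123",
    "192.0.2.10 HTTP GET http://files.example.net/dl/AdobeFlashPlayer_sample.exe",
    f"192.0.2.10 HTTP POST http://{POST_DOMAIN}/",
    "192.0.2.10 FLOW TCP 198.51.100.7:14444",
    "192.0.2.20 HTTP GET https://get.adobe.com/flashplayer/AdobeFlashPlayer_setup.exe",
    "192.0.2.30 FLOW TCP 198.51.100.9:443",
    "192.0.2.40 HTTP GET http://mirror.example.net/AdobeFlashPlayer_x.exe",
]

if __name__ == "__main__":
    print(likely_infected(scan(SAMPLE)))
```

A single indicator, such as an Adobe-named executable from another host, is only a lead; the correlation step ranks hosts that also show the POST or the port 14444 traffic.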

While the Adobe pop-up and update features make the fake installer seem more legitimate, potential victims will still receive warning signs about running downloaded files on their Windows computer, said Duncan.

“This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs,” the research team said. “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”


RIP, Google+: long ailing and finished off by a security bug

There was a time when you could get the smartest people at Google to do the stupidest things you could imagine by getting Yahoo to do them first; thankfully that era ended -- only to be replaced by an era in which every stupid thing Facebook did became a bucket-list item for Google management.

The peak of this was when Google set out to create a social network and tasked every googler with making it a success. The company decided to call this network Google+, and decided that the longstanding, widely used plus-sign (which historically was used in search queries to mean "must have" as in +cory +doctorow) would be unilaterally repurposed for use in its social network.

Googlers' bonuses were tied to their ability to integrate Google+ into every product Google offered, creating an ever-tightening noose around Google users who had no interest in using G+.

To make matters worse, Google decided to ape Facebook's privacy-invading, nonsensical "real names" policy, insisting that every user use their legal name and putting Google in the unenviable position of deciding (for example) when a trans person could stop using their deadname, or when an indigenous person's name was "real" enough for use, or when people fleeing domestic violence could use an alias.

By the time Google+ rolled out, there was already nascent discontent with Facebook. Google+ offered all the downsides of Facebook, but with fewer of the people you wanted to connect with.

Years later, G+ is a sad also-ran. What's more, the company just discovered an extremely grave bug in the system that would have allowed for serious privacy violations. Though the company says it has fixed the bug, it's taken the opportunity to simply shut down G+ for "consumers" (the service will persist for enterprise users, who apparently use it).

In the product's obituary, Google wrote that Google+ "has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps."

One bright spot in all this: the defect in Google+ was discovered through "Project Strobe," a serious privacy and security audit of every Google product.

Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain. Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs:

* Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.

* The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.

* This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.


Microsoft now faces a big Windows 10 quality test after botched update

Microsoft has pulled its latest Windows 10 update offline after some users complained of missing files. It’s the latest in a string of incidents with regular patches and Microsoft’s larger Windows 10 updates that have been causing issues for some PC users this year. While Microsoft tests Windows 10 with millions of beta testers, there are signs that this public feedback loop isn’t always working. Earlier this year Microsoft delayed its April 2018 Windows 10 update due to last minute Blue Screen of Death issues, and then had to fix desktop and Chrome freezing issues after it was shipped to more than 600 million machines.

Microsoft now faces questions over how these updates have caused big issues, and why the company didn’t pick them up in testing. These questions are especially relevant as it appears Microsoft was warned about both of these major bugs before the company shipped the April and October 2018 updates. Reports of the desktop freezing bug were submitted multiple times by testers earlier this year, but don’t appear to have been flagged as a bigger problem because they weren’t up voted.


Likewise, the recent data deletion issue was flagged in feedback reports from months before Microsoft released the October 2018 Update last week. It’s still not clear how many are affected by this current issue, but it’s enough to have forced Microsoft to pull the update entirely — an unusual step for the company.

Microsoft’s big change for Windows 10 was listening to its customers after the Windows 8 disaster. Instead of developing the operating system behind closed doors, the company opened it up for everyone to test early access to builds and help report issues. It was a daunting prospect for then-Windows chief Terry Myerson, who admitted in a 2015 interview with The Verge that “you’re putting it out there when it’s not done, then you’re getting all kinds of feedback and stuff that you know is broken.”

Microsoft may have been relying on its Windows Insider program too much for Windows 10, though. Microsoft largely phased out its dedicated Software Test Engineer (STE) roles for Windows during a huge round of layoffs a year ahead of the Windows 10 release. Instead, it has favored developers testing their own work, or reports from the Windows Insider feedback program.

Hal Berenson, who spent years working at Microsoft as a distinguished engineer, believes there are three possibilities for this latest data deletion bug shipping to the public. “(1) They couldn’t isolate the problem and decided it was rare enough to ship anyway. (2) Automated filtering tools failed to catch that this was a serious issue despite rarity. (3) They put in a fix, but it didn’t fix all cases,” says Berenson in a tweet. “My actual vote is on #3, because I’ve seen that happen many times in my career.”

Microsoft has not yet revealed exactly why this deletion bug made it into the Windows 10 October 2018 Update, but it’s unlikely the company ever will. A support article reveals Microsoft is investigating “isolated reports” of documents going missing after the Windows 10 October 2018 Update is installed. Microsoft’s Windows Insider chief, Dona Sarkar, says affected users should call Microsoft’s support line as the company has “the tools to get you back to a good state.”

Either way, it’s not a good look for Microsoft’s Windows 10 feedback program. Microsoft was bold in its move to allow anyone to test Windows 10, but it now needs to recognize some of these issues with Windows software quality. Windows 10 is also facing a number of issues related to regular monthly security update patches, and those even forced enterprise patching veteran Susan Bradley to write an open letter to Microsoft earlier this year. The company’s response to these issues is now a big test for Windows 10, which has been generally well received. If Microsoft is truly listening to customers then now is the time to prove it.
