The release candidate for Winamp version 5.9.1 builds on the groundwork laid by August's 5.9 update to fix some bugs and add new features to the reanimated music player. "Most of these are straightforward updates or improvements to existing features, but because it's 2022, one of the only new features is support for music NFTs," reports Ars Technica. From the report: "Winamp's latest version lets music fans link their Metamask wallet via Brave, Chrome, or Firefox to Winamp. It then connects their favorite music NFTs to their tried-and-true player," the company said in a press release provided to Ars. "Winamp supports audio and video files distributed under both the ERC-721 and ERC-1155 standards, and is launching this new feature for Ethereum and Polygon/Matic protocols." To directly display websites needed to download these NFT playlists, according to the release notes, would require an updated rendering engine for Winamp's in-app browser, which is currently based on Internet Explorer 10.

There's still plenty here for legacy Winamp fans to like, and it's nice to see that all the modernization work done in the 5.9 update is paying off in the form of faster updates. Among many other fixes, the new release includes a "memory footprint reduction," a bandwidth increase for streamed music, an update to OpenSSL 3.0.5, and a few other updates for the underlying codecs and other software that Winamp uses to do its thing. As for the NFT support, Winamp developer Eddy Richman (who goes by the handle "DJ Egg" on the Winamp forums) wrote that people who don't want it can remove it, either during the install process or after Winamp is installed.

An anonymous reader quotes a report from the Washington Post: Major web browsers moved Wednesday to stop using a mysterious software company that certified websites were secure, three weeks after The Washington Post reported its connections to a U.S. military contractor. Mozilla's Firefox and Microsoft's Edge said they would stop trusting new certificates from TrustCor Systems that vouched for the legitimacy of sites reached by their users, capping weeks of online arguments among their technology experts, outside researchers and TrustCor, which said it had no ongoing ties of concern. Other tech companies are expected to follow suit.

The Post reported on Nov. 8 that TrustCor's Panamanian registration records showed the same slate of officers, agents and partners as a spyware-maker identified this year as an affiliate of Arizona-based Packet Forensics, which has sold communication interception services to U.S. government agencies for more than a decade. One of those contracts listed the "place of performance" as Fort Meade, Md., the home of the National Security Agency and the Pentagon's Cyber Command. The case has put a new spotlight on the obscure systems of trust and checks that allow people to rely on the internet for most purposes. Browsers typically have more than a hundred authorities approved by default, including government-owned ones and small companies, to seamlessly attest that secure websites are what they purport to be."Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware," Mozilla's Kathleen Wilson wrote to a mailing list for browser security experts. "Trustcor's responses via their Vice President of CA operations further substantiates the factual basis for Mozilla's concerns."

Firefox developer Mozilla is making a rare foray into the world of mergers and acquisitions, with news that it has snapped up recently-shuttered California-based productivity startup Pulse. From a report: Terms of the deal haven't been disclosed, but the deal is tantamount to an "acqui-hire," with Mozilla looking to deploy the Pulse team across an array of machine learning (ML) projects. "We're acquiring Pulse for the incredible team they have built," Mozilla chief product officer Steve Teixeira told TechCrunch. "As we look to continue to improve user experiences across all of our products, ML will be a core part of that."

Founded out of Menlo Park in 2019, Pulse in its initial guise was a "virtual office" platform called Loop Team, but after honing the idea for a couple of years it pivoted and rebranded last November. Pulse, essentially, was an automated status-updating tool that used signals based on pre-configured integrations and preferences set by the user. For example, users could synchronize Pulse with their calendar and Slack, setting rules to stipulate what their status and corresponding emoji should be based on keywords in their calendar event title. If their schedule for a particular time says "hair appointment" from 12-1pm, then the person's Slack status update might display a scissors emoji alongside the word "haircut." Or, it might say "birthday" alongside a cake emoji if that's what is in their calendar.

Google researchers say they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender. From a report: Variston IT bills itself as a provider of tailor-made Information security solutions, including technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators, custom security patches for proprietary systems, tools for data discovery, security training, and the development of secure protocols for embedded devices.

According to a report from Google's Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices they want to spy on. Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used to exploit n-day vulnerabilities, which are those that have been patched recently enough that some targets haven't yet installed them. Evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero-days. The researchers are disclosing their findings in an attempt to disrupt the market for spyware, which they said is booming and poses a threat to various groups.

The Browser Company's Chromium-based Arc browser "isn't perfect, and it takes some getting used to," writes the Verge. "But it's full of big new ideas about how we should interact with the web — and it's right about most of them." Arc wants to be the web's operating system. So it built a bunch of tools that make it easier to control apps and content, turned tabs and bookmarks into something more like an app launcher, and built a few platform-wide apps of its own. The app is much more opinionated and much more complicated than your average browser with its row of same-y tabs at the top of the screen. Another way to think about it is that Arc treats the web the way TikTok treats video: not as a fixed thing for you to consume but as a set of endlessly remixable components for you to pull apart, play with, and use to create something of your own. Want something to look better or have an idea for what to do with it? Go for it.

This is a fun moment in the web browser industry. After more than a decade of total Chrome dominance, users are looking elsewhere for more features, more privacy, and better UI. Vivaldi has some really clever features; SigmaOS is also betting on browsers as operating systems; Brave has smart ideas about privacy; even Edge and Firefox are getting better fast. But Arc is the biggest swing of them all: an attempt to not just improve the browser but reinvent it entirely....

Right now, Arc is only available for the Mac, but the company has said it's also working on Windows and mobile versions, both due next year. It's still in a waitlisted beta and is still very much a beta app, with some basic features missing, other features still in flux, and a few deeply annoying bugs. But Arc's big ideas are the right ones. I don't know if The Browser Company is poised to take on giants and win the next generation of the browser wars, but I'd bet that the future of browsers looks a lot like Arc....

In a way, Arc is more like ChromeOS than Chrome. It tries to expand the browser to become the only app you need because, in a world where all your apps are web apps and all your files are URLs, who really needs more than a browser?
The article describes Arc as a power user tool with vertical sidebar combining bookmarks, tabs, and apps. (And sets of these can apparently be combined into different "spaces".) These are enhanced with a hefty set of keyboard shortcuts (including tab searching), along with built-in media controls for Twitch/Spotify/Google Meet (as well as a picture-in-picture mode).
BR. Arc even has a shareable, collaborative whiteboard app "Easel". And it also offers powerful features like the ability to rewrite how your browser displays any site's CSS. ("I have one that removes the Trending sidebar from Twitter and another that cleans up my Gmail page.")

Mozilla today released its annual "State of Mozilla" report and for the most part, the news here is positive. From a report: Mozilla Corporation, the for-profit side of the overall Mozilla organization, generated $585 million from its search partnerships, subscriptions and ad revenue in 2021 -- up 25% from the year before. And while Mozilla continues to mostly rely on its search partnerships, revenue from its new products like the Mozilla VPN, Mozilla Developer Network (MDN) Plus, Pocket and others now accounts for $57 million of its revenue, up 125% compared to the previous year. For the most part, that's driven by ads on the New Tab in Firefox and in Pocket, but the security products now also have an annual revenue of $4 million.

With the launch of this year's report, the Mozilla leadership team is also taking some time to look ahead, because in many ways, this is an inflection point for Mozilla. When Mozilla was founded, the internet was essentially the web and the browser was the way to access it. Since then, the way we experience the internet has changed dramatically and while the browser is still one of the most important tools around, it's not the only one. With that, Mozilla, too, has to change. Its Firefox browser has gone from dominating the space to being something of a niche product, but the organization's mission ("to ensure the internet is a global public resource, open and accessible to all") is just as important today -- and maybe more so -- as it was almost 25 years ago when Mozilla was founded.

whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. whoever57 has also shared a unpaywalled link to the story.

An anonymous reader quotes a report from The Verge: Darin Fisher has built a lot of web browsers. A lot of web browsers. He was a software engineer at Netscape early in his career, working on Navigator and then helping turn that app into Firefox with Mozilla. Then, he went to Google and spent 16 years building Chrome and ChromeOS into massively successful products. Last year, he left Google for Neeva, where he worked on ways to build a browser around the startup's search engine. And now, he's leaving Neeva to join The Browser Company and work on Arc, one of the hottest new browsers on the market. Arc, which has been in an invite-only beta for more than a year, is trying to rethink the whole browser UI. It has a sidebar instead of a row of tabs, offers a lot of personalization options, and is meant for people who live their computing life in a browser (which is increasingly most people). CEO Josh Miller often talks about building "the internet computer," too, and using the browser as a way to make the internet more useful.

Fisher has been an advisor to The Browser Company for a while, but Monday is his first official day at the company as a software engineer. Ahead of his new gig, Fisher and I got on a call to talk about why he thinks browsers are due for a reinvention -- and why he thinks a startup is the best place to do it. The answer starts with the browser's defining feature: tabs. Fisher doesn't hate tabs -- in fact, he helped popularize them. But he hates that using a modern browser involves opening a million of them, not being able to find them again, and eventually just giving up and starting all over again. "I remember when tabbed browsing was novel," Fisher says, "and helped people feel less cluttered because you don't have as many windows." But now, "even when I use Chrome," Fisher says, "I get a bunch of clutter. At some point, I just say, 'Forget it, I'm not even going to bother trying to sort through all these tabs. If it's important, I'll open it again.'" Browsers need better systems for helping you manage tabs, not just open more of them.

The best way to improve the browser, Fisher ultimately decided, is to just start from scratch. Arc is full of new ideas about how web browsers can work: it combines bookmarks and tabs into one app switcher-like concept; it makes it easy to search among your open tabs; it has built-in tools for taking notes and making shareable mini websites. The experience can be jarring because it's so different, but Fisher says that's part of what he's excited about. "This is not stuff people haven't talked about before," he says, "but actually putting it together and focusing on it and thinking about the small steps that go a long way, I think that's where there's so much opportunity." Fisher likes to compare a browser to an operating system, which matches with The Browser Company's idea that Arc isn't just a browser but rather an iOS-like system for the open web. "It has task management UI, it has UI for creating and starting a journey, but there's so much more in between," he says. What the iPhone did for native apps, Arc hopes to do for web apps. Fisher says he's interested in improving the way files move around the internet, for instance, finding a better way than the constant downloading and uploading we all do all day. He likes that Arc has a picture-in-picture mode that works by default, pulling your YouTube video out when you switch tabs. All these make the web feel more connected and cohesive rather than just a bunch of tabs in a horizontal line. The Browser Company also plans to reinvent the internet browser for mobile, too. On mobile, in particular, he says, "there are so many opportunities because the starting point is so archaic."

"He's vague on the details of his plans -- and The Browser Company hasn't really started working on a mobile browser yet anyway -- but says that's a big focus for him going forward," adds The Verge.

Firefox 106 is now available for download, bringing various new features and enhancements, such as a new PDF editing feature and new way to organize recently closed tabs. 9to5Linux reports: Mozilla says that Firefox 106 finally brings the long-anticipated two-finger swipe horizontal gesture for navigating back and forward on a website without having to hold down the Alt key. [...] Firefox 106 also introduces annotation capabilities to the built-in PDF viewer so you can write text, draw, or add signatures on PDF files. You'll be able to change the size and color of the text tool, as well as the thickness, opacity, and color of the draw tool.

Another interesting new feature of the Firefox 106 release is called Firefox View, which is implemented as a pinned tab, promising to help you get back to the content you've previously discovered by allowing you to switch seamlessly between your devices running Firefox. On top of all that, Firefox 106 also brings major WebRTC changes to improve Windows and Wayland screen sharing, RTP performance and reliability, statistics, and more. There are also the usual bug and security fixes to make Firefox more stable and reliable on your system.

Firefox Relay, a Mozilla service designed to hide your "real" email address by giving you virtual ones to hand out, is expanding to offer virtual phone numbers. From a report: In a blog post Mozilla product manager Tony Amaral-Cinotto explains that the relay service generates a phone number for you to give out to companies if you suspect they might use it to send you spam messages in the future, or if you think they might share it with others who will. The idea is that handing out this alternative phone number makes it easier to block spam phone calls or texts in the future. You can either block all calls or texts sent to your relay number, or just block specific contacts. Importantly it lets you keep your "real" phone number private, which is something you might want to consider if it's a number you use to receive sensitive information like two-step verification codes via SMS. Once you've signed up, the Firefox phone number masking service offers 50 minutes of incoming calls and 75 text messages a month. The phone number masking service is also more expensive at $4.99 a month (or $3.99 a month when paid annually), while the email service offers a choice between a free tier and a premium tier costing $1.99 a month ($0.99 a month when paid annually).

An anonymous reader quotes a report from Consumer Reports: A Consumer Reports investigation finds that TikTok, one of the country's most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet. That includes people who don't have TikTok accounts. These companies embed tiny TikTok trackers called "pixels" in their websites. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work. To look into TikTok's use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the company's pixels. In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in ".org," ".edu," and ".gov." We wanted to look at those sites because they often deal with sensitive subjects. We found hundreds of organizations sharing data with TikTok.

If you go to the United Methodist Church's main website, TikTok hears about it. Interested in joining Weight Watchers? TikTok finds that out, too. The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance. Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesn't share information from the pages where you can book an appointment. (None of those groups responded to requests for comment.) The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTok's advertising business is exploding, and experts say the data collection will probably grow along with it.

After Disconnect researchers conducted a broad search for TikTok trackers, we asked them to take a close look at what kind of information was being shared by 15 specific websites. We focused on sites where we thought people would have a particular expectation of privacy, such as advocacy organizations and hospitals, along with retailers and other kinds of companies. Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page you're on, and what you're clicking, typing, or searching for, depending on how the website has been set up. What does TikTok do with all that information? "Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services," says Melanie Bosselait, a TikTok spokesperson. The data "is not used to group individuals into particular interest categories for other advertisers to target." If TikTok receives data about someone who doesn't have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says. There's no independent way for consumers or privacy researchers to verify such statements. But TikTok's terms of service say its advertising customers aren't allowed to send the company certain kinds of sensitive information, such as data about children, health conditions, or finances. "We continuously work with our partners to avoid inadvertent transmission of such data," TikTok's Bosselait says. What can you do to protect your personal information? Consumer Reports recommends using privacy-protecting browser extensions like Disconnect, changing your browser's privacy settings to block trackers, and trying a more private browser like Firefox and Brave.

Developer Asahi Lina with the Asahi Linux project was successfully able to get GNOME running on the Apple M1, including "Firefox with YouTube video playback, the game Neverball, various KDE applications, and more," reports Phoronix. From the report: This is some great progress especially with the driver being written in Rust -- the first within the Direct Rendering Manager subsystem -- and lots of work there with the Rust infrastructure in early form. It won't be until at least Linux 6.2 before this driver could be mainlined while we'll see how quickly it tries to go mainline before it can commit to a stable user-space interface. At the moment there is also a significant driver "hack" involved but will hopefully be sorted out soon. Over in user-space, the AGX Gallium3D driver continues being worked on for OpenGL support with hopes of having OpenGL 2.1 completed by year's end. Obviously it will be longer before seeing the Apple graphics suitable for modern gaming with Vulkan, etc but progress is being made across the board in reverse-engineered, open-source Apple Silicon support under Linux. You can watch a video of the driver working here.

Martin Brinkmann writes via gHacks: From next year onward, extensions for Google Chrome and most other Chromium-based browsers, will have to rely on a new extension manifest. Manifest V3 defines the boundaries in which extensions may operate. Current Chromium extensions use Manifest V2 for the most part, even though the January 2023 deadline is looming over the heads of every extension developer. Google is using its might to push Manifest v3, and most Chromium-based browsers, including Microsoft Edge, will follow. [...]

Mozilla announced early on that it will support Manifest v3 as well, but that it would continue to support important APIs that Google limited in Manifest v3. Probably the most important of them all is the WebRequest API. Used by content blockers extensively to filter certain items, it has been replaced by a less powerful option in Manifest v3. While Manifest v3 does not mean the end for content blocking on Chrome, Edge and other Chromium-based browsers, it may limit abilities under certain circumstances. Users who install a single content blocker and no other extension that relies on the same relevant API may not notice much of a change, but those who like to add custom filter lists or use multiple extensions that rely on the API, may run into artificial limits set by Google.

Mozilla reaffirmed this week that its plan has not changed. In "These weeks in Firefox: issue 124," the organization confirms that it will support the WebRequst API of Manifest v2 alongside Manifest v3. Again, a reminder that Mozilla plans to continue support for the Manifest v2 blocking WebRequest API (this API powers, for example, uBlock Origin) while simultaneously supporting Manifest v3.

As antitrust regulators around the world dial up scrutiny of platform power, Mozilla has published a piece of research digging into the at times subtle yet always insidious ways operating systems exert influence to keep consumers locked to using their own-brand browsers rather than seeking out and switching to independent options -- while simultaneously warning that competition in the browser market is vital to ensure innovation and choice for consumers and, more broadly, protect the vitality of the open web against the commercial giants trying to wall it up. TechCrunch: "Billions of people across the globe are dependent on operating systems from the largest technology companies. Amazon, Apple, Google, Microsoft and Meta each provide their own browser on their operating systems and each of them uses their gatekeeper position provider to preference their own browsers over independent rivals. Whether it is Microsoft pushing Firefox users to switch their default on Windows computers, Apple restricting the functionality of rival browsers on iOS smartphones or Google failing to apply default browser settings across Android, there are countless examples of independent browsers being inhibited by the operating systems on which they are dependent," Mozilla writes in a summary of its findings. "This matters because American consumers and society as a whole suffer. Not only do people lose the ability to determine their own online experiences but they also receive less innovative and lower quality products. In addition, they can be forced to accept poorer privacy outcomes and even unfair contracts. By contrast, competition from independent browsers can help to drive new features, as well as innovation in areas like privacy and security."

An anonymous reader quotes a story from the Linux/Open Source news site It's FOSS: While Firefox is still the default web browser in Debian, you can find the Chromium browser in the repositories. Chromium is the open source project upon which Google has built its Chrome web browser. It is also preferred by many Linux users as it provides almost the same features as Google Chrome.

Earlier, Chromium used Google as the default search engine in Debian. However, Debian is going to use DuckDuckGo as the default search engine for Chromium.

It all started when bug report #956012 was filed in April 2020, stating to use DuckDuckGo as the default search engine for the Chromium package. You can see the decision was not taken in any hurry, as the maintainers took more than two years to close the bug report.

The reason for the change goes as stated in the official package update announcement.

Change default search engine to DuckDuckGo for privacy reasons. Set a different search engine under Settings -> Search Engine (closes: #956012).

Slashdot reader storagedude writes: Hackers are stealing cookies from current or recent web sessions to bypass multi-factor authentication (MFA), according to an eSecurity Planet report.

The attack method, reported by Sophos researchers, is already growing in use. The "cookie-stealing cybercrime spectrum" is broad, the researchers wrote, ranging from "entry-level criminals" to advanced adversaries, using various techniques.

Cybercriminals collect cookies or buy stolen credentials "in bulk" on dark web forums. Ransomware groups also harvest cookies and "their activities may not be detected by simple anti-malware defenses because of their abuse of legitimate executables, both already present and brought along as tools," the researchers wrote.

Browsers allow users to maintain authentication, remember passwords and autofill forms. That might seem convenient, but attackers can exploit this functionality to steal credentials and skip the login challenge.

Behind the scenes, browsers use SQLite database files that contain cookies. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates.

Adversaries know the exact name and location of these files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. That's why the attack can be scripted. It's not uncommon to find such scripts along with other modules in info-stealing and other malware.

For example, the latest version of the Emotet botnet targets cookies and credentials stored by browsers, which include saved credit cards. According to the Sophos researchers, "Google's Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data."

To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

The cookies are then used for post-exploitation and lateral movements. Cybercriminals can use them to change passwords and emails associated with user accounts, or trick the victims into downloading additional malware, or even deploy other exploitation tools such as Cobalt Strike and Impacket kit.

Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password. It's recommended that users uncheck the setting called "remember passwords," and users should probably not allow persistent sessions as well.

Developers can be part of the problem if they don't secure authentication cookies properly. Such cookies must have a short expiration date. Otherwise, the persistent authentication could turn into a persistent threat. You can have great security processes and still get hacked because the cookies do not have the necessary flags (e.g., HttpOnly, Secure attribute). For example, authentication cookies must be sent using SSL/TLS channels. Otherwise the data could be sent in plain text and attackers would only have to sniff traffic to intercept credentials.

Meta, the owner of Facebook and Instagram, has been rewriting websites its users visit, letting the company follow them across the web after they click links in its apps, according to new research from an ex-Google engineer. The Guardian reports: The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an "in-app browser," controlled by Facebook or Instagram, rather than sent to the user's web browser of choice, such as Safari or Firefox. "The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

Krause discovered the code injection by building a tool that could list all the extra commands added to a website by the browser. For normal browsers, and most apps, the tool detects no changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, instead call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and build an accurate profile of their interests. The company does not disclose to the user that it is rewriting webpages in this way. No such code is added to the in-app browser of WhatsApp, according to Krause's research. [...] It is unclear when Facebook began injecting code to track users after clicking links. "We intentionally developed this code to honor people's [Ask to track] choices on our platforms," a Meta spokesperson told The Guardian in a statement. "The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels."

They added: "For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."

"Nineteen new GNU releases in the last month," reads a "July GNU Spotlight" announcement from the Free Software Foundation.

Here's (edited and condensed) descriptions of some of the highlights:

• GNU Datamash (version 1.8) — a command-line program performing basic numeric, textual, and statistical operations on input textual data files (designed to work within standard pipelines).

• GNUnet (version 0.17.2) — a framework for secure peer-to-peer networking. "The high-level goal is to provide a strong foundation of free software for a global, distributed network that provides security and privacy. GNUnet in that sense aims to replace the current internet protocol stack. Along with an application for secure publication of files, it has grown to include all kinds of basic applications for the foundation of a GNU internet."

• GnuTLS (version 3.7.7) — A secure communications library implementing the SSL, TLS and DTLS protocols, provided in the form of a C library.

• Jami (version 20220726.1515.da8d1da) — a GNU package for universal communication that respects the freedom and privacy of its users, using distributed hash tables for establishing communication. ("This avoids keeping centralized registries of users and storing personal data.")

• LibreJS (version 7.21.0) — an add-on for GNU Icecat and other Firefox-based browsers that detects non-trivial and non-free JavaScript code from being loaded without your consent when you browse the web. "JavaScript code that is free or trivial is allowed to be loaded."

• GNU Nettle (version 3.8.1) — a low-level cryptographic library. It is designed to fit in easily in almost any context. It can be easily included in cryptographic toolkits for object-oriented languages or in applications themselves.

• GNU Octave (version 7.2.0) — a high-level interpreted language specialized for numerical computations, for both linear and non-linear applications and with great support for visualizing results.

• R (version 4.2.1) — a language and environment for statistical computing and graphics, along with robust support for producing publication-quality data plots. "A large amount of 3rd-party packages are available, greatly increasing its breadth and scope."

• TRAMP (version 2.5.3) — a GNU Emacs package allowing you to access files on remote machines as though they were local files. "This includes editing files, performing version control tasks and modifying directory contents with dired. Access is performed via ssh, rsh, rlogin, telnet or other similar methods."

Click here to see the other new releases and download information.

The FSF announcement adds that "A number of GNU packages, as well as the GNU operating system as a whole, are looking for maintainers and other assistance."

"Facebook has started to use a different URL scheme for site links," writes the technology blog Ghacks, "to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking." Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well....

It is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address.

An anonymous reader quotes a report from Wired: [R]esearchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets' digital lives. The findings (PDF), which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn't necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target's browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser. "If you're an average internet user, you may not think too much about your privacy when you visit a random website," says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they're very stealthy. You just visit the website and you have no idea that you've been exposed."

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it -- the attack works both ways. Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content. [...] Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site -- and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn't available for all browsers.