Google backtracks—a bit—on controversial Chrome sign-in feature

Privacy-conscious users were unhappy at being signed in to browser without consent.


Google will partially revert a controversial change made in Chrome 69 that unified signing in to Google's online properties with signing in to Chrome itself, and that also preserved Google's cookies even when users chose to clear all cookies. Chrome 70, due in mid-October, will retain the unified sign-in by default, but it will allow those who want to opt out to do so.

Chrome has long had the ability to sign in with a Google account. Doing this offers a number of useful features; most significantly, signed-in users can enable syncing of their browser data between devices, so tabs open on one machine can be listed and opened on another, passwords saved in the browser can be retrieved online, and so on. This signing in uses a regular Google account, the same as would be used to sign in to Gmail or the Google search engine.

Prior to Chrome 69, signing in to the browser was independent of signing in to a Google online property. You could be signed in to Gmail, for example, but signed out of the browser to ensure that your browsing data never gets synced and stored in the cloud. Chrome 69 unified the two: signing in to Google on the Web would automatically sign you in to the browser, using the same account. Similarly, signing out of a Google property on the Web would sign you out of the browser.


Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it

The Meltdown and Spectre flaws—two related vulnerabilities that enable a wide range of information disclosure from every mainstream processor, with particularly severe flaws for Intel and some ARM chips—were originally revealed privately to chip companies, operating system developers, and cloud computing providers. That private disclosure was scheduled to become public some time next week, enabling these companies to develop (and, in the case of the cloud companies, deploy) suitable patches, workarounds, and mitigations.

With researchers figuring out one of the flaws ahead of that planned reveal, that schedule was abruptly brought forward, and the pair of vulnerabilities was publicly disclosed on Wednesday, prompting a rather disorderly set of responses from the companies involved.

There are three main groups of companies responding to the Meltdown and Spectre pair: processor companies, operating system companies, and cloud providers. Their reactions have been quite varied.


Cops: Lottery terminal hack allowed suspects to print more winning tickets

Terminals were manipulated to produce more winning, and fewer losing, tickets.

Six people have been charged in what prosecutors say was a scheme to hack Connecticut state lottery terminals so they produced more winning tickets and fewer losing ones.

At least two of the suspects have been charged with felonies, including first-degree larceny, first-degree computer crimes, and rigging a game, according to an article published by The Hartford Courant. The suspects allegedly owned or worked at retail stores that produced winning tickets in numbers that were much higher than the state average. Of tickets generated at one liquor store, for instance, 76 percent were instant winners in one sample and 59 percent in another sample. The state-wide average, meanwhile, was just 24 percent. After manipulating the terminals, the suspects cashed the tickets and took the proceeds, prosecutors alleged.

The charges come several months after lottery officials suspended a game called the 5 Card Cash after they noticed it was generating more winning tickets than its parameters should have allowed. The game remains suspended. Investigators say more arrests may be made in the future. Almost a year ago, prosecutors in Iowa presented evidence indicating the former head of computer security for the state's lottery association tampered with lottery computers prior to buying a ticket that won a $14.3 million jackpot.


Malwarebytes Bug Bounty Program Goes Live

So the Malwarebytes bug bounty program is live; the official name is actually Malwarebytes Coordinated Vulnerability Disclosure Program – what a mouthful (guidelines here). It’s good to see: bug bounty programs typically tend to have a nett positive effect and end in win-win situations for researchers and software vendors alike. In an…

Read the full post at darknet.org.uk
