Month: January 2020

Enlarge / Chrome on Windows 10 as it Rickrolls the NSA. (credit: https://twitter.com/saleemrash1d/status/1217519809732259840/photo/1)

Less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever, a security researcher has demonstrated how attackers can exploit it to cryptographically impersonate any website or server on the Internet.

Researcher Saleem Rashid on Wednesday tweeted images of the video "Never Gonna Give You Up," by 1980s heartthrob Rick Astley, playing on Github.com and NSA.gov. The digital sleight of hand is known as Rickrolling and is often used as a humorous and benign way to demonstrate serious security flaws. In this case, Rashid's exploit causes both the Edge and Chrome browsers to spoof the HTTPS verified websites of Github and the National Security Agency. Brave and other Chrome derivatives, as well as Internet Explorer, are also likely to fall to the same trick. (There's no indication Firefox is affected.)

Rashid's simulated attack exploits CVE-2020-0601, the critical vulnerability that Microsoft patched on Tuesday after receiving a private tipoff from the NSA. As Ars reported, the flaw can completely break certificate validation for websites, software updates, VPNs, and other security-critical computer uses. It affects Windows 10 systems, including server versions Windows Server 2016 and Windows Server 2019. Other versions of Windows are unaffected.

Enlarge / The "App" section of the Chrome Web Store. (credit: Google Chrome)

Chrome's Packaged Apps have been a dead platform for a while now, after a 2016 announcement that the "App" section of Chrome's Web store would be pulled from Windows, Mac, and Linux, leaving Chrome OS as the only supported OS. Today, Google announced that the last supported platform, Chrome OS, is losing access to Chrome apps, too, along with dates to strip the app feature out of Chrome's code base. Google writes it "will begin phasing out support for Chrome Apps across all operating systems as follows:"

• March 2020: Chrome Web Store will stop accepting new Chrome Apps. Developers will be able to update existing Chrome Apps through June 2022.
• June 2020: End support for Chrome Apps on Windows, Mac, and Linux. Customers who have Chrome Enterprise and Chrome Education Upgrade will have access to a policy to extend support through December 2020.
• December 2020: End support for Chrome Apps on Windows, Mac, and Linux.
• June 2021: End support for NaCl, PNaCl, and PPAPI APIs.
• June 2021: End support for Chrome Apps on Chrome OS. Customers who have Chrome Enterprise and Chrome Education Upgrade will have access to a policy to extend support through June 2022.
• June 2022: End support for Chrome Apps on Chrome OS for all customers.

Most Windows, Mac, and Linux users haven't been able to use Chrome packaged apps for years now, as the Web store was shut down for them in 2017. Users on those OSes shouldn't notice a thing, unless they were sideloading packaged apps or getting them though an enterprise management feature. Chrome OS is the real news here, and it will continue to cling to the feature until June 2022.

Chrome OS supports a number of platforms that get presented in the "app" style, so keep in mind only the "Chrome Packaged Apps" are going away. Chrome OS will still keep its app-like shortcuts to websites, along with support for "Progressive Web Apps (PWA)"—Web APIs that support app-style features like push notifications and offline functionality. There's still going to be support for Android apps, which bring the nearly 3 million apps in the Play Store to Chrome OS. Google also points out that "This change does not impact support for Chrome Extensions" and that "Fostering a robust ecosystem of extensions is critical to Chrome's mission, and we are committed to providing a useful extension platform for customizing the browsing experience for all users."

Enlarge / Mozilla's office in San Francisco. (credit: Getty Images | Iuliia Serova)

Mozilla has laid off 70 people, TechCrunch reports. It's a significant move for an organization that employs around 1,000 people worldwide.

"You may recall that we expected to be earning revenue in 2019 and 2020 from new subscription products as well as higher revenue from sources outside of search," wrote Mozilla interim CEO Mitchell Baker in a memo to staff obtained by TechCrunch. "This did not happen."

Baker said Mozilla had decided not to shelve Mozilla's $43 million innovation fund, which focuses on creating new Mozilla products. She said Mozilla would provide "generous exit packages and outplacement support" to those who were let go.

Enlarge / US President Donald Trump speaks about the impeachment inquiry during a tour of the Flextronics computer manufacturing facility where Apple's Mac Pros are assembled in Austin, Texas, on November 20, 2019. Now, he's ranting about Apple being unpatriotic. (credit: MANDEL NGAN/AFP via Getty Images)

On the eve of the House of Representatives' forwarding of articles of impeachment to the Senate, President Donald Trump took time to attack Apple. The president's outburst on Twitter appears to be about the FBI's inability to get access to the physical storage on two iPhones connected to last month's killings at Naval Air Station Pensacola in Florida. And it is the latest ratcheting up of rhetoric from the Trump administration on device encryption.

The phones are believed by the FBI to have been the property of  Mohammed Saeed Alshamrani, the Saudi Air Force officer who was the suspect in the shooting of three members of the US Navy in December. Alshamrani died after being shot by law enforcement, and the devices were locked.

But an Apple spokesperson said that Apple had provided the contents of the cloud backups of those devices to investigators within hours of the shooting, and Apple executives thought the FBI was satisfied with that—until the FBI came back a week ago and asked for additional assistance. It is not clear that Apple has refused that assistance, but the company has resisted providing a way for the government to break the encryption on devices in the past. Apple did this out of concern that breaking open devices would reduce the protection provided to law-abiding customers against theft of their personal data off stolen or otherwise targeted devices.

Enlarge / Huawei sign displayed at CES 2020 in Las Vegas on Wednesday, Jan. 8, 2020. (credit: Getty Images | Bloomberg)

The US government should spend at least $1.25 billion "to invest in Western-based alternatives to Chinese equipment providers Huawei and ZTE," a bipartisan group of six US senators said yesterday.

The senators submitted legislation called the Utilizing Strategic Allied (USA) Telecommunications Act to make that happen, arguing that the US must counter the Chinese government's investments in the telecom sector. The money would come from spectrum-auction proceeds, and the $1.25 billion in grants would be spread out over 10 years. The money would support development of new 5G technology, with a focus on equipment that complies with open standards to ensure "multi-vendor network equipment interoperability."

The senators' announcement said: