Google planning changes to Chrome that could break ad blockers
The APIs that ad blockers depend on are also popular among malicious extensions. ...
To replace webRequest, Google has proposed a new API, declarativeNetRequest. With this new API, instead of having the browser ask the extension what to do with each and every request, the extension declares to the browser "block requests that look like X, redirect requests that look like Y, and allow everything else." These declarations can use some simple wildcards but are otherwise very simple. Chrome itself can then compare each URL to X and Y and take appropriate action.
The new API also offers no way to modify the response at all.
Not every ad blocker will necessarily fall afoul of the new restrictions. The syntax for declaring blocked URLs for the new declarativeNetRequest API is very similar to that already used by AdBlock Plus, for example, so that blocker should be able to adapt to the new API easily enough. But anything with more rules, or more complex rules, is going to be out of luck. In a bug tracking Manifest V3's progress and related discussion thread, authors of, among other things, NoScript and uBlock Origin both say that the new API is not sufficient for their extensions.
Developers of other blocking tools have also expressed concern. The same API is used by a range of anti-phishing/anti-malware extensions. These extensions work in much the same way as the ad blockers—matching URLs against a blacklist—but they have additional secrecy concerns. As the developer of anti-phishing extension blockade.io explains, the URLs for their extension blocks are stored only in a hashed form. The new API requires the URLs to be provided in plain, readable text. Using a plaintext list would make it easier for malware distributors and phishers to see that their sites have been blacklisted; it would also make the list a useful resource for anyone on the lookout for sites actively exploiting browser flaws.
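Added example, not part of the quoted article or any extension's own code: a hashed blocklist checked per request by extension code, next to the same list expressed as declarative rules, whose patterns must be readable text. The hostnames are constructed samples, the rule fields follow the declarativeNetRequest rule shape (`id`, `priority`, `action`, `condition.urlFilter`), and `isBlockedDeclarative` is a simplified stand-in for the browser's matcher.

```javascript
// Added example: constructed data, Node.js standard library only.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Constructed sample blocklist (hypothetical hosts under the reserved .example TLD).
const PLAINTEXT_HOSTS = ["phish.example", "malware-cdn.example"];

// What a hashed-list extension ships: digests only, no readable hostnames.
const HASHED_LIST = new Set(PLAINTEXT_HOSTS.map(sha256));

// webRequest-style check: extension code runs per request, hashes the
// hostname and each parent domain, and looks for a digest match.
function isBlockedHashed(url, hashedList) {
  const labels = new URL(url).hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (hashedList.has(sha256(labels.slice(i).join(".")))) return true;
  }
  return false;
}

// declarativeNetRequest-style rules: the browser does the matching, so each
// condition must carry the pattern itself in readable form.
function toDeclarativeRules(hosts) {
  return hosts.map((host, i) => ({
    id: i + 1,
    priority: 1,
    action: { type: "block" },
    condition: { urlFilter: `||${host}^` },
  }));
}

// Simplified stand-in for the browser's matcher; handles only "||host^".
function isBlockedDeclarative(url, rules) {
  const hostname = new URL(url).hostname;
  return rules.some((r) => {
    const host = r.condition.urlFilter.slice(2, -1);
    return hostname === host || hostname.endsWith("." + host);
  });
}

// Anyone who unpacks the extension can read the declarative list back out.
function recoverableHosts(rules) {
  return rules.map((r) => r.condition.urlFilter.slice(2, -1));
}
```

Both checks block the same requests; the difference is that `recoverableHosts` returns the full list from the declarative rules, while the hashed set contains only digests.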
Today's Google Doodle:
Celebrating the 225th birthday of Friedlieb Ferdinand Runge the chemist who identified caffeine.
“If everyone fought for their own convictions there would be no war.”
― Leo Tolstoy, War and Peace
freshly revealed in an email newsletter
About Chrome is within the Help submenu of the options pulldown.
Stop what you're doing and update Chrome. Do it now.
Just as we were going to send, a days late this week and perhaps fortunately so, news broke of a Chrome 0-day vulnerability that allows remote attackers to execute arbitrary code on the victim’s computers and take control of the device. This vulnerability has been assigned CVE-2019-5786 and is being actively exploited in the wild right now:
"Without revealing technical details of the vulnerability, the Chrome security team only says the issue is a use-after-free vulnerability in the FileReader component of the Chrome browser, which leads to remote code execution attacks.”
If you haven’t done this before, just open Chrome, click on the “Chrome” pulldown and select “About Chrome”, at the top of that box it will show you your version and whether there is an update available. While you’re in there you could enable automatic updates.
Read: https://thehackernews.com/2019/03/updat ... -hack.html
And: https://cve.mitre.org/cgi-bin/cvename.c ... -2019-5786
EU regulators hit Google with $1.7 billion fine for blocking ad rivals
PUBLISHED 3 HOURS AGO | UPDATED AN HOUR AGO
EU regulators slap the Alphabet unit with a fine for stifling ad competition.
It’s the third antitrust fine from Brussels to hit Google.
The European Union on Wednesday ordered Google to pay 1.49 billion euros ($1.69 billion) for stifling competition in the online advertisement sector.
The European Commission said Google had placed exclusivity contracts on website owners, stopping them from including search results from Google’s rivals. It said these clauses were replaced in 2009 by premium payments and in the same year, Google had asked publishers to seek permission on how rival ads were displayed.
The EU’s competition commissioner, Margrethe Vestager, said Google had prevented rivals from being able to “compete and innovate fairly” in the online ad market.
“Google has cemented its dominance in online search adverts and shielded itself from competitive pressure by imposing anti-competitive contractual restrictions on third-party websites. This is illegal under EU antitrust rules,” Vestager said in Brussels.
https://www.cnbc.com/2019/03/20/eu-vest ... e-for.html
PENTAGON SAYS ALL OF GOOGLE’S WORK ON DRONES IS EXEMPT FROM THE FREEDOM OF INFORMATION ACT
March 25 2019, 7:54 p.m.
IN SEPTEMBER 2017, Aileen Black wrote an email to her colleagues at Google. Black, who led sales to the U.S. government, worried that details of the company’s work to help the military guide lethal drones would become public through the Freedom of Information Act. “We will call tomorrow to reinforce the need to keep Google under the radar,” Black wrote.
According to a Pentagon memo signed last year, however, no one at Google needed worry: All 5,000 pages of documents about Google’s work on the drone effort, known as Project Maven, are barred from public disclosure, because they constitute “critical infrastructure security information.”
One government transparency advocate said the memo is part of a recent wave of federal decisions that keep sensitive documents secret on that same basis — thus allowing agencies to quickly deny document requests.
“It is the path of least resistance that enables the agency to avoid detailed review of records.”
It’s been a full year since the first reports of Google’s work on Project Maven, and the public still knows precious little beyond the basic gist of the story: that Maven would use artificial intelligence to help pick out drone targets faster and more easily, and that Google backed out of its Maven contract amid staff outcry. (Maven is now linked to defense startup Anduril Industries.) Black’s email was obtained and partially published by The Intercept last year.
https://theintercept.com/2019/03/25/goo ... agon-foia/
YouTube TV adds channels and raises price—you can’t opt out of either change
YouTube TV raises price from $40 to $50 for new and existing customers.
JON BRODKIN - 4/11/2019, 5:44 PM
YouTube launched its competitor to cable TV two years ago, charging $35 a month, but it's now over 40 percent more expensive.
Google raised the price of YouTube TV to $40 in March 2018 and yesterday announced it's raising the price again, this time to $49.99. In both cases, the Google-owned streaming TV service paired the price hike with extra channels, but subscribers have to pay the new, higher price whether they want the new channels or not.
"To keep bringing you the best service possible, we are also updating our membership pricing," YouTube TV told subscribers in an email yesterday. "The price for new and existing members will be $49.99/month."
The new price is effective immediately for people who sign up for new YouTube TV service, Google said. Existing subscribers will pay the higher rate "in their subsequent billing cycle after May 13."
The price is higher still for customers who get billed through Apple—they'll pay $54.99/month to account for the fees Apple charges distributors. But you can order service on YouTube's website to avoid the $5 markup.
https://arstechnica.com/information-tec ... er-change/
Google reportedly ends business with Huawei, will cut it off from Play Store [Updated]
Trump's Huawei ban means no early access to Android Q, no Google app ecosystem.
RON AMADEO - 5/20/2019, 3:47 PM
Update: Statements from Google and Huawei, other companies join the ban
Huawei sent a statement to Ars Technica and others about the ban, saying "Huawei will continue to provide security updates and after-sales services to all existing Huawei and Honor smartphone and tablet products, covering those that have been sold and that are still in stock globally. We will continue to build a safe and sustainable software ecosystem, in order to provide the best experience for all users globally."
Google issued only a terse one-liner, saying "We are complying with the order and reviewing the implications." On Twitter, the company's official Android account was a bit friendlier, saying "For Huawei users' questions regarding our steps to comply w/ the recent US government actions: We assure you while we are complying with all US gov't requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device."
https://arstechnica.com/gadgets/2019/05 ... lay-store/
Google recalls Titan Security Key due to hijack risk
Google has offered free replacements to owners of the Bluetooth Low Energy version of the Titan Security Key, after a vulnerability was discovered in the device.
Google introduced the Titan Security Key at its Cloud Next ’18 convention as a physical USB device that eliminated the need to input usernames and passwords. The security key is easy to set up, taking only a few minutes to provide better protection against phishing attacks compared to other two-step authentication methods.
The technology was developed by Google and Yubico, which also helped build a security key with a Bluetooth Low Energy component. Yubico, however, decided not to release such a product because it did not meet the company’s standards for “security, usability, and durability,” and that it was not as secure as NFC and USB.
Yubico’s concern turned out to be well-founded and is exactly what happened with the Bluetooth version of the Titan Security Key, which is sold alongside the USB version. According to Google, a misconfiguration in its Bluetooth pairing protocols makes it possible for an attacker to communicate with the security key or communicate with the device to which the security key is being paired.
https://www.digitaltrends.com/computing ... rity-keys/
Gmail logs your purchase history, undermining Google’s commitment to privacy
Google tracks many of your online purchases, even if they are bought from a non-Google affiliated store like Amazon, according to a report from CNBC this week — a troubling example of the way that Google collects data from the services you use without you being aware of it.
Google has recently tried to portray itself as more focused on privacy; CEO Sundar Pichai wrote a May 7 op-ed in the New York Times saying that “privacy should not be a luxury good.” Yet the reality is that Google, like many internet companies, makes its money from your data. The more data a company has on you, the more accurately it can target advertisements to you specifically.
The “Purchases” page on Google keeps track of many of the purchases that you have made, using digital receipts sent to your Gmail inbox. It seems to track both physical purchases and digital ones, meaning both actual items like clothes or groceries, and services like Apple Care or music MP3s.
https://www.digitaltrends.com/web/gmail ... y-privacy/
Audit suggests Google favors a small number of major outlets
IN THE LAST WEEK OF APRIL, nearly 23 percent of all traffic to news sites tracked by web analytics firm Parse.ly came from search engines. Google alone accounts for nearly half of external referral traffic—traffic, that is, that comes from platforms, apps, and other outside sources— to news sites. Together with the fact that Facebook referral traffic is on the wane, this means that Google’s search algorithm is now perhaps the most powerful mediator of online attention to news.
But for all the influence Google has in directing attention, we know painfully little about how its algorithm selects and curates news. Which sites does it direct traffic toward? And how does Google’s news curation impact the diversity of information found?
To find out, the Computational Journalism Lab at Northwestern, including Daniel Trielli and I, undertook an audit study of the “Top Stories” box on Google search. Top Stories often shows up in the prime real-estate at the top of search results, presenting a carousel of news articles relevant to the query.
https://www.cjr.org/tow_center/google-n ... orithm.php
even the best...
Google says some G Suite user passwords were stored in plaintext since 2005
Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.
The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.
Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.
Google has since removed the feature.
https://techcrunch.com/2019/05/21/googl ... plaintext/
Google Is in U.S. Antitrust Sights as DOJ Gears Up for Probe
By David McLaughlin
June 1, 2019, 2:31 AM GMT+2 Updated on June 1, 2019, 6:20 AM GMT+2
Deal reached with FTC to take over Google-related matters
Enforcers are under pressure to step up scrutiny of big tech
The U.S. Justice Department is preparing to open an antitrust investigation into Alphabet Inc.’s Google, according to a person familiar with the matter, marking the Trump administration’s first major step to scrutinize the potentially anti-competitive conduct of a giant technology firm.
The move comes after the Justice Department reached an agreement with the Federal Trade Commission that scrutiny of the company’s conduct would fall to the department’s antitrust division, according to two people who declined to be identified discussing a confidential matter.
Representatives of Google didn’t immediately respond to a request for comment late Friday. The Justice Department declined to comment.
American antitrust officials are under increasing pressure from both Democratic and Republican lawmakers and advocates of tougher enforcement to step up scrutiny of technology giants like Google and Facebook Inc. While European officials have aggressively pursued antitrust cases against American tech firms, including Google, the U.S. has been mostly hands-off.
https://www.bloomberg.com/news/articles ... l-with-ftc