Google released Chrome 88 this week — and besides improving its dark mode support, they removed support for both Adobe Flash and FTP.

PC World calls it “the end of two eras.”

The most noteworthy change in this update is what’s not included. Chrome 88 lays Adobe Flash and the FTP protocol to rest. RIP circa-2000 Internet.
Neither comes as a surprise, though it’s poetic that they’re being buried together. Adobe halted Flash Player downloads at the end of 2020, making good on a promise made years before, and began blocking Flash content altogether a couple weeks later. Removing Flash from Chrome 88 is just Google’s way of flushing the toilet.

On the other hand, FTP isn’t dead, but it is now for Chrome users. The File Transport Protocol has helped users send files across the Internet for decades, but in an era of prolific cloud storage services and other sharing methods, its use has waned. Google started slowly disabling FTP support in Chrome 86, per ZDNet, and now you’ll no longer be able to access FTP links in the browser. Look for standalone FTP software instead if you need it, such as FileZilla.

That’s not all. Mac users should be aware that Chrome 88 drops support for OS X 10.10 (OS X Yosemite). Yosemite released in 2014 and received its last update in 2017…

But Google killing Flash and FTP might be the footnotes that hit old-school web users in the feels.

Chrome 88 will also block non-encrypted downloads originating from an encrypted page, the article reports. And the Verge notes Chrome also offers less intrusive website permission requests (as an experimental feature enabled from chrome://flags/#permission-chip ), while Bleeping Computer describes Chrome 88’s new experimental feature for searching through all your open tabs.

And Chrome’s blog points out some additional features under the hood:

Chrome 88 will heavily throttle chained JavaScript timers for hidden pages in particular conditions. This will reduce CPU usage, which will also reduce battery usage. There are some edge cases where this will change behavior, but timers are often used where a different API would be more efficient, and more reliable.

Read more of this story at Slashdot.

Source: Slashdot – Chrome 88 Released, Removing Adobe Flash — and FTP

Long-time Slashdot reader SonicSpike shares a recent Wired.com article that purports to reveal “how law enforcement gets around your smartphone’s encryption.”

Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS.

Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade’s worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently, using special hacking tools…

once you unlock your device the first time after reboot, lots of encryption keys start getting stored in quick access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone. Based on available reports about smartphone access tools, like those from the Israeli law enforcement contractor Cellebrite and US-based forensic access firm Grayshift, the researchers realized that this is how almost all smartphone access tools likely work right now. It’s true that you need a specific type of operating system vulnerability to grab the keys — and both Apple and Google patch as many of those flaws as possible — but if you can find it, the keys are available, too…

Forensic tools exploiting the right vulnerability can grab even more decryption keys, and ultimately access even more data, on an Android phone.

The article notes the researchers shared their findings with the Android and iOS teams — who both pointed out the attacks require physical access to the target device (and that they’re always patching vulnerabilities).

Read more of this story at Slashdot.

Source: Slashdot – How Law Enforcement Gets Around Your Smartphone’s Encryption

NBC News reports:

A number of pro-Trump extremists used Facebook to plan their attack on the U.S. Capitol, a watchdog organization has found, contradicting claims by Facebook’s leadership that such planning was largely done on other sites.

Private Facebook groups spent months advising one another about how to “take down” the U.S. government, particularly after Joe Biden was elected president, according to a report from the nonprofit Tech Transparency Project, which tracked several of them. Many of the groups specifically talked about traveling to the Capitol on Jan. 6, the date Congress counted the electoral votes that affirmed Biden’s victory.”Calls to ‘occupy Congress’ were rampant on Facebook in the weeks leading up to the deadly Capitol riot, making no secret of the event’s aims,” the report found… A sample recruitment call by a page called “Florida Patriots” said, “We are actively seeking well armed citizens to join our emergency response unit in all zones.”
BuzzFeed News notes the report contradicts earlier remarks from Sheryl Sandberg deflecting blame for the event:

Last week, Facebook Chief Operating Officer Sheryl Sandberg said the company had acted appropriately to prevent election misinformation and the incitement of violence, and attempted to pin the blame on smaller websites and apps with less content moderation. “I think these events were largely organized on platforms that don’t have our abilities to stop hate, don’t have our standards, and don’t have our transparency,” Sandberg said in an interview with Reuters.

Facebook spokespeople have since tried to walk this statement back, noting that Sandberg made the point earlier in the interview that the platform played a role in fomenting the unrest.

Read more of this story at Slashdot.

Source: Slashdot – Report Finds Extremists Did Use Facebook to Plan Capitol Attack

David Leonhardt won a Pulitzer Prize for commentary in 2011. This week in a New York Times newsletter, he argues that early in the pandemic experts around the world mistakenly discouraged mask use because of “a concern that people would rush to buy high-grade medical masks, leaving too few for doctors and nurses. The experts were also [at the time] unsure how much ordinary masks would help.”

But are they now spreading a similarly misguided pessimism about vaccines?

Right now, public discussion of the vaccines is full of warnings about their limitations: They’re not 100 percent effective. Even vaccinated people may be able to spread the virus. And people shouldn’t change their behavior once they get their shots…

“It’s going to save your life — that’s where the emphasis has to be right now,” Dr. Peter Hotez of the Baylor College of Medicine said. The Moderna and Pfizer vaccines are “essentially 100 percent effective against serious disease,” Dr. Paul Offit, the director of the Vaccine Education Center at Children’s Hospital of Philadelphia, said. “It’s ridiculously encouraging.”

Here’s my best attempt at summarizing what we know:

– The Moderna and Pfizer vaccines — the only two approved in the U.S. — are among the best vaccines ever created, with effectiveness rates of about 95 percent after two doses. That’s on par with the vaccines for chickenpox and measles. And a vaccine doesn’t even need to be so effective to reduce cases sharply and crush a pandemic.
– If anything, the 95 percent number understates the effectiveness, because it counts anyone who came down with a mild case of Covid-19 as a failure. But turning Covid into a typical flu — as the vaccines evidently did for most of the remaining 5 percent — is actually a success. Of the 32,000 people who received the Moderna or Pfizer vaccine in a research trial, do you want to guess how many contracted a severe Covid case? One.

Although no rigorous study has yet analyzed whether vaccinated people can spread the virus, it would be surprising if they did.

The article suggests less-positive messages are being conveyed in part because “As academic researchers, they are instinctively cautious, prone to emphasizing any uncertainty.”

But the article ultimately concludes that in fact, “the evidence so far suggests that the vaccines are akin to a cure.”

Read more of this story at Slashdot.

Source: Slashdot – Are Experts Underselling the Effectiveness of Covid-19 Vaccines?

Earlier this week security experts disclosed details on seven vulnerabilities impacting Dnsmasq, “a popular DNS software package that is commonly deployed in networking equipment, such as routers and access points,” reports ZDNet. “The vulnerabilities tracked as DNSpooq, impact Dnsmasq, a DNS forwarding client for *NIX-based operating systems.”

Slashdot reader Joe2020 shared Help Net Security’s quote from Shlomi Oberman, CEO and researcher at JSOF. “Some of the bigger users of Dnsmasq are Android/Google, Comcast, Cisco, Red Hat, Netgear, and Ubiquiti, but there are many more. All major Linux distributions offer Dnsmasq as a package, but some use it more than others, e.g., in OpenWRT it is used a lot, Red Hat use it as part of their virtualization platforms, Google uses it for Android hotspots (and maybe other things), while, for example Ubuntu just has it as an optional package.”

More from ZDNet:
Dnsmasq is usually included inside the firmware of various networking devices to provide DNS forwarding capabilities by taking DNS requests made by local users, forwarding the request to an upstream DNS server, and then caching the results once they arrive, making the same results readily available for other clients without needing to make a new DNS query upstream. While their role seems banal and insignificant, they play a crucial role in accelerating internet speeds by avoiding recursive traffic…

Today, the DNSpooq software has made its way in millions of devices sold worldwide [including] all sorts of networking gear like routers, access points, firewalls, and VPNs from companies like ZTE, Aruba, Redhat, Belden, Ubiquiti, D-Link, Huawei, Linksys, Zyxel, Juniper, Netgear, HPE, IBM, Siemens, Xiaomi, and others. The DNSpooq vulnerabilities, disclosed today by security experts from JSOF, are dangerous because they can be combined to poison DNS cache entries recorded by Dnsmasq servers. Poisoning DNS cache records is a big problem for network administrators because it allows attackers to redirect users to clones of legitimate websites…

In total, seven DNSpooq vulnerabilities have been disclosed today. Four are buffer overflows in the Dnsmasq code that can lead to remote code execution scenarios, while the other three bugs allow DNS cache poisoning. On their own, the danger from each is limited, but researchers argue they can be combined to attack any device with older versions of the Dnsmasq software…

The JSOF exec told ZDNet that his company has worked with both the Dnsmasq project author and multiple industry partners to make sure patches were made available to device vendors by Tuesday’s public disclosure.

Read more of this story at Slashdot.

Source: Slashdot – How DNSpooq Attacks Could Poison DNS Cache Records