Microsoft

Biggest Targets at Pwn2Own Event: Microsoft's Windows, Teams, and Ubuntu Desktop (hothardware.com) 17

As Pwn2Own Vancouver comes to a close, a whopping $1,115,000 has been awarded by Trend Micro and Zero Day Initiative. The 15th anniversary edition saw 17 "contestants" attacking 21 targets, reports Hot Hardware — though "the biggest payouts were for serious exploits against Microsoft's Teams utility." While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.

Windows 11 itself wasn't spared, though. Marcin Wiazowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000....

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked)... Of course, details of the hacks aren't made public, because they're zero-days, after all. That means that they haven't been patched yet, so releasing details of the exploits could allow malicious actors to make use of the bugs. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and others should have their software all sewn up.

With all the points totalled, the winner was Singapore-based cybersecurity company Star Labs, which was officially crowned "Master of Pwn" on Saturday. "They won $270,000 and 27 points during the contest," explains the official Twitter feed for Zero Day Initiative (the judges for the event).

A blog post from Zero Day Initiative describes all 21 attacks, including six successful attacks against Windows, three successful attacks against Teams — and four against Ubuntu Desktop.
Programming

Security Expert Nabs Expired Domain for a Popular NPM Library's Email Address (theregister.com) 16

"Security consultant Lance Vick recently acquired the expired domain used by the maintainer of a widely used NPM package," reports the Register, "to remind the JavaScript community that the NPM Registry still hasn't implemented adequate security." "I just noticed 'foreach' on NPM is controlled by a single maintainer," wrote Vick in a Twitter post on Monday. "I also noticed they let their domain expire, so I bought it before someone else did. I now control 'foreach' on npm, and the 36,826 projects that depend on it."

That's not quite the full story — he probably could have taken control but didn't. Vick acquired the lapsed domain that had been used by the maintainer to create an NPM account and is associated with the "foreach" package on NPM. But he said he didn't follow through with resetting the password on the email account tied to the "foreach" package, which is fetched nearly six million times a week. In an email to the Register, Vick explained... "I did not log into the account, as again, that crosses a line. I just sent a password reset email and bailed.

"Regardless of how much control I have over this particular package, which is unclear, NPM admits this particular expired domain problem is a known issue, citing this 2021 [research paper] which says, 'We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the NPM accounts.' In other words, anyone poking around is going to find accounts easy to take over in this way. I was not lucky or special." His point, which he has been trying for several years to communicate to those overseeing NPM — a part of GitHub since March 2020 — is that taking over the NPM account of a popular project to conduct a software supply chain attack continues to be too easy.

Part of the problem is that JavaScript developers often use packages that implement simple functions that are either already built into the language, like forEach, or ought to be crafted manually to avoid yet another dependency, like left-pad (now built-in as padStart). These trivial packages get incorporated into other packages, which may in turn become dependencies in different packages, thereby making the compromise of something like "foreach" a potentially far-reaching security incident.

But Vick argues that with so many upstream attack vectors, "We are all just trusting strangers on the internet to give us good candy from their truck," according to the Register. Their article points out that on Tuesday GitHub launched a beta test of improved 2FA security for all its NPM accounts — which Vick calls "a huge win... [T]hat is the best way to protect accounts. We in the security community have been demanding this for years."

But he's still worried about the possibility of email addresses with weak two-factor authentication or compromised NPM employees, and would like to see NPM implement cryptographic signatures for code. "I am talking with a member of their team tomorrow and we will see where this goes."
The Internet

Microsoft Edge Overtakes Safari As World's Second Most Popular Desktop Browser (macrumors.com) 100

Microsoft Edge has overtaken Apple's Safari to become the world's second most popular desktop browser, based on data provided by web analytics service StatCounter. MacRumors reports: According to the data, Microsoft Edge is now used on 10.07 percent of desktop computers worldwide, 0.46 percent ahead of Safari, which stands at 9.61 percent. Google Chrome remains in first place with a dominant 66.64 percent share, and Mozilla's Firefox stands in fourth with 7.86 percent. As the default Windows 11 browser, the popularity of Edge has crept up in recent months, with the first concrete signs that it would surpass Safari to take second place coming in February, when it was used on 9.54 percent of desktops globally. Back in January 2021, Safari held a 10.38 percent market share, indicating a gradual slippage in popularity over the last 14 months.

Meanwhile, first-placed Chrome has seen its user base increase incrementally over that time, but perhaps surprisingly, Firefox has leaked users since the beginning of the year, despite regular updates and improvements. That suggests Safari's hold on third place isn't in immediate danger, having lost only 0.23 percent share since February, but things could always change fast if Apple decides to introduce sweeping changes to the way Safari works in macOS 13 later this year.
It's a different story when it comes to mobile platforms, notes MacRumors. "In StatCounter's analysis, Edge doesn't even make it into the top six browsers on mobile, but first-placed Chrome commands 62.87 of usage share, with Safari on iPhones and iPads taking a comfortable 25.35 percent in second place, 20.65 percent ahead of third-placed Samsung Internet, with 4.9 percent."
Firefox

Mozilla Celebrates the Release of Firefox 100 (mozilla.org) 77

vm shares the blogpost of Mozilla releasing Firefox 100, and outlines some of thoughts: Out of the ashes of Netscape/AOL, Firebird rose as a promising new browser. A significant name change and a hundred releases later, Firefox 100 is still the underdog that keeps on fighting. With my mounting annoyance at all the Google services underpinning Chrome, I've since discovered and used Ungoogled Chromium, Waterfox, LibreWolf, and a handful of other lesser known spins on Chrome or Firefox. On mobile, Brave really does the best job at ad blocking whether you're on iOS or Android but the Mozilla Foundations is probably still the largest dev group fighting the good fight when it comes to both privacy and security enhancements.That's not to say that the Chromium team isn't security savvy -- I only wish they were just a little less Google. Anyhow, tell us about your favorite browser in the comments and have a look at Mozilla's latest release while you're at it.
Privacy

Mental Health Apps Have Terrible Privacy Protections, Report Finds (theverge.com) 22

As a category, mental health apps have worse privacy protections for users than most other types of apps, according to a new analysis from researchers at Mozilla. Prayer apps also had poor privacy standards, the team found. From a report: "The vast majority of mental health and prayer apps are exceptionally creepy," Jen Caltrider, the Mozilla *Privacy Not Included guide lead, said in a statement. "They track, share, and capitalize on users' most intimate personal thoughts and feelings, like moods, mental state, and biometric data." In the latest iteration of the guide, the team analyzed 32 mental health and prayer apps. Of those apps, 29 were given a "privacy not included" warning label, indicating that the team had concerns about how the app managed user data. The apps are designed for sensitive issues like mental health conditions, yet collect large amounts of personal data under vague privacy policies, the team said in the statement. Most apps also had poor security practices, letting users create accounts with weak passwords despite containing deeply personal information.
EU

Apple's Grip On iOS Browser Engines Disallowed Under Latest Draft EU Rules (theregister.com) 74

Europe's Digital Markets Act -- near-finalized legislation to tame the internet's gatekeepers -- contains language squarely aimed at ending Apple's iOS browser restrictions. The Register reports: The Register has received a copy of unpublished changes in the proposed act, and among the various adjustments to the draft agreement is the explicit recognition of "web browser engines" as a service that should be protected from anti-competitive gatekeeper-imposed limitations. Apple requires that competing mobile browsers distributed through the iOS App Store use its own WebKit rendering engine, which is the basis of its Safari browser. The result is that Chrome, Edge, and Firefox on iOS are all, more or less, Safari.

That requirement has been a sore spot for years among rivals like Google, Mozilla, and Microsoft. They could not compete on iOS through product differentiation because their mobile browsers had to rely on WebKit rather than their own competing engines. And Apple's browser engine requirement has vexed web developers, who have been limited to using only the web APIs implemented in WebKit for their web apps. Many believe this barrier serves to steer developers toward native iOS app development, which Apple controls.

The extent to which Apple profits from the status quo has prompted regulatory scrutiny in Europe, the UK, the US, and elsewhere. [...] Now those efforts have been translated into the text of the DMA, which, alongside the Digital Services Act (DSA), defines how large technology gatekeepers will be governed in Europe. [...] In short, when the DMA takes effect in 2024, it appears that Apple will be required to allow browser competition on iOS devices.
"The potential for a capable web has been all but extinguished on mobile because Apple has successfully prevented it until now," said Alex Russell, partner program manager on Microsoft Edge who worked previously as Google Chrome's first web standards tech lead. "Businesses and services will be able to avoid building 'apps' entirely when enough users have capable browsers."

"There's a long road between here and there," he added. "Apple has spent enormous amounts to lobby on this, and they aren't stupid. Everyone should expect them to continue to play games along the lines of what they tried in Denmark and South Korea."
Unix

OpenBSD 7.1 Released with Support for Apple M1, Improvements for ARM64 and RISC-V (openbsd.org) 26

"Everyone's favorite security focused operating system, OpenBSD 7.1 has been released for a number of architectures," writes long-time Slashdot reader ArchieBunker, "including Apple M1 chips."

Phoronix calls it "the newest version of this popular, security-minded BSD operating system." With OpenBSD 7.1, the Apple Silicon support is now considered "ready for general use" with keypad/touchpad support for M1 laptops, a power management controller driver added, I2C and SPI controller drivers, and a variety of other driver additions for supporting the Apple Silicon hardware.

OpenBSD 7.1 also has a number of other improvements benefiting the 64-bit ARM (ARM64) and RISC-V architectures. OpenBSD 7.1 also brings SMP kernel improvements, support for futexes with shared anonymous memory, and more. On the graphics front there is updating the Linux DRM code against the state found in Linux 5.15.26 as well as now enabling Intel Elkhart Lake / Jasper Lake / Rocket Lake support.

The Register notes OpenBSD now "supports a surprisingly wide range of hardware: x86-32, x86-64, ARM7, Arm64, DEC Alpha, HP PA-RISC, Hitachi SH4, Motorola 88000, MIPS64, SPARC64, RISC-V 64, and both Apple PowerPC and IBM POWER." The Register's FOSS desk ran up a copy in VirtualBox, and we were honestly surprised how quick and easy it was. By saying "yes" to everything, it automatically partitioned the VM's disk into a rather complex array of nine slices, installed the OS, a boot loader, an X server and display manager, plus the FVWM window manager. After a reboot, we got a graphical login screen and then a rather late-1980s Motif-style desktop with an xterm.

It was easy to install XFCE, which let us set the screen resolution and other modern niceties, and there are also KDE, GNOME, and other pretty front-ends, plus plenty of familiar tools such as Mozilla apps, LibreOffice and so on....

We were expecting to have to do a lot more work. Yes, OpenBSD is a niche OS, but the project gave the world OpenSSH, LibreSSL, the PF firewall as used in macOS, much of Android's Bionic C library, and more besides.... In a world of multi-gigabyte OSes, it's quite refreshing. It felt like stepping back into the early 1990s, the era of Real Unix, when you had to put in some real effort and learn stuff in order to bend the OS to your will — but in return, you got something relatively bulletproof.

Wikipedia

Wikipedia Community Votes To Stop Accepting Cryptocurrency Donations (arstechnica.com) 40

waspleg writes: More than 200 long-time Wikipedia editors have requested that the Wikimedia Foundation stop accepting cryptocurrency donations. The foundation received crypto donations worth about $130,000 in the most recent fiscal year -- less than 0.1 percent of the foundation's revenue, which topped $150 million last year. In her proposal for the Wikimedia Foundation, GorillaWarfare added that 'Bitcoin and Ethereum are the two most highly used cryptocurrencies, and are both proof-of-work, using an enormous amount of energy.' According to one widely cited estimate, the bitcoin network consumes around 200 TWh of energy per year. That's about as much energy as is consumed by 70 million people in Thailand. And it works out to around 2,000 kWh per bitcoin transaction.

Bitcoin defenders countered that bitcoin's energy usage is driven by its mining process, which consumes about the same amount of energy regardless of the number of transactions. So accepting any given bitcoin donation won't necessarily lead to more carbon emissions. But cryptocurrency critics argued that Wikimedia's de facto endorsement of cryptocurrencies may help to push up their price. And the more expensive bitcoin is, the more energy miners will devote to creating new ones. If the foundation complies with the community's request, it wouldn't be the first organization to stop using cryptocurrencies due to environmental concerns. Earlier this month, the Mozilla Foundation announced it would stop accepting cryptocurrencies that use the energy-intensive proof-of-work consensus process. These include bitcoin and ether -- though the latter is expected to convert to a proof-of-stake model in the future.

Microsoft

Microsoft is Finally Making it Easier To Switch Default Browsers in Windows 11 (theverge.com) 39

Microsoft is finally making it easier to change your default browser in Windows 11. A new update (KB5011563) has started rolling out this week that allows Windows 11 users to change the default browser with a single click. After testing the changes in December, this new one-click method is rolling out to all Windows 11 users. From a report: Originally, Windows 11 shipped without a simple button to switch default browsers that was always available in Windows 10. Instead, Microsoft forced Windows 11 users to change individual file extensions or protocol handlers for HTTP, HTTPS, .HTML, and .HTM, or you had to tick a checkbox that only appeared when you clicked a link from outside a browser. Microsoft defended its decision to make switching defaults harder, but rival browser makers like Mozilla, Brave, and even Google's head of Chrome criticized Microsoft's approach.
Mozilla

Mozilla Launches Paid Subscriptions To Its Developer Network (techcrunch.com) 23

Mozilla today launched MDN Plus, a paid subscription product on top of the existing (and recently re-designed) Mozilla Developer Network (MDN), one of the web's most popular destinations for finding documentation and code samples related to web technologies like CSS, HTML and JavaScript. From a report: The new subscription offering will introduce features like notifications, collections (think lists of articles you want to save) and MDN offline for when you want to access MDN when you're not online. There will be three subscription tiers: MDN core, a free limited version of the paid plans; MDN Plus 5, with access to notifications, collections and MDN offline for $5 per month or $50 per year; and MDN Supporter 10 for those who are willing to pay a bit more to support the platform in addition to getting a direct feedback channel to the MDN team (as well as "pride and joy," Mozila says). As the name implies, that more expensive plan will cost $10 a month or $100 for an annual subscription.
Firefox

Two Years After Chrome and Edge, Firefox is Getting AV1 Hardware Acceleration (neowin.net) 44

Firefox is finally gaining proper AV1 support. Neowin reports: According to an update made to a post on Bugzilla, the Mozilla Foundation is finally ready to add hardware acceleration for the AV1 video format. Developers plan to implement improved AV1 support in the upcoming release of Firefox 100, scheduled to arrive on May 3, 2022. Hardware acceleration for AV1 video brings several noticeable benefits to customers. The standard developed by Alliance for Open Media and initially released in March 2018 offers better video compression than H.264 (about 50%) and VP9 (about 20%). Shifting AV1 video processing from software to hardware improves efficiency and reduces energy consumption, resulting in better battery life on tablets and laptops. Google and Microsoft announced hardware-accelerated AV1 video in Chrome and Edge in late 2020. Mozilla, on the other hand, did not rush to introduce improved AV1 support in Firefox. While it is easy to dunk on Firefox, there is a reason why developers took their time. Hardware-accelerated AV1 video is not something you can add to any computer with Windows 10, and it requires a PC with the most recent and powerful hardware.
Twitter

Twitter Leads Call for EU Lawmakers To 'Think Beyond Big Tech' (techcrunch.com) 23

In a formalization of an earlier Twitter-led push to try to exert influence over fast-forming European digital regulations, the social media firm has used its Twitter Spaces platform to host the official kick off of a policy advocacy lobby group that's being branded the Open Internet Alliance (OIA). From a report: Alongside Twitter, video streaming platform Vimeo; Automattic, the company behind WordPress.com, WooCommerce and Tumblr; the Czech and Slovak focused search engine company, Seznam; and Jodel, a Berlin-based (profile-less) social network, are named as founding members. Twitter said the establishment of this formal lobbying alliance has been some two years in the making. Notably Mozilla -- which had joined Twitter, Auttomatic and Vimeo in a earlier call for incoming EU digital regulations to support better user controls to tackle bad speech rather than hone in on content censorship -- is not being named as a founding member so appears to be sitting this one out. At the time of writing it's unclear why Mozilla is missing. But the Alliance is putting out a wider call for other "middle-layer" Internet companies to join the initiative -- so the grouping may grow in size.

Albeit -- very clearly -- big tech need not apply.

Speaking during a Twitter Spaces event today to discuss the formation of the alliance, Sinead McSweeney, Twitter's global policy VP, said the group is making a plea to lawmakers to think about the wider web ecosystem -- rather than see the Internet as "a monolith" comprised of just a handful of tech giants. "Our plea in aid of the open Internet is that [lawmakers] not view the Internet as a monolith, nor indeed view it as fixing the Internet solving all of societies problems," she said, urging policymakers to: "Take a wider focus when they're looking at solutions -- not look at the Internet just through the lens of a handful of companies. And really think about the entire ecosystem -- and get away from this sense 'oh big tech is the problem.' Because -- in actual fact, in their efforts to tackle so called 'big tech -- that is all we may end up with."

Open Source

Arch Linux Turns 20 (neowin.net) 29

"Arch Linux, the rolling Linux distribution that powers Valve's Steam Deck is now 20 years old," reports Neowin.

Slashdot reader segaboy81 writes that "What's cool to see here is that everything changed behind the scenes, but on the surface, things are the same." From the article: Announced on March 11th, 2002, and codenamed Homer, version 0.1 was released to minor fanfare. The release notes were a far cry from today's, essentially announcing it had broken ground and the foundation was going in, as it were.

Homer's release notes:

I've finally got a bootable iso image on the ftp site. The bad news is that you don't get a pretty interactive installer. But if you wanted one of those, you would have gone with RedHat, right? ;)

I'll try to get the docs up for ABS (Arch Build System) which, IMHO, is one of the best advantages of Arch. With ABS, you can easily create new packages, and it's trivial to rebuild existing packages with your own customizations....


It shipped with Linux kernel 2.4.18 which many of the Linux old-timers (myself included) will remember was right before we started to get nice things like auto-mounting USB drives in kernel 2.6. XFree86 4.2.0 was also in stow, which is what we now call Xorg. If you wanted to build software, you had to use an absolutely ancient gcc toolchain (2.95.3). Web browsing was covered by the ghost of Netscape Navigator, Mozilla 0.9.9. Heady days, these were!

Chrome

Google Says Chrome on macOS is Now Faster Than Safari (techcrunch.com) 44

As Google announced today, version 99 of Chrome on macOS manages to score 300 points on the Speedometer benchmark, which was originally developed by Apple's WebKit team. This, Google points out, is the fastest performance of any browser yet. TechCrunch: Speedometer 2.0 tests for responsiveness, which makes it a good proxy for user experience. It's been a while since competition in the browser market focused on speed, especially now that most vendors bet on the same Chromium codebase to build their browsers (with the exception of Mozilla's Firefox and Apple's WebKit-based Safari). But that doesn't mean that the various development teams stopped thinking about how to speed up the user experience. As with a lot of mature technologies, we're just not seeing major breakthroughs these days. That doesn't mean the rivalry between the different vendors has stopped, even as they are now getting together as part of Interop 2022 to better align their browsers with web standards.
Media

Qualcomm Will Support AV1 Video Codec In 2023, Report Says (arstechnica.com) 36

Protocol reports that Qualcomm will finally jump on the AV1 video codec bandwagon next year. Ars Technica reports: AV1 is the web's next open, royalty-free video codec, and widespread adoption will require hardware support from the world's chip vendors. Qualcomm's 2022 flagship SoC, the Snapdragon 8 Gen 1 chip, doesn't support AV1. Samsung's Exynos 2200 managed to ship the video codec this year in international versions of the Galaxy S22, while the MediaTek Dimensity 1000 SoC has been shipping in phones for over a year now with AV1 support. Apple is a founding member of the AV1 Alliance, but its devices also don't support the codec yet.

The report says Qualcomm's "upcoming flagship Snapdragon mobile processor" -- model number "SM8550" -- will support AV1. That would probably be called the "Snapdragon 8 Gen 2" SoC, due out in 2023. Wide adoption of AV1 seems inevitable, though it is taking a while. The codec is a successor to Google's VP8 and VP9 codecs and is being built by the Alliance for Open Media. The alliance's lineup is a who's who of tech companies, with founding members like Amazon, Apple, ARM, Facebook, Google, Intel, Microsoft, Mozilla, Netflix, Nvidia, and Samsung. Netflix and Google's YouTube are both making AV1 support "a requirement" for future products that want to support either video service. That should motivate just about every hardware and software vendor out there to get the job done.
Aside from being open source and royalty-free, the report notes that the newer AV1 codec also has the benefit of being 30% more efficient than H.265.
Firefox

With Growing Revenue But Slipping Market Share - Is Firefox Okay? 242

Industry analysts and former Mozilla employees are concerned about Firefox's future, reports Ars Technica, warning that the ultimate fate of Firefox "has larger implications for the web as a whole." Since its release in 2008, [Google's] Chrome has become synonymous with the web: it's used by around 65 percent of everyone online and has a huge influence on how people experience the Internet. When Google launched its AMP publishing standard, websites jumped to implement it. Similar plans to replace third-party cookies in Chrome — a move that will impact millions of marketers and publishers — are shaped in Google's image.

"Chrome has won the desktop browser war," says one former Firefox staff member, who worked on browser development at Mozilla but does not want to be named, as they still work in the industry. Their hopes for a Firefox revival are not high. "It's not super reasonable for Firefox to expect to win back even any browser share at this point." Another former Mozilla employee, who also asked not to be named for fear of career repercussions, says: "They're just going to have to accept the reality that Firefox is not going to come back from the ashes...."

Mozilla's financial declarations from 2020 said that despite the layoffs it is in a healthy place, and it expects its financial results for 2021 to show revenue growth. However, Mozilla and Firefox acknowledge that for its long-term future it needs to diversify the ways it makes money. These efforts have ramped up since 2019. The company owns read-it-later service Pocket, which includes a paid premium subscription service. It has also launched two similar VPN-style products that people can subscribe to. And the company is pushing more into advertising as well, placing ads on new tabs that are opened in the Firefox browser.... Selena Deckelmann, senior vice president of Firefox, says Firefox is likely to continue looking for ways to keep personalizing people's online browsing. "I'm not sure that what's going to come out of that is going to be what people traditionally expect from a browser, but the intention will always be to put people first," she says. Just this week, Firefox announced a partnership with Disney — linked to a new Pixar film — that involves changing the color of the browser and ads to win subscriptions to Disney+. The deal speaks both to Firefox's personalization push and the strange roads its search for revenue streams can lead down.

Deckelmann adds that Firefox doesn't need to be as big as Chrome or Apple's Safari, the second largest browser, to succeed. "All we really want is to be a viable choice," Deckelmann says. "Because we think that this makes a better Internet for everybody to have these different options."

Interesting stats from the article:
  • Next year, Firefox's "lucrative search deal with Google — responsible for the vast majority of its revenue" — is set to expire.
Bug

Linux Developers Patch Bugs Faster Than Microsoft, Apple, and Google, Study Shows (zdnet.com) 43

Linux programmers fixed bugs faster than anyone — in an average of just 25 days (improving from 32 days in 2019 to just 15 in 2021). That's the conclusion of Google's "Project Zero" security research team, which studied the speed of bug-fixing from January 2019 to December 2021.

ZDNet reports that Linux's competition "didn't do nearly as well." For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days.

By Project Zero's count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days.

Generally, everyone's getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.

As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.

Browsers problems are also being fixed at a faster pace. Chrome fixed its 40 problems with an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. Webkit, Apple's web browser engine, which is primarily used by Safari, has a much poorer track record. Webkit's programmers take an average of over 72 days to fix bugs.

Cloud

Is It More Energy-Efficient to Program in Rust? (amazon.com) 243

A recent post on the AWS Open Source blog announced that AWS "is investing in the sustainability of Rust, a language we believe should be used to build sustainable and secure solutions."

It was written by the chair of the Rust foundation (and leader of AWS's Rust team) with a Principal Engineer at AWS, and reminds us that Rust "combines the performance and resource efficiency of systems programming languages like C with the memory safety of languages like Java."

But there's another reason they're promoting Rust: Worldwide, data centers consume about 200 terawatt hours per year. That's roughly 1% of all energy consumed on our planet... [C]loud and hyperscale data centers have been implementing huge energy efficiency improvements, and the migration to that cloud infrastructure has been keeping the total energy use of data centers in balance despite massive growth in storage and compute for more than a decade... [I]s the status quo good enough? Is keeping data center energy use to 1% of worldwide energy consumption adequate..? [Will] innovations in energy efficiency continue to keep pace with growth in storage and compute in the future? Given the explosion we know is coming in autonomous drones, delivery robots, and vehicles, and the incredible amount of data consumption, processing, and machine learning training and inference required to support those technologies, it seems unlikely that energy efficiency innovations will be able to keep pace with demand...

[J]ust like security, sustainability is a shared responsibility. AWS customers are responsible for energy efficient choices in storage policies, software design, and compute utilization, while AWS owns efficiencies in hardware, utilization features, and cooling systems.... In the same way that operational excellence, security, and reliability have been principles of traditional software design, sustainability must be a principle in modern software design. That's why AWS announced a sixth pillar for sustainability to the AWS Well-Architected Framework. What that looks like in practice is choices like relaxing service-level agreements for non-critical functions and prioritizing resource use efficiency. We can take advantage of virtualization and allow for longer device upgrade cycles. We can leverage caching and longer times-to-live whenever possible. We can classify our data and implement automated lifecycle policies that delete data as soon as possible. When we choose algorithms for cryptography and compression, we can include efficiency in our decision criteria.

Last, but not least, we can choose to implement our software in energy efficient programming languages.

There was a really interesting study a few years ago that looked at the correlation between energy consumption, performance, and memory use.... What the study did is implement 10 benchmark problems in 27 different programming languages and measure execution time, energy consumption, and peak memory use. C and Rust significantly outperformed other languages in energy efficiency. In fact, they were roughly 50% more efficient than Java and 98% more efficient than Python. It's not a surprise that C and Rust are more efficient than other languages. What is shocking is the magnitude of the difference. Broad adoption of C and Rust could reduce energy consumption of compute by 50% — even with a conservative estimate....

No one developer, service, or corporation can deliver substantial impact on sustainability. Adoption of Rust is like recycling; it only has impact if we all participate. To achieve broad adoption, we are going to have to grow the developer community.

That "interesting study" cited also found that both C and Rust execute faster than other programming languages, the blog post points out, so "when you choose to implement your software in Rust for the sustainability and security benefits, you also get the optimized performance of C."

And the post also notes Linus Torvalds' recent acknowledgement that while he really loves C, it can be like juggling chainsaws, with easily-overlooked and "not always logical" type interactions. (Torvalds then went on to call Rust "the first language I saw which looked like this might actually be a solution.")

The Rust Foundation is a non-profit partnership between Amazon Web Services (AWS), Google, Huawei, Microsoft, and Mozilla.
Advertising

Google to Overhaul Ad-Tracking on Android Phones Used by Billions (msn.com) 22

The Washington Post reports: Google announced it will begin the process of getting rid of long-standing ad trackers on its Android operating system, upending how advertising and data-collection work on phones and tablets used by more than 2.5 billion people around the world.

Right now, Google assigns special IDs to each Android device, allowing advertisers to build profiles of what people do on their phones and serve them highly targeted ads. Google will begin testing alternatives to those IDs this year and eventually remove them completely, the company said in a Wednesday blog post. Google said the changes will improve privacy for Android users, limiting the massive amounts of data that app developers collect from people using the platform.

But the move also could give Google even more power over digital advertising, and is likely to deepen concerns regulators have already expressed about the company's competitive practices... It made $61 billion in advertising revenue in the fourth quarter of 2021 alone....

The announcement comes over a year after Apple began blocking trackers on its own operating system, which runs on its iPhones, giving customers more tools to limit the data they share with app developers.... Google contrasted its plan with Apple's, saying it would make the changes over the next two years, working closely with app developers and the advertising industry to craft new ways of targeting ads and measuring their effectiveness before making any drastic changes.

"We realize that other platforms have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers," said Anthony Chavez, vice president of product management for Android security and privacy, in the blog post. "We believe that without first providing a privacy-preserving alternative path such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses."

The Post also includes this quote from the chief security office of Mozilla (which began restricting ad tracking in Firefox several years ago). "Google's two year plan is too long. People deserve better privacy now."
Chrome

Firefox and Chrome Versions '100' May Break Some Websites (engadget.com) 92

As both the Chrome and Firefox browsers approach their 100th versions, what should be a reason for the developers to celebrate could turn into a bit of a mess. From a report: It turns out that much like the Y2K bug, the triple-digit release numbers coded in the browsers' User-Agents (UAs) could cause issues with a small number of sites, Bleeping Computer reported. Mozilla launched an experiment last year to see if version number 100 would affect sites, and it just released a blogpost with the results. It did affect a small number of sites (some very big ones, though) that couldn't parse a user-agent string containing a three-digit number. Notable ones still affected included HBO Go, Bethesda and Yahoo, according to a tracking site. The bugs include "browser not supported" messages, site rendering issues, parsing failures, 403 errors and so on.

Slashdot Top Deals