Windows

Microsoft Plans Big Windows 10 UI Refresh in 2021 Codenamed 'Sun Valley' (windowscentral.com) 145

Windows Central reports: Microsoft is preparing a major OS update for Windows 10 in 2021 that sources say will bring with it a significant design refresh to the Windows UI. I'm told that Microsoft is planning to update many top-level user interfaces such as the Start menu, Action Center, and even File Explorer, with refreshed modern designs, better animations, and new features. This UI project is codenamed "Sun Valley" internally and is expected to ship as part of the Windows 10 "Cobalt" release scheduled for the holiday 2021 season. Internal documentation describes the project as "reinvigorating" and modernizing the Windows desktop experience to keep up with customer expectation in a world driven by other modern and lightweight platforms.

Windows 10 has remained much the same these last few years, with little to no changes in its design or feature set. Many other platforms on the market have gone through entire redesigns or UI refreshes in the last five years, and while Windows 10 has gone through minor design iterations with the introduction of Fluent Design, we've not seen a significant refresh or rethinking of its UI. The Sun Valley project appears to be spearheaded by the Windows Devices and Experiences team, led by Chief Product Officer Panos Panay, who took charge of said division back in February. Microsoft announced in May that the company would be "reinvesting" in Windows 10 in the 2021 timeframe, and my sources say that Sun Valley is the result of that reinvestment.

Microsoft

Microsoft: No Driver Updates Allowed for Windows 7 and Windows 8 (osr.com) 91

An anonymous reader shares a report: Microsoft has announced that it is ending the ability to cross-sign drivers, effective 1 July 2021. This will effectively make it impossible to release new or updated drivers for Windows 7, Windows 8, and Windows 8.1 systems, including Server 2012 R2. This is not an exaggeration. The only option that will remain available to devs who want to release drivers for versions of Windows other than Windows 10 will be to have those drivers pass HLK/WHQL testing. Unfortunately, not all drivers are even eligible for HLK/WHQL testing, and even for those that are eligible, getting some drivers to pass the HLK/WHQL tests is effectively impossible. [...]
IT

Microsoft Will Forcibly Stop Loading Some URLs in Internet Explorer To Move Users To Edge (zdnet.com) 114

Big changes are coming to Internet Explorer. Starting next month, users trying to access certain websites will see IE refuse to load the URL and automatically open the site in Edge instead. From a report: This forced IE-to-Edge behavior is part of Microsoft's Internet Explorer deprecation plans. Microsoft has been gradually rolling out the feature for testing purposes for some Windows users since the release of Edge 84 this summer. However, with the release of Edge 87, scheduled for next month, Microsoft plans to enable the forced IE-to-Edge action for all IE users.
Chrome

So How Good Is Edge on Linux? (zdnet.com) 52

"No one asked Microsoft to port its Edge browser to Linux," writes Steven J. Vaughan-Nichols at ZDNet, adding "Indeed, very few people asked for Edge on Windows.

"But, here it is. So, how good — or not — is it..?" The new release comes ready to run on Ubuntu, Debian, Fedora, and openSUSE Linux distributions... Since I've been benchmarking web browsers since Mosaic rolled off the bit assembly line, I benchmarked the first Edge browser and Chrome 86 and Firefox 81 on my main Linux production PC.... First up: JetStream 2.0, which is made up of 64 smaller tests. This JavaScript and WebAssembly benchmark suite focuses on advanced web applications. It rewards browsers that start up quickly, execute code quickly, and run smoothly. Higher scores are better on this benchmark.

JetStream's top-scorer — drumroll please — was Edge with 136.971. But, right behind it within the margin of error, was Chrome with a score of 132.413. This isn't too surprising. They are, after all, built on the same platform. Back in the back was Firefox with 102.131. Next up: Kraken 1.1. This benchmark, which is based on the long-obsolete SunSpider, measures JavaScript performance. To this basic JavaScript testing, it added typical use-case scenarios. Mozilla, Firefox's parent organization, created Kraken. With this benchmark, the lower the score, the better the result. To no great surprise, Firefox took first place here with 810.1 milliseconds (ms). Following it was Chrome with 904.5ms and then Edge with 958.8ms.

The latest version of WebXPRT is today's best browser benchmark. It's produced by the benchmark professionals at Principled Technology. This company's executives were the founders of the Ziff Davis Benchmark Operation, the gold-standard of PC benchmarking. WebXPRT uses scenarios created to mirror everyday tasks. These include Photo Enhancement, Organize Album, Stock Option Pricing, Local Notes, Sales Graphs, and DNA Sequencing. Here, the higher the score, the better the browser. On this benchmark, Firefox shines. It was an easy winner with a score of 272. Chrome edges out Edge 233 to 230.

The article concludes that "Oddly, Edge, which turned in a poor performance when I recently benchmarked it on Windows, did well on Linux. Who'd have guessed...? Edge is a good, fast browser on Linux. If you're a Windows user coming over to Linux or you're doing development work aimed at Edge, then by all means try Edge on Linux. It works and it works well."

Yet Vaughan-Nichols admits he's still not going to switch to Edge. "Chrome is more than fast enough for my purposes and I don't want my information tied into the Microsoft ecosystem. For better or worse, mine's already locked into the Googleverse and I can live with that."
Chrome

Google Patched an Actively-Exploited Zero-Day Bug in Chrome (threatpost.com) 14

Google released an update to its Chrome browser that patches a zero-day vulnerability in the software's FreeType font rendering library that was actively being exploited in the wild, Threatpost reported this week: Security researcher Sergei Glazunov of Google Project Zero discovered the bug which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.

By Tuesday, Google already had released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac & Linux — among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk. "Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild," Prudhvikumar Bommana of the Google Chrome team wrote in a blog post announcing the update Tuesday... "The fix is also in today's stable release of FreeType 2.10.4," Ben Hawkes, technical lead for the Project Zero team, tweeted. Meanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw...

In addition to the FreeType zero day, Google patched four other bugs — three of high risk and one of medium risk — in the Chrome update released this week... So far in the last 12 months Google has patched three zero-day vulnerabilities in its Chrome browser.

Microsoft

Minecraft Will Require a Microsoft Account To Play In 2021 (theverge.com) 70

Minecraft said in a blog post yesterday that players will need a Microsoft account to play the game in 2021. Those who do not switch will be unable to play. The Verge reports: The game has existed in two separately developed versions since its 2011 launch on consoles. Previously, the original Minecraft: Java Edition used Mojang accounts, while Minecraft: Bedrock Edition, the name for the console and Windows store version of the game, used Microsoft accounts. After this change, the accounts will be the same, but there's still no crossplay: you still won't be able to play with friends using the other version of the game.

Mojang says players migrating from Mojang accounts will not lose any information and that the new accounts will offer two-factor authentication (2FA) and other safety features previously available in the Bedrock Edition of the game, like parental controls and the ability to block chats and invitations -- a concern for younger players on multiplayer servers. Players will be emailed in batches in the coming months on how to migrate and will receive an additional notification on their profile page when they're able to create a new account. Alongside the blog post, Mojang created a video to explain the switch and preempt player complaints.
The Verge points out that usernames for Java Edition players are at risk, which could make many players angry.

"In support articles addressing the change, Mojang is clear that your username won't be affected in-game, but if someone is already using your name or it doesn't meet Microsoft's standards, you might be forced to log in with a different one," reports The Verge. "There may not be as many names available to pick from, given that console players have had eight years to snap them up."
Chromium

Microsoft Releases Chromium-Based Edge Preview For Linux (zdnet.com) 97

Last month, Microsoft officials said they'd release a preview of the new Chromium-based Edge browser for Linux some time in October. On October 20, Microsoft made good on the promise, making available the Edge Dev Channel build for Linux. ZDNet reports: The new release supports Ubuntu, Debian, Fedora and openSUSE Linux distributions. Microsoft is planning to release weekly builds, like it does with the Dev Channel builds for other platforms. To get started, users can download and install a .deb or .rpm package directly from the Edge Insider site, which will configure a system to get future automatic updates. Or users can install Edge from Microsoft's Linux Software Repository. More detailed instructions are available on Microsoft's Chredge-on-Linux blog post.
The Internet

Microsoft Adds Option To Disable JScript In Internet Explorer (zdnet.com) 21

As part of the October 2020 Patch Tuesday security updates, Microsoft has added a new option to Windows to let system administrators disable the JScript component inside Internet Explorer. ZDNet reports: The JScript scripting engine is an old component that was initially included with Internet Explorer 3.0 in 1996 and was Microsoft's own dialect of the ECMAScript standard (the JavaScript language). Development on the JScript engine ended, and the component was deprecated with the release of Internet Explorer 8.0 in 2009, but the engine remained in all Windows OS versions as a legacy component inside IE. Across the years, threat actors realized they could attack the JScript engine, as Microsoft wasn't actively developing it and only rarely shipped security updates, usually only when attacked by threat actors. [...]

Now, 11 years after deprecating the component, Microsoft is finally giving system administrators a way to disable JScript execution by default. According to Microsoft, the October 2020 Patch Tuesday introduces new registry keys that system administrators can apply and block the jscript.dll file from executing code. Details on how this can be done are available below, as taken from Microsoft's documentation.

Microsoft

Microsoft Forces Windows 10 Restarts -- To Install 'Unsolicited, Unwanted' Office Apps (theverge.com) 292

The Verge's senior news editor complains that without permission, Windows 10 restarted to install "unsolicited, unwanted web app versions of Word, PowerPoint, Excel and Outlook onto my computer." OK, it's not as bad as when my entire computer screen got taken over by an unwanted copy of Microsoft Edge. That was truly egregious. No, this time Microsoft is merely sneaking unwanted web apps onto my PC — and using my Windows 10 Start Menu as free advertising space. Did I mention that icons for Microsoft Office apps have magically appeared in my Start Menu, even though I've never once installed Office on this computer?

These aren't full free copies of Office, by the way. They're just shortcuts to the web version you could already access in any web browser of your choice, which double as advertisements to pay for a more fully featured copy... They're the latest proof that Microsoft doesn't respect your ownership of your own PC, the latest example of Microsoft installing anything it likes in a Windows update up to and including bloatware, and the latest example of Microsoft caring more about the bottom line than whether a few people might lose their work when Windows suddenly shuts down their PC. Luckily, I didn't lose any work today, but a friend of mine recently did...

Microsoft seems to think our computers are free advertising space, a place where it can selfishly promote its other products — even though they were told roundly in the '90s that even bundling a web browser was not OK. Now, they're bundling a browser you can't uninstall, and a set of PWA web apps that launch in that same browser. (Yes, they fire up Edge even if you've set a different browser as default.)

Security

Three npm Packages Opened Remote-Access Shells on Linux and Windows Systems (zdnet.com) 65

"Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code," reports ZDNet.

"According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects." The shells, a technical term used by cyber-security researchers, allowed threat actors to connect remotely to the infected computer and execute malicious operations. The npm security team said the shells could work on both Windows and *nix operating systems, such as Linux, FreeBSD, OpenBSD, and others.

All three packages were uploaded on the npm portal in May (first) and September 2018 (last two). Each package had hundreds of downloads since being uploaded on the npm portal. The package names were:

plutov-slack-client
nodetest199
nodetest1010

"Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer," the npm security team said.

Microsoft

'No, Microsoft Won't Rebase Windows to Linux' Argues Canonical's Manager for Ubuntu on WSL (boxofcables.dev) 98

Last month Eric Raymond suggested Microsoft might be moving to a Linux kernel that emulates Windows. ZDNet contributing editor Steven J. Vaughan-Nichols argued such a move "makes perfect sense", and open source advocate Jack Wallen even suggested Microsoft abandon Windows altogether for a new distro named Microsoft Linux.

It eventually drew the attention of Canonical's engineering manager for Ubuntu on WSL, who published a blog post with his own personal thoughts. Its title? "No, Microsoft is not rebasing Windows to Linux." The NT kernel in Windows offers a degree of backward compatibility, long-term support, and driver availability that Linux is just now approaching. It would cost millions of dollars to replicate these in Linux. Microsoft has plenty of paying customers to continue supporting Windows as-is, some for decades. Windows is not a drain on Microsoft that would justify the expense of rebasing to Linux for savings, as Raymond has argued... It is unclear if the Windows user space could even be rebased from NT to the Linux kernel and maintain the compatibility that Windows is known for, specifically what enterprise clients with mission-critical applications are paying to get....

Microsoft has doubled down on Windows in recent years. Microsoft has invested in usability, new features, and performance improvements for Windows 10 that have paid off. These improvements, collaborations with OEMs, and the Surface helped revitalize a PC market that at one point looked in danger of falling to iPads and Chromebooks... Internal reorganizations in 2018 and 2020 show that the future of the Surface and Windows are now inextricably linked. Windows powers the Xbox and we are in a resurgence of mostly Windows-based PC gaming. Microsoft also has ideas for Windows 10X, the next operating system concept following Windows 10 (that I think we will get in gradual pieces), with future hardware like the Surface Neo in mind...

The much more interesting question is not whether Microsoft is planning to rebase Windows to Linux, but how far Windows will go on open source. We are already seeing components like Windows Terminal, PowerToys, and other Windows components either begin life as or go open source. The more logical and realistic goal here is a continued opening of Windows components and the Windows development process, even beyond the Insiders program, in a way that benefits other operating systems...

Raymond is correct in one key part of his blog. I do think the era of the desktop OS wars is ending. We are entering a new era where your high-end workstation will run multiple operating systems simultaneously, like runtimes, and not necessarily all locally. The choice will not really be Windows or Linux, it will be whether you boot Hyper-V or KVM first, and Windows and Ubuntu stacks will be tuned to run well on the other. Microsoft contributes patches to the Linux kernel to run Linux well on Hyper-V and tweaks Windows to play nicely on KVM. The best parts of Ubuntu will come to Windows and the best open source parts of Windows will come to Ubuntu, thanks to an increasing trend towards open source across Microsoft.

The key take-away though is that open source has won. And Raymond can be proud of helping to articulate the case for the open source development model when he did.

The post also explores "the reasons why I think this fantasy keeps cropping up on Slashdot and Hacker News," calling the idea "a long-held fantasy for open source and Linux advocates."

But instead he concludes "Neither Windows nor Ubuntu are going anywhere. They are just going to keep getting better through open source."
Microsoft

You Can Now Install Microsoft Windows Calculator on Linux (betanews.com) 102

An anonymous reader shares a report: Earlier, Microsoft released the source for Windows Calculator. And now, that calculator app has been ported to Linux by Uno Platform. Best of all, it's insanely easy to install as it is packaged in Snap format. "The good folks in the Uno Platform community have ported the open-source Windows Calculator to Linux. And they've done it quicker than Microsoft could bring their browser to Linux. The calculator is published in the snapstore and can be downloaded right away," explains Rhys Davies, Product Manager, Canonical.
Software

Canonical Introduces High-Availability Micro-Kubernetes (zdnet.com) 24

An anonymous reader quotes a report from ZDNet: If you've been hiding under a rock -- and who could blame you these days? -- you may have missed how totally Kubernetes now dominates container orchestration. One way to quickly get up to speed on Kubernetes is with Canonical's MicroK8s. This is an easy-to-run and install mini-version of Kubernetes. And now Canonical has added autonomous high availability (HA) clustering to it. [...] Now, with HA, MicroK8s is ready to move from Internet of Things (IoT) implementations, testing out Kubernetes implementations on a workstation, or simply learning Kubernetes to bigger, better cloud jobs.

With the new MicroK8s release, HA is enabled automatically once three or more nodes are clustered, and the data store migrates automatically between nodes to maintain a quorum in the event of a failure. Designed as a minimal conformant Kubernetes, MicroK8s installs and clusters easily on Linux, macOS, or Windows. To work, an HA Kubernetes cluster needs three elements. Here's how it works in MicroK8s:

- There must be more than one worker node. Since MicroK8s uses every node as a worker node, there is always another worker available so long as there's more than one node in the cluster.
- The Kubernetes API services must run on one or more nodes so that losing a single node would not render the cluster inoperable. Every node in the MicroK8s cluster is an API server, which simplifies load-balancing and means we can switch instantaneously to a different API endpoint if one fails.
- The cluster state must be in a reliable datastore. By default, MicroK8s uses Dqlite, a high-availability SQLite, as its datastore.

Microsoft

Bill Gates: 'I Was Naive At Microsoft,' Didn't Realize Success Would Bring Antitrust Scrutiny (cnbc.com) 85

Microsoft co-founder and former CEO Bill Gates told CNBC on Wednesday morning he had been naive about the government scrutiny that comes with getting large when he was running Microsoft and said the chance of Big Tech antitrust regulation is "pretty high." CNBC reports: "Whenever you get to be a super-valuable company, affecting the way people communicate and even political discourse being mediated through your system and higher percentage of commerce -- through your system -- you're going to expect a lot of government attention," Gates said in the "Squawk Box" interview. Last week, the House Judiciary subcommittee on antitrust released a report concluding that Amazon, Apple, Facebook and Google hold monopoly power.

"I was naive at Microsoft and didn't realize that our success would lead to government attention," Gates said, referring to Microsoft's antitrust challenges from more than 20 years ago. "And so I made some mistakes -- you know, just saying, 'Hey, I never go to Washington, D.C.' And now I don't think, you know, that naivete is there." Gates stepped down as Microsoft CEO in the middle of the U.S. Justice Department's antitrust case, which charged the company had tried to monopolize the web browser market when it bundled Internet Explorer with Windows. The company settled with the DOJ in 2001.

"The rules will change somewhat," Gates said in contrast about the possibility of future regulation. "I'd say the chances of them doing something is pretty high." "We have to get the particulars," said Gates when asked about the risk of additional regulation cutting down on innovation. "Is there some rule about acquisition? Is there some rule about splitting parts of the companies, either -- to create open availability of those resources?" Anti-competitive "killer acquisitions" was one of the House subcommittee's concerns, and the report looked into whether Facebook acquired Instagram to eliminate a competitor. Splitting up such acquisitions may be one possibility of future regulation. "We're in uncharted territory here," said Gates.

Microsoft

Microsoft Releases Update for Windows 10 To Prevent Swollen Laptop Batteries (betanews.com) 72

Mark Wilson writes: Microsoft has teamed up with HP to work on a fix for a problem affecting various HP Business Notebooks. The flaw not only causes a reduction in performance and battery life, but can also lead to swollen batteries. The problem lies with the HP Battery Health Manager, and the update from Microsoft and HP is rolling out to enable a new charging algorithm to help alleviate the issue. Writing about the update, Microsoft says: "Microsoft is working with HP to distribute a solution to help address a configuration setting issue within HP Battery Health Manager on select HP Business Notebooks that can affect battery life and performance. This update does not require a restart to take effect."
Microsoft

Spaces or Tabs? Microsoft Developers Reveal Their Preferences (msdn.com) 238

In a new video, Microsoft's principal cloud advocate and DevOps lead weighed in on that crucial and perennial developer question: which is better, indenting your code with spaces or with tabs? "This is kind of a loaded question... However, I am very opinionated on this. I happen to be a huge fan of tabs, for a couple of reasons.

Number one, your file size is going to be much smaller, because a tab is just one character. Okay, okay, granted this isn't a big deal any more, but I'm old as dirt, and I remember when hard drive space was at a premium.

But here's the real reason: you can customize your indentation width. And this is actually a bigger deal than it sounds like. By using tabs, you now give each individual the ability to see the indentation widths that they want, or even in some cases need. That makes it so much more accessible than spaces, right?

So because of that, for accessibility reasons, use tabs.

Well, I guess that settles that, leaving no need for any further... Wait, there are more responses from other Microsoft developers on this page, including program manager Craig Lowen. At the end of a video titled WSL2: Code faster on the Windows Subsystem for Linux! he says: I prefer spaces to tabs, and that's because tabs don't actually have a denotation of how wide or short they have to be in indentations. That's totally done by your IDE, so if you open it up in a different IDE, it might have a different level of indentation. If you use spaces, you'll always have the same indentation level if you're using a fixed-width font.

But however, I still use the tab key, and I just make my editor insert spaces for me.

Microsoft

What If They Replaced Windows With Microsoft Linux? (techrepublic.com) 239

Following up on speculation from Eric Raymond and ZDNet contributing editor Steven J. Vaughan-Nichols, open source advocate Jack Wallen imagines what would happen if Microsoft just switched over altogether from Windows to a Linux distro named "Microsoft Linux": A full-on Linux distribution released by Microsoft would mean less frustration for all involved. Microsoft could shift its development efforts on the Windows 10 desktop to a desktop that would be more stable, dependable, flexible, and proven. Microsoft could select from any number of desktops for its official flavor: GNOME, KDE, Pantheon, Xfce, Mint, Cinnamon... the list goes on and on. Microsoft could use that desktop as is or contribute to it and create something that's more in-line with what its users are accustomed to...

[U]sers would very quickly learn what it's like to work on a desktop computer and not have to deal with the daily frustrations that come with the Windows operating system. Updates are smoother and more trustworthy, it's secure, and the desktop just makes more sense. Microsoft has been doing everything in its power to migrate users from the standard client-based software to cloud and other hosted solutions, and its software cash cow has become web-centric and subscription-based. All of those Linux users could still work with Microsoft 365 and any other Software as a Service (SaaS) solution it has to offer — all from the comfort and security of the Linux operating system...

If Microsoft plays its cards right, the company could re-theme KDE or just about any Linux desktop in such a way that it's not all that different from the Windows 10 interface. Lay this out right, and consumers might not even know the difference — a "Windows 11" would simply be the next evolution of the Microsoft desktop operating system. Speaking of winning, IT pros would spend less time dealing with viruses, malware, and operating system issues and more time on keeping the network (and the servers powering that network) running and secure... Microsoft would be seen as finally shipping an operating system worthy of the consumer; the consumer would have a desktop operating system that didn't deliver as many headaches as it did moments of actual productivity and joy; and the Linux community would finally dominate the desktop.

Wireless Networking

America's FBI Warns of Security Risks in Using Hotel Wi-Fi (ic3.gov) 88

"Most users don't seem to realize the severity of the risks they're subjecting themselves to while using hotel Wi-Fi networks," writes Windows Report, noting that America's FBI "issued a Public Service Announcement concerning the risks of using hotel Wi-Fi networks while teleworking." Apparently, more and more U.S. hotels started advertising room reservations during the daytime for those who seek a distraction-free environment. This comes as a blessing for teleworkers who can't seem to focus on their work environment while at home. On the other hand...there are a few quite serious risks you may expose yourself to while using Wi-Fi networks in hotels:

- Traffic monitoring: Your network activity could be exposed to a malicious third-party

- Evil Twin attacks: Cloning the hotel network, misleading clients to connect to the fake one instead

- Man-In-The-Middle attacks: Intercepting and stealing sensitive information from one's device

- Compromising work: Facilitating cybercriminals to steal work credentials or other similar resources

- Digital identity theft

- Ransomware

Among other things, the FBI points out: Guests generally have minimal visibility into both the physical location of wireless access points within the hotel and the age of networking equipment. Old, outdated equipment is significantly more likely to possess vulnerabilities that criminal actors can exploit. Even if a hotel is using modern equipment, the guest has no way of knowing how frequently the hotel is updating the firmware of that equipment or whether the hotel has changed the equipment's default passwords. The hotel guest must take each of these factors into consideration when choosing whether to telework on a hotel network.
Or, as Slashdot reader SmartAboutThings puts it, "Using hotel Wi-Fi, in general, is not safe at all, and if you have no other choice, then you might as well give VPN services a try."

Or, just don't use the hotel's wifi (using your cellphone as a mobile hotspot instead).
Security

Ransom Gangs Increasingly Outsource Their Work (krebsonsecurity.com) 7

Brian Krebs writes via KrebsOnSecurity.com: There's an old adage in information security: "Every company gets penetration tested, whether or not they pay someone for the pleasure." Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in. But judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today's attackers have exactly zero trouble gaining that initial intrusion: The real challenge seems to be hiring enough people to help everyone profit from the access already gained.

One of the most common ways such access is monetized these days is through ransomware, which holds a victim's data and/or computers hostage unless and until an extortion payment is made. But in most cases, there is a yawning gap of days, weeks or months between the initial intrusion and the deployment of ransomware within a victim organization. That's because it usually takes time and a good deal of effort for intruders to get from a single infected PC to seizing control over enough resources within the victim organization where it makes sense to launch the ransomware.

This includes pivoting from or converting a single compromised Microsoft Windows user account to an administrator account with greater privileges on the target network; the ability to sidestep and/or disable any security software; and gaining the access needed to disrupt or corrupt any data backup systems the victim firm may have. Each day, millions of malware-laced emails are blasted out containing booby-trapped attachments. If the attachment is opened, the malicious document proceeds to quietly download additional malware and hacking tools to the victim machine. From there, the infected system will report home to a malware control server operated by the spammers who sent the missive. At that point, control over the victim machine may be transferred or sold multiple times between different cybercriminals who specialize in exploiting such access. These folks are very often contractors who work with established ransomware groups, and who are paid a set percentage of any eventual ransom payments made by a victim company.

Microsoft

Microsoft App Store Playbook Swipes at Apple, Google (axios.com) 39

In a not-so-subtle dig at Apple and Google, Microsoft today announced a series of "principles" for its Windows 10 App Store -- including letting users choose their own payment system for in-app purchases -- that it says should serve as a model for other app stores. From a report: The move comes as antitrust regulators in the U.S. and around the world are spotlighting how both Apple and Google manage their mobile platforms and as some developers charge them with running their app stores unfairly. In addition to offering developers the option to use an alternative payment mechanism for in-app purchases, Microsoft pledged that it will, among other things: allow competing app stores; hold its own apps to the same standards as those of other companies; allow app makers to decide what they do and don't want to sell within their app; and allow any developer in its store "as long as it meets objective standards and requirements, including those for security, privacy, quality, content, and digital safety."
