Chipp.in Tech News and Reviews

Cookie stealing may soon be a thing of the past

Posted on April 3, 2024April 3, 2024 by Martin Brinkmann

Google is working on a new security feature for the Web that aims to protect users against cookie theft malware better. Called Device Bound Session Credentials (DBSC), its main purpose is to bind cookies to the user’s device.

To better understand this, it is necessary to analyze the current situation. When you sign-in to a web service, a cookie is usually saved to the local system. This session cookie may then be used in future sessions. The effect is that you do not need to sign-in again, as this has been done in the past.

Cookies expire eventually, but until that happens, they may be used. One of the problems that arises is that cookies may also be used on other systems. This is what makes them attractive to criminals. If they manage to get their hands on session cookies, they may access the service without authentication.

A subtype of malware is designed to find and extract cookies from user systems. While this requires access to the user’s system in one way or another, it is a fairly common type of attack.

Device Bound Session Credentials

As the name implies, Device Bound Session Credentials limit cookies to individual devices. If you sign-in to a web service, the boundary is your computer (or a particular application). Anyone stealing the cookie cannot use it to access the account on another device, thanks to the new protective system.

Google explains:

By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.

Google admits that attackers may still get value out of attacks, but only if they act on the user system thanks to the boundary.

Technically, DBSC uses key pairs that are created when a new session starts. The private key is stored by the operating system and protections such as TPM help protect the keys against attacks. Servers may associate sessions with the public key; this ensures that a session is still on the original device.

Google notes that there is no “persistent user tracking” as sites may not “correlate keys from different sessions”. Keys may also be deleted at any time using the browser, e.g., Chrome’s option to delete site data.

Going forward

Google has open sourced the project and plans to make it a public standard. It is already experimenting with a prototype in Chrome Beta that protects Google Account users. Some companies, including Microsoft, have expressed interest already in DBSC.

You can check out Google’s post on the Chromium blog for an overview or the technical explainer on GitHub for additional information.

Firefox 124.0.2 fixes a video playback issue

Posted on April 2, 2024April 2, 2024 by Martin Brinkmann

Mozilla will release another point update for Firefox 124 later today. Firefox 124.0.2 is a bug fix update that addresses four non-security issues in the browser. Apart from a crash on Linux AArch64, it is fixing a video playback issue that is causing video playback on sites such as Netflix to go blank or crash the browser.

The update is not available yet, but it will be released shortly to the public. You may check Menu > Help > About Firefox to display the current version. Firefox runs a check for updates. Once released, it will download and install the update automatically.

Firefox 124.0.2: the fixes

The main fix of the point update addresses a playback issue on video sites such as Netflix. The bug report offers a very specific example, and it is unclear how narrow the issue is based on it.

According to the report on Bugzilla, the issue was caused on Netflix when users activated the “Inuyasha” icon to play it. Firefox’s window would then flash and go blank. Mozilla reproduced the issue and found out that the issue was caused by a crash of the GPU process.

The new Firefox release fixes several other issues:

Users with large amounts of bookmarks could not restore backups of bookmarks. This has been addressed in this release. The bug report suggests that this was caused if the bookmarks were crossing the 32766 mark.
Fixed a crash that affected Linux AArch64 builds. Details about the patch can be found here.
Fixed the loading of some webpages on Ubuntu 24.04 systems caused by the “changes made to the default AppArmor configuration”.

Closing words

There is no need to rush the update if you have not experienced any of the issues in Firefox. Firefox 125, expected on April 16, 2024, will include these fixes.

Do you use Firefox or another browser as your main driver?

After almost 10 years, Settings is still a mess in Windows

Posted on April 1, 2024April 1, 2024 by Martin Brinkmann

When Microsoft released Windows 10 in 2015, it introduced the new Settings app. Back then, Microsoft said that the app would replace the ancient Control Panel in the future.

And so it began. The initial version of Settings lacked many options that the Control Panel offered. Users and administrators had to juggle between the two to configure Windows.

While Microsoft moved some sections to the Settings app in the years that followed, the Control Panel is still going strong in 2024.

Take the “uninstall a program” option in the Control Panel. It is far superior to the “all apps” section of the Settings app. It features a table that lists more information and is fully sortable. It offers eight different views: five more than what the Settings app offers.

The Control Panel offers 38 different configuration options in the latest version of Windows 11. If Microsoft continues the snail-like pace, it may take very well until 2035 and Windows 15 before everything has been moved over.

The juggling between Control Panel and Settings app is just one of the issues that users may experience.

Is there any order in the Settings app?

The Settings app displays categories in a sidebar on the left. The main pane lists the configuration pages of the active category.

The order seems random in both panes. The sidebar begins with Home, System, and Bluetooth & devices. Apps is found after Personalization, and Windows Update at the very end. Maybe it is the most popular options that you find nearer to the top, but is Bluetooth & devices really more popular than Personalization?

Similarly, when you open a category, you get an unordered list of pages. System lists Display, Sound, and Notifications at the top.

Apart from that, you may also sometimes have trouble finding something. All Start and taskbar settings are found under Personalization, but when you want to enable scroll bars for all windows, you have to visit Accessibility to do that. There, you also find the option to change the mouse pointer or text size.

Nearby sharing is found under System, even though it might fit better under Network & Internet, or Bluetooth & devices.

A search is provided, which is helpful, provided that you know the name of the setting. Type “mouse”, and you get every setting related to the term.

Microsoft could introduce sorting options or favorites to improve accessibility.

All Settings is awol

The Settings app offers no list of all settings that it contains. It would be useful to get a full list, especially if it could be sorted by name.

Unless you really know the Settings app, it may simply take too long to find something. Search is useful to a degree, but if your search term is too broad, you get lots of results.

Closing Words

It is time for Windows to get a central location for settings. The current state of the Settings app is lacking, especially when it comes to finding a specific page.

What is your take on the Settings app? Do you still use the Control Panel?

YouTube: Google has found a way to break Invidious

Posted on March 31, 2024April 1, 2024 by Martin Brinkmann

Update: A workaround is now available that fixes the issue.

If you use Invidious to access YouTube videos, you may have noticed that most (all?) instances are broken right now. Attempts to play YouTube videos are met with error messages.

Messages such as “the video returned by YouTube isn’t the requested one” are thrown by Invidious instances at the time.

A bug report on the official GitHub repository confirms the issue. Good news is that the team is aware of the issue. Bad, that there is no fix yet to address it.

YouTube search works on all instances, but videos won’t play anymore. You can try any of the listed Invidious instances or others, and you will likely get the same result.

The issue was reported three days ago on the GitHub project site.

Another popular YouTube frontend, Piped, appears affected as well. Attempts to play videos are met with the error code “failed with error code 1002”.

Google seems to have implemented changes to YouTube that break video playback functionality of the frontends. It is too early to say whether this can be fixed at all.

Google seems to be tightening access to YouTube in an effort to increase revenue and lock out alternatives. Privacy conscious users like these alternatives, as they include no ads or tracking.

It is quite possible that Google is going to lock down YouTube further in the future. It is probably only a matter of time. It is likely that existing alternatives and new alternatives will see huge user jumps when that happens.

Now You: do you watch videos on YouTube? Did you run into these issues?

You may soon limit Microsoft Edge’s RAM usage

Posted on March 30, 2024March 30, 2024 by Martin Brinkmann

In the past 20 or so years, browsers have grown significantly. From tools used solely to display webpages to general purpose tools. Yes, you can still open webpages in modern browsers, but that is not all.

Nowadays, browsers are used to watch media streams, play highly demanding games, or do your homework. It comes as no surprise that RAM usage of browser processes has gone up significantly as well.

Browsers can easily use 1 gigabyte of RAM or more these days. Much of it depends on use. If you open a single plain text website only, you will never cross the threshold. Open a stream on Twitch, play a game in another tab, and have dozens or hundreds of tabs open, and you reach that threshold easily.

Most Chromium-based browsers may display memory usage of individual tabs. This is a recent feature addition. There is also the option to press Shift-Esc to display the built-in Task Manager, which reveals memory usage of individual browser components.

Microsoft Edge, like other Chromium-based browsers, supports a sleeping tabs feature next to that. The main idea of it is to reduce memory use by putting inactive tabs into sleep mode. Microsoft says that the feature saves an average of 39.1 MB per tab.

Microsoft Edge: control memory usage

Microsoft is working on another feature to tame the browser’s memory usage. The new resource controls option gives users control over the maximum amount of RAM that Edge may use.

It is disabled by default, which means that Edge may use as much RAM as available. Once activated, options are provided to limit RAM usage always or when playing PC games.

The new preference is found under Settings > System and performance > Resource controls.

Once enabled, you may use a slider to set a RAM limit in gigabyte. The lowest amount selectable is 1 gigabyte, the highest the available RAM of the system. You may increase or decrease the limit in 1 gigabyte steps.

When you enable the new feature, RAM usage is displayed in Browser Essentials under performance.

You need to run the latest Microsoft Edge Canary release and start the browser with the parameter –enable-features=msEdgeResourceControlsRamLimiter to get access to it.

Here is what happens when Microsoft Edge reaches the designated RAM limit: it puts tabs to sleep in order to reduce Edge’s RAM use.

Closing Words

It is too early to say if the feature will ever make it into Edge stable. If it does, it will likely remain a niche feature. While it may help some users free up RAM for other activities on the PC, most may prefer to close Edge instead, if they do not use the browser actively at the time.

Usefulness depends on how you use your system and Edge. If you use Edge all the time, you may benefit from it. There are downsides, on the other hand. Edge puts tabs to sleep and you get no say in the matter. If you need access to those tabs, you need to wake them up again.

All in all, Edge’s new RAM usage feature is a niche feature. It might grow to something more in organizations and for some edge cases.

Now You: what is your take on limiting RAM usage in browsers? (via Leopeva)

How to sign out users when Windows shuts down

Posted on March 28, 2024March 28, 2024 by Martin Brinkmann

If you share a Windows PC with others, you may have noticed that users may appear as signed in after you log in to the operating system. A click on the Start button and another click on the user profile icon may reveal this.

Should not Windows sign out users when the system is shut down? Windows used to to this prior to the release of the Fall Creators Update for Windows 10.

When you shut down Windows then, all users were signed out automatically. You may have gotten a prompt reminding you that users were still signed in, but you could shut down the system and all signed in users were signed out as part of the process.

This changed with the release of the Fall Creators Update for Windows 10 in 2017. All Windows releases since then behave in the same way, including Windows 11.

Microsoft’s explanation for the feature

Updates for Windows require user specific processes that need to run before the installation of the update completes. These require that users are signed-in.

Previously, users had to wait for the completion of these processes after update installations.

Winlogon automatic restart sign-on is the official name of the feature introduced in the Fall Creators Update. Microsoft describes what it does in the following way:

When Windows Update initiates an automatic reboot, ARSO extracts the currently logged in user’s derived credentials, persists it to disk, and configures Autologon for the user. Windows Update running as system with TCB privilege initiates the RPC call.

In other words: Windows copies the current user’s credentials, copies them to disk and enables automatic sign-in for the user. The user will be signed in automatically after the final update reboot. The device is locked to protect the user’s session.

Managed and unmanaged devices are treated differently. Managed devices need TPM 2.0, SecureBoot, and BitLocker. Device encryption is used on unmanaged devices, but it is not a requirement.

How to sign out all users on shutdown in Windows

Microsoft introduced a new option in the Fall Creators Update that triggers the functionality. It is enabled by default.

Here is how you change the behavior on Windows 11:

Select Start and then Settings.
Go to Accounts.
Select Sign-in options.
Scroll down to “additional settings”.
Toggle “Use my sign-in info to automatically finish setting up after an update” to Off.

The path is slightly different on Windows 10 devices. You need to go to Settings > Accounts > Sign-in Options instead. There you find the preference under Privacy.

All users are signed out when the system is shut down from that moment forward.

Group Policy

You may also make the change to the configuration using the Group Policy Editor (not on Home editions, and requires Windows 10 version 1903 or newer):

Open Start.
Type gpedit.msc and load the Group Policy Editor result.
Go to Computer Configuration > Administrative Templates > Windows Components > Windows sign in Options.
Double-click on Sign-in and lock last interactive user automatically after a restart.
Set the policy to Disabled.
Close the Group Policy Editor.
Restart the PC.

Registry

You can also make the change in the Registry. This works on Home editions as well:

Open Start.
Type regedit.exe and select the Registry Editor result.
Confirm the UAC prompt with “yes”.
Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
If the Dword DisableAutomaticRestartSignOn does not exist, do the following:
- Right-click on System and select New > Dword (32-bit) Value.
- Name it DisableAutomaticRestartSignOn.
Double-click on DisableAutomaticRestartSignOn and set its value to 1 to disable the feature.
Restart the PC.

DirectSR promises to push gaming on Windows 11

Posted on March 27, 2024March 27, 2024 by Martin Brinkmann

The next feature update for Windows 11 will likely introduce support for a new technology that Microsoft calls DirectSR. This technology promises to make the life of game developers easier. While gamers do not benefit directly from it, they will benefit indirectly, as games will make use of the technology.

DirectSR, the SR stands for Super Resolution, is a new DirectX API designed to improve the implementation of upscaling in games. Microsoft collaborated with NVIDIA, AMD, and Intel to develop DirectSR.

Developers have to implement specific upscaling technologies currently to support them. If they want to support these for AMD and NVIDIA cards, they need to implement NVIDIA DLSS (Deep Learning Super Sampling) and AMD FSR (FidelityFX Super Resolution). These implementations take time to develop as the systems require different implementations.

This led to issues in the past, when games supported only one of the available upscaling technologies.

DirectSR promises to improve how upscaling is implemented. It offers a standardized interface for multiple upscaling technologies. Developers may use this option to implement upscaling technologies in their games across Windows and Xbox systems.

How DirectSR works

The core idea is simple: developers feed data that the API then routes to the upscalers. This works because upscalers tend to require the same set of data.

In other words: the API takes care of the processing of the data that the upscalers need to improve game performance and visuals. This means that developers need to provide the data just once to support all upscalers.

Microsoft promises that its new API covers upscaler updates as well. Company engineers update the API whenever necessary to support new features and changes.

Closing Words

Microsoft has not announced a release data for the new API yet. A likely target for inclusion on Windows is the release of the 2024 feature update for Windows 11. This will be released in the second half off 2024, like at the end of September or beginning of October 2024.

As is the case with new gaming technologies, it will take some time before games will make use of them. While some games may support the feature early, it may take years before a good number of games support it.

Much depends on Microsoft’s promise that the technology will make things easier for game developers.

Now You: do you play games at all?

How to deal with Notifications in Google Chrome

Posted on March 26, 2024March 26, 2024 by Martin Brinkmann

All modern web browsers support so-called push notifications. Websites may request permission to send notifications. When users accept, they may push notifications to the user’s system. Ideally, these are useful to the user. Maybe about a new post on the site, an auction running out, or about item availability in online stores.

Most of the time, at least from my experience, notifications are not that helpful for users. Sites may push lots of notifications to user systems. Abuse is rampant. Notifications may get abused for advertisement, scams, or malicious attacks.

While notifications contain no executable content, clicking on notifications may launch sites and thus attacks.

You can check out this recent story on Bleeping Computer for an example of attacks. The attack originated on Google Search and used notifications to push spam and malware.

One of the best options to deal with notifications is to disable them. This works well for users who never use them in the first place. Those who do use notifications on specific sites may also optimize their configuration.

The following paragraphs explain how that is done. Note that this applies to other Chromium-based browsers as well. All offer these options, and you may load the URL provided below to open the Settings.

Blocking Notifications in Chrome permanently

It takes just a few steps to block notifications in Google Chrome.

Load chrome://settings/content/notifications in the Chrome address bar. You may also open Menu > Settings > Privacy & Security > Site settings > Notifications manually.
Set the default behavior to “Don’t allow sites to send notifications”.

You are done. Chrome won’t send any notifications from this moment up. There is one exception, and this is handy to allow specific sites to send notifications while disallowing them from any other site.

Scroll down to the customized behaviors section. There you find overrides. Use the “allowed to send notifications” section to allow specific sites to send notifications to your system.

Activate the “add” button and type the domain name using the following format: [*.]domain.com.

This allows the domain to send notifications, even though the general setting is set to disabled.

Tip: you can also allow sites in the following way:

Open the site in the Chrome browser.
Click on the icon that is in front of the domain name in Chrome.
Select Site Settings from the menu.
Locate the Notifications preference and set it to “allow”.

Closing Words

My recommendation is to turn off Notifications and use the allow list for select sites only. This blocks all notification spam and any attempt to use notifications for malicious attacks. It also prevents less tech savvy users from accepting notifications on a regular basis in the browser.

Display the power on hours and other hard drive stats on Windows

Posted on March 25, 2024March 25, 2024 by Martin Brinkmann

All hard drives have a limited lifespan. It does not really matter if you use Solid State Drives or platter-based drives. Eventually, they will fail. It is therefore important to keep an eye on the status of hard drives. This gives you enough time to migrate the data to a new hard drive to avoid disaster.

Looking up hard drive usage information is also useful in other scenarios. Say you want to sell a hard drive. Buyers may want to know for how long the hard drive was used and how much writes it had. The latter is important for Solid State Drives, which support a limited number of writes.

One of the best applications for the job is Crystal Disk Info. The free software for Windows is easy to use. It displays internal hard drive data courtesy of S.M.A.R.T. — Self-Monitoring, Analysis, and Reporting Technology — of hard drives.

S.M.A.R.T.’s primary purpose is to monitor and report drive reliability data. CrystalDiskInfo retrieves the information and displays them in its interface for each connected hard drive.

CrystalDiskInfo

You can download the latest version of CrystalDiskInfo from the developer’s website. Run the program after installation. It displays each hard drive in a tab in its interface.

Data of the primary hard drive is displayed automatically. Click on other hard drives to display their data in the interface.

Check the top right corner to get “total host reads”, “total host writes”, Total NAND writes”, “power on count” and “power on hours” information. These should give you a good view of the utilization of the drive.

Note that the information is slightly different for platter-based drives. These display the rotation rate, which is the speed more or less, as well as power on count and power on hours.

Additional information about the drive is displayed on the left side. You find the features that it supports there as well as the current transfer mode. This can also be useful to determine issues, e.g., if a drive is slow.

The app displays all S.M.A.R.T. values in a table below. Some, like the write error rate, temperature, or reallocated sectors count, may also be useful.

The current and worst values are displayed, as well as potential thresholds.

Closing Words

CrystalDiskInfo is a great app when it comes to hard drive information. It is free and easy to use. It is a good idea to check S.M.A.R.T. values regularly to detect failing hard drives as early as possible.

Now You: do you monitor S.M.A.R.T. values of hard drives?

Notepad is getting spellchecking support

Posted on March 24, 2024March 24, 2024 by Martin Brinkmann

Microsoft continues to enhance Notepad, the plain text editor of the Windows operating system. After adding features such as tabs, auto saves, or text formatting to Notepad, it is now testing spellchecking support.

The latest version of Notepad, version 11.2402.18.0, includes the functionality. It is available in the Canary and Dev development channels only. Not all testers get the feature right away, as Microsoft is — once again — rolling it out gradually to users. It can very well take weeks or months before a particular feature reaches all testers.

Microsoft describes the functionality on the Windows Insider Blog:

With this update, Notepad will now highlight misspelled words and provide suggestions so that you can easily identify and correct mistakes. We are also introducing autocorrect which seamlessly fixes common typing mistakes as you type.

Notepad Spellchecking

Microsoft notes that misspelled words are highlighted automatically by the editor. They appear in red. A click or tap on the word or phrase displays spelling suggestions. The keyboard Shift-F10 does that as well, but it appears less practicable to use.

Select a suggestion with the mouse, by touch, or keyboard, and it takes up the place of the misspelled word.

An option to add words to the dictionary is provided. This is useful if a word is spelled correctly but marked as misspelled by Notepad. There are also options to ignore words in a single document.

Spell checking is enabled for some file types only. For others, including log files and some files used for coding, it is turned off. Options to change the behavior are available in the settings.

AI or not?

Microsoft makes no mention of AI in the Windows Insider blog. The spell checking feature seems to run locally on the system. I cannot test it, thanks to Microsoft’s habit of rolling out features over a long period of time.

It looks to be a local feature that checks words using a local dictionary. Again, I could not confirm this at this stage.

Closing Words

Spell checking is a useful feature, even for a plain text editor like Notepad. Users who do not need it can turn the feature off in the settings.

With Wordpad deprecated, it looks as if Microsoft is putting the focus on Notepad. While it is not a full replacement, it is now getting features that Wordpad never supported.

Notepad is one of the few native Windows apps that I use regularly. What about you?