Microsoft sued for millions over Windows 10 upgrades

Unhappy Windows 10 users in Illinois are taking Microsoft to court, claiming that problems caused by the Windows 10 upgrade show that it was negligently designed, that Microsoft fraudulently failed to disclose its defects, and that the upgrade is unfit for purpose.

In a break from tradition, Microsoft offered Windows 10 as a free upgrade to Windows 7 and 8.1 for the first year of its release. This unusual offer was matched with a set of increasingly aggressive promotions within Windows itself. In the early days of the upgrade offer, there were even some users reporting that it installed automatically.

Three plaintiffs claim specific harm was caused by the operating system. Stephanie Watson claims that Windows 10 installed without her choosing to accept it. The upgrade destroyed some data, caused such harm that Geek Squad was unable to fully repair the machine, and forced the purchase of a new system. The suit claims that “many” consumers have had their hard drives fail because of the Windows 10 installation, and that the operating system does not check “whether or not the hard drive can withstand the stress of the Windows 10 installation.”

Doxed by Microsoft’s Docs.com: Users unwittingly shared sensitive docs publicly

On March 25, security researcher Kevin Beaumont discovered something really unfortunate on Docs.com, the Microsoft free document-sharing site tied to the company’s Office 365 service: its homepage had a search bar. That in itself would not have been a problem, if Office 2016 and Office 365 users were aware that the documents they were posting were being shared publicly.

Unfortunately, hundreds of them weren’t. As described in a Microsoft support document, “with Docs.com, you can create an online portfolio of your expertise, discover, download, or bookmark works from other authors, and build your brand with built-in SEO, analytics, and email and social sharing.” But many users used Docs.com to either share documents within their organizations or to pass them to people outside their organizations—unaware that the data was being indexed by search engines.

Within a few hours, Beaumont, a number of other researchers, and Ars found a significant number of documents shared with sensitive information in them—some of them discoverable by just entering “passwords” or “SSN” or “account number.”

Cloud computing pushes into the classroom, but not without challenges

When you think about a traditional school workflow, it’s not unlike that of a business: Paper is generated and moved in a systematic way between the children and the teacher. Just as cloud computing has transformed workflows in business to make them more collaborative and mobile, that same type of change has been coming to schools. Children and teachers use the power of the cloud to collaborate while accessing, storing, and sharing content.

As with business, this change is ongoing, uneven, and by no means complete. But if schools are at least partly about preparing children for the next generation of work, then the cloud needs to be a part of that preparation. Just as some businesses have struggled to transition to the cloud, schools face similar challenges. But because schools involve a specific demographic—children from a variety of abilities and socioeconomic and linguistic backgrounds—their challenges can be even more complicated.

Slowly but surely, in spite of the issues, cloud tools are coming to the classroom. As more companies, large and small, help schools bring about this transition in a way that makes sense for teachers and children in a classroom context, we are seeing a shift to the cloud and all the advantages (and problems) that brings.

Charter promises Trump a broadband push, but no extra Internet connections

Charter CEO Tom Rutledge met with President Donald Trump today, and he made a splashy promise to “invest $25 billion in broadband infrastructure and technology in the next four years.”

But Charter, the second biggest US cable company after Comcast, was already planning broadband expansions during the Obama administration. When Charter purchased Time Warner Cable and Bright House Networks 10 months ago, it agreed to a merger condition requiring it to bring 60Mbps download speeds to an additional two million customer locations.

The spending Charter promised Trump today won’t guarantee broadband access for any additional customers beyond what the company already committed to during the Obama years.

Azure Service Fabric takes first tentative steps toward open source

Microsoft’s embrace of open source software continues, with Azure Service Fabric making the first tentative foray into the open world. Today, the SDK was (mostly) published to GitHub under the MIT license. The team behind the move described it as the “beginning stages” of a wider use of open source.

Service Fabric, first revealed in 2015, grew out of the infrastructure Microsoft developed to build and run large-scale cloud services, including Azure SQL, Cortana, and Skype for Business. It provides scaling and fault tolerance for services, both stateless and stateful, running in containers across clusters of (virtual) machines. It runs in Azure, naturally, but the runtime is also freely downloadable and can be deployed across on-premises Windows systems, or even onto Windows virtual machines in non-Microsoft clouds. A Linux version of the runtime is currently in development, too.

Microsoft has already been using GitHub for tracking feature requests and bugs within Service Fabric. Users of the runtime have expressed a greater interest in the design and features of Service Fabric, and opening up the SDK is seen as the next step in engaging with the community and helping drive the development direction.

How ISPs can sell your Web history—and how to stop them

The US Senate yesterday voted to eliminate privacy rules that would have forced ISPs to get your consent before selling Web browsing history and app usage history to advertisers. Within a week, the House of Representatives could follow suit, and the rules approved by the Federal Communications Commission last year would be eliminated by Congress.

So what has changed for Internet users? In one sense, nothing changed this week, because the requirement to obtain customer consent before sharing or selling data is not scheduled to take effect until at least December 4, 2017. ISPs didn’t have to follow the rules yesterday or the day before, and they won’t ever have to follow them if the rules are eliminated.

But the Senate vote is nonetheless one big step toward a major victory for ISPs, one that would give them legal certainty if they continue to make aggressive moves into the advertising market. The Senate vote invoked the Congressional Review Act, which lets Congress eliminate regulations it doesn’t like and prevent the agency from issuing similar regulations in the future. For ISPs, this is better than the FCC undoing its own rules, because it means a future FCC won’t be able to reinstate them.

Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs

In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery that they have mis-issued more than 30,000 certificates.

Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site’s authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.

More gradually, Google plans to update Chrome to effectively nullify all currently valid certificates issued by Symantec-owned CAs. With Symantec certificates representing more than 30 percent of the Internet’s valid certificates by volume in 2015, the move has the potential to prevent millions of Chrome users from being able to access large numbers of sites. What’s more, Sleevi cited Firefox data that showed Symantec-issued certificates are responsible for 42 percent of all certificate validations. To minimize the chances of disruption, Chrome will stagger the mass nullification in a way that requires they be replaced over time. To do this, Chrome will gradually decrease the “maximum age” of Symantec-issued certificates over a series of releases. Chrome 59 will limit the expiration to no more than 33 months after they were issued. By Chrome 64, validity would be limited to nine months.
