Chrome’s next release will make DRM mandatory

An interesting problem has come to light for Google Chrome users, revolving around the browser’s built-in DRM scheme for accessing content on services such as Netflix. With Chrome 57, the next major Chrome release, Google will disable the plugin settings page chrome://plugins. That means anyone who wants to disable any built-in plugins, including the DRM decryption module called Widevine, can no longer do so.chromelogo

It’s likely the vast majority of Chrome users just leave the Widevine decryption setting as is. For those who want to disable it, however, it’s an important setting and one that shouldn’t be removed so easily.

As Cory Doctorow over at Boing Boing points out, a component like Widevine is not immune to security flaws. However, security issues discovered in DRM schemes are harder to publicize due to the legal restraints put in place to discourage their disclosure. That means security issues can exist for months or years without the public finding out. Because of that, some users want to disable Widevine and do without DRM-laden video streaming services on their PCs.

Chrome 57 is currently being tested in the browser’s dev channel.

Despite the sudden outcry, Google has been quietly planning the end of the plugins page for several months. In May 2016, the Chromium team proposed disabling chrome://plugins. The page was seen as irrelevant since the primary reason for maintaining it was to control Chrome’s built-in Flash player, and controls for Flash are now available in Chrome’s primary settings.

In October, the team decided that Widevine would become enabled for everyone once chrome://plugins disappeared from the browser, according to a comment from a Chromium team member.

It appears Google may be rethinking its new approach to Widevine in Chrome. Several comments in Chromium’s bug tracker are discussing the issue, noting that the “Internet is not happy” about the loss of control over the decryption module. Nothing has been decided yet, but it looks like Google may decide to enable a settings option to disable Widevine in Chrome.

Trump to sign cybersecurity order calling for government-wide review

President Donald Trump is due to sign an executive order Tuesday that gives each cabinet official more responsibility for the safety of data within their agency.3127835

It will be accompanied by a government-wide review of cybersecurity by the Office of Management and Budget, looking at the technology in place that guards U.S. government systems from cyberattacks, according to a White House official.

The results of that review could lead to a government-wide upgrade of federal cybersecurity systems.

The U.S. government has been hit by hacks in the last few years. The State Department spent months trying to get rid of intruders in its unclassified network and the Office of Personnel Management lost personal information on millions of government workers through a second hack.

Before he signs the executive order, the president is due to meet with cybersecurity experts for an hour-long “listening session,” according to the White House press office. The White House has not yet supplied a list of attendees.

A draft of the executive order was posted online. It calls for a review of the nation’s cyber vulnerabilities to be completed within 60 days. It also asks for a review of U.S cybersecurity skills and training, including “computer science, mathematics and cybersecurity education from primary through higher education.”

Google pushes out 7.1.2 beta, but Nexus 6 and Nexus 9 won’t get it

While many Android phones are still waiting for the first taste of Nougat, Google is pushing ahead on the latest version of Android for its Nexus and Pixel devices. Or rather, most of them.androud nougat 7.0 on nexus 6p

Available for users enrolled in the Android Beta Program, the next release is, according to Google’s blog description, “an incremental maintenance release focused on refinements, so it includes a number of bug fixes and optimizations, along with a small number of enhancements for carriers and users.” That means you probably won’t see any differences in your day-to-day use, unless you were consistently bothered by a particular bug.

However, if you happen to own a Nexus 6 or Nexus 9, you’re out of luck. Not only is the device unable to install the beta, Google says that the general release of 7.1.2, which is expected to land in a couple of months, will be available for the Pixel, Pixel XL, Nexus 5X, Nexus 6P, Nexus Player, and Pixel C devices. Notably excluded from that list are 2014’s Nexus 6 and Nexus 9, 2014 devices released by Motorola and HTC, respectively, that were on board with the previous Nougat updates. While Google doesn’t specifically say they will be excluded from future releases, it would appear that they have reached the end of the line for updates.

The 7.1.2 public beta is available through the Android Beta Program, which you can sign up for at android.com/beta with a Google account and one of the supported phones. If you’ve already enrolled in the program, your phone will receive the update within the next few days, according to Google. To check to see if an update is available, you can go to the About tab in Settings and tap on System updates.

While it may be sooner than expected, it was pretty inevitable that Google would stop supporting the 2014 Nexus 6 and Nexus 9 devices sometime this year. When Google announced its updated security efforts for Nexus devices ahead of Marshmallow’s release in 2015, it vowed they would “continue to receive major updates for at least two years.” More importantly, it will continue to deliver security patches “for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.” So you don’t need to toss them in the recycle bin just yet.

This story, “Google pushes out 7.1.2 beta, but Nexus 6 and Nexus 9 won’t get it” was originally published by Greenbot.

Easy-to-exploit authentication bypass flaw puts Netgear routers at risk

For the past half year Netgear has been working on fixing a serious and easy-to-exploit vulnerability in many of its routers. And it’s still not done.netgear r8500 AC5300 Nighthawk X8

While Netgear has worked to fix the issue, the list of affected router models increased to 30, of which only 20 have firmware fixes available to date. A manual workaround is available for the rest.

The vulnerability was discovered by Simon Kenin, a security researcher at Trustwave, and stems from a faulty password recovery implementation in the firmware of many Netgear routers. It is a variation of an older vulnerability that has been publicly known since 2014, but this new version is actually easier to exploit.

In January 2014, a researcher found that he could trick the web-based management interface of Netgear WNR1000v3 routers to disclose the admin’s password. The exploit involved passing a numerical token obtained from one script called unauth.cgi to another called passwordrecovered.cgi. Neither of them required authentication to access.

Last year, Kenin came across this old exploit when he wanted to break into his own router — a different Netgear model — and realized that it worked. The researcher decided to write a script to automate the exploit so that other people could test their own router models, but due to a programming error the script didn’t pass the correct token to passwordrecovered.cgi. Yet the exploit still worked.

“After few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send,” Kenin said in a blog post Monday. “This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models.”

Kenin claims that he reported the vulnerability to Netgear in early April and the company put out an advisory in June, along with patched firmware for “a small subset of vulnerable routers.” Firmware fixes are now available for 20 models.

The company’s workaround for routers that don’t yet have patched firmware versions involves logging into their management interfaces and enabling the Password Recovery feature on the ADVANCED > Administration > Set Password page. The exploit only works when password recovery is disabled, which is the default setting.

Routers that are configured for remote administration over the internet are directly vulnerable to attacks that exploit this flaw. By obtaining admin credentials attackers can, at the very least, change a router’s DNS server settings to redirect users to malicious websites.

However, this doesn’t mean that routers whose web interfaces can only be accessed over the local area network — the default setting — are not at risk.

If vulnerable routers are used to provide wireless internet access in a public space like a library, a bar or a restaurant, anyone connecting to those networks can compromise them. People also routinely share their home Wi-Fi passwords with friends and family members who can bring compromised computers or smart phones into their networks.

There are also cross-site request forgery (CSRF) attacks that can hijack a user’s browser when visiting a specially crafted web page and use it to send malicious requests to a router over the local area network.

“We have found more than ten thousand vulnerable devices that are remotely accessible,” Kenin said. “The real number of affected devices is probably in the hundreds of thousands, if not over a million.”

In an emailed statement, Netgear said, “This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability.” The company added that firmware fixes are available for the majority of the affected devices and that users should follow the advised workaround for routers for which final updates are still pending.

The company did not clarify whether the list of affected router models in its advisory, which was last updated Friday, is final or if additional models might be added to it in the future.

Some of the affected models, like the C6300 router, which also has cable modem functionality, are distributed to customers by ISPs. Service providers also distribute firmware patches. Kenin found that the Lenovo-branded R3220 router uses Netgear firmware and is also vulnerable.

When it comes to security, Netgear is actually one of the better router manufacturers out there. Earlier this month the company launched a bug bounty program through the Bugcrowd platform.

Attacks against home routers have intensified over the past few years and powerful DDoS botnets like Mirai are now being built from compromised embedded devices. Unfortunately, the software running on such devices continues to be plagued by ’90s-era vulnerabilities like command injection and buffer overflows and basic security features found in modern software, like automatic updates or sandboxing, are rare

How to turn the Nvidia Shield TV into an OTA DVR with HDHomeRun and Plex

One of the Nvidia Shield TV’s nerdier virtues is its ability to record free broadcast TV from an antenna and stream it to all your other devices. But setting this up isn’t exactly a breeze.plexdvrshield

To turn your Shield into a whole-home DVR, you’ll need an HDHomeRun networked tuner, an antenna, a subscription to Plex Pass, and an ounce of patience as you put all the pieces together. As of this writing, you’ll also need to join a Plex beta program.

We’ll help you through each step. When we’re finished, you’ll have a Plex DVR on your Nvidia Shield Android TV.

Either the first- or second-generation model will do, as they both have the same hardware and ports. You can also opt for the Shield Pro ($299.99 at Amazon), which has 500GB of built-in storage, as an alternative to using an external hard drive.

shieldtvhero

 You’ll plug this into the Shield to store recordings, unless you have a Shield Pro. Ideally, the drive should have at least 500GB of storage and a USB This tuner connects to your router over ethernet, and streams broadcast channels to the Shield. The HDHomeRun Connect ($105 at Amazon) requires more bandwidth for streaming, and more storage for recordings. The HDHomeRun Extend ($179 at Amazon) uses transcoding to reduce the size of streams and recordings. (Note: If your router isn’t in a location where your over-the-air antenna can get good reception, this solution won’t work for you.)

hdhomeruntuner

The HDHomeRun tuner connects to an antenna via coaxial cable, and to your home network router over ethernet.

 It can be indoor or outdoor, as long you can wire the coaxial cable to the HDHomeRun.

This gives you access to Plex’s DVR service and a bunch of other features.

 This can be a PC, a tablet, or a smartphone, but you’ll need it to set up Plex and schedule recordings.

1. Connect your over-the-air antenna to the HDHomeRun tuner, connect the HDHomeRun into your router, and connect the HDHomeRun to a power source. (To access HDHomeRun’s live TV apps, follow the instructions included with the tuner. This will require a PC or Mac to set up.)

2. Plug the USB hard drive into your Nvidia Shield, head to Settings > Storage & reset, and select General USB Drive. Select “Erase & format as device storage” and follow the on-screen instructions. Warning: This will delete anything that’s currently on the USB drive, and anything stored on the drive after formatting will not be available outside of the Shield. The Shield does not currently support writing Plex recordings to conventionally formatted hard drives or network-attached storage devices.

shieldformatstorage

3. Join the Plex Media Server beta by visiting this link in your web browser and then clicking the “become a tester” button.

4. Install Plex Media Server on your Shield through the Google Play Store. You can install to your Shield straight from the web by clicking “Install” and selecting “No carrier Nvidia SHIELD Android TV” from the list.

5. Open Plex on your Shield—it should be pre-installed—and follow the prompts for setting up Plex Media Server.

6. Visit Plex.tv and sign in through the account associated with your Plex Pass subscription. After signing in, click “Launch” in the upper right-hand corner.

7.  Aim your cursor at the “Libraries” section in the left sidebar, and hit the “+” button. Select “TV Shows,” then hit “Next,” and select “Browse for Media Folder.”

plexlibraryadd

8. Select the folder on your USB drive (or on the Shield itself, for Shield Pro users) where you want TV recordings to be stored.

shieldaddfolder

7. Repeat steps 7 and 8, but for “Movies” instead of “TV Shows.”

8. Select “Settings” from the left sidebar, then select “DVR (Beta)”—the second option from the bottom—and click “DVR Setup.”

plexdvrsetup

9. Plex should detect the HDHomeRun automatically. Select “Continue.”

10. Make sure “Antenna” is the input source in the next menu, and then hit “Scan” to find local channels through the tuner. Select your country, language, and postal code on the next screen, and then hit “Continue.”

plexdvrsetup2

11. On the program guide screen, select “Local Over the Air Broadcast” from the list, and then hit “Continue.” Plex will begin downloading guide data for your area.

plexdvrsetup3

You’re done, though it may take some time to pull in channel listings. The main Plex menu should now display a “Program Guide” section, where you can browse and add recordings, and a “Recording Schedule” section where you can look for potential conflicts.

The best part of this setup is that you don’t have to use the Shield to access your recordings. Using the Plex app on your phone, tablet, PC, or TV device, you can stream those recordings from anywhere, including outside the home.

The only downside is that you need a separate app to watch live TV. The official HDHomeRun app is available on Android TV, Xbox, and Windows, while unofficial apps are available for other platforms, including Channels for Apple TV and iOS, and InstaTV for Amazon Fire TV.

Alternatively, the Tablo DVR ($220 for the two-tuner model, available at Amazon for $198.30 at time of publication) has a simpler setup process, supports whole-home viewing, and offers a single app on many platforms for live and recorded TV. A guide subscription costs $5 per month, $50 per year, or $150 for life, and you must supply your own antenna and hard drive.

If you want to go even simpler, TiVo’s Roamio OTA (with a 1TB hard drive, $369.99 at Amazon at the time of publication) and Channel Master’s DVR+ ($349 with a 1TB internal hard drive; $249 if you want to provide your own external hard drive) can record broadcast channels with no subscription fees, but only for a single television. If you don’t need rich guide data or powerful scheduling features, you can also buy a no-frills tuner box like the MediaSonic Homeworx ($35, available at Amazon) and record channels to an external USB drive. (Look for a review roundup of these options in the near future.)

Where the Nvidia Shield excels is its high-quality recordings from the HDHomeRun tuner, granular recording options from Plex, and the ability to have a single box that serves up all your media. For more tech-savvy users, it’s worth jumping through some hoops to get there.

This story, “How to turn the Nvidia Shield TV into an OTA DVR with HDHomeRun and Plex” was originally published by TechHive.

Arch Linux pulls the plug on 32-bit

If you’re reading this article on a PC, it’s quite likely the processor under the hood is 64-bit. Most computers these days run 64-bit CPUs, and most computers run 64-bit operating systems. Arch Linux is acknowledging that fact by making February the last month the distribution will include an i686 (32-bit) download option.arch linux cpu

“Due to the decreasing popularity of i686 among the developers and the community, we have decided to phase out the support of this architecture,” Bartłomiej Piotrowski said in a January 25 announcement on the Arch Linux website.

“The decision means the February ISO will be the last that allows [installation of] 32-bit Arch Linux,” Piotrowski continued. The announcement goes on to say that i686 installs will continue to receive upgraded packages for a nine-month “deprecation period.” But starting November 2017, i686 will be effectively unsupported.

Arch is the first of the major Linux distributions to stop supporting the 32-bit architecture; although, as PCWorld reported last July, Ubuntu, Fedora, and OpenSUSE all anticipate the imminent demise of 32-bit distros. Fedora, for its part, stopped offering 32-bit versions of its server images with Fedora 24, but for the time being you can still get 32-bit desktop versions of Fedora 25.

archlinux1

Linux was available fairly early on for AMD’s 64-bit architecture, which is why some 64-bit builds still carry the label of “amd64” instead of the more agnostic “x86_64.” While 64-bit Linux can run 32-bit versions of software, it often requires a lot of duplication in the form of libraries and other dependencies. Arch will keep maintaining its multilib repository, which provides 32-bit binary packages ). For many desktop Arch users, the multilib repository is unneeded, though some packages (like PlayOnLinux and 32-bit versions of WINE) require access to the multilib repo.

Arch is kind of a special case in the world of the Linux desktop. Since it’s a rolling-release distribution, offering new images every month, Arch is more agile than its standard-distribution counterparts such as Fedora or Ubuntu. But given that Arch is already making the move away from 32-bit, we may see the big distrosFedora, Ubuntu, Mint, and OpenSUSEdrop support this year as well, as new versions of those OSes come out.

In the case of Ubuntu, 2016 was a long-term support year. Ubuntu 16.04 LTS, which includes a 32-bit version, will be supported until 2021, per Ubuntu’s guidelines. Odd “non-LTS” years for Ubuntu see shorter-term releases that often experiment with features that are later released in an LTS versions. While there’s no official date for Ubuntu to drop 32-bit, it’s feasible we could see that support drop in an October (17.10) release. Right now, Canonical is still listing 32-bit images of Ubuntu 17.04 in its nightly builds, so April’s release will likely retain a 32-bit image option.

Although 32-bit operating systems and applications still have their place, server and consumer desktop computing largely transitioned to 64-bit long ago. The Arch devs are not wrong for acknowledging this fact, and other distributions will eventually follow suit. This year may be the last one you’ll see download links ending in “i386,” “i686,” or “x86” for new releases of major distributions.