Today’s Journal du Geek reports that some unscrupulous websites do not clutter up their webpages with a Submit button when visitors are filling in a form.
If you have already filled in a web form before changing your mind, your data has doubtless been sucked up by an unscrupulous website. In a recent study carried out by researchers from 3 European universities, which will be presented at the Usenix Security conference in August, we learn that some platforms are capable of spying on every character typed on a keyboard.
By analysing 2.8 mn. webpages on the world’s 100,000 most visited websites, the research’s assessment is definitive: in the case of a web form filled completed in Europe, nearly 2,000 of them are capable of collecting the user’s email address before that user has clicked the Send button. One of the joint authors Güne Acar of Radboud University in Nijmegen states: “We were very surprised by the results. We thought we might find a few hundred sites where your email address is collected before you send it, but the result far exceeded our expectations”.
However, the situation in Europe remains better than that in the United States. Whereas the old continent recorded “only” 1844 cases of abusive data sucking, the same request, when sent from the United States triggered 60% more instances, for a total of 2,950 cases, a difference which can be explained in particular by the presence in Europe of the GDPR , which since 2018 has obliged platforms to obtain users’ consent before collecting data..
How do websites record one’s data without consent?
For all practical purposes the majority of sites collecting data before submission forwards email addresses (encrypted or unencrypted) to third party sites are generally specialist advertising campanies, which collected the data to serve up personalised advertising (aka corporate graffiti. Ed.). In some less frequent instances a key logger is used to enable the keystrokes made to be directly recorded.
In Europe, the matter is even more sensitive since a good number of major sites, including Facebook owners Meta and TikTok were amongst the sites tested.
French tech news site Frandroid reports that there has been a very unobtrusive but significant change to the installation procedure for Windows 11, but one with major implications for users’ privacy and security.
Since the launch of Windows 11, users of the home edition have been obliged to have a Microsoft account and an internet connection for the initial configuration of a machine if a fresh installation is involved. The company could soon extend this obligation to the operating system’s Professional edition.
This week Microsoft has released build 22557 to members of the Windows Insider programme. This is a rather ambitious new version of Windows 11 packed with new “features“, including a change in policy regarding Windows 11 Pro.
As Microsoft wrote on its blog announcing the release:
Similar to Windows 11 Home edition, Windows 11 Pro edition now requires internet connectivity during the initial device setup (OOBE) only. If you choose to setup device for personal use, MSA will be required for setup as well. You can expect Microsoft Account to be required in subsequent WIP flights.
As you have read, Microsoft has stated in black and white that people will need to have an internet connection and a Microsoft account, even from Windows 11 Pro to enable a machine’s personal use (as distinct from business or educational use).
As a matter of fact, Microsoft is stating what the obligation will be included in all future versions of Windows 11 in the Insider programme. It can therefore be assumed that this new constraint only affects the initial configuration of machines with versions of Windows 11 from the Insider programme.
We will have to await the next major update of Windows 11 which incorporates the new features of build 22557 to check if having a Microsoft account has really become mandatory for the operating system’s Pro edition.
The use of an online account has long been required by Apple and Google on iOS and Android respectively, but less so for Windows, since historically there has not been any Microsoft account to connect, much to the chagrin of the software publisher. Users are therefore not accustomed to such a requirement, which Microsoft has been trying to promote since the launch of Windows 8
A new initiative by the Open Source Security Foundation (OpenSSF) should improve the security of open source applications, German news site heise reports. The campaign, called the Alpha-Omega Project, is the result of negotiations at the White House between representatives of technology companies, US authorities and non-profit organisations. The initial funding of $5 mn. is being financed jointly by Google and Microsoft.
OpenSSF is organising the project in two parts – Alpha and Omega. In the Alpha section expert groups are analysing the security situation of the most-used open source applications to find and remedy vulnerabilities. This should train software operators and users in security awareness. In the Omega section a team of software developers is working on automated tests for over 10,000 distributed open source project to propose possible security measures to their user communities.
Open source projects and libraries are widely used in software development. The Log4Shell vulnerability in the widely-distributed Log4j Java library recently showed how critical an attack can be. Even after a month and a half it still remains unclear whether companies have survived the worst. Users and companies should therefore investigate their own systems for vulnerable instances of the Log4j library and install current patches.
More details of the Alpha-Omega Project can be found in the official announcement.