For years, Google has enforced a restriction on changing the @gmail addresses it hands out when signing up for a new account. Apart from email, that's the address you use to log into any Google service, like YouTube, so many of us have been stuck with old identities we'd like to move on from. Fortunately, this convenience appears to be within reach, as the Google Pixel Hub Telegram group has spotted an official Google support document outlining the feature.

The support page is only in Hindi, suggesting that the rollout is limited to India for now. Even then, Google clearly states that users will gradually begin to see this option, indicating that global adoption is still some way off. Still, we're looking at official info here, not a leaked excerpt, so Gmail truthers can rejoice.

For context, competing providers, such as Microsoft Outlook, allow you to change your email address and offer "aliases," which are commonplace today. You can add alternate email addresses under a Google Workspace account, but that's a different thing entirely, as it's a managed service.

To clarify further, Google lets you change your Google Account name, but you can't edit the @gmail.com address. In the document, Google states that you'll retain and have access to your old email address after you switch to a new one — essentially, you'll have two @gmail addresses for one account, which in and of itself could be a game changer for many. Previously, you'd have to create a new Google Account to access a secondary email address, which you could then use to set up a faux alias.

With this, you'll receive emails in both inboxes, and none of your existing data, such as Drive or Photos, will be affected. That said, you cannot register another email address for the same Google Account for the next 12 months after switching to a new one. Keep in mind that Google hasn't officially announced this feature yet, so all of this is potentially subject to change with the global rollout.

Still, to check whether you can get a new @gmail address right now, go to my.account.google.com/google-account-email on a phone or computer. There, tap/click on "Personal Information," and under "Email," you should see the option to "Change email address for your Google Account." It will look like the screenshot above if you're not part of the rollout yet.

Elon Musk's digital ambitions are set to encompass one of the oldest and most established forms of communication on the internet—email. Musk first told a Twitter/X user, "It's coming," when asked about an email offering in February this year. This week, he hinted at stripped-down thread-less Xmail, in stark contrast to Google's popular Gmail.

With its roots dating back to 1975, electronic mail, now better known as Email, is engrained within most connected device users. It continues to live and prosper even in the age of messaging apps, and that is probably due to several key factors.

Email has always had easy-to-sort and search mailboxes and can work across a wide range of apps, platforms, and devices. Everyone has an email, too, which is probably why it is often the foundation upon which you will sign up for all your other messaging and social accounts.

The Tweet/X that Musk highlighted, commenting, "That’s exactly what we are going to do," seems to be looking for something simpler than today's popular Email offerings, notably Gmail.

X user Ross outlined his desire for a more straightforward type of email. "TBH I'd just like an email address that goes into a plain text DM [direct messaging] inbox and abstracts the annoying & messy threads/formatting mess that is email," wrote Ross. "The main nice thing about email is that it is a universal handle system and compatible with everything so you don't have to download a new app, input a contact, or connect with someone."

After being quiet about Email for months, Musk also commented on App Researcher Nima Owji's post – yearning for Xmail to replace Gmail – earlier this week. The xAI and Tesla boss did his usual single-word signal for thoughtfulness, "Interesting." Then Musk elaborated, "We need to rethink how messaging, including email, works overall."

I started using email with YAM on the Amiga and Eudora on the Apple Mac to avoid being averse to something simpler than Gmail or Outlook. Perhaps that's why I have stuck with Yahoo Mail since the 90s, even though Gmail probably offers more convenient integrations for someone using Android devices, always using Google Maps, and organizing schedules and appointments (primarily) using the Google Calendar.

However, it is easy to promise the moon on a stick. Let's see what Xmail looks like when it is launched. Might the vision take stripping things back too far? Also, given Musk's track record, potential users should carefully consider Xmail's T&Cs and possible free/premium tiers and features before getting excited.

Google’s ready to help you write but it would rather write for you. This week at Google I/O, the search giant announced that it was adding new generative AI features to its Workspace tools, including Docs, Gmail, Sheets and Slides. I signed up for Google Workspace Labs (as the beta is called) and today I got off of the waitlist – it must have been my SAT score – and had a chance to peruse the main tool right now, a “Help Me Write” button that can generate text from scratch or completely rewrite your copy in its own voice.

In its keynote and subsequent blog post, Google talked about adding image creation to Slides and data insights to Sheets, but the only feature I see available right now is the “Help me Write” button in Docs and Gmail. The feature, as it stands, has some utility for folks who are poor wordsmiths or are just too lazy to string a few sentences together on their own, but like other AI tools it can either “hallucinate” details or leave you with text that’s so generic that it’s useless. Unfortunately, it’s a perfect tool for students who want to fake their book reports or writers who want to plagiarize someone else’s work. And worst of all, it doesn’t live up to its name because, instead of helping you improve your writing, it silences your voice and replaces your work with its own.

The “Help me write” button appears as a floating pen icon in the left rail of Gdocs and at the bottom of the compose window in Gmail. Primarily, I tested it in Gdocs but it works the same way in the email compose window. If you click on the button, there’s a bluish-purple dialog box that appears, allowing you to create a writing prompt for brand-new text. You enter your prompt and click “Create.” Then the system presents you with its text and you can either click “Insert” to put it into the article, Refine to have the AI change it slightly, or Recreate.

I started by asking it to write a letter saying I was resigning from my job immediately. It was both generic and hallucinatory. It said all the things you’d expect a resignation letter to say that I’d enjoyed my time and learned a lot from the company, but at the same time, it said that I had accepted a position at a different company. While most people wouldn’t quit their job without another lined up, this is a detail I didn’t give it. 

Similarly when I asked it to “write a letter applying for a job as an editor at Tom’s Hardware,” it made up a ton of details about my experience, saying that I had more than 10 years of experience and that my previous role was as an Editor at PC Magazine. I do have more than 10 years of experience but never worked at PC Magazine and I assume that the bot didn’t even attempt to search the web for my actual experience.

Rather than making things up, sometimes the  bot would (wisely) leave placeholders for key details. On the resignation letter, it used the words Manager’s name, Company name, Last Day and Specific Field for the places where those details would go. However, these blanks weren’t marked with a fill-in-the blank (ex: Company name) nor were they enclosed by brackets (ex: [Company Name]). I am 100 percent certain that many people will use “Help Me Write” to write an important letter and then neglect to replace the placeholder text with actual details. Definitely don’t do this when you ask it to write a break up letter for you.

If you click the “Refine” button, you’re presented with a menu that allows you to choose  to regenerate the text as either “Formalize,” “Shorten,” “Elaborate,” or “Rephrase.” When I chose “Elaborate,” I’d get a little more detail. For example, when I regenerated the breakup letter, it added two paragraphs of hallucinated details about the author and his girlfriend meeting at a party last year, taking long walks, and watching movies. The “Shorten” option cut my breakup letter to the chase, making it just two sentences.

Doing Your Homework for You

Good news for students who want to cheat on their homework! The Help Me Write feature will generate an essay for you, even targeting it at a certain grade level so it sounds like it came from a younger child. For example, I asked it to write a book report about "A Wrinkle in Time" at a fifth-grade writing level and it delivered an excellent summary. When I asked for the book report at a seventh-grade level, it got a bit longer and more detailed.

There does seem to be a limit to how long of a result it will give you, no matter what you ask. I asked it to write a 5,000 word essay on Abraham Lincoln and why he was the best president ever. Instead, it delivered to me a tight, 397-word paper with a bulleted list of points.  But to its credit, it understood the assignment and delivered factual, on-topic prose. 

I also tried to get the bot to compose a master’s thesis with this prompt “Write a master’s thesis on Shakespeare's comedies and how they reflect the political tensions of his time.” A master’s thesis is usually tens of thousands of words with lots of footnotes, but this one was a mere 245 words with no scholarly research involved. However, it did make some valid, though surface-level points like saying that the character of Dogberry in "Much Ado About Nothing" is a critique of real-life constables. 

I have to wonder if schools, many of which use Google Docs as the official writing tool for their students, will have the ability to disable the “Help Me Write” feature for students’ accounts. It’s pretty bold for Google to put a powerful cheating function right into a product it regularly sells to school districts.

Can’t Use Web Information

Many LLMs these days can take input from the web so you can feed them a URL and then base a prompt on it. But, much to its detriment, Google Workspace’s Duet AI couldn’t ingest data that I fed to it. 

For example, I sent it the URL for a job listing and asked it to write a cover letter for that job. However, it gave me an error message saying that it couldn’t do that. That’s a shame because you would need specific information like that to get the most out of the tool.

Rewriting Existing Text

If you highlight text and click the “Help Me Write” button, you can have it rewrite the text for you. That can take the form of a summary or changing the content type from an essay to a letter.

I took the text from a couple of recent articles I wrote – a review of the Lenovo Yoga 9i laptop and a recent news article on OpenAI’s Shap-E model – and pasted them into Google docs. Then I highlighted them and clicked Help Me Write. I was offered the opportunity to Formalize, Shorten, Elaborate, Rephrase or enter a custom prompt.

In the case of the Yoga 9i review, when I chose Rephrase, Google’s AI gave me back a much shorter version of my review with mostly bullet points. My review was 2,600 words but the “rephrase" version was a mere 122 words. When it gave me the sample text, I had the choice to click “Replace” which would completely replace my original text or to have it rephrase, shorten or elaborate the output.

I then tried highlighting the text from the article on Shap-E and asking Help Me Write to turn it into an email. It indeed turned the article into a politely phrased email informing the reader about the new 3D model tool. Unfortunately, it did not automatically open Gmail and put the email copy into a compose message.

I also highlighted the Shap-E article and asked Google to give me 5 headline choices that are up to 80 characters each. The results were ok. My original headline was “OpenAI’s Shap-E Model Makes 3D Objects From Text or Images” and the five suggested headlines were quite similar to that.

But, even though I asked for headlines, Google only gave me the option to Replace the entire article with its output. There was no way to just say “insert this headline at the top.”  That typifies the biggest problem with Google’s AI.

Help Me Write or Right For Me?

The biggest problem with Google’s Help Me Write feature is that it doesn’t help you write but instead wants to either do your work for you from scratch or replace your text with its own. What the tool would not do is give me advice about how to improve my existing text. When I asked it what it thought of my article, it gave me an error message, because it’s not designed to be an editor; it’s designed to be a writer replacement tool.

The quality of the writing is so basic at this point that it’s not good for doing more than just the basics. Unfortunately, the basics may be good enough for kids to cheat their way through a school assignment, for someone to phone in a cover letter or for someone who really wants to plagiarize an article to copy it into Gdocs and then ask the AI to rewrite it for them.

A truly helpful AI copilot would evaluate your writing, make suggestions for specific sections of text and allow you to choose which to accept or reject. A really useful tool would also ask you follow-up questions rather than making up details from whole cloth. If I tell you to write me a cover letter and you don’t know anything about me, ask me questions so you can do the job properly! But like so many AI products we test, Google Workspace AI and its Help Me Write feature are designed to take the wheel, even if it means that they drive you over a cliff.

Yesterday we reported on Google's announcements which fanfared AI integrations throughout its portfolio. The new Pathways Language Model 2 or PaLM 2 large language model (LLM) is already powering 25 Google services, as the search giant rushes to close the AI-gap with competitors like Microsoft.

So, we now have more AI smarts powering the Google services many of us use daily, like: Gmail, Google Docs, Google Sheets and YouTube – as well as the emerging Google Bard chatbot. However, there are some interesting “early-stage experiments” in AI which Google would like you to try, covering AI-enhanced search, workspaces, note-taking, and music making. Let us take a closer look.

To test out the new ‘Google Labs’ AI-enhanced services you first have to sign up to gain access and you will likely be on waiting list. You must be using the Chrome browser to sign up, which we learned after firing up the link in Firefox... Head over to this Google Labs page with your Chrome browser and you will find more information, sign up opportunities, and wait-lists to join for accessing the new AI-enhanced services:  Search Labs, Google Workspace with Duet AI, Project Tailwind and MusicLM. 

If you want access to all four services, you'll need to sign up for the waitlists for all four and you may get access to them at different times. For each one, you'll also be asked for your location, profession and why you want to use it. You can find all the links on labs.withgoogle.com, but here are the direct sign-up links.

• Search Labs Signup
• Google Workspace with Duet AI
• Project Tailwind
• MusicLM
• PaLM API

Search Labs

With web search at its historical core, it isn’t a surprise that Google would like users to dabble with its new AI enhanced Search Labs project. This experiment (English language, US only, initially) exposes three useful features to users: the Search Generative Experience (SGE), Code Tips, and Add to Sheets.

SGE is the most interesting new feature of the Search Labs project for typical users. Google says that this experiment takes your search term(s) and applies AI to make sense of the information that is generated by the search. For example, AI-powered overviews of the information are generated, and pointers to explore more and follow up are highlighted.

Workspace Labs

Google’s Workspace Labs project is designed to appeal to those who regularly use office productivity tools. The work of the ‘Duet AI’ here is to both create (generative AI) and act as a spare pair of hands in many routine office tasks (assistive AI).

Google asserts that Workspace with Duet AI can help with writing suggestions (Docs, Gmail), can optimize calendars, can create images from verbal descriptions, or generate background images in Meet, and more. One of the ways it works alongside you is via a side panel, which Google describes as a ‘sidekick’ companion.

Yesterday we noted that the ‘Help me write’ tool is already available to the public, but you must sign up for the extra AI tools mentioned above. Again, this experiment is geo-limited, but if you are interested follow the link and check if you can join the wait list.

Project Tailwind

Though it could sit comfortably within the Workspace concept, for some reason Google has separated out this AI-first notebook experiment. Project Tailwind is trained on your personal documents in Google Drive. It is therefore effectively a personalized and private AI model powered by the information you choose to give to it.

Google framed this as a great notebook tool for students, but it could also find fans among anyone utilizing information from a host of sources to create new work. Project Tailwind is US-only at the time of writing.

MusicLM

MusicLM is a generative AI tool which is designed to turn your textual descriptions into music. As an adapted language model (LM) it can transmute your typing into complex melodies.

Google suggests that you dip your toe in the testing water of this tool by inputting a prompt like “soulful jazz for a dinner party.” Whatever you input, MusicLM will provide two audio alternatives, asking you to click on a trophy next to your favoured result to improve the AI model.

MusicLM appears to sit alongside the most impressive AI applications which write and render images from a little human prompting. Again, there are geo-limits on applications, and even if you are accepted as a potential service tester you may be put on a wait list.

PaLM API

If you're a developer and you want to build your own AI tools using Google's PaLM API,  you can join the waitlist for that.

Google kicked off Google I/O this afternoon by talking for more than an hour about its numerous advances in artificial intelligence.  The company discussed its new PaLM 2 large language model (LLM) for generative AI, which powers the Bard chatbot tool. This is a foundational pillar for adding AI-infused features across Google's product portfolio, including Google Maps, Google Photos, and Gmail (among others).

With that in mind, there is a need for some serious horsepower in the cloud to power models in the wild, as millions (and eventually billions) of users send requests for operations as mundane as removing a person lingering in the background of a picture to composing an entire email for you based on a short text prompt. That's where Google's new A3 GPU supercomputer comes into focus. Google says the new A3 supercomputers are "purpose-built to train and serve the most demanding AI models that power today's generative AI and large language model innovation" while delivering 26 exaFlops of AI performance.

Each A3 supercomputer is packed with 4th generation Intel Xeon Scalable processors backed by 2TB of DDR5-4800 memory. But the real "brains" of the operation come from the eight Nvidia H100 "Hopper" GPUs, which have access to 3.6 TBps of bisectional bandwidth by leveraging NVLink 4.0 and NVSwitch.

According to Google, A3 represents the first production-level deployment of its GPU-to-GPU data interface, which allows for sharing data at 200 Gbps while bypassing the host CPU. This interface, which Google calls the Infrastructure Processing Unit (IPU), results in a 10x uplift in available network bandwidth for A3 virtual machines (VM) compared to A2 VMs.

"Google Cloud's A3 VMs, powered by next-generation NVIDIA H100 GPUs, will accelerate training and serving of generative AI applications," said Ian Buck, VP for hyperscale and high-performance computing at NVIDIA. "On the heels of Google Cloud's recently launched G2 instances, we're proud to continue our work with Google Cloud to help transform enterprises around the world with purpose-built AI infrastructure." 

If your business wants to leverage A3 virtual machines, the only way to gain access is by filling out Google's A3 Preview Interest Form to join the Early Access Program. But as Google clearly states, plugging in your information doesn't guarantee a spot in the program.

What is Mastodon?

Mastodon is an alternative social media platform which uses individual servers, each independently run by an administrator, to create a larger network (often called the "Fediverse," a combination of "federated" and "universe") where users can post messages. 

Each Mastodon instance is independent of others, in much the same manner as an email server. You may sign up for one instance, but you can send and receive messages with others. The example given on the Mastodon GitHub page is that when we sign up for an email account with Gmail, Yahoo or Outlook, we are not limited to just sending emails to users on the same server.

Unlike Twitter, Mastodon has two timelines, local and federated. The local timeline is every post with a public status from users on the same instance as you. The exceptions are posts (which were called toots) which are replies to others. The federated timeline is every post with a public status from other instances which are known to your instance. Both of these timelines can be busy, with posts flying up the screen. A new term to learn is “boost” which is analogous to Twitter’s retweet. Of course, you can also follow a feed made of accounts that you have subscribed to, much like Twitter.

How can you move from Twitter to Mastodon and which is the right instance for you? In this how-to we will cover exactly that and learn how to cross post from Mastodon to Twitter and search for our Twitter followers on the many Mastodon instances.

Moving from Twitter to Mastodon

The first task when moving from Twitter to Mastodon is choosing the correct instance. With Twitter, there is just one instance and timeline. But with Mastodon you first have to choose an instance (server). There are two things to consider. Firstly, the size of the server. A larger server is more likely to be backed by a group / organization that can financially support it. Smaller servers may be quiet havens in a busy world, but they run the risk of being the folly of a well-intentioned and eager admin. Secondly, try and select an instance for a subject you are interested in. This means that your posts will merge seamlessly with the posts in the local timeline. If you are interested in Raspberry Pi, but others are not, then your posts may not get the attention they deserve.

1. Open a browser to this wizard to select the correct server for you, click Start to begin. If you know which instances you're interested in, you can also go to them directly.

2. Set your preferred language(s) and click Next.

3. Select the number of users that you would like on an instance. Smaller instances are quieter, but you run the risk of the instance disappearing. We chose “It does not matter”.

4. Set your moderation rules for each of the criteria and click Next. The moderation rules are used to filter instances that support your choices.

5. Use the search bar to filter the instances for your chosen subject. We searched for retro computing hardware and found two instances that supported our interest.

6. Click on your preferred instance and follow the sign-up process. The sign up process is generally straightforward, requiring you to provide a username, password and email details. Some instances are invite only. Popular instances, such as mastodon.social have periods where sign-ups are paused. This is to reduce the load on the server. Before signing up it is wise to read the rules / terms for that server.

Your First Post

In Mastodon a message can be sent to your followers, and, in this case, anyone on the local and federated timelines. 

1. In the web interface type, in your message and click "Publish" to send a message to all of your followers, local and federated timelines.

2. Type @ and then the first few letters of a follower name to send a post directly to a follower.

Sending a DM

1.  Search for / select the person who you wish to DM. There is a search box in the top left of the Mastodon page.

2. On the recipient's profile click on the three vertical dots and select Direct Message.

3. In the dialog box on the left side of the screen, type your message and click Publish to send. Note that the message starts with @ and the name of the recipient. Also note that the Publish button has a padlock. Indicating that the message is private.

4. Alternatively, click on the globe icon and select “Mentioned People Only” then type in the handle of the recipient. Direct messages will still appear in your home timeline; this is normal and does not mean that it has been sent to all of your followers. Not that the timestamp (top right) is altered to show @ rather than a globe. This means the message is private.

5. Messages can also be posted as Unlisted, visible to all (but opted-out of discovery) or only for Followers.

Finding Your Followers

You’ve made the move, but have your Twitter followers? That carefully curated group of followers are mostly likely in the same boat as you. So how do we find our followers and the people we follow?

The simplest way is to use a tool that checks your follower list and searches for them on the many Mastodon instances. Debirdify by Manuel Eberl is just such a tool and we will use it to find our followers on Mastodon. Hat tip to Drew Fustini (https://mastodon.social/@pdp7) for pointing us to this tool.

1. Open a browser and go to the Debirdify website.

2. Click on "Authorise With Twitter."

3. Authorize Debirdify to use your Twitter account. This provides read only access to Twitter, enabling the tool to scan your followers and the people you follow, and use the data to search Mastodon’s instances.

4. Click on Search Followed Accounts to search for the accounts that you follow on Twitter.

5. Scroll down the page and download the CSV export. Graphs and a list of followed accounts (grouped by instance) show how they are spread across the many instances of the fediverse.

6. Click on Search Followers to find those that follow you on Twitter.

7. Scroll down the page and download the CSV export. Graphs and a list of followers (grouped by instance) show how your followers are spread across the many instances of the fediverse.

8. Open a browser to your Mastodon account and click on Preferences. Our instance is on mastodon.social, opening this in a browser will open a columned display similar to Tweetdeck.

9. Click on Import and Export.

10. Click on Import and then set the import type to Following list and then select the CSV file containing the accounts that you followed on Twitter. Ensure that Merge is selected before pressing Upload. This will merge the list of CSV contacts with your current Mastodon contacts.The process can take some time, depending on the instance's current load and the number of users in your list.

11. Optionally, import the list of the accounts that follow you on Twitter. 

The import will take some time and will happen in the background, over the next few hours you will see many notifications confirming that you are now following the accounts.

Cross-posting Between Mastodon and Twitter

Cross-posting is where we can post from one service to another. It is normally used when either migrating one service to another, or for growing your presence across multiple services. Setting up cross posting is a simple matter of authorizing an application to act as a bridge between the two services.

1. Open a browser to Mastodon Twitter Crossposter. This project was created by Renato Lond Cerqueira.

2. Click on Twitter and authorize the Crossposter app to access your account.

3. Click on Mastodon and authorize the Crossposter app to access your account.

4. Check that both accounts are now linked. This provides the basic bridge between the two services.

5. Click on Options >> Options overview. Using this menu we can further tweak the settings at a granular level to create a bespoke bridge between the services.

6. Select to send your posts to Twitter, and Tweets to Mastodon then click Update User. Now we have set up the basic bridge between Twitter and Mastodon. In our example we have decided not to post our Tweets to Mastodon, but our posts will go to Twitter. You may want to experiment with this and consider which messages are appropriate for which platform.

7. Click on From Mastodon to Twitter. Here you can optionally configure which messages are sent to Twitter. Tweak your settings accordingly and click Update User to save.

8. Click on From Twitter to Mastodon. Here you can optionally configure which messages are sent to Mastodon. Tweak your settings accordingly and click Update User to save.

Mastodon Clients

Mastodon can be used via the browser, and for the first few days of using Mastodon that is exactly how we used it. 

The basic UI is pleasant and easy to use. Power users can unlock a Tweetdeck inspired UI via Preferences >> Advanced > Appearance > Enable Advanced Web Interface. 

But there are alternative clients for the desktop and mobile devices, including official apps, which provide a better user experience.

For Windows, macOS and Linux users, Whalebird is an excellent application which uses a Slack-inspired layout to enhance your Mastodon experience. The layout is clear, with a series of tabs along the left side of the interface offering quick access to notifications, direct messages and the local / public timeline.

For Android users, Tusky has proven to be a good client in the time that we have been using it.

The interface is clear, with a top row for quick links to our timeline, notifications, local and federated timelines. Posting, boosting etc are all within easy reach and the user interface feels responsive.

Managing email is like cleaning up after the world's most rambunctious toddler. Technically it's possible, sure, but odds are that something new will demand your attention as soon as you've caught up. Google is hoping to make this nigh-impossible task (managing email, not cleaning up after a toddler) seem a little bit more doable with a new context menu in Gmail.

People tend to take the mighty right-click for granted. But many developers offer quick access to common tasks, like renaming a file or opening a link in a new tab, behind that humble button. It can be hard to strike the right balance, though. Having too many options can make it hard for someone to find what they're looking for. Having too few, on the other hand, is a wasted opportunity.

Gmail currently belongs to the latter camp. Right-clicking an email offers very few options: "Move to tab," "Archive," "Mark as read," "Mark as unread" and "Delete." There are some notable omissions there, the foremost of which being the inability to quickly reply to a message via the context menu. The lack of a "Snooze" option is strange, too, since that action's included among the buttons shown whenever someone hovers over an email.

Google is planning to change that with a new context menu that includes many more actions. You can see the full list in the image above, but we'll share it here for posterity:

• Reply
• Reply all
• Forward
• Archive
• Delete
• Mark as unread
• Snooze
• Move to
• Label as
• Mute
• Find emails from (Sender)
• Open in new window

People who don't use Gmail's conversation view can also find all emails with the same subject line by using the context menu.

That should cover pretty much everything most people want to do with an email without actually having to open it. The menu isn't exactly the same as the one shown in the message view--it's missing things like "Add to Tasks" and "Filter messages like these"--so we doubt Google simply copied the actions from that menu for this new one. It seems like the company thought about (and likely A/B tested) exactly what a right-click should do.

Besides, as long as they don't mar an otherwise good experience, having more options isn't usually a bad thing. Want to control everything via keyboard shortcuts? Gmail can do that. Prefer to point and click your way through the never-ending barrage of emails? This update will make that easier, too. 

Google said this feature will start rolling out to G Suite users with Rapid Release domains on February 11 and Scheduled Release domains on February 22. The rollout will vary: the company said this feature will appear over the course of 15 days for Rapid Release domains and three days for their Scheduled Release counterparts. People who use the personal version of Gmail should be able to use the context menu sooner than later.

UPDATE: Nov. 16, 3:05 p.m.: Microsoft communications head Frank X. Shaw said on Twitter that the ads are "an experimental feature that was never intended to be tested broadly and it is being turned off." Original article below:

It's almost impossible to escape advertising. Brands market their wares anywhere they can, and with the shift towards free software, tech companies often rely on advertising to actually make some money. Nothing is safe from the inexorable crawl of ad-based marketing, and Microsoft has provided yet another example of that by releasing a Windows 10 preview build that includes ads in the operating system's Mail app.

Mail reportedly shows interest-based ads in the latest version of Windows 10 released to members of the Windows Insider Program. That means Microsoft is using what it knows about its users--it doesn't appear to be scanning anyone's emails--to show ads it believes are relevant to them. This is a common practice, but that doesn't mean everyone's comfortable with it, especially when the ads pop up in communications tools.

It's possible to opt out of these interest-based ads via Windows 10's settings. But the ads won't disappear entirely; Mail will just display a generic advertisement instead. The only way to get rid of these ads is to subscribe to Office 365--even if someone's using Mail for Gmail or some other email service. That means users either have to put up with the ads or pay for a productivity suite.

This isn't the first time Microsoft has introduced ads in its software. The company added games like Candy Crush to new installs of Windows 10 and has displayed notifications throughout the operating system's user interface, for example. 

The interest-based ads were added to Mail in version 11605.11029.20059.0. Because this is just a test among Windows Insider Program members, it's possible Microsoft won't move forward with the decision to fill Windows 10 Mail with ads when it releases its next update to the general public.

According to a WSJ report, Google’s social media service, Google+, exposed the private profile data of almost 500,000 users for the past three years; however, the company opted not to tell anyone about it, fearing that it would face both reputation damage as well as new regulations.

Undisclosed User Data Exposure

Google learned in March that a software vulnerability that has existed in its Google+ service since 2015 could have allowed malicious third-party app developers to access users’ private profile information.

The company discovered the issue right when the Facebook-Cambridge Analytica privacy scandal was still fresh on everyone’s minds. At the time, multiple governments were scrutinizing Facebook over its data practices, and, according to WSJ's report, this seems to be the reason why Google failed to disclose its security issue to the public.

A memo by Google’s legal and policy team to the company’s senior executives and obtained by WSJ said that disclosing the incident would trigger “immediate regulatory interest” and invite comparison to Facebook’s scandal. After an internal committee had already reached the decision not to disclose the privacy and security issue to the public, Google’s CEO, Sundar Pichai, was also notified.

Google told WSJ that it came to the conclusion not to disclose the issue based on several factors, including whether the company could accurately identify the impacted users, whether there was any evidence of misuse and whether there was any action the users could have taken. The company said that “none of those thresholds were met.” The internal memo from the legal and policy staff said that the company had no evidence of any attack exploiting this vulnerability, but there was also no way to know for sure.

The exposed private profile data included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.

According to WSJ’s report, the Google+ privacy issue was due to an API that allowed third-party developers to collect users’ friends data, even if that data was set to non-public. When a user granted a developer permission to their profile, any of the data related to that profile could be collected by the developer. This is very similar to how Cambridge Analytica was able to collect data on millions of users too. Although it’s not able to tell whether or not apps misused user data, Google said that up to 438 applications had access to unauthorized Google+ data.

Google+ Shuts Down

Considering that Google+ has been considered a bit of a ghost town for years already, it’s not too surprising to see it shut down. However, it’s still interesting to see the company is making this decision now, after the privacy issue became public. 

The company told WSJ that shutting down Google+ is part of a recent effort to limit third-party developers access to its users’ data, including Gmail add-on developers and Android app developers.

Google said that only Gmail add-on developers that pass security audits will be allowed to continue accessing users' Gmail accounts, while “most” third-party Android developers will no longer receive access to users’ SMS messages, call logs and some additional forms of contact data on Android devices. Previous reports have found that some third-party Gmail add-on developers were reading users’ emails, supposedly to improve their algorithms.

Google CEO to Testify In Congress

Google’s lawyers advised the company’s executives, including its CEO, to avoid public disclosure of this privacy issue because the company was “not legally required” to do so. Unlike in the EU, where data breach notices are mandatory within three days of the event due to laws such as the recently passed GDPR, the U.S. doesn’t yet have federal laws regulating data breach notices.

Google also feared that disclosing the Google+ privacy issue would mean that CEO Sundar Pichai would have to testify in Congress, just as Mark Zuckerberg did. In fact, some senators did call for Google’s CEO to appear in a data privacy hearing earlier this spring. Pichai has refused to testify multiple times since then, but he recently agreed to testify in the U.S. House in the coming weeks.

Google was roundly criticized earlier this week for automatically signing people into Chrome if they used it to log in to Gmail, YouTube and other services. That didn't happen with previous versions of the browser, but with the release of Chrome 69 in early September, the company silently changed this behavior. Now, it's responding to critics by making those changes much clearer--and easier to notice--for all Chrome users.

Signing in to Chrome doesn't accomplish much on its own. It does offer the option to sync open tabs across devices, though, and people feared that it would be all-too-easy for Google to activate that feature for anyone signed in to the browser. (Similar remote changes to user settings have occurred before.) Quietly changing the way Chrome handles Google accounts was also likely to undermine people's trust in the browser.

Google didn't mention this change in any of the materials it released about Chrome 69. It had plenty of opportunities--this latest release celebrated the browser's tenth birthday, and somewhere in between revealing the new design and trumpeting various performance improvements there was bound to be a chance to discuss it. Instead, Google only explained its rationale after the change was discovered. It said in a blog post:

"The new UI reminds users which Google Account is signed in. Importantly, this allows us to better help users who share a single device (for example, a family computer). Over the years, we’ve received feedback from users on shared devices that they were confused about Chrome’s sign-in state. We think these UI changes help prevent users from inadvertently performing searches or navigating to websites that could be saved to a different user’s synced account."

Shortly after criticism over this decision began, Google said it would update Chrome's privacy policy to reflect this change, and now it's revealed its plans to help clarify the situation. The first will be an option in Chrome's settings to disable this surprise feature, and the second will be a change to the browser's user interface that makes it clear that being signed in to Chrome does not mean the sync feature has been enabled.

The company will also respond to another problem: Google auth cookies persisting even after someone clears their cookies. The company said this was supposed to "allow you to stay signed in after cookies are cleared." Yet that defeats the purpose of clearing those cookies in the first place. So the company is planning to make it so Google auth cookies are deleted and users are signed out like they're supposed to be.

Google said these changes will arrive with the release of Chrome 70 in mid-October. That release's previous highlights were the addition of a Shape Detection API, improvements to the Web Authentication API and various back-end improvements. 

The latest version of Google Chrome brought significant changes to the browser. It received a new design, improved password management, and many other tweaks released in honor of its 10th birthday. Johns Hopkins University cryptographer Matthew Green revealed that Google made another change: Chrome now automatically signs users into their Google accounts within the browser whenever they log in to a Google service.

Chrome has long allowed people to sign in to their Google accounts so they can keep their open tabs in sync across devices. This feature was optional, however, and many people chose not to use it because they didn't want their browsing history to be sent to Google. Not signing in to Chrome was an easy way to make sure the feature wasn't "accidentally" enabled.

Worse still was the fact that Chrome doesn't let people know when it's automatically signed them in to their Google account. The company didn't just remove the option to use its browser without using a Google account; it did so in a way that makes it hard to believe Google wasn't trying to escape scrutiny. There's no mention of this change in the blog posts, patch notes or even privacy policy that accompanied Chrome 69's debut.

Google should have known this change would A) be discovered and B) rankle people who care about their privacy. The company is often criticized when things people already knew, such as the fact that it lets third-party app developers scan Gmail if people connect their accounts, come back into the public eye. Secretly making a change to Chrome that at least appeared to undermine privacy was bound to be controversial.

Here's the good news: Green said in his blog post that Google engineers told him Chrome doesn't automatically enable the sync feature even when someone is signed in. He was also told Google would update Chrome's privacy policy to note the new behavior. Both of these decisions are supposed to relieve Chrome users who feared their browsing history had been secretly handed over to Google because of this change.

But neither actually resolves the main issues with this change. The fear that Google now has the potential to enable syncing without notice is still there, especially since the company remotely enabled the battery saver feature on Android smartphones by accident in mid-September. Things happen--settings are changed during the update process, bugs undermine settings, etc.

The other problem was the fact that everything about this change was kept secret from Chrome users. More information has become available since Green published his blog post, and Google has stressed that being signed in to Chrome doesn't automatically undermine someone's privacy, but the point is that people expect to know when something that could affect their privacy changes without a peep after years of use.

We asked Google for more information about this change and a spokesperson linked us to a series of tweets from Chrome engineer and manager Adrienne Porter Felt. In addition to saying that Google is working to update Chrome's privacy policy and that merely being signed in to the browser doesn't enable the sync feature so many people are worried about, Porter Felt explained the reasoning behind the change:

"My teammates made this change to prevent surprises in a shared device scenario. In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device. [...] The new UI clearly reminds you whenever you're logged in to a Google account. Plus, you now only need to sign out in one place before you share your computer with someone else."

All of which means a feature that was actually supposed to help Chrome users keep their information private from people with access to a shared computer has rekindled the flame of controversy around Google's privacy practices. The company doesn't appear to be changing its mind, though, so anyone concerned about being signed in to Chrome will either have to be more vigilant or switch to a different browser.

Many sitcoms use pre-recorded laugh tracks, and even the ones that don't let the audience know exactly when they're supposed to chuckle. A similar thing happens when it comes to privacy scares. Some problem is revealed, usually regarding a big tech company, and people are expected to freak out. The latest cue to act surprised: Google told U.S. lawmakers that it lets third-party devs scan and share email via Gmail.

That's supposed to seem like some kind of revelation. Pretending that it is, though, is more like following someone else's prompt than genuinely responding to what The Wall Street Journal read in a letter Google sent to senators questioning the privacy protections afforded to Gmail users. The reality is that we've always known third-party apps could read messages in Gmail because they simply wouldn't exist without that capability.

How else is a third-party app made specifically for Gmail supposed to function? People use these products because they want to be able to handle their inboxes better, extract information from the far-too-many emails they receive each day, or do something else that Gmail doesn't. Being upset that Google lets developers access this data is like someone in a high-rise being mad at their doorman for letting UPS into the building.

There is one key difference: the WSJ reported in July that some of these developers were having their employees read some emails themselves so they could train AI. Developers can also share information with outside companies, meaning information gleaned via email scanning could be used to inform advertisements, for example. A lot of Gmail users probably didn't realize the contents of their emails could be used in that way.

But that comes down to a matter of technical literacy. Many companies offer free services that are monetized by advertisements. Marketers want to make sure their ads reach the right people, so they require access to increasing amounts of data from the companies they do business with. Using these free services, then, often requires people to give up their privacy in exchange for not having to pay for a product themselves.

The WSJ's report also indicated that Google isn't simply letting developers access information willy-nilly. The company reportedly said in its letter that "developers may share data with third parties so long as they are transparent with the users about how they are using the data" and that it requires privacy policies for these third-party apps to be "easily accessible to users to review before deciding whether to grant access.”

A similar rule applies to how Google handles Gmail itself. The company stopped collecting information for the purposes of ad targeting from Education users in 2014, and did the same for all Gmail users in 2017. But note the phrase "for the purposes of ad targeting." The company still uses its access to Gmail users' messages to introduce new features like Smart Replies and the inbox that automatically categorizes messages.

There are plenty of things worth criticizing Google--and other large tech companies--regarding their handling of user privacy. The company's ability to read "confidential" messages, its decision to stop working on end-to-end encryption in Gmail and efforts to gather more information are all worrisome. Letting third-party apps function, both technically and financially, is now part of the status quo.

Getting Light Text on a Dark Background

By default, most software shows dark text on a white background, much like old-fashioned ink on paper. However, many prefer the exact opposite, light-colored text on a dark screen, and find it easier on the eyes. Who wants to stare at a bright white screen in a room with the lights off?

From Windows' setup menu to all three major web browsers to social media sites like Twitter, many programs and web tools offer ways to change into what they call either Dark Mode, Dark Theme or Night Mode. Here's how to get light text on a black background in over a dozen popular PC and web-based apps.

Turning on Dark Mode in Windows 10

To enable dark mode in Windows 10, right click on the desktop and select Personalize. Click Colors in the left pane. Then scroll down and select Dark under Choose your default app mode.

Settings Menus

Entering Windows 10's dark mode makes all of the operating system's setting menus have light text on a dark background. You can control the color of the icons by choosing an accent color in Settings->Personalization->Colors.

File Explorer

In current Windows 10 Insider builds, enabling dark mode in the settings menu also turns it on for File Explorer. However, if you don't want to run an Insider Build of the operating system, you'll have to wait for the next major update.

Microsoft Office Menus

If you want all of your Microsoft Office apps to turn dark, all you need to do is open one of them (ex: Word), navigate to the File tab, click Account and then select Black from the Office Theme menu. These settings will affect the menus in Outlook, Word, Excel, PowerPoint and more.

Word Documents

Even if you change the Office theme to black, the actual documents will still show black text on a white background. If you want to change the editing area for all new documents, first open the Normal.dotm file, which is likely located in C:Users[YOURID]AppDataRoamingMicrosoftTemplates.

Navigate to the Design tab and select black from the Page Color pulldown. The text will automatically be white. Save the file. Then navigate to File->Options->Advanced and check "Show background colors and images in Print Layout view."

Existing documents that other people send you will still be black on white, unless you head over to the Design tab and select black from the Page Color menu each time.

High-Contrast Mode for Windows

Windows 10's dark mode changes the menus on the settings menu, File Explorer (in Insider builds) and a few other places, but it doesn't affect the vast majority of traditional apps people use. When you really, really want all of your programs to have light text and dark backgrounds in their menus, you can enable Windows' high-contrast mode.

Keep in mind, though, that high-contrast mode is a blunt instrument and makes a lot of things in UI look very ugly. For example, the live tiles in the Start menu look just awful. However, if you decide you want high-contrast mode, navigate to Settings-> Ease of Access -> High-Contrast and switch it to on.

Skype

Skype has a built-in dark theme. To activate it, navigate to Settings->General->Themes. Then choose Dark. It's that simple.

Twitter Night Mode

Twitter's dark mode is called Night Mode. To activate Night Mode, click on your profile picture and select it from the menu.

Dark Mode for Web Pages in Chrome / Firefox

No matter how dark the rest of your apps appear, most web pages will still have dark text on a black background, unless you use a browser extension to solve the problem.

Download Dark Mode for Chrome or for Firefox. It puts a switch into your browser toolbar and, if you toggle it to on, all web pages change to white on black. It also offers a variety of custom dark modes or modes that are made just for popular sites such as Google, Amazon and Reddit.

Dark Themes in Your Browser

To make the tabs, address bar and toolbars in your browser turn to the dark side, you need a new theme, and there are many options. Chrome's store has a huge listing of dark themes. The Morpheon Dark theme is my favorite. 

Firefox users have a built-in dark theme they can active by navigating to Customize from the settings menu and then selecting Dark from the theme pulldown on the bottom of the screen.

In Edge, navigate to Settings and select Dark from the Choose a theme menu.

Gmail Dark Theme

It's easy to change the color scheme in Gmail so that your inbox listing has light text on a dark background. However, the individual emails you open or write will still be black on white.

To change the theme in Gmail, navigate to settings by hitting the gear icon in the upper right area of the screen. Then select Themes, scroll down and pick the onewith the black background.

YouTube Dark Theme

When you go to the movie theater, they turn the lights off to help you see the movie better, so why would you want a white background surrounding your video player? To turn the lights down in YouTube, click on your picture, select Dark Theme and toggle the switch to on.

Visual Studio Dark Color Theme

If you're writing an app for Windows, chances are that you're using Microsoft Visual Studio. The development environment makes it easy to go into dark mode. Just navigate to Tools->Options->General and select Dark from the Color Theme pulldown.

You can also choose custom background and foreground colors by navigating to Tools->Options->Fonts and Colors.

Notepad++ Dark Themes

My favorite development tool, Notepad++ is a text editor on steroids. This must-have piece of freeware lets you view files side-by-side, do advanced search/replaces and get all kinds of visual cues to help with your coding. 

By default, Notepad++ has light text on a dark background, but the software comes with a ton of preinstalled themes, including many different dark ones. Navigate to Settings->Style Configurator and then choose a theme from the list. I recommend Bespin or Blackboard.

Reddit Night Mode

When you're sitting in a dark room, combing through the posts on Reddit, you don't necessarily want a bright white screen staring back at you. Fortunately, the social network makes it very easy to change to a dark theme. Just click on your username (or a down arrow if the screen is too narrow) in the upper right corner of the screen and then select Night Mode.

Google’s previously announced “confidential mode” is now live in Gmail across all devices, but the feature may not be as privacy-focused as Google would like us to believe.

Gmail Confidential Mode

Earlier this year, Google announced confidential mode, a security feature for the new Gmail interface. The feature should sound familiar to Snapchat users. It works in a similar way in which all emails with the feature enabled will self-destruct after a set amount of time. Users can also choose to enable a “SMS passcode,” which is generated by Google.

The confidential mode has now gone live, and Gmail users that have enabled the new interface are able to use it on both desktop and mobile. Senders are not only able to control when the email messages self-destruct, but they can also remove the recipients’ access to messages from their own Sent folder whenever they want. The senders are able to do this because the confidential emails can only be read using Gmail, so Google controls the experience at all times.

Google Can Still Read Confidential Messages

Google is offering confidential mode primarily so users who have their accounts hacked don’t expose old emails with private information. Most people don’t delete their emails, so this could be a way to automatically keep their inboxes, as well as the inboxes of their friends, clean and secure.

However, unlike services that use end-to-end encryption, Google can still read all of those emails. Additionally, Google doesn’t allow users to set their own symmetric encryption passwords for emails, as that password is automatically generated by Google and sent to recipients via SMS. This achieves two things for Google. First, it encourages users to give Google their phone numbers and link them to their email addresses, and second, Google remains in control of decrypting those emails at all times.

After Edward Snowden’s revelations, Google seemed eager to adopt end-to-end encryption for Gmail. The company eventually abandoned that project. Since then, some end-to-end encrypted email services, such as ProtonMail, have continued to gain popularity, so confidential mode seems to be Google’s answer to that.

However, this seems like a superficial answer that doesn’t solve any of the problems that ProtonMail and other end-to-end encrypted services do. Furthermore, it may actually increase users’ risk to phishing attacks, as now attackers could start pretending that they need user credentials before the confidential emails are shown to recipients.

Additionally, we keep learning more and more that SMS security is vulnerable, so Google’s SMS-reliant solution doesn’t seem too future-proof.

"DRM for the Web"

The Electronic Frontier Foundation (EFF) has also criticized Gmail’s confidential mode as being some sort of “DRM for the web.” According to the EFF, Google has the ability to store your emails indefinitely, regardless of whether or not your emails have “self-destructed.” 

Much like DRM, which stands for digital rights management, Google has a feature called “Information Rights Management” (IRM) that allows the company to disable certain Gmail features, such as forwarding, on confidential emails. To prevent the forwarding of confidential emails on other email services, Google encrypts the confidential email messages so that only Gmail users can read them (whether or not the sender has set-up a SMS passcode). Like DRM, the security benefits of this feature also depend on Section 1201 of the Digital Millennium Copyright Act, which makes bypassing the IRM lock a potential felony, carrying a five-year prison sentence and a $500,000 fine for the first offense.

What this means in the real world is that competitors will not be able to reverse-engineer Google’s IRM and read the confidential emails. The EFF also believes that Google calling messages that have supposedly self-destructed “expired” is misleading because the sender, as well as Google, can continue to see those emails indefinitely.

Gmail's confidential mode could still prove useful in some situations, if users care enough to enable it, but ultimately it's nowhere near as secure as an end-to-end encrypted email message that only the sender and the receiver can read. 

Google is today allowing users in the United States sign up for Google One, its new consumer storage service with a new name and pricing. Users with paid Google Drive plans may have already been upgraded.

If you’re not in the U.S., you’ll have to wait a bit. Google says that it will open up One to more countries in the coming weeks.

Google One plans start at $1.99 per month for 100GB, $2.99 for 200GB or $9.99 per month for 2TB. Users with 1TB plans are automatically upgraded to the 2TB plan, and the 200GB option is brand new. Of course, you still get 15GB of free space with Google services, but none of the extra benefits. One does not replace Drive, but rather allows for space across all the entirety of Google’s ecosystem.

Additionally, Google One allows for a family plan, so you can have as many as five people sharing storage on a single bill. This is similar to Microsoft’s Office 365, which provides 1TB of storage for up to five users (plus five Office installs).

But Google One’s plans are a bit cheaper than Microsoft’s OneDrive, which offers 5GB of storage free, 50GB for $1.99 per month, 1TB for $70 per month, which includes Office 365, and 5TB with Office 365 (5 installs) for $99.99 per year.

Google One also adds 24/7 customer service to answer user queries. I had a chance to go hands-on with it. A little after 6:30 p.m., I contacted support to ask about how to access Gmail offline. I had to be transferred to another representative, but despite the simple question, the Google rep never made me feel dumb (and even backtracked when I pretended to be confused).

Additionally, Google is adding rewards to Google One members using its services. The company states that it has begun by issuing Google Play credits and deals on hotels found through Google Search (another odd echo of Microsoft’s Bing Rewards). Google suggests that in the future, deals on Google Express and the Google Store could become available.

Again, if you’re not in the U.S., you’ll have to wait a bit. Google says that it will open up One to more countries in the coming weeks.

Users who want to join Google One can go to the website for more details.

This month, Google revealed the extreme effectiveness of FIDO Universal 2nd Factor (U2F) security keys against phishing within the company. Google has now announced that it has built its own U2F security key, called the Titan Key, which promises secure and easy-to-use PC and mobile authentication for both enterprise cloud customers and consumers.

Google’s U2F-Based Titan Key

The most known security key maker right now is Yubico, which is also one of the founding members of the FIDO Alliance. The FIDO Alliance is the same group that develops the U2F and WebAuthn standards for secure and easy-to-use, hardware-backed authentication tools.

Yubico has consistently released quality security keys with support for PCs, mobile phones and even servers, which is why its keys have become so popular. Google now plans to give Yubico a run for its money by launching the Titan Key.

On the dedicated page for its security key, Google claims Titan Key is something every security-conscious user should have and is an absolute must for IT professionals and other similar high-value targets.

Google’s own developers wrote a custom firmware for the Titan Key to verify the integrity of the generated encryption keys at the hardware level. Google’s security key uses the same FIDO U2F standard that everyone else, including Yubico, uses too. The security key works with services such as the company’s G Suite, Cloud Identity and Cloud Platform, as well as other services, like GitHub, Dropbox and Facebook.

Although Google is only making the Titan Key available to its cloud customers for now, it will soon sell the security key in its Play Store so anyone can get one.

The Need For More Secure Authentication

These days, we seem to hear about a major data breach or leak exposing the data of millions or tens of millions of users every month or two, if not more often. Large companies almost seem defenseless against sophisticated attackers, although they are certainly not without blame either. The data breaches are usually enabled by companies continuing to use legacy and unpatched software, poor security practices that don’t emphasize endpoint security strongly enough and social engineering or phishing.

According to Google, a common phishing attempt is to put up a fake website that pretends to be a Google service (such as Gmail) asking for a two-factor authentication code. Once the criminals get that code, and assuming they’ve already gotten the victim's passwords, they can then attempt to recover credentials for work-related data too. Eventually, they can gain access to data hosted by certain cloud providers or enterprise companies hosting it on their own servers.

How U2F Keys Improve Authentication

U2F security keys have proven to be virtually invulnerable to phishing, which is why they're increasingly being adopted, even by federal U.S. federal agencies. They're not just highly resistant to phishing, but they're literally as easy to use as clicking one button next to your device when you're trying to log into a website.

The reason U2F keys make phishing so difficult is because the public encryption key that needs to be sent to the corresponding website when a user tries to authenticate with a U2F security key will simply not work with the fake website.

The Wall Street Journal published what seemed like a bombshell report about developers being able to read your emails if you give them access to your Gmail account. There's no doubt that some of the actions described, such as having employees read users' emails to train machine learning algorithms, are cause for alarm. But thinking developers weren't going through users' emails was simply naive.

Using a service like Gmail puts you at the mercy of companies like Google. Because the messages aren't end-to-end encrypted, the company has the ability to read them whenever it wants. Google said it doesn't usually--employees are said to read emails only when they need to to squash bugs or fix security flaws--but the reality is that Gmail users have little say over who at Google can read their email.

Users also have few controls over what third-party developers can do once they're granted access to an account. Many of these developers simply want to offer a new email app, help you sift through your emails, or do something else you can't achieve through Gmail's core experience. Developing those features isn't easy, though, and the WSJ reported that some developers read users' emails to help speed up the process.

None of this should be news to anyone. The issue of who can read your communications has been repeatedly brought up since Edward Snowden revealed NSA surveillance programs in 2013; that's why end-to-end encrypted tools like Signal have become increasingly popular. The dangers of giving app developers access to your information was also headline news when an OAuth phishing scam compromised 1 million Google users.

Let's spell it out again: non-encrypted messages aren't secure and developers will gather as much information about you as you let them. Using a service like Gmail or a third-party app requires a leap of faith, and no one should be surprised when that faith is misplaced. Not that the problem is exclusive to email. Remember when Uber came under fire because employees were tracking journalists, exes, and other people?

The phrase "fox guarding the henhouse" could have been coined specifically for this situation. Companies that rely on user data to make their money, improve their features, or merely just offer their services are going to find ways to access more of that data. Any restrictions will either be self-imposed or required by regulators--neither of which prevents rogue employees from abusing their positions to spy on their users.

Yet the fact of the matter is that none of this will shock people enough to effect change. Users will still be surprised when a report similar to the Journal's is published in the future, or when they're told after a data breach not to use the same password on very website, or when they're reminded not to download suspicious files because some new malware is spreading faster than the flu. Time will tell which headline we'll see in a week.

None of that is to say that the Wall Street Journal and other publications should just give up on consumers. The specter of being publicly chastised for misusing data is, in some cases, the only thing stopping companies from behaving even worse. Just don't expect the majority of Gmail users to change their habits or even remember this story in a few days. Most hens only worried about "now," and can't be bothered with "then."

Google, you complete me. On the other hand, maybe you shouldn't. Yesterday at its I/O conference, the search giant unveiled two creepy A.I. features: one that finishes your sentences in Gmail and another that literally makes phone calls for you, using a deceptively human voice.

As a tech geek I'm impressed, but as a human who values communication, I'm bummed out. The language you choose when writing and the intonations you make when speaking are your own. If a computer does the talking for you, then your "word" isn't really yours.

Whose words are they?

Google's new Smart Compose feature helps you finish your sentences. For example, if you start typing "Hav" at the beginning of a message, it suggests completing the phrase as "Haven't seen you in a while." If you start writing "Does next T," it suggests that you say "Does next Tuesday work for you?"

On the face of it, these suggestions seem innocuous. If you really meant to say "haven't seen you in a while," you can save yourself two dozen keystrokes by hitting tab. But what if, you really were thinking about saying "Haven't hung with you in a minute," which means essentially the same thing ("a minute" means a long time in context), but is devoid of personality?

Chances are that to, save yourself the effort, you'll just start accepting Google's suggestions to save yourself the hassle. All of a sudden your "voice" is the same as everyone else's.

If, as a recipient, you know that your conversation partner is using canned text, everything they say has less meaning. How excited can you be about getting birthday greetings on Facebook when you know that none of your so-called friends actually remembered your special day?

And while it's always good to save your fingers from extra strokes, your sentiments are meaningless if you can't even take 3 seconds to enter them on your own. I tried writing a sample termination letter using Gmail and here's what I got.

Smart Compose is fairly conservative right now. I tried typing some insults or highly-personal things and it didn't suggest anything. But I'm sure that Google will refine this tool so that it's much more aggressive in the future.

It's important to note that there's nothing inherently unethical about using auto suggestions, but it still takes "you" out of your communication.

"I suspect that Google’s automatic writing will be banal but not unethical. ," former New York Times Ethicist Randy Cohen told me. "Much email writing is already lackluster in both form and content."

To be fair, Smart Compose isn't the first feature to make suggestions. Gmail users on phones have seen suggested replies for a while now and a number of other platforms also suggest words and phrases. However, Smart Compose shows that this trend is growing and starting to transform how we write.

I'd like Google Assistant to make some soul-sucking calls. Perhaps it can call and argue with the insurance company.

I have a bot holding on line three

Soon computers will go beyond writing and literally speak for you. Demoing a feature it calls Duplex, Google played a recording of a customer calling a restaurant to reserve a table. The customer, who turns out to be a bot, sounds exactly like a real person, even using verbal ticks like "um" that make it sound completely realistic. It has a complete conversation, asking questions and responding to queries from the person at the restaurant.

You can check out the audio of a sample hair salon call below (courtesy of our sister site, Tom's Guide).

The immediate goal of Duplex is to perform rote tasks that really ought to happen online. Many restaurants already take reservations via the web so the Google Assistant is merely filling the gap by calling a small business that's still on analog.

Frankly, I'd like Google Assistant to make some of the more soul-sucking calls I have to endure. Perhaps it can call and argue with the insurance company about doctor bills. Then it can answer calls from a relative and feign interest in the gossip she wants to share. I'm sure it would be great for dealing with bill collectors.

However, it's much more likely that you'll be talking to a bot than having one speak for you. As it stands, most PC vendors make it difficult for you to reach person when dial tech support. How long before they replace every human in the call center with a realistic-sounding bot?

How can you plead your case to a bot or get a bot to do something outside of its script for you? What if you need to get in to see the doctor right away because you're feeling ill, but the bot on the other end of the line says that there are no appointments available today? It won't take pity on you and try to squeeze you in.

And if you think robocalls are annoying today, just wait until telemarketers and political candidates get ahold of Duplex (or something like it). Tell you what. I'll have my bot talk to your bot.

What do you think about Google Duplex and Smart Compose? Are you excited about the convenience or creeped out about losing your humanity? Share your thoughts in the comments below.   

After years of the same utilitarian, gray, and “meh” all around platform, the new Gmail update is giving the email service a new face. While functional, old Gmail lacks the efficiency and integration that's key to a good user experience. I went hands-on with the new features and discovered there was something worth pinging home about.

To get started, I transformed my inbox by clicking the cogwheel and selecting “try the new Gmail.” For review purposes, I went with  the default layout.

At first glance, the new look is pretty pleasing to the eye. It’s colorful and most necessary tools are right in front of me. What immediately stands out is the new right-hand toolbar that includes my Calendar and Notes, with room for add-ons. 

Right Hand Toolbar

Clicking on the calendar tab, my schedule pops up as opposed to opening a new tab. It's a cool feature if you're a heavy Google Notes and Calendars user because it could be helpful in scheduling appointments or discussing important matters over email. It’s definitely better than toggling to the app in a separate tab.

Confidential mode

I was very interested in this feature but it’s not completely rolled out yet. In the Google announcement, the Confidential Mode option is positioned next to the insert picture and attachment tools.

Google says this addition is “useful for when you have to send sensitive information via email like a tax return or your social security number.” It's an invaluable feature in an age of rampant hacks and identity theft, so I look forward to the feature’s full availability

Promotion and Social Tabs

These categories are in the old Gmail, but were largely hidden in the sidebar. Now that they’re centerpieces, and I therefore know of their existence, these features seem OK if you have a lot of volume. The promotions tab seems much more useful than the social tab, but as someone that doesn't need to do mass mailings, I could take the features or leave them.

Snooze button

The Snooze button works pretty much the same it does on your alarm clock. If you want to take care of an email later, snooze it to have it reappear at a desired, programmed time where it shows with an orange snooze label. This could be useful if your inbox is chaotic, but I wouldn’t use it over simply checking the read status.

Attachment viewing

Though it seems like a small feature, I really like how few clicks I needed to open attachments. Clicking my “Kyoto Trip” attachment launched it in a new tab quickly and painlessly. It saved me about a second, but a second is a minute in internet time.

All in all, the new and improved Gmail is a nice step up from the old version. Though every new feature is not a “must have,” the user experience is much more streamlined and easy. Because of the integrated tools and improved attachment viewing, I won’t be switching back to the old version.

Two cybersecurity companies, Agari and Farsight Security, published a report that revealed that 90% of brands fall prey to domain name fraud. At the same time, Farsight Security discovered that 99% of the sites in its study didn’t use DMARC, an important email authentication protocol that Gmail and some governments have already deployed for their email systems to lower email fraud and phishing attempts.

DMARC - Important Against Domain Spoofing

Without DMARC authentication, malicious actors can impersonate legitimate companies in the emails they send as spam to internet users. The users would see the “sender email” as a legitimate-looking email address, such as “email@paypal.com,” even though the email would have nothing to do with PayPal, in this case.

Malicious actors can steal users’ credentials by sending them in to fake PayPal log in pages, too, or by sending them email attachments infected with malware. Many users may open these attachments because they would trust the legitimate-looking “source.”

Patrick Peterson, founder and executive chairman, Agari said:

Email and phishing remain a top source of cyber-attacks and data breaches. This groundbreaking report provides compelling evidence of the successes of DMARC adoption in protecting customers and brands, driving phishing rates near zero. However, with DMARC enforcement at only 27% of those firms who have adopted DMARC, it also shows how few enterprises have put these proven controls in place.

Additional Findings

The research by Agari and Farsight Security found that healthcare is the most targeted industry by phishers right now. Over 92% of healthcare domains have been targeted by domain name spoofing. In fact, the majority of emails (58%) that appear to be sent by healthcare companies are actually sent by malicious actors. This not only endangers patients, but also lowers their trust in healthcare providers in general. Only between 10% and 20% of the healthcare companies use DMARC authentication for their domains.

The research also found that the government sector is the second most attacked industry, with 87% of the domains being targeted. Over 12% of the emails that appear to be sent by the U.S. government are malicious, which is significantly higher than the global average of 3%.

As we’ve seen in other reports, phishing is a thriving industry for malicious actors. This is in part because companies don’t authenticate their domains, email providers don’t enforce that authentication, and also because it’s quite an effective way to get someone’s credentials or infect them with malware if the attackers can send the victim an email that looks legitimate.

Google revealed the “Advanced Protection Program,” which aims to defend high-value targets or anyone who wants to maximize the security of their Google accounts. The program is a step above the typical two-factor authentication solution in terms of the level of security it offers, but it also comes with some compromises in terms of ease of use.

Protection Against Phishing

For starters, anyone who enrolls in the Advanced Protection Program will be required to use two physical security keys (one for main use and one for backup). One of Google’s senior security engineers, Adam Langley, has recently tested some of the better known hardware token options, and it seems that Yubico’s popular Yubikeys are the most secure.

Some older Yubikeys were impacted by Infineon’s TPM vulnerability recently, but Yubico said that most Yubikey customers should not be affected. Additionally, the newer authentication protocols such as U2F were never affected by that vulnerability. Langley also previously said in his post that he could find no flaw in Yubikey’s U2F keys. This is not much of a surprise, considering Yubico is also one of the co-creators of the U2F standard.

The previous one-time password (OTP) method for two-factor authentication would generate a new random five- or six-digit code, and the user would have to input it to a login box on a service’s website. The new U2F method simply requires the user to plug the security key in the USB port and tap a button to generate a new public key that is then used by the service to authenticate you.

This solution is more resistant to phishing because it’s much harder for an attacker to compromise a hardware token. By comparison, an attacker could impersonate you to a carrier and then user your phone number to retrieve a two-factor authentication SMS code. If your smartphone has malware on it, codes generated by apps such as Google Authenticator could also be compromised.

Limit Third-Party App Access

Google has made it easier to integrate third-party services with Google accounts, but sometimes a user may allow a malicious app to access some sensitive emails or documents. For now, Google will limit access only to Gmail and Drive this way, but other apps and services will be supported in the future.

Protecting Against Impersonation

Sometimes, the attackers try to impersonate the victims whose accounts they’re trying to hack. They go to various services and pretend to be locked out so that someone from the firm lets them inside the account.

Google said that for users of the Advanced Protection Program, extra steps will be put in place to prevent attackers from hijacking an account. The steps include reviews and requests for more details about why they’ve lost access to their accounts. This will also apply to the users themselves if they ever lose their security keys.

Google has been testing this program with journalists and human rights and environmental activists over the past few weeks. The company said it has gained important feedback from people such as Andrew Ford Lyons, a Technologist at Internews, which is an international nonprofit organization that has supported the development of thousands of media outlets worldwide.

“Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries," said Lyons. "For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step," he added.

Starting today, anyone can enroll in the Advanced Protection Program, given they already have two U2F security key (either from Yubico or Feitian, as recommended by Google) and are able to use the Chrome browser. Chrome is currently the only browser that supports U2F authentication, but other browsers should start supporting it soon, too.

Call it trickle-down privacy: Google announced that it will no longer scan your emails to personalize the ads you see in Gmail. The company said this change results from its decision to make the professional version of Gmail, which is included in G Suite, "more closely align" with the consumer version. G Suite customers already have this level of privacy; now the billion-plus people who don't pay a cent for Gmail will also be able to enjoy it.

That isn't to say personalized ads will entirely disappear from Gmail. You're still going to see targeted ads--it's just that Google plans to use existing data (search history, YouTube activity, etc.) instead of scanning all your emails. Odds are good that you probably won't even notice the change. The company's built on ads, so if it thought improved privacy would hurt its ability to sell ads, it would likely maintain the status quo.

But the continued presence of targeted ads doesn't diminish the importance of this change. Google previously offered you two options: pay for its services or let it scan your emails. Privacy was basically just another premium feature offered to those who could afford G Suite, which starts at $5 per month for each user, and not the average consumer. Now privacy comes standard instead of being something for which you pay extra.

"This decision brings Gmail ads in line with how we personalize ads for other Google products. Ads shown are based on users’ settings," Google said in its announcement. "Users can change those settings at any time, including disabling ads personalization. G Suite will continue to be ad free."

This change might result from increasing anxiety over privacy. Many services, from Signal to ProtonMail, have found success in recent years because they can't snoop on your communications. Not that they could if they wanted to--they and other services have turned to end-to-end encryption to prevent intelligence agencies, hackers, and others from intercepting your communications and using them for their own purposes.

Deciding to make Gmail a little more private could help Google convince people to stick with its service instead of turning to others. And even if the company's ability to personalize ads does take a slight hit, it's better to risk showing irrelevant ads t than to lose the ability to show any ads at all. In its announcement, Google accidentally supported the idea that it wants to keep its users happy with this "elevator pitch" for Gmail:

The value of Gmail is tremendous, both for G Suite users and for users of our free consumer Gmail service. Gmail is the world’s preeminent email provider with more than 1.2 billion users. No other email service protects its users from spam, hacking, and phishing as successfully as Gmail. By indicating possible email responses, Gmail features like Smart Reply make emailing easier, faster and more efficient. Gmail add-ons will enable features like payments and invoicing directly within Gmail, further revolutionizing what can be accomplished in email.

Google said it plans to stop email scanning in Gmail "later this year." More details about when the change will be made or how it will roll out weren't provided.

Google announced that it has added a suite of new security features to Gmail. These additions will make it easier for the company to detect phishing attempts, fight malware that spreads via attachments, let businesses make sure internal data stays within their control, and warn users when they're visiting a suspicious website. The additions still won't be enough to keep you totally safe, but you're definitely more secure than before.

Many of today's improvements are the result of Google's vast troves of data and its machine learning prowess. The company specifically cites machine learning-based enhancements in its announcement, saying that early phishing detection results from a "dedicated machine learning model that selectively delays messages (less than 0.05 percent of messages on average) to perform rigorous phishing analysis and further protect user data from compromise." In another blog post, the company said this resulted from a new algorithm that spots patterns in phishing attacks.

In yet another post--seriously, Google published a bunch of 'em--the company said that "machine learning has helped Gmail achieve more than 99% accuracy in spam detection." The improvements announced today are supposed to "reduce your exposure to threats by confidently rejecting hundreds of millions of additional messages every day." That process will require the company to analyze metadata and flat-out block certain file types. Google explained:

We now correlate spam signals with attachment and sender heuristics, to predict messages containing new and unseen malware variants. These protections enable Gmail to better protect our users from zero-day threats, ransomware and polymorphic malware. [...] In addition, we block use of file types that carry a high potential for security risks including executable and javascript files.

Business customers will now be able to warn their employees whenever they're about to send information to someone outside the company. Google won't prevent people from sending those messages, though; it merely displays a warning if it detects that you're sending a file to an email address not associated with your employer. That could be enough to help businesses keep their private date private, though, and it will also make it easier to enforce punishment for "accidental" leaks. No fancy machine learning here though--Google just checks all the email addresses involved.

Google also touted a recent improvement that first debuted in Gmail for Android: anti-phishing security checks. This feature immediately warns you when you're about to follow a suspicious link. It's sure to be a useful feature, but we're kind of surprised Google decided to draw attention to it, since it was introduced right around the time that a so-simple-it-hurts phishing campaign that compromised the Google accounts of roughly 1 million people. All the attacker had to do was make an app disguised as Google Docs and wait for people to offer up access to their accounts.

In fact, Google doesn't mention the recent attack in any of the many blog posts it published today. That isn't surprising--it's not like the company wants to draw attention to a massive-yet-simple attack--but it's definitely the elephant in the room. Google constantly improves the security of its products, sure, but chances are good that Google wanted to introduce these security improvements as soon as possible to reassure its users.

New builds are ready for members of the Windows Insider Program's Fast ring: Preview Build 16184 for PC and Preview Build 15208 for mobile.

Preview Build 16184 features two main updates: My People, a taskbar app that's supposed to make it easier to communicate with the people in your life, and the expansion of some Windows 10 Mail and Calendar features to Gmail users. The former is all about introducing new features to Microsoft's communications tools, whereas the latter makes other features available to people who don't use Outlook and Office 365 to handle all of their email.

Here's what Microsoft said in its blog post about My People:

Technology is all about making it easier for you to connect with your most important people. Whether you want to share a photo, make plans for dinner, or get an answer from a friend or coworker – My People is here to take it to the next level and bring the people you care about most to the center of your experience.

My People is supposed to achieve that lofty goal by letting you pin up to three people in your taskbar, allowing you to view multiple communications services right next to each other, and remembering your app of choice for the next time you want to chat with that person. Enabling the feature requires you to install Preview Build 16184; make sure you have the latest versions of Skype, Mail, and People; and click the People icon in the taskbar.

This build also kicks off the expansion of some Mail and Calendar features to Gmail users. Microsoft said earlier this month that the apps will now let non-Outlook and Office 365 users to do things "such as easily tracking travel and shipping deliveries, making emails more actionable, helping you easily track your favorite sports events, faster search, and more." Windows Insiders will, naturally, be the first to use the expanded features.

Preview Build 16184 also brought some improvements to the Start menu, squashed a few bugs, and "fixed an issue resulting in Counter Strike Global Offensive hanging or freezing during game play." You can find a full list of bug fixes and known issues in Microsoft's blog post about the build.

The company also released Preview Build 15208 for mobile. It fixed two issues--one pertaining to the Bluetooth Settings page and the other creating a 20-second delay if you try to shut down a phone after switching from one network to another--and has its own batch of known problems. The most important of those bugs is a "small percentage of devices" that "may experience text message backup loss" and "random shutdowns on some devices."

These updates seem downright bursting with new features (moreso on PC than mobile) when compared to their predecessors. That's because most of the recent preview builds have focused on improving Windows 10's core instead of adding new features so close to the Creators Update's debut. Or, you know, revealing that the Creators Update for mobile devices would be restricted to just a handful of smartphones.

Last week, the U.S. Senate voted to reject the Federal Communications Commission's (FCC) soon to be implemented privacy framework that would’ve stopped internet service providers (ISPs) from selling your data without permission. It's now cleared the House, as well, in a 215 to 205 vote that would eliminate the FCC’s new privacy rules. Now only President Trump can stop this bill, but chances that he would do so are slim.

ISPs To Use Your Data Unhindered By Privacy Rules

Last fall, the FCC voted to increase privacy protections for broadband customers because over the past few years multiple ISPs have been tracking users' browsing habits across the web without consent. This has prompted some small fines from the Federal Trade Commission (FTC) and FCC, but ultimately ISPs could still attempt to track, collect, and then sell data in other ways.

The FCC wanted to establish clear guidelines for what kind of data they would be allowed to use, and when they should be asking users for consent.

Asking users for permission to sell their data didn’t seem acceptable to the ISPs, which protested the move and lobbied Congress to reverse the FCC’s rules before they went into effect. One of their arguments is that services such as Gmail or Facebook also track you and sell your data.

However, although some of those services can be rather hard to quit because of their widespread use and popularity, they aren’t mandatory, and it’s often easy to find a good alternative that doesn’t sell your data without consent. It’s much more difficult for Americans to change their ISPs, given the fact that most locations usually have only one good internet provider, or two at most. It’s also much more of a hassle to change your contract-bound ISPs than it is to change your email address.

Unlike Gmail or Facebook, which should in theory only track you in a limited context (although Facebook has been found before to break those bounds), ISPs will be able to track every single website that you access on your computer or mobile phone (wirelessly). The bottom line is that the tracking an ISP can do is much more comprehensive. Because the broadband market isn’t steaming with competition, you also don’t have much choice about it.

U.S. House Votes To Eliminate FCC Privacy Rules

The U.S. Senate voted to reverse the FCC’s privacy rules last week 50-48 on a party line vote. Republicans voted to eliminate the broadband privacy protections, while Democrats voted to keep them. However, it could be argued that if the Democrats wanted to stop this bill, they could’ve also filibustered it.

Once the Senate passed the bill, it should’ve been even easier for Republicans to reject the FCC privacy framework, and indeed it was. The House vote was 215 to 205, and again there was no filibuster to worry about. The House vote was also largely on party lines, with some exceptions.

In a way, this came as a surprise, because the House voted unanimously twice in a row for the Email Privacy Act, but the Senate never put it up for a vote. Therefore, it seemed like the House cared more about privacy than the Senate did. However, the difference between the two situations may be that the Email Privacy Act is mainly about restricting law enforcement to abuse data requests, while this bill is about helping ISPs make money by selling that data.

Fight For The Future, a non-profit civil liberties group that fought against the infamous SOPA bill, as well as for net neutrality, believes that this is tied to how many contributions the Republican Congressmen got from the ISPs.

“Today Congress proved once again that they care more about the wishes of the corporations that fund their campaigns than they do about the safety and security of their constituents,” said Evan Greer, campaign director of Fight for the Future.

The group also promised to put up billboards with the senators and representatives who voted to overturn FCC’s privacy framework.

“Congress should know by now that when you come for the internet, the internet comes for you. These billboards are just the beginning. People from across the political spectrum are outraged, and every lawmaker who votes to take away our privacy will regret it come election day,” added Greer.

Greer also believes that by allowing ISPs to collect all the data they want about their users, users will also be exposed to mass surveillance. AT&T has already been caught selling user data to the NSA and law enforcement for profit, and it’s likely that other internet providers do the same.

However, that form of data collection may have been in a more legal grey area, and it may have been more limited so as to not be too intrusive (and therefore, more detectable). If the ISPs believe they have free rein on what they can do to collect user data, then they may start collecting much more data on users and in more intrusive ways. Greer also said this could make ISPs bigger targets for data breaches, once they start holding more valuable data on hundreds of millions of users.

How To Fix It

There is a small chance that if enough people ask President Trump to stop the joint resolution that aims to overturn the FCC’s broadband privacy protections, he would not sign the bill. However, he appointed an FCC chairman that has publicly come out against net neutrality and these privacy rules, so chances are the President holds the same opinions.

Another solution, or rather a mitigation against invasive ISP tracking, is to use the Tor browser more often, or at least use a VPN service. Sending your traffic through a locally encrypted tunnel should prevent most if not all of the ISP intrusions.

Ultimately, the best solution is going to be one pushed through law that can’t be easily changed. Even the FCC rules are not that solid because they are vulnerable to a change of administration and a new FCC chair. If people make this a big policy issue, the two parties may eventually have to come together to establish broadband privacy rights into law. The only question is if such a law would offer similarly strong privacy protections as the FCC rules seemingly did.

Tavis Ormandy, one of the security researchers from Google’s “Project Zero” group, has been looking for (and finding) vulnerabilities in popular password managers for the past few months. He recently found a new bug in LastPass’ extension that would have allowed attackers to steal any of your passwords saved via the service. Another similar-but-different bug was also reported in the utility's Firefox add-on.

Password Manager Security

Security experts generally recommend password managers, not necessarily because they’re an ideal way to deal with passwords, but because they’re the best way to deal with them without re-using the same password on multiple sites. Re-using passwords seems to be a much bigger risk than keeping all of your passwords in a password-protected and encrypted vault. Plenty of data breaches or account hacks have showed the risk of password reuse.

As an example, your Gmail password may be safe on Google’s servers, but if you use the same password for another website, and then that website is hacked, the attackers could log in to your Gmail account. Gmail's servers were secure the whole time, but that didn't matter in the end, because the attacker was able to obtain that same password from a much less secure website.

Password managers may be of great help in such situations, but they are not without risks, either. For instance, password managers that use browser extensions can more easily be attacked remotely, through the browser.

Syncing your password vault with an online server comes with its own risks, too, compared to using a local vault such as those provided by KeePass or KeePassX (two applications recommended by Ormandy). It gives attackers the opportunity to brute-force your master password and login to the vault.

LastPass’ Latest Vulnerabilities

The flaw that Ormandy discovered on March 20 in the LastPass Chrome extension (version 4.1.42.80) was found in an intermediary JavaScript script that stands between the browser extension and LastPass’ cloud service, where your password vault is stored. This bug could allow an attacker to steal your passwords as the vault is accessed.

If you had the “binary component” installed, it would have allowed arbitrary code execution, too. The binary component for the LastPass browser extension contains additional convenience features such as enabling fingerprint authentication support, exporting and importing data, and much more.

Ormandy put together a proof of concept in which he showed that the “calc.exe” application could be started remotely on Windows via that LastPass extension vulnerability. According to a recent LastPass post, the bug affected all versions of the extension (Chrome, Firefox, Edge, and Safari). The company said this bug was addressed--apparently via workaround, rather than a complete fix--hours after it was reported.

Another vulnerability was reported for Firefox on March 21. This bug seems to affect version 4.1.35a of the Firefox extension, and the company said the flaw is “largely the same” to the one reported the previous day. However, instead of addressing the Firefox extension's issue via the same workaround used for the previous bug, LastPass decided to wait until a full fix was ready. The company said it released version 4.1.36a of its extension for Firefox to fix the reported issue at 12:15am ET today.

LastPass added that it has no knowledge of the vulnerabilities being exploited in the wild and that it plans to release a more comprehensive summary of the events soon.

WikiLeaks published documents purporting to show the CIA's hacking abilities. In with claims that the intelligence agency compromised smart TVs to spy on their owners, among other things, the documents explained how the agency targets smartphones to evade the protections of end-to-end encrypted (E2EE) messaging services like Signal and WhatsApp. But don't panic--the CIA hasn't directly undermined the security measures used by those tools.

E2EE secures information by encrypting it before it ever leaves the device. This protects the messages from man-in-the-middle attacks that intercept communications between a device and an app's servers while also preventing companies from reading the information themselves. It's kind of like speaking into a tin can that's connected to another can by a string; messages are only received by their intended recipients. Nobody else gets anything.

This setup rose to prominence after Edward Snowden revealed National Security Agency (NSA) surveillance programs in 2013. Since then, companies like Facebook, Google, and others have rushed to secure their communications tools. (Even if Google did turn over an E2EE project for Gmail to the public.) Many of these apps use the Signal protocol--which is also used by a service of the same name--to protect their users' messages from prying eyes.

Now the new WikiLeaks documents show that the CIA targets individual smartphones to bypass these protections. To continue the metaphor above, this is like putting a microphone in one of the tin cans so you can hear everything someone says. The string still does its job by making sure communications aren't overheard by anyone else, but because the can has been compromised, the system doesn't offer the same level of security that it did before.

Open Whisper Systems, the nonprofit behind the Signal protocol and service, said in a series of tweets that this could actually be a good sign:

The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption. [...] The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working. [...] Ubiquitous e2e encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.

In a sense, the CIA hacking phones to work around E2EE is kind of like someone picking up the device to read all the messages stored on it. (Or, to continue that metaphor from earlier, holding one of the cans to their ear.) It's not up to groups like Open Whisper Systems to prevent that eavesdropping--people have to be careful about how they use their devices, and manufacturers have to make those devices as hard to hack as possible.

It's better to use encrypted messaging services and force intelligence agencies to use targeted surveillance techniques than to be caught in the dragnet surveillance that Snowden revealed four years ago.

Google announced that the “End-to-End” email browser extension project it started three years ago is no longer a “Google project,” and that the community is invited to take it over because the project “has left the nest.” The company also renamed the End-to-End project “E2EMail.”

“End-to-End” Project Abandoned

Back in 2014, Google announced the OpenPGP-based End-to-End project to bring easier to use end-to-end encryption to Gmail and other email services. Yahoo later joined the project as well, but eventually abandoned it, probably for different reasons.

Google started the project to win back the trust of Gmail users, after being accused of being part of the NSA PRISM program, and to show that it cares about its users’ privacy. End-to-end encryption would make email readable only to the users sending each other emails, but not to Google, as it is now the case.

The company developed the project for two years; last year, though, the code contributions seemed to have suddenly stopped. The project has remained untouched on the GitHub repository for almost a year. We’ve contacted Google before to ask if the project has been abandoned or not, but we haven’t gotten clear answers.

Google has now published a blog post in which it renamed “End-to-End” to “E2EMail” and said that it’s no longer a Google product, but a “fully community-driven open source project.”

Key Transparency

Google also mentioned that it recently announced a separate “Key Transparency” project, which could end up being a critical component of E2EMail in the future. One of the problems that appears when you try to make PGP easier to use is that you have to have everyone’s public keys so that the users don’t have to share those keys with each other. However, you also have to ensure that those keys aren’t changed by malicious actors, so you need a system that can be easily audited.

The Key Transparency project, which at least for now seems to be developed and maintained by Google, takes innovations from the Certificate Transparency project and from CONIKS, a new type of key management system developed by Princeton and Stanford researchers, to create a secure key server.

Despite already working on both projects, Google doesn’t seem to have integrated Key Transparency into the E2EMail project yet, and it’s leaving that up to the community. It’s possible the company didn’t integrate it because the Key Transparency project itself is quite new and unproven, or it could be because Google simply didn’t want to expend more resources working on E2EMail.

The company did mention in the blog post that it’s "looking forward to working alongside the community to integrate E2EMail with the Key Transparency server, and beyond." However, it’s not clear what that means exactly, considering there haven’t been any serious code commits to the End-to-End project from the company in almost a year.

End-To-End Encrypted Emails

Although Google tries not to show it, it does seem that the company is not as focused on bringing end-to-end encryption to its services as it was immediately after the Snowden revelations.

Although the abandonment of the End-to-End tool was evident from the lack of contributions, it was confirmed when the company chose to adopt S/MIME for enterprise users over OpenPGP. Google turned even that end-to-end encryption technology into a centralized/hosted one where Google knows the private key of the users and therefore can read the contents of their emails.

Google seems to be removing itself from all end-to-end encryption projects, as it continues to focus on artificial intelligence and more advanced tracking and mining of user data. That means if you want end-to-end encrypted email, you may have to look elsewhere.

Google likes to celebrate special events. Christmas was the inspiration for a dedicated Santa tracker, Martin Luther King Jr. Day was marked with a doodle, and this year's Safer Internet Day was commemorated with a quick glimpse at how Google tries to protect its users while they browse the web.

Safer Internet Day debuted in 2005 "to raise awareness of emerging online issues" and each year it "chooses a topic reflecting current concerns." This year's theme is "Be the change: Unite for a better internet," and it asks "stakeholders to join together to make the internet a safer and better place for all, and especially children and young people." Google qualifies, of course, because it runs some of the most popular online services in the world.

The company explained how it tries to thwart phishing attempts or malicious websites in a way that even children might be able to understand. It didn't bog down the conversation with technical mumbo jumbo--which is likely to confuse many of the people who rely on these protections--and instead used simple language to convey the same ideas. Just look at how it explained the way it tries to figure out if a sign-in attempt is legitimate or malicious:

The secret sauce is the systems that detect these subtler signals—clues—billions and billions of times every day to help paint the picture of a safe log-in. Think of these like Sherlock Holmes’ magnifying glass...if it were powered by a few data centers. The clues scammers may not even know they’re leaving behind help us inspect each new log-in attempt and compare it with the picture of a safe log-in that our systems have painted based on billions and billions of other log-ins. If something looks fishy, we’ll require more verifications designed to thwart bad guys, send notifications to your phone, or email you so you can quickly act on anything that looks unfamiliar.

Easy! The company used similarly basic language to explain how Safe Browsing (and similar tech used in Android apps) works:

Detecting the obvious badness—sites well-known for phishing scams, ransomware that locks your device until you pay a fraudster—is relatively easy. But the stealthier badness is only detectable by measuring billions of signals across sites and apps. If this sounds similar to the way we approach spam protections on Gmail or suspicious logins into Google, that’s because it is! The ability to understand badness on a large scale enables us to find the clues bad guys don’t even know they were leaving behind.

Some might balk at comparing these services to Sherlock Holmes' magnifying glass or describing malware, phishing traps, and other harmful aspects of websites as "badness." They'll want more in-depth explanations of how Google wants to make the web safer or how it detects malicious apps. Further, many need to know about questionable decisions like introducing always-on DRM, problematic APIs, or hosted S/MIME encryption for services like Gmail.

Yet many people have no idea how any of this stuff works. That's part of why Americans don't try to defend themselves even though they know they've been affected by data breaches and don't trust companies or government agencies to keep their information safe. Google's effort to explain these concepts in a simple way--and to raise awareness of efforts like Safer Internet Day--could help make cybersecurity seem a lot more approachable.

Google announced that it implemented S/MIME (Secure/Multipurpose Internet Mail Extensions) encryption, with a twist, for its enterprise customers. That twist is that its implementation of S/MIME, which is typically an end-to-end encryption protocol, is centralized or “hosted” by Google. In other words, Google can see what’s in all of those S/MIME-protected emails.

S/MIME Protocol

The S/MIME protocol was first invented in 1995. A few years later, it also became an IETF standard (after a few more modifications to the original protocol). S/MIME aimed to be an end-to-end encrypted protocol that would replace the non-encrypted SMTP email protocol. It was also meant to be a little easier to use than PGP (Pretty Good Privacy), another end-to-end encryption protocol that was invented a few years before S/MIME.

With PGP, users have to share their public keys with each other prior to using end-to-end encryption, but with S/MIME, this key distribution is handled by a Certificate Authority that gives each user a certificate. Importing the certificate in the email client and signing email messages with it is what proves that the senders are who they say they are.

Google’s Hosted S/MIME

Google said that instead of supporting the standard client-side S/MIME protocol that allows users to encrypt emails end-to-end (meaning only the sender and receiver can read the emails), it will host all of the users’ certificates and private keys on its own servers.

This will allow the company to essentially read (with its computers) all communications that are protected by S/MIME. From this point of view, it’s no different than the way Gmail emails are encrypted today with TLS.

Google said that this will make it more convenient to enterprise customers to use S/MIME encryption, although without the benefit of end-to-end encryption. The company said that doing things this way allows it continue to stop phishing attempts and block spam email.

The fact that email companies wouldn’t be able to stop spam has long been a criticism of end-to-end encryption. However, WhatsApp seems to have managed quite well by employing techniques that don’t even require them to see people’s messages to block spam.

The techniques seem to involve a combination of verifying the identity of the sender and by tracking their behavior. For instance, if one user sends messages to 100,000 people, chances are that user is spamming. WhatsApp’s anti-spam solution is likely a little more advanced than in that example, but the point is stopping spam when end-to-end encryption is used is not as impossible as previously thought.

It’s Not All Bad

Although Google is essentially downgrading the security of the S/MIME protocol, the move still seems to be an upgrade over the existing, mainly hacked-together email encryption and authentication solutions.

The email protocol was never designed to be encrypted, so even today’s best improvements made to it can’t guarantee the security of the message in transit. This is especially true if the recipients use email services that don’t support the same encryption and authentication protocols that Gmail supports.

With S/MIME, the messages are encrypted with symmetric encryption as well, so it doesn’t matter what sort of hops it passes until the destination, as the messages will be unreadable to anyone intercepting them. They are also automatically signed by the senders, which will guarantee that the senders are who they say they are.

Of course, digital certificates are still vulnerable to certificate authorities going rogue or to being stolen from Google’s servers. The latter is something that may be quite difficult to achieve these days, but likely not impossible.

Is Google Giving Up On End-To-End Encryption?

Back in 2014, and soon after Edward Snowden made public the extent of the NSA’s mass surveillance, Google started working on an end-to-end encryption tool called, appropriately, “End-to-End.” The company seemed furious that the NSA broke into its network and monitoring every packet going through its unencrypted internal network.

From that point forward, it started aggressively adopting encryption everywhere it could add it, whether it was for internal or external communications, or for securing data at rest. One of those measures also involved starting End-to-End. This was a browser extension that would work with multiple email providers (Yahoo joined as well, but it later dropped it around the time it allegedly gave NSA access to its networks), and it would provide PGP end-to-end encryption to users that wanted it.

The project doesn’t seem to have been touched for almost a year (at least in its public code repository). After we contacted Google to ask about this a few months ago, the company declined to give a clear answer on whether it’s still working on this specific project.

Google did launch Allo with end-to-end encryption provided by the Signal protocol, but it’s not enabled by default like it is for the Signal app itself, or WhatsApp. There is also no easy way to make end-to-end encryption the default, if you’re not interested in using Allo’s AI assistant. “Incognito” chats have to be started manually with each contact. Unlike Signal and WhatsApp, Allo also doesn’t provide safety numbers that guarantee there’s no man-in-the-middle attack.

Avoiding Public Email Exposure

If companies want to avoid the type of hacks that hit Sony, the Democratic National Committee, and other organizations that exposed everyone’s emails, then end-to-end encryption is still the way to go. This may include the client-sided (non-hosted) S/MIME protocol or PGP, or even using a service such as ProtonMail.

For other companies that don’t worry as much about Google being hacked (again) and just want an easy to use, well known, and well supported encrypted email service, Gmail’s new hosted S/MIME protocol may still be an acceptable compromise and an upgrade over their existing email encryption hygiene.

Google recently announced that Gmail will revert to basic HTML for Windows XP and Vista users by December 2017. The company also said anyone using Chrome 53 or below--the last version released for XP and Vista was Chrome 49--will be advised to update their software after February 8.

Besides ludicrous "hacking" scenes from shows like NCIS, few things scare the technologically impaired like the idea of losing access to their email, so it's no wonder that news of Gmail's upcoming changes has been making the rounds on social media. Never mind that anyone affected by this decision probably uses an operating system that officially died in 2014 or doesn't know Chrome automatically updates. Just think of the emails!

Surely this must be some dastardly plot, right? Not so, according to Google, which explained in a blog post:

If you continue to use older versions of Chrome Browser now that support has ended, Gmail will be more vulnerable to security risks and users will not have access to new features and bugfixes. Gmail will continue to function on Chrome Browser v53 and below through the end of the year. Users who remain on Chrome v53 and below could be redirected to the basic HTML version of Gmail as early as Dec 2017.

That gives people an extra year (give or take) to finally update to a new operating system or browser. This is something everyone should already be doing--especially since Google made this announcement in its G Suite blog, which is meant for businesses. Companies might have put off upgrading from Windows XP to avoid extra costs, either for software licensing or newer computers, but doing so also means they're vulnerable to many attacks.

The same is true for individuals. Upgrading can be a pain, sure, and sometimes new versions of software don't appeal to everyone who used the older versions. But making sure everything is up to date is perhaps the best way to defend against someone who wants to take over a device. Old software has known vulnerabilities, rarely gets updated to fix new problems, and ultimately offers just a little more protection than an open kimono.

All that said, Google recognized that many people will be affected by this change:

Please note: Google does not typically announce when we discontinue support for older versions of Chrome browser because of our current supported browser policy, which states that only the most recent version of Chrome is supported. This announcement was made given the expected impact on Windows XP and Windows Vista users and known security risks.

Maybe this will be the kick businesses and individuals alike need to finally update their stuff.

Google announced that it will add .js (JavaScript) extensions to its list of restricted file extensions (such as .exe, .msc, and .bat) for Gmail starting February 13, 2017.

As Flash is being phased out, attacks based on JavaScript vulnerabilities may be the new go-to for malicious hackers. Late last year, a researcher had already found a JavaScript vulnerability in Yahoo Mail that could have allowed any attacker to eavesdrop on Yahoo customers’ emails.

Throughout the last year, it has also been observed that various ransomware families have begun to spread through email spam that sent malicious JavaScript attachments.

Email has always been an effective way to spread malware because people often click on the attachments they receive without taking any additional protections. Those extra protections would include opening the attachments in a better sandboxed environment (Sandboxie, as or a virtual machine, are two examples). It’s understandable why most do not, because it’s often too inconvenient to take such measures to read your email. Therefore, it’s up to email service providers to try and limit this type of malware risk as much as possible.

Where applicable, the browser’s sandboxing should also help. However, chances are the malware makers already take browser sandboxes into account and include ways to bypass them.

Blocking .js file attachments is bound to frustrate software developers who may use email to share JavaScript files with each other. Google has a solution for this, which is to use Google Drive, Google Cloud Storage, or other cloud storage solutions to share those files.

The new restriction is a part of Google's continuous efforts to improve Gmail security. However, we're still waiting for the end-to-end encryption feature that Google promised back in 2014 but has yet to deliver.

Hold Security, a company specializing in information security assessment, risk management and incident response, announced that it has discovered a cache of over 1.17 billion stolen online credentials from a Russian hacker that collected the data from a variety of breached sources, including Gmail, Yahoo and Microsoft.

To Catch A Hacker, Like Their Social Media Page

Hold Security was able to track down the hacker taking credit for the stolen information, and it wasn’t as hard as you might think. The Russian cybercriminal was openly bragging about his lifted stash of data in an online forum, and they even provided the company with the files to prove it in exchange for votes or likes to their social media pages.

The initial database consisted of 917 million records totaling over 10 GB, but the first batch of stolen credentials the hacker provided seemed unimpressive from a breach standpoint; the majority of the information was already identified, and appropriate measures were likely already taken to secure the companies or individuals affected. Only 0.45 percent of this data was considered new. What should you expect from a hacker that initially asked for only 50 rubles (less than $1.00 USD) for his talked-up treasure trove and then caved for a few likes on Facebook?

The Bad News

However, after digging deeper, Hold Security discovered the hacker was holding something significant back from the company’s undercover agents: a cache of 1.17 billion stolen email accounts from Yahoo, Gmail and Microsoft, in addition to Mail.ru accounts. The Russian cybercriminal provided this new and potentially more-damaging data set after some further investigation by Hold Security in exchange for (you guessed it) more praise on their social media pages.

The new batch of stolen credentials seemed to hit the three major players in the email game, with nearly 57 million Mail.ru, 40 million Yahoo Mail, 33 million Hotmail and 24 million Gmail accounts compromised. Thousands of credentials from German and Chinese email providers, in addition to logins for employees of some of the largest banking, manufacturing and retail companies located in the U.S are also listed in the stolen data.

The Good News

The company is still working to identify the specific breaches or vulnerabilities that allowed the hacker to gain access to the mega-sized data dump of stolen email logins, but Hold Security also determined that only 272 million of the 1.17 billion pilfered credentials were unique. The company estimated this translates to roughly 42.5 million viable credentials, which is about 15 percent of the total, something Hold Security says it has never seen before.

Despite the high amount of possibly-vulnerable email accounts, Microsoft has issued a statement to Reuters to assure its customers that they have little to fear.

“Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access," read the statement.

Other companies such as Google and Yahoo have yet to comment on the breach. Mail.ru stated that it would warn potentially affected users once they have enough information, but the company’s initial checks found no live combinations of user names and passwords that match existing emails.

Hold Security also doubts the integrity of the stolen data, citing that the credibility and value of the stolen information may not be as impactful as the hacker boasts if they are willing to give up the data for some conversation and social media acclaim.

“50 rubles is what the hacker wants for this incredibly large set of data,” stated Hold Security. “He can’t be serious; based on today’s exchange rate, it is less than one U.S. dollar. This greatly impacts the data’s credibility and value, similar to an expensive sports car being sold for pennies at auction.”

It's Time For A Change (Of Passwords)

Despite what the eventual findings may be, if you are using an email account from one of the affected providers, you could (and should) save yourself from potential unauthorized access by changing your password right now. This time, just make sure it’s something more unique than “password.”

Derek Forrest is an Associate Contributing Writer for Tom’s Hardware and Tom’s IT Pro. Follow Derek Forrest on Twitter. Follow us on Facebook, Google+, RSS, Twitter and YouTube.

Google announced a new collaboration with other major companies, including Microsoft, Yahoo and Comcast, to implement a new protocol that would ensure all email remains encrypted in transit. Google also introduced a new page in its Safe Browsing system that will encourage those under attack by governments to increase their security by using SMS-based two-factor authentication or a physical Security Key.

Earlier this year, Google introduced some notifications in Gmail that would alert users before they would send their email to another address that doesn’t use encryption. According to Google, this has had the effect of increasing the amount of email sent over encrypted connections by 25 percent.

However, Google also found out from the recent research it has done with the Universities of Michigan and Illinois that attackers could still tamper with email encryption. That’s why it collaborated with Microsoft, Yahoo, and Comcast to create the SMTP Strict Transport Security standard to ensure that email travels only through encrypted channels. Any issues with the encryption would also be reported so that the companies can better understand where the attacks are happening.

Since 2012, Google has begun warning Gmail users of state-sponsored attacks. According to the company, only 0.1 percent of its users have been the targets of such attacks, although considering Gmail has hundreds of millions of users, that’s still hundreds of thousands of attacked users. The targets typically include activists, journalists and policy-makers.

For those that are targeted by state-sponsored attackers, Google launched a new warning page that also acts as an instructions page for how to increase their own security. The users can enable SMS-based two-factor authentication or a FIDO U2F-enabled Security Key.

Although these new security features should help email encryption become stronger, the state-of-the-art remains end-to-end encryption, such as the one employed by PGP-based tools. Ultimately, most of these companies working on the new email encryption protocol rely on revenue from advertising, which implies data mining their users’ email contents.

That’s why it's in direct conflict with end-to-end encryption, because only the users communicating with each other could see the email contents. Google was supposed to also work on the End-To-End encryption browser plugin, but so far progress has been rather slow on that front. Even if it’s eventually finished, it likely won’t be used or promoted as a default solution for most Gmail users.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on Facebook, Google+, RSS, Twitter and YouTube.

Google announced that starting this week, Gmail Web users will receive warnings when an email conversation they’re having with someone else is either not encrypted or not authenticated.

Google has been a strong promoter of email encryption for the past few years, especially after the Snowden revelations, when it became more clear to Google as well as other email providers that they need to accelerate their adoption of STARTTLS, which is presently the main TLS-based encryption standard for email.

Not all providers are on board, though, especially many smaller ones. This is why a good portion of email is either not encrypted at all, or if it is, it’s not authenticated, and a man-in-the-middle (mainly national governments) could easily intercept those communications. In a prior study, Google found that as many as 20 percent of emails sent from several countries were susceptible to man-in-the-middle attacks.

The company is now working to lower that rate further by encouraging small providers to increase their services’ security by adopting STARTTTLS encryption and authentication such as DKIM (DomainKey Identified Email) or SPF (Sender Policy Framework).

Google’s solution is to show a broken lock icon in the right corner of the Compose window, which will mean that your contact’s email service doesn’t support encryption.

If you a receive a message from someone, but it’s not authenticated, their profile image will look like a question mark.

Google said that not all email messages that will be affected will necessarily be dangerous, but it’s better to be extra careful when you see that broken lock icon.

Although Google is making some serious efforts to improve TLS encryption for all emails, we haven’t heard much about its End-to-End tool lately, which was supposed to bring strong encryption to the masses. End-to-End uses PGP to encrypt messages with the users’ keys, so no one -- not Google itself nor anyone who might have access to Google’s servers -- can read them anymore, either.

However, since Google launched Inbox as an alternative client to its email service, it has started to look increasingly less likely that the company would adopt strong encryption. A service such as Inbox would not work with strong encryption, at least until homomorphic encryption becomes more mature and much faster.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on Facebook, Google+, RSS, Twitter and YouTube.

Late last month, researchers from the Universities of Michigan and Illinois, along with Google, discovered that in many parts of the world the opportunistic STARTTLS encryption for email can be easily broken. Following that result, the company decided it will start warning Gmail users when the emails they deliver to other email providers are sent unencrypted.

The new venture is part of the company's quest to improve email encryption. Google started on the path about a year ago when it launched the Safer Email campaign to encourage other email providers to use STARTTLS encryption. Google can encrypt its own emails, but not everyone uses Gmail. If other providers don't support STARTTLS encryption, then those emails, even from Gmail users, will be sent unencrypted to their destinations.

Since then, multiple providers have begun supporting STARTTLS, but according to Google, the biggest boost in email encryption was offered by Microsoft's and Yahoo's adoption of the protocol. However, many smaller providers still don't offer it to their users, so now Google is taking the step to warn its Gmail users when they send an email to a provider that doesn't properly support STARTTLS.

Google discovered that in some places of the world, such as Tunisia, attackers were tampering with the requests to initiate encryption for email. It also uncovered some malicious DNS servers publishing bogus routing information to email servers looking for Gmail. This type of attack can be used to censor or modify messages before they reach their destination. The company said it will be working with other partners from the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) to strengthen the opportunistic email encryption with technologies already used in Chrome to protect websites against interception.

Gmail users should start seeing the unencrypted email warnings in a few months. Google has also been working on an "End-to-End" encryption browser extension ever since the Snowden revelations in 2013, but it hasn't mentioned any progress on it in about a year.

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.

Security researchers from the University of Michigan, Google, University of Illinois-Urbana Champaign uncovered that a popular form of email encryption between email providers' servers, called STARTTLS, can be easily broken in many places of the world.

Last year, Google started to encourage other email providers to use the STARTTLS protocol, which encrypts email data when it's sent from one email provider to another in the form of SMTP messages. For this encryption to work, everyone has to use it; otherwise, the email that goes from Google to a provider that doesn't support STARTTLS will travel unencrypted. This can leave users' emails vulnerable to interception by attackers who have network access.

The researchers found that while major providers such as Google, Microsoft and Yahoo have solid encryption and message authentication configurations, the long tail of 700,000 other SMTP email servers out there have either improperly set up encryption, or they lack authentication. This makes it easy for attackers to strip the servers of the STARTTLS encryption and intercept the messages.

The researchers discovered that only 82 percent of the 700,000 SMTP servers properly configure their encryption, and only 35 percent configure authentication for their email messages. Without authentication, a man-in-the-middle attack could downgrade the encryption to plaintext.

They also found that in seven countries, more than 20 percent of all emails are actively prevented from being encrypted by network attacks. In the most severe case, 96 percent of all email sent from Tunisia to Gmail was downgraded to plaintext.

Of the 877 most common email domains to which Gmail sends email messages, only 58 percent accepted 100 percent of the email messages over TLS encryption. Only 29 percent of the 26,406 inbound email domains encrypted 100 percent of the emails.

The researchers concluded that much of the growth seen in the past year in terms of STARTTLS encryption happened mainly due to the larger providers such as Outlook and Yahoo Mail adopting STARTTLS mid-year. Most of the smaller providers still lag in adopting properly configured and authenticated STARTTLS encryption for email.

"The fail-open nature of STARTTLS and the lack of strict certificate validation reflect the need for interoperability amidst the gradual rollout of secure mail transport, and they embody the old adage that ‘the mail must go through,'" said researchers in the paper. "Unfortunately, they also expose users to the potential for man-in-the-middle attacks, which we find to be so widespread that they affect more than 20% of messages delivered to Gmail from several countries. We hope that by drawing attention to these attacks and shedding light on the real-world challenges facing secure mail, our findings will motivate and inform future research."

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us @tomshardware, on Facebook and on Google+.

Motorola unveiled which of its devices will get the next major version of Android (Marshmallow). The upgrade includes all the major new features in Android 6.0, as well as some that are replicating older Motorola features, making those unnecessary.

All of the 11 smartphones that will receive the Android Marshmallow update seem to be from 2014 or earlier:

2015 Moto X Pure Edition (3rd gen)2015 Moto X Style (3rd gen)2015 Moto X Play2015 Moto G (3rd gen)2014 Moto X Pure Edition in the U.S. (2nd gen)2014 Moto X in Latin America, Europe and Asia2 (2nd gen)2014 Moto G and Moto G with 4G LTE2 (2nd gen)DROID Turbo2014 Moto MAXX2014 Moto TurboNexus 6

The owners of the above phones will be happy to receive all of the following Android Mashmallow features:

Doze Mode

This new feature puts the phone in deep sleep when it's not being used, which ends up significantly increasing the standby battery life, as well as the overall battery life by about 30 percent, according to Google's David Burke at Google's recent keynote.

Android Pay

Android Pay allows users to make store purchases with a single tap, without having to open an extra app. Android M also brought native fingerprint authentication, but none of these phones have fingerprint sensors, so the feature will use a PIN, passphrase or pattern for authentication instead (the same authentication necessary for unlocking the phone).

Direct Share

The new version of Android allows users to share photos, news, links and so on more easily with favorite contacts.

Simpler Volume Controls

Android volume controls have been hit and miss over the years, and Android 6.0 takes another shot at making the volume controls easier to use.

Now On Tap

The Now on Tap feature is an extension of Google Now, which instead of using only data Google already has on its servers through the different services Android phone owners use (such as Gmail, Maps, Google search, etc.), it can also see the information coming from other active applications, and make recommendations based on those.

Deprecating Motorola Features

Android 6.0 brings many other features, and some of them, such as a Do Not Disturb setting, Motorola Migrate, as well as Moto Assist, have been replicated by native Marshmallow features, making them redundant. The Google Chrome extension found in Motorola connect will also be retired, as multiple third-party applications found in the Play Store can now replace this functionality.

Motorola hasn't given an exact timeline for when these phones will receive updates, but it promised it will unveil more details about release details in the coming weeks.

Follow us @tomshardware, on Facebook and on Google+.

Tutanota, one of the few email services with a focus on end-to-end (client to client) encryption that have appeared after the Snowden revelations, said that as many as 37 percent of its users take advantage of its end-to-end encryption feature. This shows that when end-to-end encryption is easy to use and given as an option, at least a third of the users want to take advantage of it.

According to the company, the rise in end-to-end encryption on its service is due to the fact that its system isn't actually powered by PGP, the traditional protocol used to encrypt emails end-to-end, which many consider too difficult to use.

Cryptography professor Matthew Green, Open Whisper Systems' Moxie Marlinspike, and others have come out and said that we need better alternatives if we're going to try to make end-to-end encryption mainstream.

Tutanota can also be used as a "regular" email service, just like Gmail or Outlook, with the added bonus that you can also encrypt your emails with a password that you must share with the recipient. The encryption is symmetrical rather than asymmetrical, as is the case with PGP, where you must share a long public key with the recipient, and other people have to share theirs with you as well.

The jury is out on whether Tutanota actually uses a "better" end-to-end encryption protocol than PGP, but because users only must know a password they can just remember or change at any time, that makes the whole PGP key management issue a non-issue for Tutanota users.

However, the main hurdle with Tutanota's system is that the password will need to be shared securely as well, before exchanging these end-to-end encrypted emails. One way you could do that is by meeting in person, but the people you're emailing are often going to be far away from you, so it's not exactly feasible.

Another way they could share their passwords is through an end-to-end encrypted messenger such as anything based on the OTR protocol (Pidgin, Cryptocat, Chatsecure, Adium, etc.) or Signal/Textsecure. However, this requires Tutanota users to use other apps to take full advantage of the Tutanota system.

This is why it would probably be best that if Tutanota maintains this system in the future, it could at least integrate a secure end-to-end chat application into it that would allow users to safely share their email passwords.

For those who want to continue using PGP in the meantime, there's Whiteout, MailPile, as well as the Mailvelope browser extension, all of which are trying to make PGP a little easier to use in the browser.

Follow us @tomshardware, on Facebook and on Google+.

Lenovo had a roster of new products to show during Lenovo Tech World in China, and one of them is the result of a partnership with Microsoft, specifically with Cortana. In January, Microsoft revealed that its digital assistant, which was only available on Windows 8.1 phones, would be available on all Windows 10 devices. However, Lenovo took the idea even further and combined Cortana with REACHit, a program that allows users to easily manage and search for specific files across multiple Lenovo PCs, tablets, and third-party services.

The result is a more expansive search from any Lenovo device running Windows 10. With Cortana now on any Windows 10 device, you can easily pair it up with REACHit to find files from your home computer, and access that content on any of your other Lenovo devices.

REACHit works by searching through your device's storage files and Windows apps such as Outlook, OneDrive and Microsoft Exchange. Part of the magic is possible through GPS locations and constant time stamps on your files. You can take a picture at a certain park on a Tuesday, and by using Cortana and REACHit, you can specifically ask the program to find that picture based on certain characteristics, such as where the photo was taken, when it was shot, the name of the photo file or even which device you used to store the photo.

The same method would also work for finding certain emails or documents so you can find the document you downloaded at a certain time or located the email sent from your local coffee shop. Either way, the software will find it and show it to you on the Lenovo device that you are currently using.

The functionality is not just limited to the device's storage and apps. You can also add other third-party programs such as Google Docs, Gmail, Dropbox and Box to the search parameters for an even more comprehensive search. At present there's a small number of third-party services that work with REACHit and Cortana, but considering that those three services already have a massive customer base, it's only a matter of time until Lenovo and Microsoft attract similar services to work with the new feature.

Cortana and REACHit will make their collaborative debut in a beta version when Windows 10 launches later this summer, with full public access starting in the fall. Interested users can sign up on Lenovo's website.

The software sounds promising because it can find any file across your suite of Lenovo devices running Windows 10. Not only that, but it can look through third-party services, as well. The one downside is that it's exclusive to Lenovo products. Hopefully, Microsoft improves Cortana to the point where this feature will be available on any device that runs Windows 10.

Follow Rexly Peñaflorida II @Heirdeux. Follow us @tomshardware, on Facebook and on Google+.

Microsoft launched the "Outlook for iOS and Android" app yesterday, which was in fact a rebranding of an existing app called Acompli that Microsoft purchased in early December 2014. However, according to IBM developer René Winkelmeyer, the app presents some major security issues for the companies that intend to use it, and access should be immediately denied to enterprise users.

By far the biggest security issue that the developer found is that Microsoft itself has access to the users' email credentials, including both the username and the password:

“What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I've used my private test account and not my company account) somewhere in the cloud! They haven't asked me. They just scan. So they have in theory full access to my PIM data," said Winkelmeyer in a blog post.

Only Gmail emails, which require OAuth authorization, don't give Microsoft your credentials, according to Acompli's own current Privacy Policy. However, Exchange emails do:

"Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password."

The second major security issue concerns Microsoft's servers acting as some sort of "man-in-the-middle" servers by intercepting a company's private emails as they pass from one user to another.

“Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app."

Microsoft and Acompli promote this indexing service as making email delivery slightly faster, but that comes with a rather significant privacy and security cost for the companies utilizing Microsoft's new app. This email interception could be especially worrisome for companies that don't want their data easily shared with certain U.S. government agencies. Those agencies may not have proper jurisdiction over that data when it's held by Microsoft's enterprise customers in other countries. However, they could get access more easily to Microsoft's copies of the data. The Outlook for iOS and Android app also collects all calendar and contact data.

The third security issue, which Winkelmeyer described as a "data security nightmare," is that Microsoft has built-in connectors to OneDrive, Dropbox and Google Drive, which allow an enterprise user to easily share confidential company data with others, or worse, to access files that could be infected with malware, for example. Winkelmeyer's point is that this feature can easily bypass a company's security policies, such as app containerization.

Some of these security issues seem to be older Acompli issues, and given that Microsoft has merely rebranded the app as Outlook, it's possible the company didn't take a hard enough look at the app before re-launching it.

At the same time, Microsoft may have already been aware of the issues but decided to keep the service as is, because indexing of other companies' private email is something Microsoft may want to do. It remains to be seen how Microsoft will react to this discovery, and that reaction should tell us more about the company's intentions regarding these security issues.

Follow us @tomshardware, on Facebook and on Google+.

Right now, the only way to send end-to-end encrypted email is through PGP, a technology and set of tools that has proven very difficult to use for most people. There are several companies and groups working on making PGP easier to use as well as trying to solve this problem of simple end-to-end encrypted email, in general.

Among the most known are Google itself with its "End-to-End" extension, which is supposed to come out in beta later this year. There's also DIME (formerly Dark Mail), which is at an even earlier stage in its development.

Protonmail, made by a few CERN scientists, gathered quite a bit of attention for its ease of use last year. The problem is that it doesn't use true end-to-end encryption, as the keys are managed by the company's server. Thus, it's not much more secure than a service like Gmail.

There's also MailPile, a Kickstarter project, that has focused mainly on making PGP easier to use rather than changing the technology, but now the group seems to work on implementing Google's solution, too.

Today we get to see a whole new take on encrypted email; it uses end-to-end encryption and is also quite different from PGP. The new app utilizing this technology is called Peerio, and it's already available for Windows, Mac OS X and Chrome (which means it works for Linux and Chrome OS, too). There will be an Android and iOS app as well.

Peerio is made by Nadim Kobeissi, the creator of the end-to-end encrypted group messaging app Cryptocat and the encrypted file-sharing app miniLock. Kobeissi has gone through some security blunders with Cryptocat in his first years of working on crypto projects, but he seems to have taken the criticism to heart. Since then, he's been approaching his projects with more professionalism.

For instance, he didn't release the miniLock app until it was audited by a team of security experts to verify that its cryptography is sound. MiniLock passed the test, and it's now the core technology being used to encrypt emails and messages in the Peerio app. Peerio was also audited by the German security team Cure53, before release. No crypto flaws were found, other than some minor Javascript implementation bugs that have already been fixed.

Peerio avoids the complexity of the PGP key management by requiring users to create a long ~30 character passphrase that is then used to create a 100-bit entropy private key and encrypt the files. PGP works by creating a random key and requiring the user to keep that key file safe.

After the long passphrase is selected, you can also choose a PIN, which is a shorter password you can use to log into the app. You still have to remember the longer password if you want to keep your list of contacts and be able to access any files you might have shared with them in the past. If you forget the long passphrase, you'll have to start the process all over again, just like you would if you lost your PGP private key.

Inside the app, Peerio looks more or less like an email client. You can compose messages whether they are one-liners, such as chat messages, or longer email-style messages, and all of them are threaded and searchable.

You also get an interface that shows the received files by category. You can send files up to 400 MB in size right now, but that limit should be increased with a future update. The free version of the app only gets 1.2 GB in storage, though. Although the client is open source and can be reviewed on Github, the Peerio team intends to sell premium features, such as more storage, as its business model.

The emails and files you exchange with your friends will be stored on Peerio's servers, but they can't see what's in them because the messages and files get encrypted locally, by the client, before being sent to the servers and on to the recipient.

In this way it's no different than using PGP over the regular email infrastructure. Because of that, there's also no metadata protection. Your content will be encrypted, but the metadata won't be. That's a problem nobody has solved yet, although DIME is working on it.

Just like PGP, Peerio doesn't have "Perfect Forward Secrecy," so if your passphrase is somehow discovered by someone else, they'll be able to access all of your previous messages and files.

For the future, I could also see automatic deletion after a user-set time period as a feature that could be useful, making all emails ephemeral. This doesn't help much against a spy agency that can tap the Internet cables, capture anything that goes through them, and then hold all encrypted communications for at least five years, but it should still reduce the potential exposure.

Sony, for example, is a company that could have used this to avoid having its private emails being made public. Perhaps, in the future, it may even do that, as Peerio intends to eventually offer the app for enterprise customers as well.

Regular users can start sending end-to-end encrypted through Peerio today, by downloading it from the website.

Follow us @tomshardware, on Facebook and on Google+.

Chrome OS started out as an operating system designed to work primarily online, and the dev team has slowly begun adding more offline features. These include offline HTML5 apps such as Gmail or Google Drive, which can take your input as if they were online and then sync the data later to the cloud, to receiving support for C++ applications through the Native Client plugin.

Earlier this year, Google made the major announcement that Chrome OS would start running full Android applications, although only a handful would be supported initially.

Now, we get the news that a Google intern has made it possible to run Linux directly in a Chrome OS window. This will allow users to run any kind of Linux application (such as Skype, for example) from a Chromebook.

Francois Beaufort, a Chromium evangelist, made the announcement in a Google+ post:

"Google Intern has added support to run Crouton¹ in a Chrome OS Window. Thanks to a 4,471 lines patch², fearless people can now run their favorite Linux distributions on their Chrome Devices in a nice window without jumping between Virtual Terminals as before."

There have been ways to either install Linux on a Chromebook machine and dual boot both operating systems, or run both at the same time using a tool called Crouton. The latter is actually being used here as well, but this time setting it up is much simpler than before.

All you have to do is put the Chromebook in developer mode (the equivalent of a bootloader unlock for a Nexus phone), install the new Crouton extension, download the Crouton tool and then type a simple command. After that you'll be able to use any Linux distro you want inside a Chrome OS window.

Chromebooks are already highly popular in the education sector, and they're slowly taking off in the consumer market as well. The growth has been slower in the mainstream market because either Chrome OS doesn't support the apps people need right now, or users believe they might need a certain app in the future that Windows or Mac OS has but isn't available on Chrome OS. The easier support for full Linux applications should make that gap between application support much smaller, and it should thus make Chromebooks more appealing to those reluctant consumers.

Follow us @tomshardware, on Facebook and on Google+.