50% off Dell UltraSharp U3415W PXF79 34-Inch Curved LED-Lit Monitor

This 34-inch 21:9 curved monitor with a panoramic view, cinematic WQHD resolution and rich sound has just sunk 50% to its best price yet on Amazon, making this a solid deal on the U3415W. Learn more and explore buying options for the U3415W on Amazon.
http://www.cio.com/article/3173355/displays/50-off-dell-ultrasharp-u3415w-pxf79-34-inch-curved-led-lit-monitor.html#tk.rss_consumerelectronics

Facebook tests ad breaks in all types of videos, giving creators a 55% cut

Facebook today announced it has begun testing ad breaks that interrupt on-demand video, using a small set of partners who will earn a 55 percent ad revenue share while Facebook keeps 45 percent. That could change the way creators make video content so they tease viewers enough to sit through the ads, while luring more producers to Facebook. On-demand video publishers will get to select where…

Longtime Apple PR veteran Nat Kerris has nabbed a big job at Edelman

Natalie Kerris is a familiar name to many people in tech after her 14 years at Apple.

And she just re-entered the tech PR world as the global chair of PR agency Edelman’s technology sector, where she’ll oversee a unit that includes over 700 communications professionals.

Kerris famously left Apple in 2015. During her years there working for Steve Jobs, she helped launch the iPod, iPhone, iPad, MacBook Air, Apple Pay, and Apple Watch.

She was rumored to be in the running to take over the top PR role after Katie Cotton retired, but Steve Dowling was promoted and Kerris bowed out.

She then went to Twitter but left after six months, and wasn’t in the public eye until now. Kerris says she doesn’t regret her time at Twitter though, telling Business Insider, “I have tremendous respect for Jack Dorsey and the team at Twitter. The world needs Twitter.”

She’s a favorite among the tech press, having landed on Business Insider’s list of the industry’s top 50 PR people in 2012, 2014 and 2015.


Uber investors blast company for failure to change: 'We have hit a dead end'

Uber investors Mitch and Freada Kapor want to change two things: Uber’s toxic workplace and the deafening silence from Uber’s backers when it comes to the “inexcusable behavior” of the company’s leadership. 

A former engineer’s claims of sexism at Uber have rocked the company for days, leading to a teary apology from its CEO Travis Kalanick. However, they were apparently only the tip of a much deeper problem inside the company’s culture. A bombshell report from the New York Times said a manager had been fired for groping women’s breasts, employees had done cocaine in the bathrooms during company retreats, and a director had yelled gay slurs during meetings. 

In an open letter to Uber’s investors and board, the Kapors blasted Uber for ignoring the work some of its investors have tried to do behind the scenes for years to change the company culture. Freada Kapor led a workshop on unconscious bias in 2015, she said. They’ve both been contacted by multiple senior officials at Uber — although “notably” never by Travis Kalanick himself, the Kapors said.

The Kapors, who invested early in Uber, are known in Silicon Valley both for their investing prowess and for their passion and engagement around issues of diversity in the tech industry. They created the Kapor Center to help increase access to STEM education and bring more diverse entrepreneurs into the tech ecosystem.

“We are speaking up now because we are disappointed and frustrated; we feel we have hit a dead end in trying to influence the company quietly from the inside,” the Kapors wrote.

Specifically, the investors take issue with who Uber has chosen to lead what it calls an “independent” investigation into Fowler’s claims. Former attorney general Eric Holder previously worked on Uber’s behalf to advocate for the company’s concerns. Arianna Huffington is on the board of the company, and the Chief Human Resources Officer reports to the executive team. All are in on the review.

“We are disappointed to see that Uber has selected a team of insiders to investigate its destructive culture and make recommendations for change. To us, this decision is yet another example of Uber’s continued unwillingness to be open, transparent, and direct,” the Kapors wrote. 

“We intend to be thorough, impartial and objective, and we are conducting this review with the highest degree of integrity and professionalism,” Eric Holder and his law partner, Tammy Albarran, said in a statement.

The Kapors remain fearful that Uber will once again be able to “manage its way past this crisis and then go back to business as usual.” They had tried to involve the company in diversity projects run by Kapor Capital, but failed. Now that their work inside the company has failed to bring about change, the Kapors are hoping public pressure might turn the company around.

“We are speaking out publicly, because we believe Uber’s investors and board will rightly be judged by their action or inaction,” the Kapors wrote. “We hope our actions will help hold Uber leadership accountable, since it seems all other mechanisms have failed.”


This top military officer perfectly captured the strange nature of cyber warfare in one sentence

SAN DIEGO, Calif. — The US military recognizes cyber as a war fighting domain in the same league as ground and air war now, but its unique nature can be a bit hard to comprehend.

Fortunately, Coast Guard Vice Adm. Marshall Lytle gave the perfect analogy for how unique and difficult it can be for the US military to operate in the cyber realm.

“Cyberwarfare is like a soccer game with all the fans on the field with you and no one is wearing uniforms,” Lytle, who serves as the Chief Information Officer of the Joint Staff, said during a panel discussion on information warfare at the AFCEA West 2017 conference on Wednesday.

Lytle’s remark highlights the “wild west” nature of cyberwarfare, where the US, Russia, China, and many other non-state actors routinely hack into each others’ networks, steal critical information, and deceive or propagandize for their side.

Cyber soldiers are now an integral part of military strategy. But unlike the work of pilots, who can see the targets of their bombs and their effects, or of infantrymen, who wear uniforms and fight along much clearer lines, cyber warfare is much messier.

As Lytle explained, cyberwarfare doesn’t have clear battle lines. It’s not like football, he said, where there’s an offensive line and a defensive line, and you’re going up against the opposition that’s composed in a similar fashion.

Instead, the Pentagon’s hackers don’t always know who they’re up against, since technology exists to obfuscate online identities. There is also a noticeable lack of defined rules of engagement for militaries operating online, such as the law of war that keeps most militaries from committing war crimes.

“The rules don’t fit. When you think of traditional areas of hostility,” said Marine Brig. Gen. Dennis Crall, the CIO for the Department of the Navy. “It doesn’t really fit in the world of cyber.”

As US military leaders warn of the growing progress of Russia, China, and North Korea in cyberspace, the Pentagon has ramped up its own efforts in what it calls the “cyber domain” after the release of a new cyber strategy in April 2015.

The cyber strategy stood up 133 teams comprising some 4,300 personnel for its “cyber mission force,” 27 of which were directed to support combat missions by “generating integrated cyberspace effects in support of … operations.” 

They are up against China’s own “specialized military network warfare forces,” North Korea’s secretive Bureau 121 hacker unit, other nation-states, hacktivists like Anonymous, and criminal enterprises alike.

They have been further tasked with breaking into the networks of adversaries like ISIS, disrupting communications channels, stopping improvised explosive devices from being triggered through cellphones, or even, as one Marine general put it, just “trying to get inside the enemy’s [head].” 

But, as Lytle noted, lawmakers have so far not offered clearly-defined policies and processes for how the military operates in cyberspace. There have been some attempts, such as the Army’s cyberwarfare “bible” and a top secret presidential policy directive requiring approval for hacks that could potentially result in loss of life, such as the 2009 Stuxnet attack against Iranian nuclear sites.

“There are no internationally agreed upon peacetime norms on cyberspace that keep a tamp on an arms race,” Navy Vice Adm. Michael Gilday said at the conference on Tuesday. “There is no significant deterrent to malicious activity in cyberspace.”


Node.js 7.6.0 tackles asynchronous operations

The Node.js Foundation this week released Node.js 7.6.0, an experimental version of the server-side JavaScript platform that moves forward with async/await capabilities for handling asynchronous operations. But the Foundation advises enterprise users to skip using the new release in production and instead wait for Node.js 8 to arrive in April.

With Node’s release strategy, odd-numbered releases like the 7.x line are short-lived but feature cutting-edge capabilities still in an experimental phase; even-numbered lines represent Long Term Support lines for enterprises to adopt.


This Week on Windows: Cortana, Calendar app, Moana and Planet Earth II

We hope you enjoyed today’s episode of This Week on Windows! Read more about how Cortana can remind you of your commitments, and find out what’s new with your Windows 10 Mail and Calendar apps. Or, head over here for tips on how the Calendar app can help you stay on top of your day.

Here’s what’s new in the Windows Store this week:

Halo Wars 2

Halo Wars 2 launched worldwide this week on Xbox One and Windows 10 PC through Xbox Play Anywhere! Learn more on Xbox Wire.

Gigantic’s Eternal Dawn update is now available

Calling all heroes! Gigantic’s Open Beta gets a gigantic update this week with new ways for you to approach the battlefield. The Eternal Dawn update continues to expand and polish the game with new fixes, new features, and a brand-new hero joining the lineup: the melee-support goddess, Zandora. The best part is that both the game and all the latest updates are available for free in the Windows Store and Xbox Live Marketplace, where you can grab the game, party up and play cross-platform with your friends across the console and Windows 10 PC. Read more over at Xbox Wire!

Planet Earth II

Journeying across jungles, deserts, mountains, and cities, Planet Earth II ($16.99 HD, $10.99 SD) is an enthralling exploration of the world’s most extraordinary habitats and the animals that call them home. Watch the series premiere that’s been 10 years in the making, available now in the Movies & TV section of the Windows Store.

Moana

The spirited daughter of an island chieftain embarks on an epic voyage to save her people in Disney’s Moana ($19.99 HD), now available two weeks before Blu-ray. Buy the Oscar-nominated film in the Movies & TV section of the Windows Store and enjoy this animated adventure across all your devices via the Disney Movies Anywhere app.

Oscar-Winning Movies for $4.99 + Windows Store gift card

Through Sunday, Feb. 26, buy any of these Oscar-winning movies for just $4.99 HD in the Movies & TV section of the Windows Store and get a $5 Windows Store gift card to spend on even more movies, games, apps or music! Once you own these movies, you can watch across any Windows 10 device or Xbox console, or download for offline viewing.

Have a great weekend!

Mitigating arbitrary native code execution in Microsoft Edge

Some of the most important security features in modern web browsers are those that you never actually see as you browse the web. These security features work behind the scenes to protect you from browser-based vulnerabilities that could be abused by hackers to compromise your device or personal data.

In previous blog posts and presentations, we described some of the recent improvements that have been made to Windows 10 and Microsoft Edge in this space. Today we’re kicking off a two-part blog post that describes our vulnerability mitigation strategy and provides a technical deep-dive into some of the major security improvements that are coming to Microsoft Edge in the Creators Update of Windows 10.

Framing our Vulnerability Mitigation Strategy

Before we dive in, it may help to start with an overview of how we approach the problem of web browser vulnerabilities. The Microsoft Edge security team employs a layered, data-driven defense strategy that focuses investments at key points along the kill-chain that attackers follow when exploiting vulnerabilities.

Table illustrating the Edge vulnerability mitigation strategy. The Strategy row reads: "Make it difficult & costly to find, exploit, and leverage software vulnerabilities." The "Tactics" read: "Eliminate entire classes of vulnerabilities," "Break exploitation techniques," "Contain damage & prevent persistence," and "Limit the window of opportunity to exploit."

First and foremost in this strategy, we look for ways to eliminate classes of vulnerabilities by reducing attack surface and by finding or mitigating specific patterns of vulnerabilities (such as use after free issues, see MemGC). In this way, we try to counter the classic asymmetry between attackers and defenders, in which attackers only need to find one good security issue whereas defenders need to ensure there are none.

Still, we assume that we won’t be able to eliminate all vulnerabilities, so we look for ways to break the techniques that attackers can use to exploit them. This helps to spoil the recipes that attackers prefer to use when trying to transform a vulnerability into a way of running code on a device. This further counters the asymmetry by removing the underlying ingredients and primitives that enable vulnerabilities to be exploited.

We assume that we won’t be able to break all exploits, so we look for ways to contain damage and prevent persistence on a device if a vulnerability is exploited. We do this by once again applying the two previous tactics but this time directed at the attack surface that is accessible from code running within Microsoft Edge’s browser sandbox. This helps constrain attacker capabilities and further increases the cost of achieving their objective.

Finally, assuming all else fails, we look to limit the window of opportunity for an attacker to exploit a vulnerability by having effective tools and processes in place. On the processes side, we take advantage of the well-oiled security incident response processes in the Microsoft Security Response Center (MSRC). On the tools side, we have technologies like Windows Defender and SmartScreen which can be used to block malicious URLs that attempt to deliver an exploit and Windows Update to rapidly deploy and install security updates.

While we’re continuing to invest in security improvements along all of these fronts, the remainder of this post will focus on investments we’ve made to break techniques that are used to exploit the most common type of security issue in modern browsers: memory safety vulnerabilities. More specifically, the next section will explore the technologies we’ve built to help mitigate arbitrary native code execution.

Transparency

Browser security is a difficult problem space. Despite the best efforts of all browser vendors, vulnerabilities exist and can potentially be exploited. This is why Microsoft currently offers bug bounties of up to $15,000 USD for vulnerabilities found in Microsoft Edge and up to $200,000 USD for novel mitigation bypasses and defenses as part of our Mitigation Bypass and Defense Bounty. These bounty programs reinforce our commitment to our vulnerability mitigation strategy and help us reward the great work of security researchers around the world.

Mitigating Arbitrary Native Code Execution

Most modern browser exploits attempt to transform a memory safety vulnerability into a method of running arbitrary native code on a target device. This technique is prevalent because it provides the path of least resistance for attackers by enabling them to flexibly and uniformly stage each phase of their attack. For defenders, preventing arbitrary native code execution is desirable because it can substantially limit an attacker’s range of freedom without requiring prior knowledge of a vulnerability. To this end, Microsoft Edge in the Creators Update of Windows 10 leverages Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to help break the most universal primitive found in modern web browser exploits: loading malicious code into memory.

Hackers are developers, too

A typical web browser exploit chain consists of three parts:

  1. An exploit for a remote code execution (RCE) vulnerability which is used to get native code running on the target device.
  2. An exploit for an elevation of privilege (EOP) vulnerability which is used to increase privileges and escape the sandbox.
  3. A payload that leverages the obtained access to achieve the attacker’s objective (e.g. ransomware, implant, recon, etc).

These parts naturally translate into a modular design for exploits which enables attackers to select different RCE, EOP, and payload combinations based on their target. As a consequence, modern exploits ubiquitously rely on executing arbitrary native code in order to run the 2nd and 3rd stages of their exploit. By breaking this critical link in the chain, we can influence the exploit economics by invalidating the attacker’s software design assumptions and forcing refactoring costs on them.

Preventing the loading of malicious native code

An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory. CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.

CIG: Only allow properly signed images to load

CIG was first enabled for Microsoft Edge starting with the Windows 10 1511 update. In a previous blog post, we explained how a kernel-enforced User Mode Code Integrity (UMCI) policy has been enabled for Microsoft Edge content processes that requires DLLs to be Microsoft, Windows Store, or WHQL-signed. With this policy in place, the kernel will fail attempts to load a DLL that is not properly signed. In practice, exploits do not typically rely on loading a DLL from disk, but it has been used by some exploits and it must be addressed to achieve our objective and to have a comprehensive solution. Since the Windows 10 1511 release, we’ve made additional improvements to help strengthen CIG:

  1. Preventing child process creation (Windows 10 1607): As the UMCI policy is applied per-process, it is also important to prevent an attacker from spawning a new process with a weaker or non-existent UMCI policy. In Windows 10 1607, Microsoft Edge enabled the no child process mitigation policy for content processes which ensures that a child process cannot be created. This policy is currently enforced as a property of the token for a content process which ensures both direct (e.g. calling WinExec) and indirect (e.g. out-of-process COM server) process launches are blocked.
  2. Enabling the CIG policy sooner (Windows 10 Creators Update): The enablement of the UMCI policy has been moved to process creation time rather than during process initialization. This was done to further improve reliability by eliminating a process launch time gap where local injection of improperly signed DLLs into a content process could occur. This was achieved by taking advantage of the UpdateProcThreadAttribute API to specify the code signing policy for the process being launched.

ACG: Code cannot be dynamically generated or modified

While CIG provides strong guarantees that only properly signed DLLs can be loaded from disk, it does not provide any guarantees about the state of image code pages after they are mapped into memory or dynamically generated code pages. This means an attacker can load malicious code by creating new code pages or modifying existing ones even when CIG is enabled. In practice, most modern web browser exploits eventually rely on invoking APIs like VirtualAlloc or VirtualProtect to do just this. Once an attacker has created new code pages, they then copy their native code payload into memory and execute it.

With ACG enabled, the Windows kernel prevents a content process from creating and modifying code pages in memory by enforcing the following policy:

  1. Code pages are immutable. Existing code pages cannot be made writable and therefore always have their intended content. This is enforced with additional checks in the memory manager that prevent code pages from becoming writable or otherwise being modified by the process itself. For example, it is no longer possible to use VirtualProtect to make an image code page become PAGE_EXECUTE_READWRITE.
  2. New, unsigned code pages cannot be created. For example, it is no longer possible to use VirtualAlloc to create a new PAGE_EXECUTE_READWRITE code page.
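
As an added illustration (not code from the original post or from Microsoft Edge), the following C program opts the current process into ACG with SetProcessMitigationPolicy and then attempts the operations the two rules above forbid. The function and macro names are assumptions of this example, the third check (making a writable data page executable) goes beyond the two cases the text names, and on non-Windows builds the self-test only reports that ACG is unavailable.

```c
/* Added example: observe the ACG rules from inside a Windows 10 process. */
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0A00   /* expose the mitigation-policy declarations */
#endif
#include <windows.h>
#endif
#include <stdio.h>

/* acg_selftest() returns ACG_UNSUPPORTED or an OR of the bits below.
 * These names are hypothetical and exist only in this example. */
#define ACG_UNSUPPORTED       (-1)
#define ACG_NEW_RWX_BLOCKED   0x1  /* rule 2: no new unsigned code pages      */
#define ACG_IMAGE_RWX_BLOCKED 0x2  /* rule 1: image code pages are immutable  */
#define ACG_RW_TO_RX_BLOCKED  0x4  /* data pages cannot be turned into code   */

#ifdef _WIN32
/* Opt the current process into ACG. Once set, the policy cannot be removed. */
static BOOL enable_acg(void)
{
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY policy;

    ZeroMemory(&policy, sizeof(policy));
    policy.ProhibitDynamicCode = 1;
    if (!SetProcessMitigationPolicy(ProcessDynamicCodePolicy,
                                    &policy, sizeof(policy)))
        return FALSE;

    /* Read the policy back so the result reflects what the kernel enforces. */
    ZeroMemory(&policy, sizeof(policy));
    return GetProcessMitigationPolicy(GetCurrentProcess(),
                                      ProcessDynamicCodePolicy,
                                      &policy, sizeof(policy))
           && policy.ProhibitDynamicCode;
}

int acg_selftest(void)
{
    int result = 0;
    DWORD old = 0;
    void *p;

    /* Baseline: before ACG is on, a new RWX page can be allocated. */
    p = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE,
                     PAGE_EXECUTE_READWRITE);
    if (p == NULL)
        return ACG_UNSUPPORTED;      /* already restricted: no contrast to show */
    VirtualFree(p, 0, MEM_RELEASE);

    if (!enable_acg())
        return ACG_UNSUPPORTED;

    /* Rule 2: VirtualAlloc can no longer create a PAGE_EXECUTE_READWRITE page. */
    p = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE,
                     PAGE_EXECUTE_READWRITE);
    if (p == NULL)
        result |= ACG_NEW_RWX_BLOCKED;
    else
        VirtualFree(p, 0, MEM_RELEASE);

    /* Rule 1: an image code page (here, this program's own code) cannot be
     * made writable with VirtualProtect. */
    if (!VirtualProtect((LPVOID)(ULONG_PTR)&enable_acg, 1,
                        PAGE_EXECUTE_READWRITE, &old))
        result |= ACG_IMAGE_RWX_BLOCKED;
    else
        VirtualProtect((LPVOID)(ULONG_PTR)&enable_acg, 1, old, &old);

    /* Beyond the page's two examples: a plain read/write page cannot be
     * flipped to executable either, which is what an in-process JIT would do. */
    p = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (p != NULL) {
        if (!VirtualProtect(p, 4096, PAGE_EXECUTE_READ, &old))
            result |= ACG_RW_TO_RX_BLOCKED;
        VirtualFree(p, 0, MEM_RELEASE);
    }
    return result;
}
#else
/* ACG is a Windows kernel feature; nothing to exercise on other platforms. */
int acg_selftest(void)
{
    return ACG_UNSUPPORTED;
}
#endif

int main(void)
{
    int r = acg_selftest();

    if (r == ACG_UNSUPPORTED) {
        puts("ACG could not be enabled or observed on this system");
        return 1;
    }
    printf("new RWX page blocked:        %s\n", (r & ACG_NEW_RWX_BLOCKED) ? "yes" : "no");
    printf("image page -> RWX blocked:   %s\n", (r & ACG_IMAGE_RWX_BLOCKED) ? "yes" : "no");
    printf("RW page -> executable blocked: %s\n", (r & ACG_RW_TO_RX_BLOCKED) ? "yes" : "no");
    return r == (ACG_NEW_RWX_BLOCKED | ACG_IMAGE_RWX_BLOCKED | ACG_RW_TO_RX_BLOCKED) ? 0 : 1;
}
```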

When combined, the restrictions imposed by ACG and CIG ensure that a process can only directly map signed code pages into memory. Although this is great for security, ACG introduces a serious complication: modern web browsers rely on Just-in-Time (JIT) compilers for best performance. How can we satisfy both needs?

Supporting Just-in-Time (JIT) Compilers

Modern web browsers achieve great performance by transforming JavaScript and other higher-level languages into native code. As a result, they inherently rely on the ability to generate some amount of unsigned native code in a content process. Enabling JIT compilers to work with ACG enabled is a non-trivial engineering task, but it is an investment that we’ve made for Microsoft Edge in the Windows 10 Creators Update. To support this, we moved the JIT functionality of Chakra into a separate process that runs in its own isolated sandbox. The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages.

Impact on attackers

Together, CIG and ACG provide strong protection against a fundamental primitive that is ubiquitously used when exploiting web browser vulnerabilities. This means attackers must develop new methods for chaining the stages of their exploits.

In the Windows 10 Creators Update, CIG is enabled by default for Microsoft Edge, except for scenarios where certain incompatible extensions are present (such as IMEs) – in these scenarios, both CIG and ACG are currently disabled by default.

For compatibility reasons, ACG is currently only enforced on 64-bit desktop devices with a primary GPU running a WDDM 2.2 driver (the driver model released with the Windows 10 Anniversary Update), or when software rendering is in use. For experimental purposes, software rendering can be forced via Control Panel -> Internet Options -> “Advanced”. Current Microsoft devices (Surface Book, Surface Pro 4, and Surface Studio) as well as a few other existing desktop systems with GPU drivers known to be compatible with ACG are opted into ACG enforcement. We intend to improve the coverage and accuracy of the ACG GPU opt-in list as we evaluate the telemetry and feedback from customers.

One of the limitations of CIG and ACG is that they don’t prevent an attacker from leveraging valid signed code pages in an unintended way. For example, this means attackers could still use well-known techniques like return-oriented programming (ROP) to construct a full payload that doesn’t rely on loading malicious code into memory. In order to help keep signed code “on the rails” as it executes, Microsoft Edge takes advantage of Control Flow Guard (CFG) which applies a control-flow integrity policy to indirect calls. In the future, we hope to further mitigate control-flow hijacking such as by taking advantage of Intel’s Control-flow Enforcement Technology (CET) to protect return addresses on the stack.

Finally, it should be noted that the use of CIG and ACG in Edge is not intended to fully prevent privileged code running on the system from injecting unsigned native code into a content process. Rather, these features are intended to prevent the scenario of the content process itself attempting to load malicious native code.

Up Next

In an upcoming post, we’ll shift gears to focus on some of the major improvements that have been made to strengthen containment and isolation for Microsoft Edge in the Creators Update of Windows 10. These improvements provide the next line of defense in our efforts to help prevent web browser vulnerabilities from being used to compromise your device or personal data.

Matt Miller, Principal Security Software Engineer, MSRC

A New Monetization Opportunity: Application Extensions + Microsoft Affiliate Program

Looking for more ways to monetize your app? App developers can boost their revenue through the Microsoft Affiliate Program. As an affiliate you can earn revenue by promoting content in the Windows Store and Microsoft Store, such as apps, games, music and video.

Developers who place links and/or banners on their apps directing users to the Windows Store will receive a commission for each online sale driven by that in-app marketing. You may have participated in other affiliate programs where you get a commission when someone buys something that you link to – the Microsoft Affiliate Program works in much the same way, but is more expansive.

A New Opportunity

As an app developer, this is a golden opportunity to open a new revenue stream for Universal Windows Apps.

Not only do you earn commission when a user follows the link you sent and purchases an extension, but you also earn up to 10% commission on anything else the user buys online from Microsoft within a window of time lasting up to 14 days.

By using the Affiliate program tools for creating, promoting and tracking campaigns, you can maximize revenue. This includes commission on apps, in-app purchases, games, movies, music downloads, Groove Music Passes, Microsoft Office and even hardware.

App Services/App Extensions + Microsoft Affiliate Program

Now when you combine the Microsoft Affiliate Program with app extensibility, new monetization opportunities open up on the Windows platform that just aren’t available on other app platforms. Three different types of app developers could benefit from combining App Services and Extensions with the Microsoft Affiliate Program:

  1. App developers who host extensibility to their apps can now earn commission on sales of extensions and other store purchases triggered by the installation of those extensions.
  2. App developers who build extensions can now have a store to put their extension in and their extensions get discovered in the context of the app when they are needed.
  3. App developers can make it easy to use their app’s service with the Microsoft Affiliate Program.

To help you get set up to participate in this affiliate-marketing program, let’s talk about App Extensions and App Services.

The Challenge with App Extensibility

The basics are simple: An app defines a plug-in or extensibility protocol, publishes it and then finds ways of getting extension developers to build extensions using the protocol.

Applications have had extensibility mechanisms for years. Desktop apps such as Microsoft Word, Microsoft Outlook, Adobe Photoshop, Visual Studio and Google Chrome have enabled third-party developers to build extensions to enhance and extend the apps in interesting ways, and even in directions that the app developer hadn’t imagined.

But though they are quite often easy to build, there are several challenges with the business of building App Extensions:

  • Extension developers would have to run their own commerce engine or trialware mechanism.
  • Promotional ability is typically limited to being listed in a catalog of available extensions.
  • The best option is quite often to be bought by the app developer.
  • The extension is strictly tied to the protocol and deployment mechanism defined by the host app and making it work with another vendor’s app is an additional effort.

Universal Windows Platform extends App Services

Windows 10 makes this process easier: Apps can now expose App Services to other apps, extending their capabilities.

Apps can even expose multiple services, each with a different protocol, depending on the usage model. The communication between apps via App Services is through an async protocol sending value sets of simple values – you can even share files via tokens with the SharedStorageAccessManager class.

To use an app’s service, you need to know the name of the app, the name of the service and the protocol that it’s expecting. Once you know that, the calling app can send messages to, and receive messages from, the app that is running the app service.

App Extensions enhance App Services

A new feature in the Windows Anniversary Edition that works great with App Services is App Extensions.

With App Extensions, an extensible app declares in its manifest that it hosts extensions with a specific named extension mechanism. App extension developers then declare in their apps’ manifests that their extension implements that named extension mechanism.

A new feature in the Microsoft Edge browser is this extension mechanism so that third-party developers can extend Microsoft Edge to add new capabilities. Apps that host extensions can also use the AppExtensionCatalog API to list all of the extensions that are installed and available on the system for the extension protocols declared in the app’s manifest.

As an example, here’s the manifest of my Journalist app, which hosts two different types of extensions:


<uap3:Extension Category="windows.appExtensionHost">
    <uap3:AppExtensionHost>
        <uap3:Name>Journalist.Export.1</uap3:Name>
        <uap3:Name>Journalist.PageItem.1</uap3:Name>
    </uap3:AppExtensionHost>
</uap3:Extension>

The catalog exposes metadata for each extension, including its display name, package family name, and it could even expose the service name – everything necessary to call its app service. My Animated GIF Creator app then declares this in its manifest:


<uap3:Extension Category="windows.appExtension">
    <uap3:AppExtension Name="Journalist.Export.1" 
        Id="AnimatedGifTranscoder" PublicFolder="Public" 
        DisplayName="ms-resource:AnimatedGIF" 
        Description="ms-resource:JournalistExportDescription">
        <uap3:Properties>
            <Service>AnimatedGifCreator.Journalist.1</Service>
            <ExportType>File</ExportType>
            <SuggestedStartLocation>PicturesLibrary</SuggestedStartLocation>
            <ExtensionHtml>Extension.html</ExtensionHtml>
        </uap3:Properties>
    </uap3:AppExtension>
</uap3:Extension>
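The pairing between the two manifests above can be checked offline. This is an added example, not code from the original post: a Python script that reads a host manifest and an extension manifest, matches the extension's Name against the contracts the host declares, and reports the app service the host would call. The Package wrapper and its namespace declarations are constructed around the page's fragments, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

UAP3 = "http://schemas.microsoft.com/appx/manifest/uap/windows10/3"
FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
NS = {"uap3": UAP3}

def _package(fragment):
    # Constructed wrapper: the page shows only the <uap3:Extension> fragments.
    return f'<Package xmlns="{FOUNDATION}" xmlns:uap3="{UAP3}">{fragment}</Package>'

HOST_MANIFEST = _package("""
<uap3:Extension Category="windows.appExtensionHost">
  <uap3:AppExtensionHost>
    <uap3:Name>Journalist.Export.1</uap3:Name>
    <uap3:Name>Journalist.PageItem.1</uap3:Name>
  </uap3:AppExtensionHost>
</uap3:Extension>""")

EXTENSION_MANIFEST = _package("""
<uap3:Extension Category="windows.appExtension">
  <uap3:AppExtension Name="Journalist.Export.1" Id="AnimatedGifTranscoder" PublicFolder="Public">
    <uap3:Properties>
      <Service>AnimatedGifCreator.Journalist.1</Service>
      <ExportType>File</ExportType>
    </uap3:Properties>
  </uap3:AppExtension>
</uap3:Extension>""")

def hosted_contracts(manifest_xml):
    """Extension contract names a host package declares it will load."""
    # For manifests taken from untrusted packages, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    names = root.iterfind(".//uap3:AppExtensionHost/uap3:Name", NS)
    return {n.text.strip() for n in names if n.text}

def declared_extensions(manifest_xml):
    """Each AppExtension with its contract name, Id and custom properties."""
    root = ET.fromstring(manifest_xml)
    found = []
    for ext in root.iterfind(".//uap3:AppExtension", NS):
        # Property elements inherit the default namespace; keep the local name only.
        props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
                 for p in ext.iterfind("uap3:Properties/*", NS)}
        found.append({"contract": ext.get("Name"), "id": ext.get("Id"), "properties": props})
    return found

def pair(host_xml, ext_xml):
    """Extensions the host would discover, with the app service each one names."""
    contracts = hosted_contracts(host_xml)
    return [(e["id"], e["contract"], e["properties"].get("Service"))
            for e in declared_extensions(ext_xml) if e["contract"] in contracts]
```

An extension whose third tuple element is None declares the contract but names no service, so the host has nothing to connect to.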

The only thing missing for an app that hosts extensions is a catalog of available extensions that are not installed on the system but available in the store.

Continuing the example with my Journalist app, I show a list of extensions available to install.

This could be a hardcoded list or a list retrieved from an app service, but the point is that as an app developer, I can detect if a specific app extension is available; if it isn’t, I can provide the UI to install it.

The Install button for each extension will take the user to the page for the app in the Windows Store so he or she can purchase (if it’s not free) and install the app – and this is where the new monetization opportunity is – the Microsoft Affiliate Program. Once the user gets into the store with that affiliate link, the developer can earn commission revenue on ANYTHING the user purchases within the time window mentioned above.

If the user clicks on install, the app will launch a web URL for the Microsoft Affiliate Program and then take the user to a product page for the extension in the Windows Store (one extra hop). In another place in my Journalist app, I show related journaling supplies and I used the affiliate program’s link-builder tools to build links to the products circled below:

More Details

As you can see, as an app developer, I’m super excited about app extension and this new opportunity.  Here are some additional details that will help you on your new UWP monetization opportunity:


Verizon scores a decisive win in wireless shootout

Sorry T-Mobile, AT&T and Sprint. Verizon has beaten you handily in an extensive series of tests of wireless network performance. RootMetrics, an independent testing company based in Seattle, performed thousands of tests in 125 metropolitan areas across the U.S., measuring speed, quality and reliability of voice calls, texting and data downloads. When the tests – all conducted in the last half of 2016 – were tallied, Verizon came out on top or tied for first 658 times. The closest to Verizon was AT&T with 372 wins and ties, followed by T-Mobile with 270 and Sprint with 246. Although Sprint fared poorly in many tests, the number-4 carrier earned high marks when it came to call reliability, a key measure of quality for consumers. Indeed, RootMetrics said Sprint was “outstanding” when it came to call reliability and earned an “excellent” rating for that metric in all 125 metro areas it tested.
http://www.cio.com/article/3173321/mobile/verizon-scores-a-decisive-win-in-wireless-shootout.html#tk.rss_consumerelectronics


Computer Systems Cloud Specialist