Microsoft engineer fixes enterprise-level Chromium bug students could exploit to cheat in online tests

Ability to block 'view source' for specific URLs hasn't actually worked for years


Future Chromium-based browsers under administrative control will be able to prevent users from viewing webpage source code for specific URLs, a capability that remained unavailable to enterprise customers for the past three years until a bug fix landed earlier this week.

Back on October 15, 2018, an employee of Amplified IT, a Google education partner since acquired by CDW, filed a bug report describing how the Chromium URL Blocklist – which administrators can set to conform with organization or enterprise policy – doesn't actually work for view-source: URLs.

Evidently, tech savvy students were viewing the source code of web-based tests to determine the answers.

"With view-source in the URLBlacklist, the view-source:http://[URL] should not be available," the bug report explains. "With schools using Google Forms as a testing platform, students are able to use this shortcut to search through the source of the page, and determine the correct answers."


Despite ample evidence that this was a problem, in the form of confirmation from Google employees reporting similar concerns from education customers and from videos explaining how to view web page source code to cheat, the bug that prevented URL Blocklist from catching when a URL contains the view-source: prefix lingered untended until a few days ago.
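To make the symptom concrete, here is an added, constructed illustration (not Chromium's code, not from the bug report): a simplified blocklist matcher that reads a managed-policy JSON, with a "buggy" branch that models the behaviour described above (view-source: URLs fall outside the filter) next to a "fixed" branch that recognises the prefix. The policy entries, the `example.test` host and the pattern syntax are all hypothetical; `URLBlocklist` is the real policy name.

```python
import json
from urllib.parse import urlsplit

# Constructed managed-policy snippet (hypothetical entries; URLBlocklist is
# the real policy name, the pattern syntax below is a simplification).
POLICY_JSON = '{"URLBlocklist": ["view-source:*", "example.test/quiz"]}'

VIEW_SOURCE = "view-source:"
WEB_SCHEMES = {"http", "https"}


def load_blocklist(policy_text):
    """Read the URLBlocklist entries out of a policy JSON document."""
    return json.loads(policy_text).get("URLBlocklist", [])


def _pattern_matches(pattern, url):
    """Simplified pattern test: 'scheme:*' matches that scheme, otherwise
    'host[/path]' matches the host and a path prefix."""
    parts = urlsplit(url)
    if pattern.endswith(":*"):
        return parts.scheme == pattern[:-2]
    host, _, path = pattern.partition("/")
    return parts.hostname == host and (parts.path or "/").startswith("/" + path)


def is_blocked_buggy(url, blocklist):
    """Models the symptom: only ordinary web schemes are filtered, so a URL
    carrying the view-source: prefix is never caught by any entry."""
    if urlsplit(url).scheme not in WEB_SCHEMES:
        return False
    return any(_pattern_matches(p, url) for p in blocklist)


def is_blocked_fixed(url, blocklist):
    """Recognise the prefix: a view-source: URL is blocked when the policy
    names the view-source scheme itself or blocks the wrapped page."""
    if url.startswith(VIEW_SOURCE):
        inner = url[len(VIEW_SOURCE):]
        scheme_blocked = any(p == VIEW_SOURCE + "*" for p in blocklist)
        return scheme_blocked or is_blocked_fixed(inner, blocklist)
    return any(_pattern_matches(p, url) for p in blocklist)


if __name__ == "__main__":
    entries = load_blocklist(POLICY_JSON)
    probe = "view-source:https://example.test/quiz"
    print("buggy:", is_blocked_buggy(probe, entries))  # False
    print("fixed:", is_blocked_fixed(probe, entries))  # True
```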

It was fixed by Microsoft principal program manager Eric Lawrence, a veteran browser developer who also spent several years at Google. Microsoft's Edge browser, like Google's Chrome, is based on the open-source Chromium project.

The abstract prospect of losing access to the ability to view web page source code alarmed various people online and without any basis was linked to a recent public spat involving the viewing of web source code: Missouri Governor Mike Parson's absurd claim that a reporter's scrutiny of webpage code to uncover insecure data handling amounted to unlawful hacking.

While there is some reason to complain that Chromium will finally get URL Blocklist working as intended – no one likes to be treated like a child or to have their tools hobbled by an administrator – it's really not much of one.

In the context of education, it's possible to argue that denying students the ability to view web source code will foreclose a longstanding path to learning how to write web applications. Ignoring how popular web apps are often obfuscated to prevent meddling, this bug fix hardly denies all avenues for looking at web pages, like saving them locally and then opening them in a text editor (though that too can be blocked via policy controls).

Attempting to address critics, Lawrence explained his rationale for squashing the URL Blocklist bug in a post to Hacker News earlier this week. He wrote:

  1. I landed this fix because there was a policy that did not work properly. We could instead document that the URLBlocklist policy works for every scheme but one, or we could fix it. Fixing it makes more sense.
  2. This policy only can be set on managed machines.
  3. This policy, in isolation, is trivially circumvented. Managed environments block many things, including many of the proposed circumventions here.
  4. I've built one of the world's most popular tools for viewing and modifying web traffic. The narrative that this feature has broad implications for anything is absurd.

Not everyone accepted that explanation. In reply, Janne Mareike Koschinski, a computer scientist based in Germany who maintains Quasseldroid, condemned Lawrence.

"Many of the best people in IT are there today, because they got curious about how stuff worked, experimented with it, broke the rules, and learned from that," Koschinski wrote. "This curiosity needs to be encouraged, not stopped. … If you contribute to this culture of closed technology, you are just as well at fault as developers of DRM tech or Android SafetyNet."


That's one way to look at it, though it dismisses pretty much everyone who has worked for Microsoft, Google, Apple, and every other commercial technology company that has implemented any system that recognizes permission settings and user privileges.

Let's assume for the sake of moving things along that Lawrence's bug fix isn't the Orwellian boot of oppression alluded to above. Nonetheless, it is adjacent to legitimate concern about technological disempowerment, for which there are far better examples, such as proctoring software that surveils students and their devices, or work-monitoring software that applies similar scrutiny to remote workers.

It's fair to say there should be more discussion with the privileged who apply administrative controls – schools, employers, and other authorities – to explore what's reasonable and what's oppressive, particularly in the US where freedom is something that supposedly can be had. We should all be so fortunate as to have our IT tools work for us rather than against us.

Until that gets resolved, cherish the software bugs – the enduring shoddiness of software ensures any technical expression of authoritarianism will be hackable. ®
