hosang I.T.

Everything posted by reporter

  1. Electric toothbrushes can make dental care easier. With the holiday rolling in, this is a great time to pick up one of the best models we’ve found.
  2. The iPhone 17 brings improvements to the camera, display and battery. But is it worth the upgrade?
  3. Chrome now integrates with Google Wallet to incorporate more information.
  4. For this week's giveaway, we've teamed up with GRID Studio to offer MacRumors readers a chance to win a new iPhone 17 from Apple. GRID Studio is a company that takes discarded Apple devices and turns them into collectible art for Apple fans. If you're still looking for holiday gifts, GRID Studio has a Christmas sale going on this week. You can get 20 percent off site wide with promo code CM20, and there are also deeper discounts on select items. The iPhone 2G is available for $299, down from $399. The GRID 2G is one of the most popular devices that GRID Studio sells, because it showcases the first iPhone that Apple made. It highlights all of the components that were in the original 2007 ‌iPhone‌, including the curved shell, power button, headphone socket, speaker, logic board, and ear piece. Apple's original ‌iPhone‌ was made well before Apple started manufacturing its own chips, so there are some unique components to reminisce about. The iPhone 4s is available for $99, down from $139. The ‌iPhone‌ 4S was the last ‌iPhone‌ introduced during Apple co-founder Steve Jobs' lifetime, and it was the first ‌iPhone‌ Apple CEO Tim Cook released without Jobs. It was the fifth ‌iPhone‌ that Apple came out with, and in the name, the "S" stood for Siri. The ‌iPhone‌ 4S was the first ‌iPhone‌ that included Apple's personal assistant. Compared to the ‌iPhone‌ 4, the ‌iPhone‌ 4S included an upgraded A5 chip, an 8-megapixel camera, and up to 64GB of storage. It ran iOS 5, a major operating system update that brought features like iCloud and iMessage. All of the internal components from the ‌iPhone‌ 4S are thoughtfully arranged in GRID Studio's piece, and there's even a look at the default app arrangement that was available at the time. GRID has the iPhone 5 available for $109, down from $139. The GRID 5 highlights the 2012 ‌iPhone‌ 5, which was the first ‌iPhone‌ that was developed under Apple CEO ‌Tim Cook‌ and the last ‌iPhone‌ that Apple CEO Steve Jobs was involved with. 
The ‌iPhone‌ 5 is an important part of Apple's history because it included a taller 4-inch display, and it was the first ‌iPhone‌ to use the Lightning port rather than the 30-pin port. GRID also makes art from other Apple products, like Apple Watches. The GRID Watch 1st Gen is available for $149, and it features Apple's first-ever Apple Watch. Components include the heart rate sensor, flex cable, display, main board, S1 chip, speaker, power button, battery, and Taptic Engine, along with the casing and band. It's a fun piece of Apple history for Apple Watch fans. We have an ‌iPhone 17‌ to give away to one lucky MacRumors reader. To enter to win, use the widget below and enter an email address. Email addresses will be used solely for contact purposes to reach the winner(s) and send the prize(s). You can earn additional entries by subscribing to our weekly newsletter, subscribing to our YouTube channel, following us on Twitter, following us on Instagram, following us on Threads, or visiting the MacRumors Facebook page. Due to the complexities of international laws regarding giveaways, only U.S. residents who are 18 years or older, UK residents who are 18 years or older, and Canadian residents who have reached the age of majority in their province or territory are eligible to enter. All federal, state, provincial, and/or local taxes, fees, and surcharges are the sole responsibility of the prize winner. To offer feedback or get more information on the giveaway restrictions, please refer to our Site Feedback section, as that is where discussion of the rules will be redirected. GRID Studio Giveaway The contest will run from today (December 5) at 10:00 a.m. Pacific Time through 10:00 a.m. Pacific Time on December 12. The winner will be chosen randomly on or shortly after December 12 and will be contacted by email. 
The winner will have 48 hours to respond and provide a shipping address before a new winner is chosen. Tag: Giveaway. This article, "MacRumors Giveaway: Win an iPhone 17 From GRID Studio" first appeared on MacRumors.com
  5. For a few more days, you can save on mattresses and bed frames from one of our favorite makers.
  6. No crease, but big price: Apple's iPhone Fold might launch at $2,400.
  7. Intel is expected to begin supplying some Mac and iPad chips in a few years, and the latest rumor claims the partnership might extend to the iPhone. In a research note with investment firm GF Securities this week, obtained by MacRumors, analyst Jeff Pu said he and his colleagues "now expect" Intel to reach a supply deal with Apple for at least some non-pro iPhone chips starting in 2028. The non-pro iPhone chips would be manufactured with Intel's future 14A process, according to Pu. The research note did not provide any other details about these potential plans, but based on the stated timeframe, Intel could start supplying Apple with the A22 chip for devices like the "iPhone 20" and "iPhone 20e" in around three years from now. Importantly, there is no indication that Intel would play a role in designing the iPhone chips, with its involvement expected to be strictly limited to fabrication. Apple would continue to design iPhone chips, and Intel would start to handle a smaller percentage of manufacturing alongside Apple's primary chipmaker TSMC. Last month, Apple supply chain analyst Ming-Chi Kuo said he expects Intel to begin shipping Apple's lowest-end M-series chip for select Mac and iPad models as early as mid-2027. For this, Kuo said Apple plans to utilize Intel's 18A process, which is the "earliest available sub-2nm advanced node manufactured in North America." Intel supplying Apple-designed, Arm-based chips would differ from the era of Intel-based Macs, which used Intel-designed processors with x86 architecture. Apple reaching a chip supply deal with Intel would boost its reliance on an American manufacturing company and help to diversify its supply chain. Intel previously supplied Apple with cellular modems for some iPhone 7 to iPhone 11 models. Tags: Intel, Jeff Pu. This article, "Apple's Return to Intel Rumored to Extend to iPhone" first appeared on MacRumors.com
  8. AWS is releasing a lot of new AI tech but the cloud infrastructure giant's enterprise customers may not be ready for it yet.
  9. Cybereason is continuing to investigate. Check the Cybereason blog for additional updates.
     KEY TAKEAWAYS
       • Critical vulnerability discovered on December 3, 2025 in React that could allow for unauthenticated remote code execution.
       • Cybereason experts have dubbed this vulnerability as trivial to exploit.
       • Issue allows the server to incorrectly trust user-supplied identifiers and fails to verify.
       • Initial working proof of concept is public and attributed to Chinese threat actors.
       • If server was exposed to public internet prior to patch release date (December 3, 2025), investigate for signs of compromise.
       • Update to latest patched versions of React, and review advisory for additional recommendations.
  10. OnePlus 15 vs. RedMagic 11 Pro: These powerful gaming-optimized phones look completely different, and each takes a different tactic to make the most of their high-end hardware.
  11. A new agentic browser attack targeting Perplexity's Comet browser is capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. The zero-click Google Drive Wiper technique hinges on connecting the browser to services like Gmail and Google Drive to automate routine tasks by granting them
  12. Apple is about to release iOS 26.2, the second major point update for iPhones since iOS 26 was rolled out in September, and there are at least 15 notable changes and improvements worth checking out. We've rounded them up below.

      Apple is expected to roll out iOS 26.2 to compatible devices sometime between December 8 and December 16. When the update drops, you can check Apple's servers for the download by going to Settings ➝ General ➝ Software Update on your iPhone.

      Set a Reminder Alarm
      iOS 26.2 brings a new alarm capability to the Reminders app. When you create a reminder, you can toggle on an "Urgent" option so that, at the due time, your iPhone sounds an alarm rather than simply showing a notification.

      Adjust Liquid Glass Clock
      Apple's latest update adds a new slider under the "Liquid Glass" Lock Screen settings that gives much finer control over the clock's appearance. You can choose to make the time display nearly fully transparent, or more frosted and opaque, rather than being limited to the previous fixed presets.

      AirDrop Files to People Not in Contacts
      iOS 26.2 introduces a one-time AirDrop code system, letting you share files with someone even if they're not in your contacts. Once generated, the code remains valid for 30 days. Apple also includes a "Manage Known AirDrop Contacts" pane so that you can see and manage the people you've shared codes with.

      View Apple Music Lyrics Offline
      Apple Music is gaining offline lyrics support, so you can now view song lyrics in the app even when your iPhone isn't connected to Wi-Fi or mobile data.

      Get a Better Sleep Score
      If you wear your Apple Watch in bed, it's worth knowing that Apple has reworked its Sleep Score scoring tiers, with the aim of better matching typical sleep-quality experiences. Now, "Very Low" runs 0–40 (previously 0–29), "Low" 41–60, "OK" 61–80, "High" 81–95, and "Very High" 96–100 (previously labelled "Excellent").

      Automatically Create Podcast Chapters
      The Podcasts app can now automatically generate chapters for individual episodes. This means that rather than fixed chapter markers, the app will create them for you – and episode transcriptions now let you tap on mentions of other podcasts or links.

      Manage Websites Where Passwords Aren't Saved
      In the Passwords app's main settings menu, there's a new section allowing you to review and manage websites where you have deliberately avoided saving credentials. It gives you finer control over which domains are excluded from password storage.

      Get AirPods Live Translation in EU
      Apple's latest update expands the reach of AirPods Live Translation to countries in the European Union. The feature was previously unavailable in the EU due to Apple's ongoing regulatory compliance work.

      Flash iPhone Screen for Alerts
      In the Accessibility settings, under "Flash for Alerts," you can now choose to have your iPhone screen flash when a notification arrives, rather than just the rear camera's LED flash. You can configure it to use the screen flash alone, the LED flash, or both simultaneously, giving you more flexibility for alert styles.

      Quicker Access to Apple News Sections
      The Apple News app gets a refreshed interface. The top-of-feed buttons now let you jump quickly into categories (e.g. sports, business, food, puzzles) instead of scrolling or tapping through menus.

      Manage Safety Alerts
      iOS 26.2 introduces an "Enhanced Safety Alerts" section in Notifications settings that centralizes earthquake alerts, imminent-threat alerts, and also includes a new location-based "improved alert delivery" option, helping ensure the reliability of alerts.

      Sort Games by Size
      In the Games app library, there's now an option to sort games by size (in addition to name or recent). It should prove useful if you want to clear storage or identify large games quickly. Beyond sorting, the update also brings support for controller-based navigation and real-time challenge-score updates while playing.

      Disable Pinned Messages in CarPlay
      For CarPlay users, iOS 26.2 lets you disable the new "pinned messages" view in the Messages app – restoring the older, classic messages interface if you prefer that simpler look while driving.

      Replace Siri Side Button Functionality (in Japan)
      For iPhone users registered in Japan, iOS 26.2 lays the foundation for replacing the default voice assistant triggered by the Side button from Siri to a third-party voice assistant (for example, Gemini or Alexa), giving users a choice at the system level for the first time.

      Multitask More on iPad
      For iPad users, iPadOS 26.2 restores some multitasking flexibility, and allows you to drag and drop apps from the App Library, Dock, or Spotlight into Split View or Slide Over. The change should make window and multitask management on iPad more fluid.

      This article, "15 New Things Your iPhone Can Do in iOS 26.2" first appeared on MacRumors.com
  13. eSIM as a technology has been around for a decade now. However, global eSIM adoption was around 3% last year and will only cross 5% this year. Despite these figures, analysts, eSIM-providing startups, and investors are bullish about eSIM’s upward trajectory, largely thanks to travel. Device compatibility One of the key factors for that is […]
  14. The inclusion of the Waymo look-a-likes appears to be part of a larger storyline that will encourage players to "stop the development of a mass surveillance network."
  15. EU regulators also reprimanded the social media company for its lack of ad transparency and failure to provide researchers with access to data.
  16. Make these smart speakers from Amazon, Apple, Nest and others the top of your list when trying to find the best for your home.
  17. On this week's episode of The MacRumors Show, we discuss Samsung's new Galaxy Z TriFold smartphone and how it could compare to Apple's upcoming foldable iPhone. Subscribe to The MacRumors Show YouTube channel for more videos Samsung this week introduced the Galaxy Z TriFold, its first smartphone with two folding sections instead of one. When unfolded, the device presents a 10-inch screen, while the cover display measures 6.5 inches. Samsung says it has minimized visible creasing across the panels. The Galaxy Z TriFold uses an inward-folding design intended to protect the main display. The folding mechanism has been engineered with an alert system that notifies users if the device is being folded incorrectly. Samsung is using a titanium Armor FlexHinge with two differently sized hinges joined by a dual-rail structure. According to the company, this enables a smoother and more stable fold despite uneven panel weight distribution, and increases durability thanks to a thin metal reinforcement that protects the hinge assembly. A third of the unfolded display measures 3.9mm thick, increasing slightly around the triple-lens camera module. The center display section is 4.2mm thick, while the segment containing the side button is 4mm. The device includes a reinforced overcoat atop a shock-absorbing display layer for impact resistance, and an aluminum frame prevents the screens from coming into contact when closed. Samsung has equipped the Galaxy Z TriFold with a 5,600 mAh three-cell battery, with one cell behind each display panel. The company says this is the largest battery it has ever used in a smartphone. The rear camera system includes a 200-megapixel wide camera, a 12-megapixel ultra wide camera, and a 10-megapixel telephoto camera with 3x optical zoom. Two 10-megapixel selfie cameras are integrated into the cover display and the main display. 
The Galaxy Z TriFold supports three portrait-layout apps running side-by-side, multi-window resizing, full-screen video viewing, and a vertical reading mode. Samsung has also added standalone Samsung DeX, enabling up to four workspaces with five apps active simultaneously. Samsung apps have been optimized for the triple-panel layout, and Google's Gemini Live has been optimized as well. The Galaxy Z TriFold launches in Korea on December 12, followed by China, Taiwan, Singapore, and the UAE. It will arrive in the United States in the first quarter of 2026. Pricing has not yet been announced. Meanwhile, recent rumors suggest that Apple's first foldable ‌iPhone‌ will feature an industry-first 24-megapixel under-display camera for the inner display, as well as a Samsung-supplied OLED panel, virtually no crease, a hybrid titanium and aluminum frame, and a 5,400–5,800 mAh battery. Analyst estimates currently place pricing at around $2,400. The device is only expected to include two rear cameras, unlike the TriFold and all of Samsung's book-style foldables. Apple will likely use a wide and an ultra-wide camera, similar to the iPhone 17, while reserving a telephoto camera for the iPhone 18 Pro and Pro Max. Early information also suggests it will also not be as thin as Samsung's Galaxy Fold 7. We discuss the importance of rear camera setups on foldables, the rumored price point of Apple's version, and the risk of it falling victim to some of the same pitfalls as the iPhone Air. The MacRumors Show has its own YouTube channel, so make sure you're subscribed to keep up with new episodes and clips. Subscribe to The MacRumors Show YouTube channel! You can also listen to ‌The MacRumors Show‌ on Apple Podcasts, Spotify, Overcast, or your preferred podcasts app. You can also copy our RSS feed directly into your podcast player. 
If you haven't already listened to the previous episode of The MacRumors Show, catch up to hear us talk through the latest rumors about Apple's upcoming iPad mini 8. Subscribe to The MacRumors Show for new episodes every week, where we discuss some of the topical news breaking here on MacRumors, often joined by interesting guests such as Kayci Lacob, Kevin Nether, John Gruber, Mark Gurman, Jon Prosser, Luke Miani, Matthew Cassinelli, Brian Tong, Quinn Nelson, Jared Nelson, Eli Hodapp, Mike Bell, Sara Dietschy, iJustine, Jon Rettinger, Andru Edwards, Arnold Kim, Ben Sullins, Marcus Kane, Christopher Lawley, Frank McShan, David Lewis, Tyler Stalman, Sam Kohl, Federico Viticci, Thomas Frank, Jonathan Morrison, Ross Young, Ian Zelbo, and Rene Ritchie. The MacRumors Show is on X @MacRumorsShow, so be sure to give us a follow to keep up with the podcast. You can also head over to The MacRumors Show forum thread to engage with us directly. Remember to rate and review the podcast, and let us know what subjects and guests you would like to see in the future. Tag: The MacRumors Show. This article, "The MacRumors Show: Galaxy Z TriFold vs. Apple's Foldable iPhone" first appeared on MacRumors.com
  18. There is uncertainty about Apple's head of hardware engineering John Ternus succeeding Tim Cook as CEO, The Information reports. Some former Apple executives apparently hope that a new "dark-horse" candidate will emerge. Ternus is considered to be the most likely candidate to succeed Cook as CEO. The report notes that he is more likely to become CEO than software head chief Craig Federighi, Chief Operating Officer Sabih Khan, or marketing head Greg Joswiak. Ternus is 50 and has worked at Apple since 2001. He is known for being dependable and good at following orders with an obsessive attention to detail. Colleagues describe him as calm, emotionally intelligent, logical, and conservative. He purportedly took the fall for Apple's butterfly keyboard internally, which earned him respect. He also led the transition of the Mac to Apple silicon to much success. These situations are said to have helped Ternus earn Cook's trust. However, some voices in the company believe that Ternus is not ready to take on the role, which could delay a succession announcement. Some skeptics inside the company say that Ternus is too risk averse, leading to frustrations within his group. For example, some in Apple's hardware engineering department were disappointed that Ternus declined to fund more ambitious projects. One of these individuals was vice president Tang Tan, who now leads OpenAI's project to build an AI hardware device designed by Apple's former chief designer, Jony Ive. Tan and Ive have since poached a large number of hardware engineers from Ternus' team to work on the unreleased device. Other critics say that Ternus "isn't a charismatic leader" and has had little involvement in the geopolitical affairs that have dominated the attention of Cook in recent years. While Craig Federighi could succeed Cook due to his high profile, there are concerns that his focus on software may make him a poor fit for the role. 
He apparently prefers tackling technical problems rather than dealing with the kind of broader issues that the role of CEO demands. Federighi is also risk-averse and voiced disapproval over Apple's spending on the Vision Pro and its now-canceled self-driving car project. He was also initially skeptical about AI, believing that the technology was overhyped and too unpredictable. Cook has said publicly that he wants Apple's next CEO to come from within the company, but it is possible that the company could opt for a former employee. One such individual is said to be former Apple hardware executive Tony Fadell, who co-created the iPod. Fadell reportedly told associates recently that he would be open to replacing Cook as CEO. Some former Apple executives believe that Fadell would help "shake up" the company from the perspective of a brash product leader. Other individuals within Apple see the prospect as "unlikely," since Fadell was a "polarizing figure" when he worked at the company. Apple passed on acquiring Fadell's smart home company Nest in 2014 because some staff did not want him to return to the company. Regardless of who succeeds him, Cook is now thought to be highly likely to retire in the not-too-distant future. Some analysts believe that Tim Cook "hasn't moved fast enough" or with the urgency of executives at Meta and Google to respond to the growing challenge of AI. There are reportedly growing signs in Cook's personal life that he could be planning to move on soon. He apparently no longer routinely rises at 4 a.m. as he once did to go to the gym. Individuals around Cook have begun to notice a slight tremor in his hands, which was also visible during a recent visit to the White House. In addition, Cook surprised colleagues when he purchased a luxury home outside Palm Springs, California. The report notes that he used to be noticeably more frugal, such as when he chose to rent a home in Silicon Valley rather than buying one to save money.
Senior Apple employees are said to be so sure of the likelihood of major management changes at the company, which could open up new opportunities, that they have raised the situation to many who have tried to recruit them. Tags: Craig Federighi, John Ternus, The Information, Tim Cook, Tony Fadell. This article, "Will John Ternus Really Be Apple's Next CEO?" first appeared on MacRumors.com
  19. Hamlet TV is a way to help keep citizens informed of what's happening inside local governments.
  20. Here are some highly rated films to check out, plus a look at what's new in December.
  21. A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an
  22. The shift from perimeter-based security to zero trust is now indispensable for combating modern threats. The obsolete “castle-and-moat” model, granting implicit trust to any device or user inside the network, collapsed with the rise of cloud, remote work and BYOD. Attackers now bypass traditional controls by targeting identity, exploiting AI-driven phishing, supply chain intrusions and advanced session hijacking. The browser is at this frontline, serving as the universal access point for SaaS, developer tools and sensitive AI resources. As data from diverse trust domains converge, each access request demands rigorous, real-time validation of identity, device posture and behavior. NIST SP 800-207 provides the model: decouple access from network location by using a policy engine, policy administrator and browser-based policy enforcement point to enforce dynamic, context-aware authorization. NIST SP 800-207A extends this to runtime control across multi-cloud and microservices. Simultaneously, CISA’s Zero Trust Maturity Model v2 maps a clear implementation path spanning five pillars and emphasizing automation, analytics and governance as essential enablers. This journal unites these leading standards with current enterprise practices, delivering a comprehensive browser-first ZTA framework that balances least-privileged access, SSO/MFA, device compliance and session isolation for secure, adaptable operations. The imperative for browser-centric zero trust As remote work and cloud adoption become the default operating model, the inability of implicit network trust and legacy VPNs to address the modern attack surface is undeniable. Adversaries now target the browser directly with attacks like cross-site scripting (XSS), session hijacking via stolen tokens and advanced phishing that bypasses traditional MFA. A browser-centric ZTA framework is the necessary response, built on the following six principles. 1. 
Identity-first access control Network proximity is now an inferior trust signal. Only federated, cryptographically verifiable identity tokens issued by centralized enterprise IdPs using OIDC or SAML are permitted as gates to corporate resources. This transition, well-documented by FIDO Alliance and Microsoft research, transfers the very concept of “inside” the organization from the network to the user’s validated persona. No session proceeds without a signed, short-lived identity claim. 2. Least-privileged access (LPA) Legacy roles that confer standing privileges are antithetical to zero trust. LPA decrees that entitlements are minimized, time-bounded and context-aware. The application of just-in-time access, JWT token scoping and dynamic risk assessment ensures users receive only what is necessary for their current task, never more. Device state, resource value and behavior all adjust privilege in flight: a noncompliant device or anomalous login instantly narrows the access window. 3. Continuous verification and adaptive policy Zero trust is not “authenticate once, trust forever.” It is a continuous cycle of verification. Adaptive policy rules, executed by the policy engine, must re-evaluate access in real-time based on new telemetry. This “posture drift” can be triggered by numerous signals: Behavioral: If a user typically logs in from Texas at 9 am but suddenly authenticates from Eastern Europe at 3 am (“impossible travel”), adaptive rules flag the anomaly and restrict access. Device: An EDR agent detects a malicious process, changing the device’s health state from “compliant” to “at-risk.” Network: A user moves from a trusted corporate network to an untrusted public Wi-Fi hotspot. In response, the PE can automatically initiate a session revocation, force a step-up MFA challenge or reduce the session to read-only. 4. Integrated phishing-resistant authentication To secure the identity-first gate, the authentication method itself must be robust. 
Traditional MFA (like SMS or one-time passcodes) is phishable. The ZTA browser model mandates the adoption of phishing-resistant MFA, primarily through FIDO2/WebAuthn passkeys. As detailed by the FIDO Alliance, passkeys are a W3C standard that replaces passwords with cryptographic key pairs. The private key never leaves the user’s device (e.g., a YubiKey, a phone’s secure enclave or a Windows Hello TPM), making it impossible to phish. The user authenticates with a simple biometric or PIN, providing unparalleled security with a superior user experience. By 2025, passkey adoption will have moved from emerging to mainstream, with deployments showing authentication times under two seconds and proven reductions in phishing-related losses. 5. Device health gating A trusted user on a compromised device is a critical threat. The ZTA model must validate the endpoint before issuing an access token. This “device health gating” is a cornerstone of modern IdP solutions. The conditional access policy engine queries the device for posture signals collected by an MDM (mobile device management) or EDR (endpoint detection and response) agent. As documented in Microsoft’s conditional access framework, policies enforce compliance before token issuance. Key signals include: Patch level: Is the OS fully patched? EDR status: Is the EDR agent (e.g., CrowdStrike, Defender) running and reporting no active threats? Disk encryption: Is the primary drive encrypted (e.g., BitLocker, FileVault)? Device state: Is the device jailbroken or rooted? Only devices that meet this baseline are considered “compliant” and eligible for access. 6. Remote browser isolation (RBI) For the highest-risk activities, we must assume the endpoint cannot be fully trusted and that web content is malicious. Remote browser isolation (RBI) addresses this by executing risky or privileged web sessions in isolated, disposable cloud containers. 
The user’s endpoint never interacts with active web code; it only receives a stream of pixels (pixel-streaming RBI) or a sanitized, reconstructed version of the page (DOM-reconstruction RBI). As demonstrated by zero trust solutions like Cloudflare RBI, this neutralizes all browser-based exploits, prevents malware from reaching the endpoint and can enforce data loss prevention (DLP) by disabling copy/paste or uploads from the isolated session.

Modern workflows and policy patterns: A blueprint

A modern ZTA browser architecture is not a single product but an integrated system that operates on a continuous, per-request verification loop.

This is the foundational user-facing workflow for all access.

  • Request: A user on a managed browser (e.g., Chrome Enterprise) attempts to access a protected app (e.g., test.company.com).
  • Intercept & redirect: An access proxy (ZTNA/PEP), like Cloudflare Access or Zscaler Private Access, intercepts the request. Seeing no valid session token, it redirects the browser to the enterprise IdP (e.g., Okta, Entra ID) to initiate an OIDC or SAML authentication flow.
  • Authentication: The IdP authenticates the user. Based on policy, it requires a phishing-resistant MFA step using a FIDO2/WebAuthn passkey. The user taps their YubiKey or uses Windows Hello.
  • Contextual evaluation: The IdP’s Conditional Access Policy Engine (PE) evaluates the request. It queries the Microsoft Intune or CrowdStrike ZTA integration for device posture. The policy is: ALLOW IF (user_group == ‘Sales’) AND (device_status == ‘Compliant’) AND (auth_method == ‘FIDO2’).
  • Token issuance: Upon success, the IdP mints a signed JSON Web Token (JWT). This token contains critical claims: the user’s ID (sub), their roles (groups), the authentication method (amr) and a short-lived expiration (exp).
  • Access granted: The browser supplies the JWT to the proxy, and the proxy grants direct, secure application access.

B. Adaptive session management and least privilege

This workflow demonstrates the “continuous verification” principle.

  • Scenario 1 — Posture drift: The user is authenticated and working. Midway through the session, their EDR agent detects a high-priority threat (e.g., malware execution). The EDR agent instantly updates the device’s health state. The IdP’s conditional access, which leverages a continuous access evaluation protocol (CAEP), receives this signal and immediately revokes all active session tokens for that device, forcing a logout and remediation.
  • Scenario 2 — Step-up authentication: A user with a valid session for a low-risk app (like a wiki) clicks a link to a high-risk app (like the SAP admin console). The ZTNA proxy (PEP) intercepts this new request, recognizes the “Tier 0” sensitivity of the application and re-challenges the user, forcing a new step-up authentication with a hardware passkey before proceeding, even though they already have an active SSO session.

C. Privileged and sensitive operations via isolation

This workflow is for protecting “Tier 0” assets like administrator consoles.

  • Request: An administrator attempts to access the Okta admin console or an internal Kubernetes dashboard.
  • Policy enforcement: After successful FIDO2 authentication, the ZTNA policy (PEP) for this “Tier 0” application is configured not with an “Allow” action, but with an “Isolate” action.
  • Isolation: The user is transparently routed to an RBI service. The entire admin session is executed in a secure, disposable container in the cloud. Only benign pixels are streamed to the end-user’s browser.
  • DLP & threat neutralization: This mitigates two critical risks:
      • Endpoint Malware: If the admin’s workstation is compromised, keyloggers or token-stealing malware cannot access the privileged session, as it’s not running locally.
      • Data Exfiltration: Granular RBI policies are applied: copy/paste, file downloads and printing are disabled for this session, preventing accidental or malicious credential or data leakage.

D. Forward-thinking SCIM provisioning

This workflow is the automation backbone that makes LPA viable at scale. System for cross-domain identity management (SCIM) is an open standard (RFC 7643) for automating the exchange of user identity information between systems. The SCIM protocol (RFC 7643) defines a REST API and schema for managing user and group resources.

The Workflow (Joiner/Mover/Leaver):

  • Source event: A manager in the HRIS (e.g., Workday) changes an employee’s role from “Sales Rep” to “Sales Manager.”
  • SCIM push: The HRIS (or an integration layer) automatically triggers a SCIM PATCH request to the IdP (Okta, Entra ID).
  • IdP update: The IdP updates the user’s attributes, removing them from the group:sales-rep and adding them to the group:sales-manager.
  • Policy propagation: The IdP’s Policy Engine (PE) immediately uses this new attribute data.
  • Re-evaluation: The next time the user authenticates (or their token expires), their access is re-evaluated. Their old access to rep-level tools is gone, and their new access to manager dashboards is automatically granted.

This “Just-in-Time” provisioning prevents “privilege creep” and ensures all access decisions are based on accurate, real-time identity data.

Maturity pathways: Roadmap to optimal state

This roadmap, aligned with the CISA ZTMM v2, allows organizations to make measurable, incremental progress.

  • Initial: At this stage, the organization moves beyond the “Traditional” perimeter. All browser-accessed applications are federated with a central IdP and protected by an access proxy (ZTNA). SSO and passkey-based FIDO2/WebAuthn MFA are mandatory for all users. All access logs are centralized in a SIEM. This achieves the Identity and Network pillar foundations.
  • Advanced: The organization builds on the initial foundation with richer context. Device compliance (via Intune/CrowdStrike integration) is enforced for all sessions. Policy decisions become adaptive, leveraging real-time telemetry from EDR and user behavior analytics (UBA). SCIM is fully implemented for automated provisioning from an identity source of truth (e.g., HRIS). This demonstrates maturity in the Devices and Automation capabilities.
  • Optimal: At the highest level of maturity, access is determined on a per-request, least-privilege basis, fully aligning with NIST 800-207A. RBI is automatically and transparently enforced for all privileged, unmanaged or high-risk web sessions. The entire ecosystem is automated, with post-authentication security (like token theft detection and CAEP) fully integrated. This represents an optimal state across all CISA pillars, driven by robust automation and governance.

Operationalizing ZTA browser security

Implementing this architecture requires a shift in operational thinking.

  • Policy design: Move from network rules to a “who, what, where, when, why” logic model. Policies should be readable statements: GRANT access IF (user_group == ‘Finance’) AND (app == ‘SAP’) AND (device_status == ‘Compliant’) AND (auth_method == ‘FIDO2’). Start with a default “deny” and create explicit “allow” rules, creating a policy matrix that maps user personas to data and applications.
  • Dynamic access: Token claims must be context-bound and short-lived. A token issued for a read-only wiki should not be valid for accessing a finance application. True phishing resistance requires eliminating all phishable recovery methods. This means deprecating SMS, email links and security questions in favor of passkey-based recovery or in-person identity verification.
  • Risk automation: Session adaptation (step-up, revocation) must be triggered by automated analytics. Integrate the IdP and ZTNA solution with your SIEM/SOAR platform.
    An EDR alert (e.g., “high-severity malware”) or a UBA alert (e.g., “impossible travel”) should automatically trigger a SOAR playbook that calls the IdP’s API to revoke the user’s session tokens.
  • Governance-as-code: Policies must not be managed via manual “click-ops” in a GUI. All ZTNA access rules, IdP Conditional Access policies and RBI configurations should be defined as code (e.g., using Terraform, HCL or JSON). This enables version control, peer review (via pull requests) and automated CI/CD pipelines, aligning with CISA’s cross-cutting controls for governance and automation.

Configuration patterns (Latest, 2025)

  • Chrome Enterprise: Use Chrome Browser Cloud Management to enforce a secure baseline on all corporate browsers. Enforce policies like BrowserSignin (to force login to a managed profile), PasswordManagerEnabled (set to false to mandate use of an enterprise password manager), SafeBrowsingProtectionLevel (set to Enhanced) and BuiltInDnsClientEnabled (to enforce secure DNS). Google’s Chrome Enterprise policies provide the full list of controls to manage extensions, data leakage and security settings.
  • Intune/conditional access: Create a non-negotiable “baseline” policy: Require compliant device and Require phishing-resistant MFA for all users accessing all cloud apps. Then, create more granular policies. For example, block access entirely from high-risk countries or require a “Compliant + Hybrid Joined” device for access to legacy on-prem apps.
  • FIDO2/WebAuthn passkeys: Deploy passkeys (platform-based like Windows Hello and hardware-bound like YubiKeys) as the primary authenticator. Start with privileged users (admins) and high-value targets (executives, finance) first, then roll out to the general population.
  • Cloudflare RBI/ZTNA: Configure clientless ZTNA to secure third-party and BYOD access without requiring an agent. Use Service Auth policies (based on mTLS certificates or service tokens) to secure non-human (RPA bot) access to web applications.
    Configure a “default-isolate” policy that automatically sends all traffic to unclassified or high-risk domains through the RBI service.
  • SCIM automation: Connect your IdP (Okta, Entra ID) to your source of truth (e.g., Workday) via a pre-built SCIM connector. Map HR attributes (e.g., Department, Role, EmploymentStatus) to IdP attributes. Use these attributes to drive dynamic group membership, which in turn drives all application access and ZTNA policies.

The browser is now both sword and shield

Browser security is the linchpin for zero trust and organizational resilience. By converging validated identity, rigorous device posture, adaptive access policies, automated provisioning and session isolation, we not only defend against the sophisticated threats of 2025 but also set a foundation for scalable, measurable governance. In moving from static perimeters to live, session-level policy enforcement, every click and credential is scrutinized, every privilege time-boxed, every access revocable by context and behavior, not convenience or legacy. Teams must treat the browser not as an exposed window, but as the policy stronghold of the modern enterprise.

Building toward this architecture is a journey: Begin with SSO and robust MFA, enforce device compliance, automate provisioning and integrate RBI where risk justifies isolation. Codify policy, automate telemetry and develop governance as code. Refuse the ‘trusted network’ myth. Zero trust is here, and the browser is now both sword and shield.

This article is published as part of the Foundry Expert Contributor Network.
View the full article
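The per-request decision described in the article's access, step-up and isolation workflows can be sketched as a small policy decision function. This is an added example, not code from the article or from any vendor: the app names, the policy table, the `auth_time` freshness window and the use of the literal `FIDO2` as an `amr` value are assumptions, and the token claims are assumed to come from a JWT whose signature was already verified.

```python
# Added example: a minimal policy decision point for the article's access flow.
# Assumes the JWT signature was already verified; all names below are constructed.
STEP_UP_MAX_AGE = 300  # seconds a Tier 0 app accepts since the last passkey ceremony

# Default deny: an app with no entry here has no explicit allow rule.
POLICIES = {
    "crm.example.internal": {"group": "Sales", "tier": 1, "action": "allow"},
    "wiki.example.internal": {"group": "Staff", "tier": 2, "action": "allow"},
    "idp-admin.example.internal": {"group": "IdP-Admins", "tier": 0, "action": "isolate"},
}


def decide(app, claims, device_status, now):
    """Return (decision, reason) for one request; evaluated on every request."""
    policy = POLICIES.get(app)
    if policy is None:
        return ("deny", "no explicit allow rule")
    if claims.get("exp", 0) <= now:
        return ("reauthenticate", "token expired")
    if device_status != "Compliant":
        # Posture drift: a device that was healthy at login is re-checked here.
        return ("deny", "device not compliant")
    if policy["group"] not in claims.get("groups", []):
        return ("deny", "user not in required group")
    if "FIDO2" not in claims.get("amr", []):
        return ("step_up", "phishing-resistant MFA required")
    if policy["tier"] == 0 and now - claims.get("auth_time", 0) > STEP_UP_MAX_AGE:
        # An active SSO session is not enough for Tier 0: demand a fresh passkey tap.
        return ("step_up", "fresh authentication required for Tier 0")
    return (policy["action"], "policy matched")


def demo():
    now = 1_700_000_000  # fixed clock so the results are reproducible
    sales = {"sub": "u1", "groups": ["Sales", "Staff"], "amr": ["FIDO2"],
             "auth_time": now - 3600, "exp": now + 600}
    admin = {"sub": "u2", "groups": ["IdP-Admins"], "amr": ["FIDO2"],
             "auth_time": now - 3600, "exp": now + 600}
    return [
        decide("crm.example.internal", sales, "Compliant", now),
        decide("crm.example.internal", sales, "NonCompliant", now),
        decide("crm.example.internal", dict(sales, amr=["otp"]), "Compliant", now),
        decide("idp-admin.example.internal", admin, "Compliant", now),
        decide("idp-admin.example.internal", dict(admin, auth_time=now - 30), "Compliant", now),
        decide("unlisted.example.internal", sales, "Compliant", now),
        decide("crm.example.internal", dict(sales, exp=now - 1), "Compliant", now),
    ]


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:15} {reason}")
```

The admin with an hour-old login is sent back for step-up, and only after a fresh passkey ceremony does the Tier 0 policy return its "isolate" action rather than a plain allow.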
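The joiner/mover/leaver flow from the SCIM provisioning section can be traced end to end with the PatchOp message format of the SCIM protocol. This is an added example, not the article's or any IdP's code: the user record, the title-to-group mapping and the connector's allowed-attribute list are constructed, and group membership is derived from attributes as the article's "SCIM automation" pattern describes.

```python
# Added example: HR-driven SCIM PATCH and attribute-based group membership.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed mapping from HR title to IdP group (group names follow the article).
TITLE_TO_GROUP = {"Sales Rep": "group:sales-rep", "Sales Manager": "group:sales-manager"}
ALLOWED_PATHS = {"title", "active"}  # the only attributes the HRIS connector may change


def patch_body(**changes):
    """Build the JSON body of PATCH /Users/{id} for simple attribute replacements."""
    ops = [{"op": "replace", "path": p, "value": v} for p, v in changes.items()]
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


def apply_patch(user, body):
    """IdP side: validate a PatchOp and return the updated user record."""
    if body.get("schemas") != [PATCH_SCHEMA]:
        raise ValueError("not a SCIM PatchOp message")
    updated = dict(user)
    for op in body["Operations"]:
        # Least privilege for the connector itself: reject anything off the list.
        if op["op"].lower() != "replace" or op["path"] not in ALLOWED_PATHS:
            raise ValueError(f"operation not permitted: {op}")
        updated[op["path"]] = op["value"]
    return updated


def dynamic_groups(user):
    """Derive group membership from attributes; inactive users get none."""
    if not user.get("active", False):
        return set()
    group = TITLE_TO_GROUP.get(user.get("title"))
    return {group} if group else set()


def lifecycle():
    """Joiner, mover, leaver for one constructed user; groups after each step."""
    user = {"schemas": [USER_SCHEMA], "userName": "a.lee@example.com",
            "title": "Sales Rep", "active": True}
    joiner = dynamic_groups(user)
    user = apply_patch(user, patch_body(title="Sales Manager"))  # mover event
    mover = dynamic_groups(user)
    user = apply_patch(user, patch_body(active=False))  # leaver event
    leaver = dynamic_groups(user)
    return joiner, mover, leaver


if __name__ == "__main__":
    print(patch_body(title="Sales Manager"))
    print(lifecycle())
```

Because the old group is recomputed away rather than left in place, the mover step removes rep-level access in the same operation that grants manager access, which is the "privilege creep" control the article describes.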
  23. Most of Black Friday and Cyber Monday's biggest discounts have expired, but today we're keeping track of the best leftover holiday discounts at various retailers. Below you'll find great deals on AirPods 4, iPhone 17 cases, portable power stations from Jackery and Anker, and The Frame TV at Samsung.

Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running.

AirPods 4

  • What's the deal? Take $80 off AirPods 4
  • Where can I get it? Amazon
  • Where can I find the original deal? Right here

$80 OFF: AirPods 4 (ANC) for $99.00

This week Amazon still has a record low price on the AirPods 4 with Active Noise Cancellation, available for $99.00, down from $179.00. All other Black Friday/Cyber Monday AirPods deals have expired.

Jackery and Anker

  • What's the deal? Save sitewide on portable power stations
  • Where can I get it? Jackery and Anker
  • Where can I find the original deal? Right here

UP TO 65% OFF: Jackery Black Friday Encore Sale
UP TO 65% OFF: Anker SOLIX Cyber Monday Last Call

Black Friday and Cyber Monday may be over, but you can still find up to 65 percent off Anker and Jackery's best portable power stations this week. Each retailer is hosting a last call sale for its most popular charging accessories, with major savings on these high-priced power stations.

Jackery

  • Explorer 500 - $359.00, down from $499.00
  • Explorer 2000 v2 - $749.00, down from $1,499.00
  • Battery Pack 2000 Plus - $799.00, down from $1,399.00
  • Battery Pack 3600 - $999.00, down from $2,099.00
  • HomePower 3000 Solar Generator - $1,199.00, down from $2,499.00

Anker

  • Anker 521 PowerHouse (300W) - $149.99, down from $249.99
  • Anker 535 PowerHouse (500W) - $249.00, down from $649.99
  • SOLIX C1000 Gen 2 Portable Power Station - $429.00, down from $799.00
  • SOLIX C1000 Gen 2 + Solar Panel - $609.00, down from $1,298.00
  • SOLIX C2000 Gen 2 Portable Power Station - $739.00, down from $1,498.00

Samsung

  • What's the deal? Save sitewide on Samsung TVs, monitors, and more
  • Where can I get it? Samsung
  • Where can I find the original deal? Right here

SITEWIDE DISCOUNTS: Samsung Cyber Monday Sale

Samsung's Cyber Week sale is still going on today, and it has great deals on monitors, storage accessories, TVs, Galaxy smartphones, home appliances, and more. Highlights from this event include quite a few models of The Frame TV on sale, including a new all-time low price on The Frame Pro models. You can get the 65-inch The Frame TV for $999.99 ($1,000 off), as well as The Frame Pro for $1,999.00 ($1,200 off).

iPhone 17 Cases

  • What's the deal? Take up to 50% off iPhone 17 cases
  • Where can I get it? Amazon
  • Where can I find the original deal? Right here

UP TO 50% OFF: iPhone 17 Cases at Amazon

Amazon this week has big discounts across Apple's Clear, Silicone, and TechWoven Cases for the iPhone 17 and iPhone Air lineup. Items on sale include Clear, Silicone, and TechWoven Cases for the iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, and iPhone Air.

If you're on the hunt for more discounts, be sure to visit our Apple Deals roundup where we recap the best Apple-related bargains of the past week.

Deals Newsletter

Interested in hearing more about the best deals you can find this holiday season? Sign up for our Deals Newsletter and we'll keep you updated so you don't miss the biggest deals of the season!

Related Roundup: Apple Deals

This article, "Best Apple Deals of the Week: Last Call on Cyber Week Deals for AirPods 4, iPhone 17 Cases, and More" first appeared on MacRumors.com
Discuss this article in our forums
View the full article
  24. The New York Times filed a copyright lawsuit against Perplexity, joining other publishers using legal action as leverage to force AI companies into licensing deals that compensate content creators. View the full article
  25. AI startups say the promise of turning dazzling models into useful products is harder than anyone expected. Three founders discuss what it takes. View the full article
