Firefox Master Password System Has Been Poorly Secured for the Past 9 Years, Researcher Says

Catalin Cimpanu, writing for BleepingComputer: For the past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."

Vim Beats Emacs in 'Linux Journal' Reader Survey

The newly-relaunched Linux Journal is conducting its annual "Reader's Choice Awards," and this month announced the winners for Best Text Editor, Best Laptop, and Best Domain Registrar. Vim was chosen as the best editor by 35% of respondents, handily beating GNU Emacs (19%), Sublime Text (10%) and Atom (8%). Readers' Choice winner Vim is an extremely powerful editor with a user interface based on Bill Joy's 40-plus-year-old vi, but with many improved-upon features including extensive customization with key mappings and plugins. Linux Journal reader David Harrison points out another great thing about Vim "is that it's basically everywhere. It's available on every major platform."
For best laptop their readers picked Lenovo (32%), followed by Dell (25%) and System76 (11%). The ThinkPad began life at IBM, but in 2005, it was purchased by Lenovo along with the rest of IBM's PC business. Lenovo evolved the line, and today the company is well known as a geek favorite. Lenovo's ThinkPads are quiet, fast and arguably have one of the best keyboards (fighting words!). Linux Journal readers say Lenovo's Linux support is excellent, leaving many to ponder why the company doesn't ship laptops with Linux installed.
In February readers also voted on the best web browser, choosing Firefox (57%) over Chrome (17%) and Chromium (7%). And they also voted on the best Linux distribution, ultimately selecting Debian (33%), openSUSE (12%), and Fedora (11%).

Microsoft Wants To Force Windows 10 Mail Users To Use Edge For Email Links

Microsoft has revealed today that "we will begin testing a change where links clicked on within the Windows Mail app will open in Microsoft Edge." What this means is that if you have Chrome or Firefox set as your default browser in Windows 10, Microsoft will simply ignore that and force you into Edge when you click a link within the Mail app. The Verge reports: "As always, we look forward to feedback from our WIP community," says Microsoft's Dona Sarkar in a blog post today. I'm sure Microsoft will receive a lot of feedback over this unnecessary change, and we can only hope the company doesn't ignore it.

Mozilla Working On In-Page Popup Blocker For Firefox

Firefox is working on a blocker for annoying in-page alerts that often ask you to input your email address to receive a newsletter from the site. "The feature is still in the planning stages, but Mozilla is asking users for any examples of sites with annoying pop-ups," reports Android Police. "Mozilla wants to make Firefox automatically detect and dismiss the popups." From the report: If you know of sites that use in-page popups (whether it be newsletter signups, surveys, or something else), you can fill out the survey here. There are also Firefox and Chrome extensions that make the process easier. I'll be interested to see how Mozilla pulls this off, it will no doubt be difficult to detect the difference between helpful and not-helpful popups.

Firefox 59, 'By Far the Biggest Update Since Firefox 1.0', Arrives With Faster Page Loads and Improved Private Browsing

An anonymous reader shares a VentureBeat report: Mozilla today launched Firefox 59 for Windows, Mac, Linux, and Android. The release builds on Firefox Quantum, which the company calls "by far the biggest update since Firefox 1.0 in 2004." Version 59 brings faster page load times, private browsing mode that strips path information, and Android Assist. In related news, Mozilla is giving Amazon Fire TV owners a new design later this week that lets them save their preferred websites by pinning them to the Firefox home screen. Enterprise users also have something to look forward to: On Wednesday, Firefox Quantum for Enterprise is entering the beta phase. Firefox 59 for the desktop is available for download now on, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play.

Firefox Gets Privacy Boost By Disabling Proximity and Ambient Light Sensor APIs

Starting with Firefox 60 -- expected to be released in May 2018 -- websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information. From a report: Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs. But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default. The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default. This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors. The two flags will be available in Firefox's about:config settings page. The screenshot below shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.

Firefox Quantum Leader Takes Over All Mozilla Products

CNET reports: Mozilla launched the faster Quantum version of its Firefox browser last fall in a bid to restore the nonprofit's reach and influence. Now, the leader of that effort has been promoted to oversee all Mozilla products. Mark Mayo, formerly senior vice president of Firefox, is now Mozilla's chief product officer, CNET has learned. That means he's taking over more projects, including the Pocket tool and mobile app. Pocket lets people save websites they'd like to revisit, but Mozilla also plans to use the resulting data to help recommend interesting or useful sites to Firefox users. In addition, Mozilla has promoted Denelle Dixon, formerly head of business and legal work, to chief operations officer. She's overseen an effort to diversify Mozilla revenue sources, including through the Pocket acquisition in February 2017.

Mozilla Removes Individual Cookie Management in Firefox 60

Martin Brinkmann, writing for Ghacks: The most recent version of Firefox Nightly, currently at version 60, comes with changes to Firefox's cookie management. Mozilla merged cookie settings with site data in the web browser which impacts how you configure and manage cookie options. If you run Firefox 59 or earlier, you can load about:preferences#privacy to manage privacy related settings in Firefox. If you set the history to "use custom settings for history" or "remember history", you get an option to manage cookie settings and to remove individual cookies from Firefox. A click on the link or button opens a new browser window in which all set cookies are listed. You can use it to find set cookies, look up information, remove selected or all cookies. Mozilla engineers changed this in recent versions of Firefox 60 (currently on the Nightly channel).

Tickbox Must Remove Pirate Streaming Add-ons From Sold Devices

TickBox TV, the company behind a Kodi-powered streaming device, must release a new software updater that will remove copyright-infringing addons from previously shipped devices. A California federal court issued an updated injunction in the lawsuit that was filed by several major Hollywood studios, Amazon, and Netflix, which will stay in place while both parties fight out their legal battle. TorrentFreak reports: Last year, the Alliance for Creativity and Entertainment (ACE), an anti-piracy partnership between Hollywood studios, Netflix, Amazon, and more than two dozen other companies, filed a lawsuit against the Georgia-based company Tickbox TV, which sells Kodi-powered set-top boxes that stream a variety of popular media. ACE sees these devices as nothing more than pirate tools so the coalition asked the court for an injunction to prevent Tickbox from facilitating copyright infringement, demanding that it removes all pirate add-ons from previously sold devices. Last month, a California federal court issued an initial injunction, ordering Tickbox to keep pirate addons out of its box and halt all piracy-inducing advertisements going forward. In addition, the court directed both parties to come up with a proper solution for devices that were already sold.

The new injunction prevents Tickbox from linking to any "build," "theme," "app," or "addon" that can be indirectly used to transmit copyright-infringing material. Web browsers such as Internet Explorer, Google Chrome, Safari, and Firefox are specifically excluded. In addition, Tickbox must also release a new software updater that will remove any infringing software from previously sold devices. All tiles that link to copyright-infringing software from the box's home screen also have to be stripped. Going forward, only tiles to the Google Play Store or to Kodi within the Google Play Store are allowed. In addition, the agreement also allows ACE to report newly discovered infringing apps or addons to Tickbox, which the company will then have to remove within 24-hours, weekends excluded.


The Most Popular Linux Desktop Programs

The most recent Linux Questions poll results are in. Steven J. Vaughan-Nichols, writing for ZDNet: LinuxQuestions, one of the largest internet Linux groups with 550,000 members, has just posted the results from its latest survey of desktop Linux users. In the always hotly-contested Linux desktop environment survey, the winner was the KDE Plasma Desktop. It was followed by the popular lightweight Xfce, Cinnamon, and GNOME. If you want to buy a computer with pre-installed Linux, the Linux Questions crew's favorite vendor by far was System76. Numerous other computer companies offer Linux on their PCs. These include both big names like Dell and dedicated small Linux shops such as ZaReason, Penguin Computing, and Emperor Linux. Many first choices weren't too surprising. For example, Linux users have long stayed loyal to the Firefox web browser, and they're still big fans. Firefox beat out Google Chrome by a five-to-one margin. And, as always, the VLC media player is far more popular than any other Linux media player. For email clients, Mozilla Thunderbird remains on top. That's a bit surprising given how Thunderbird's development has been stuck in neutral for some time now. When it comes to text editors, I was pleased to see vim -- my personal favorite -- win out over its perpetual rival, Emacs. In fact, nano and Kate both came ahead of Emacs.

A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.

Firefox 59 Will Stop Websites Snooping on Where You've Just Been

Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report: When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value." While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing, because it tells the site the exact page you were looking at when you clicked the link, said Mozilla. Browsers also send a referrer value when requesting other details like ads, or other social media snippets integrated in a modern website, which means these embedded content features also know exactly what page you're visiting.

Ethereum Startup Vanishes After Seemingly Making $11, Leaves Message: 'Penis'

CaptainDork shares a report from Motherboard: An Ethereum startup called Prodeum disappeared from the web on Sunday after raising a grand total of $11 USD from investors in a crowdsale. Shortly after the website disappeared, a message appeared on its homepage: "penis." Prodeum's website now redirects visitors to the Twitter account of a cryptocurrency trader (they did not immediately respond to our request for comment), and its Twitter account has been deactivated. Prodeum is at least the second Ethereum startup to pull up stakes after raising money from people in events called Initial Coin Offerings, or ICOs, in which a startup funds their enterprise by taking cryptocurrency from people in exchange for digital tokens. Some ICOs have managed to raise millions of dollars, and the last startup to vanish after conducting an ICO -- Confido, which disappeared from the internet in late 2017 -- made off with roughly $374,000. (A message later appeared on Confido's site stating that it would buy back investors' tokens, but it's unclear if that took place.)

Prodeum, by comparison, only seems to have raised $11 based on the Ethereum address that was advertised on Prodeum's site as being the ICO address. (Update: After this article was published the contents of the ICO wallet were sent to another wallet. That wallet contains roughly $100, with the other funds all coming from a single wallet that predates the Prodeum ICO and contains 46 cents.) Prodeum's pitch, according to a cached version of its webpage, was to track vegetables in a supply chain using digital addresses on a blockchain -- a decentralized ledger at the heart of Ethereum and other cryptocurrencies like Bitcoin.
As for why the "penis" message was left on its homepage, it may have something to do with the name of the startup. Prodeum is a medication that treats urinary tract infections and other urinary problems...

Should Apps Replace Title Bars with Header Bars?

GNOME contributor Tobias Bernard is on a crusade against title bars -- "the largely empty bars at the top of some application windows [that] contain only the window title and a close button." Instead he wants to see header bars -- "a newer, more flexible pattern that allows putting window controls and other UI elements in the same bar." Tobias Bernard writes: Header bars are client-side decorations (CSD), which means they are drawn by the app rather than the display server. This allows for better integration between application and window chrome. All GNOME apps (except for Terminal) have moved to header bars over the past few years, and so have many third-party apps. However, there are still a few holdouts.
He's announcing the CSD Initiative, "an effort to get apps (both GNOME and third-party) to drop title bars and adopt GNOME-style client-side decorations... The only way to solve this problem long-term is to patch applications upstream to not use title bars. So this is what we'll have to do."
  • Talk to the maintainers and convince them that this is a good idea
  • Do the design work of adapting the layout and make mockups
  • Figure out what is required at a technical level
  • Actually implement the new layout and get it merged

Implementation is already in progress for Firefox, though it has not yet been started for other high-priority apps like LibreOffice, GNOME Terminal, and Skype. "If you want to help with any of the above tasks," writes Tobias, "come talk to us on #gnome-design on IRC/Matrix."


DuckDuckGo App and Extension Upgrades Offer Privacy 'Beyond the Search Box'

An anonymous reader quotes the Verge: DuckDuckGo is launching updated versions of its browser extension and mobile app, with the promise of keeping internet users safe from snooping "beyond the search box." The company's flagship product, its privacy-focused search engine, will remain the same, but the revamped extension and app will offer new tools to help users keep their web-browsing as safe and private as possible. These include grade ratings for websites, factoring in their use of encryption and ad tracking networks, and offering summaries of their terms of service (with summaries provided by third-party Terms of Service Didn't Read). The app and extension are available for Firefox, Safari, Chrome, iOS, and Android.

The ability to block ad tracking networks is probably the most important feature here. These networks are used by companies like Google and Facebook to follow users around the web, stitching together their browsing history to create a more accurate profile for targeted advertising.

DuckDuckGo calls it "a major step to simplify online privacy," adding that without it, "It's hard to use the Internet without it feeling a bit creepy -- like there's a nosey neighbor watching everything you do from across the street."

Firefox 58 Gets Graphics Speed Boost, Web App Abilities

Mozilla released on Tuesday a new version of its Firefox Quantum browser, boosting its graphics speed and improving a couple of new technologies designed to make the web more powerful. From a report: The browser, version 58, is the first major update since Mozilla's recovery plan hit full stride in November with the debut of Firefox Quantum. Speed is of the essence in Mozilla's recovery plan, and Firefox 58 does better than its predecessor in some graphics tasks by splitting work better across the multiple processor cores that computer chips have these days. The result should be scrolling that's smooth, uninterrupted by the stuttering that in computing circles goes by the disparaging term "jank." [...] Firefox 58 helps with two new web technologies. One, called WebAssembly, provides for dramatically faster web apps. Firefox 58 can get WebAssembly software running faster so you don't have to twiddle your thumbs waiting as long after clicking a link. Another is progressive web apps (PWAs), an initiative that came out of Google to help make the web a better match for the apps we all drop on our phones.

Google Just Broke Amazon's Workaround For YouTube On Fire TV

Google has cracked down on Fire TV users once again. Today, the technology company blocked Silk and Firefox browsers from displaying the interface usually shown on large screens. Cord Cutters News reports: Now if you try to access on a Fire TV through the Firefox or Silk browser you will be redirected to the desktop version of the site. According to Elias Saba from AFTVnews, "By blocking access to the version of YouTube made for television browsers, Google has deliberately made browsing their website an unusable experience on Amazon Fire TVs, Fire TV Sticks, and Fire TV Edition televisions." This fight over YouTube and Amazon has been going on for some time. The standoff heated up in early December as Google announced plans to pull the YouTube app from the Fire TV on January 1st 2018. Amazon responded by adding a browser to allow access to the web version on the Fire TV. Now Google has countered by blocking the Fire TV's browsers from accessing the made-for-TV edition of Back on December 15th, The Verge reported that Google and Amazon are in talks to keep YouTube on the Fire TV, but as of today it looks like nothing has come from these talks.

Mozilla Restricts All New Firefox Features To HTTPS Only

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox will add support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.

Mozilla Tests Firefox 'Tab Warming'

Catalin Cimpanu, reporting for BleepingComputer: Mozilla is currently testing a new feature called "Tab Warming" that engineers hope will improve the tab switching process. According to a description of the feature, Tab Warming will watch the user's mouse cursor and start "painting" content inside a tab whenever the user hovers his mouse over one. Firefox will do this on the assumption the user wants to click and switch to view that tab and will want to keep a pre-rendered tab on hand if this occurs. "Those precious milliseconds are used to do the rendering and uploading, so that when the click event finally comes, the [tab] is ready and waiting for you," said Mike Conley, one of the Firefox engineers who worked on this feature.

City of Barcelona Dumps Windows For Linux and Open Source Software

An anonymous reader quotes Open Source Observatory: The City of Barcelona is migrating its computer systems away from the Windows platform, reports the Spanish newspaper El País. The City's strategy is first to replace all user applications with open-source alternatives, until the underlying Windows operating system is the only proprietary software remaining. In a final step, the operating system will be replaced with Linux... According to Francesca Bria, the Commissioner of Technology and Digital Innovation at the City Council, the transition will be completed before the current administration's mandate ends in spring 2019. For starters, the Outlook mail client and Exchange Server will be replaced with Open-Xchange. In a similar fashion, Internet Explorer and Office will be replaced with Firefox and LibreOffice, respectively. The Linux distribution eventually used will probably be Ubuntu, since the City of Barcelona is already running 1,000 Ubuntu-based desktops as part of a pilot...

Barcelona is the first municipality to have joined the European campaign 'Public Money, Public Code'. This campaign is an initiative of the Free Software Foundation Europe (FSFE) and revolves around an open letter advocating that publicly funded software should be free. Currently, this call to public agencies is supported by more than 100 organisations and almost 15,000 individuals. With the new open-source strategy, Barcelona's City Council aims to avoid spending large amounts of money on licence-based software and to reduce its dependence on proprietary suppliers through contracts that in some cases have been closed for decades.
