It’s that time of year! The excitement of Black Friday carries into today – CyberMonday – the juxtaposition of the analog age and the digital age. Both days are fueled by media and retailers alike and are about shopping. And both days are heavily reliant on the things that we want, that we need and what we think others want and need. And, all of it is powered by the data about us as consumers. So, today – the day of electronic shopping – is the perfect day to provoke some deep thinking on how our digital lives impact our privacy and online security. How do we do this?
One way is by launching “The Glass Room” – an art exhibition and educational space that teaches visitors about the relationship between technology, privacy and online security. The Glass Room will be open in downtown New York City for most of the holiday shopping season. Anyone can enter the “UnStore” for free to get a behind the scenes look at what happens to your privacy online. You’ll also get access to a crew of “InGeniouses” who can help you with online privacy and data tips and tricks. The Glass Room has 54 interactive works that show visitors the relationship between your personal data and the technology services and products you use.
This is no small task. Most of us don’t think about our online security and privacy every day. As with our personal health it is important but presumed. Still, when we don’t take preventative care of ourselves, we are at greater risk for getting sick.
The same is true online. We are impacted by security and privacy issues every day without even realizing it. In the crush of our daily lives, few of us have the time to learn how to better protect ourselves and preserve our privacy online. We don’t always take enough time to get our checkups, eat healthily and stay active – but we would be healthier if we did. We are launching The Glass Room to allow you to think, enjoy and learn how to do a checkup of your online health.
We can buy just about anything we imagine on CyberMonday and have it immediately shipped to our door. We have to work a little harder to protect our priceless privacy and security online. As we collectively exercise our shopping muscles, I hope we can also think about the broader importance of our online behaviors to maintaining our online health.
If you are in New York City, please come down to The Glass Room and join the discussion. You can also check out all the projects, products and stories that The Glass Room will show you to look into your online life from different perspectives by visiting The Glass Room online.
Why Mozilla treats marketing as a business within the business
With the twin objectives of adding more engaged users to its Firefox web browser and managing a forthcoming brand refresh, the marketing team at not-for-profit internet company Mozilla, owner of the Firefox web browser, have adopted agile practices to ...
Starting with Firefox 53, Mozilla also requires a CPU with SSE2 support for Linux ... - soeren-hentzschel.at
Firefox for Windows has required a CPU with the SSE2 instruction set extension since version 49. From Firefox 53 on, this also applies to the Linux builds produced by Mozilla. Firefox for Windows has not worked since version 49 on systems with ...
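Firefox will stop trusting SHA-1 signed certificates in Firefox 51. Firefox 51 is currently in the developer edition stage and is planned for release in January 2017. To assess the real-world impact of removing SHA-1 signed certificates, in early November 2016 Mozilla began, among a subset of beta users, removing SHA ...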
Firefox 50 Update: Mozilla Introduces Changes To Downloads And Protection
Three years ago, Mozilla was recognized as The Most Trusted Company In Privacy. Now, with the Firefox 50.0 update, the browser just reinforced privacy protection for its users. From the time the free-software community was created in 1998 by ...
Firefox 53: exclusive content process for local files - Ghacks Technology News
Software update: ReactOS 0.4.3
Although a lot of software already runs on it without problems, including LibreOffice, Mozilla Firefox, Mozilla Thunderbird and various games, according to the developers the whole project is still in the alpha stage and is not suitable for daily use.
Caschys Blog (Blog)
Mozilla: Update on the fate of Firefox add-ons in 2017
Mozilla has once again commented on the fate of add-ons and the rise of WebExtensions in its Firefox browser. With WebExtensions, outdated technologies such as XUL (XML User Interface Language) and XPCOM are to ...
Mozilla: Firefox will be done with old add-ons in 2017 - Golem.de
Firefox throws out the add-ons - planet of tech
Mozilla to stop supporting current Firefox add-ons at the end of next year
Mozilla has made its decision and will stop supporting the current browser add-ons at the end of next year. Firefox is switching to the WebExtensions API. This is also used by Chrome, Edge and Opera, among others. As a result, it is ...
Mozilla: Firefox will be done with old add-ons in 2017
Mozilla plans to complete the switch from the old technology for Firefox add-ons to the WebExtensions API within just one year, as the company announced on its add-ons blog. According to this, as of Firefox version 57, which at the end of November ...
Mozilla introduced Firefox Focus, a browser for iOS with a built-in ad blocker - Letemsvetemapplem.eu
Mozilla has released a new app called “Firefox Focus,” an unusual web browser that automatically blocks ads and online tracking. The company said that besides more comfortable and safer browsing of the internet, another advantage is that blocking ...
Mozilla hackers audit cURL file transfer toolkit, give it a tick for security
Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities. Of those found in the free security review were four high severity vulnerabilities leading to potential remote code ...
'Apps worry us more than Chrome', says Mozilla director
You may know Mozilla only because of the Firefox browser. But it is a foundation much bigger than that: at a time when you can do practically nothing on the internet without giving up the privacy and security of your ...
PI Trucchi/ Mozilla Firefox 50
Unlike the IT giants, which always pursue corporate interests, Firefox is backed only by the non-profit Mozilla Foundation, which aims to promote the user as well as a free and open Internet. "With Firefox you don't choose ...
Old Firefox Add-Ons Will Stop Working in Firefox 57, End of 2017
Old XUL-based Firefox extensions built on the ancient Add-ons SDK will stop working when Mozilla releases Firefox 57, scheduled for the end of 2017. Only add-ons built on the new WebExtensions API will work following that date, Mozilla Search and ...
Firefox to stop supporting current add-ons at the end of next year
Next year Mozilla will stop supporting add-ons in Firefox that do not work with the WebExtensions API. That will happen starting with version 57 of the browser. WebExtensions are said to require less development time and to be more compatible with extensions ...
PC Tech Magazine
Mozilla launched Firefox Focus; its super private browser for iOS
Firefox has unveiled its new browser 'Firefox Focus' for iOS users, a new experiment which revolves around privacy. When you browse the internet from your desktops, your tracks can be saved with a lot of extensions and add-ons available, but mobile ...
Mozilla to make WebExtensions mandatory for Firefox
Next year Mozilla will make several changes to Firefox's add-on support so that the browser works only with WebExtensions. Other add-ons will then no longer be supported. Firefox makes, at this ...
Mozilla Launches Private Browser For iOS: Firefox Focus
Mozilla has announced the launch of Firefox Focus – promising free, fast and easy to use private browsing for iOS devices. Firefox Focus is for the times when you don't want to leave a record on your phone… You know, for information that in certain ...
Mozilla's Firefox Focus Browser Protects Your Tracks Online - OStatic (blog)
SCCACHE: Mozilla builds shared compiler cache in Rust
As compilers, the program currently supports GCC, Clang and MSVC. The tool is to be extended in the future so that it can also be easily used outside Mozilla, since it solves problems that other companies surely have as well.
“the overall impression of the state of security and robustness
of the cURL library was positive.”
I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago. This was done by Mozilla getting a 3rd party company involved to do the job and footing the bill for it. The auditing company is called Cure53.
I applied for the security audit because I feel that we’ve had some security related issues lately and I’ve had the feeling that we might be missing something so it would be really good to get some experts’ eyes on the code. Also, as curl is one of the most used software components in the world a serious problem in curl could have a serious impact on tools, devices and applications everywhere. We don’t want that to happen.
Scans and tests and all
We run static analyzers on the code frequently with a zero warnings tolerance. The daily clang-analyzer scan hasn’t found a problem in a long time and the Coverity once-every-few-weeks occasionally finds something suspicious but we always fix those immediately.
We have thousands of tests and unit tests that we run non-stop on the code on multiple platforms running multiple build combinations. We also use valgrind when running tests to verify memory use and check for potential memory leaks.
Secrecy
The audit itself, the report and the work on fixing the issues were all done on closed mailing lists without revealing to the world what was really going on. All as our fine security process describes.
There are several downsides with fixing things secretly. One of the primary ones is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand. Another is that our test infrastructure is made for and runs only public code so the code can’t really be fully tested until it is merged into the public git repository.
The report
We got the report on September 23, 2016 and it certainly gave us a lot of work.
The audit report has now been made public and is a very interesting work if you’re into security, C code and curl hacking. I find the report very clear, well written and it spells out each problem very accurately and even shows proof of concept code snippets and exploit examples to drive the points home.
Quoted from the report intro:
As for the approach, the test was rooted in the public availability of the source code belonging to the cURL software and the investigation involved five testers of the Cure53 team. The tool was tested over the course of twenty days in August and September of 2016 and main efforts were focused on examining cURL 7.50.1. and later versions of cURL. It has to be noted that rather than employ fuzzing or similar approaches to validate the robustness of the build of the application and library, the latter goal was pursued through a classic source code audit. Sources covering authentication, various protocols, and, partly, SSL/TLS, were analyzed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios. Rounding up the methodology of the classic code audit, Cure53 benefited from certain tools, which included ASAN targeted with detecting memory errors, as well as Helgrind, which was tasked with pinpointing synchronization errors with the threading model.
They identified no less than twenty-three (23) potential problems in the code, out of which nine were deemed security vulnerabilities. But I’d also like to emphasize that they did also actually say this:
At the same time, the overall impression of the state of security and robustness of the cURL library was positive.
Resolving problems
In the curl security team we decided to downgrade one of the 9 vulnerabilities to a “plain bug” since the required attack scenario was very complicated and the risk deemed small, and two of the issues we squashed into treating them as a single one. That left us with 7 security vulnerabilities. Whoa, that’s a lot. The largest amount we’ve ever fixed in a single release before was 4.
I consider handling security issues in the project to be one of my most important tasks; pretty much all other jobs are down-prioritized in comparison. So with a large queue of security work, a lot of bug fixing and work on features basically had to halt.
You can get a fairly detailed description of our work on fixing the issues in the fix and validation log. The report, the log and the advisories we’ve already posted should cover enough details about these problems and associated fixes that I don’t feel a need to write about them much further.
More problems
Just because we got our hands full with an audit report doesn’t mean that the world stops, right? While working on the issues one by one to have them fixed we also ended up getting an additional 4 security issues to add to the set, by three independent individuals.
All these issues gave me a really busy period and it felt great when we finally shipped 7.51.0 and announced all those eleven fixes to the world and I could get a short period of relief until the next tsunami hits.