
Daniel Stenberg: Another wget reference was Bourne

Mozilla planet - Sat, 22/10/2016 - 01:36

Back in 2013, it came to light that Wget was used to copy the files Private Manning was convicted for having leaked. Around that time, EFF made and distributed stickers saying wget is not a crime.

Weirdly enough, it was hard to find a high resolution version of that image today but I’m showing you a version of it on the right side here.

In the 2016 movie Jason Bourne, Swedish actress Alicia Vikander is seen working on her laptop at around 1:16:30 into the movie and there’s a single visible sticker on that laptop. Yeps, it is for sure the same EFF sticker. There’s even a very brief glimpse of the top of the red EFF dot below the “crime” word.

Also recall the wget occurrence in The Social Network.

Categories: Mozilla-nl planet

Yunier José Sosa Vázquez: Update for Firefox 49

Mozilla planet - Fri, 21/10/2016 - 21:26

Today Mozilla has published a new update for its browser, this time version 49.0.2.

This release fixes small problems that some users have been running into, so we recommend updating.

You can get it from our Downloads area for Linux, Mac, Windows and Android, in Spanish and English.

Categories: Mozilla-nl planet

Mozilla Turning TLS 1.3 On By Default With Firefox 52 - Threatpost

News collected via Google - Fri, 21/10/2016 - 20:49

Mozilla Turning TLS 1.3 On By Default With Firefox 52
Mozilla initially implemented support for the protocol with Firefox 49 back in June. But to take advantage of it users had to change a parameter in the browser in order to turn it on by default. Starting in March, it will ship with draft 16 of the ...
Mozilla patches two Firefox vulnerabilities (SC Magazine)
Firefox update prevents websites from accessing your browsing

all 3 news articles »
Categories: Mozilla-nl planet

Mozilla patches two Firefox vulnerabilities - SC Magazine

News collected via Google - Fri, 21/10/2016 - 20:13

Mozilla patches two Firefox vulnerabilities
SC Magazine
Mozilla pushed out two security patches for Firefox on Oct. 20 rated as potentially having a high impact on users of the popular browser. The first vulnerability, CVE-2016-5287, was “a potential exploitable use-after-free crash during actor destruction ...
Firefox update prevents websites from accessing your browsing

all 2 news articles » Google News
Categories: Mozilla-nl planet

Air Mozilla: Webdev Beer and Tell: October 2016

Mozilla planet - Fri, 21/10/2016 - 20:00

October 2016 Once a month web developers across the Mozilla community get together (in person and virtually) to share what cool stuff we've been working on in...

Categories: Mozilla-nl planet

Firefox 49.0.2: Mozilla update closes critical security hole -

News collected via Google - Fri, 21/10/2016 - 18:13

Firefox 49.0.2: Mozilla update closes critical security hole
Mozilla writes in its security bulletin that the hole was discovered by an employee of the German software maker Cliqz. Via the second vulnerability fixed in version 49.0.2, hackers could covertly foist malware and spyware on their victims ...
Mozilla Firefox vulnerability: Mozilla urgently advises to
Mozilla releases Firefox 49.0.2 for desktop and
Firefox 49.0.2 is meant to fix Flash and graphics problems (PC-Welt (Blog))
all 6 news articles » Google News
Categories: Mozilla-nl planet

QMO: Firefox 51.0a2 Aurora Testday, October 28th

Mozilla planet - Fri, 21/10/2016 - 17:57

Hello Mozillians,

We are happy to let you know that Friday, October 28th, we are organizing Firefox 51.0 Aurora Testday. We’ll be focusing our testing on the following features: Zoom indicator, Downloads dropmaker.

Check out the detailed instructions via this etherpad.

No previous testing experience is required, so feel free to join us on #qa IRC channel where our moderators will offer you guidance and answer your questions.

Join us and help us make Firefox better!

See you on Friday!

Categories: Mozilla-nl planet

Firefox 49.0.2: Mozilla closes critical security hole -

News collected via Google - Fri, 21/10/2016 - 16:16

Firefox 49.0.2: Mozilla closes critical security hole
Mozilla writes in its security bulletin that the hole was discovered by an employee of the German software maker Cliqz. Via the second vulnerability fixed in version 49.0.2, hackers could covertly foist malware and spyware on their victims ...
Mozilla releases Firefox 49.0.2 for desktop and
Firefox 49.0.2 is meant to fix Flash and graphics problems (PC-Welt)
Firefox gets new update to version (Blog)

all 4 news articles » Google News
Categories: Mozilla-nl planet

Download of the day: Mozilla Thunderbird - TechRadar

News collected via Google - Fri, 21/10/2016 - 14:38

Download of the day: Mozilla Thunderbird
If you're looking for a new email client, give Mozilla Thunderbird a try – it comes with some excellent features and tons of extensions to make it even better. It's the perfect tool for managing multiple accounts, and a great way to store your messages ...

Google News
Categories: Mozilla-nl planet

Software update: Mozilla Firefox 49.0.2 - Tweakers

News collected via Google - Fri, 21/10/2016 - 09:59

Software update: Mozilla Firefox 49.0.2
Mozilla has again released an update for version 49 of its web browser Firefox. In version 49, among other things, the login manager was changed so that it now ... data that were ... for an unsecured http connection ...
Firefox update prevents leaks

all 2 news articles »
Categories: Mozilla-nl planet

Hal Wine: Using Auto Increment Fields to Your Advantage

Mozilla planet - Fri, 21/10/2016 - 09:00

I just found, and read, Clément Delafargue’s post “Why Auto Increment Is A Terrible Idea” (via @CoreRamiro). I agree that an opaque primary key is very nice and clean from an information architecture viewpoint.

However, in practice, a serial (or monotonically increasing) key can be handy to have around. I was reminded of this during a recent situation where we (app developers & ops) needed to be highly confident that a replica was consistent before performing a failover. (None of us had access to the back end to see what the DB thought the replication lag was.)
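One way a monotonically increasing key gives that confidence, as an added example (not code from Hal Wine's post, which only says the serial key proved handy): compare the primary's and the replica's id sets to get the row lag and any holes below the replica's high-water mark, and gate the failover on a marker row inserted on the primary showing up on the replica. The row sets below are constructed in memory in place of a real database, and the `id` column is assumed to be a gap-free auto-increment on the primary.

```python
"""Replica consistency check built on an auto-increment key (added example)."""
import time
from dataclasses import dataclass, field


@dataclass
class ReplicaReport:
    primary_max: int
    replica_max: int
    lag_rows: int                                     # rows the replica still has to apply
    missing_ids: list = field(default_factory=list)  # ids at or below replica_max absent on the replica

    @property
    def consistent(self):
        """Caught up and no holes: safe to promote."""
        return self.lag_rows == 0 and not self.missing_ids


def check_replica(primary_ids, replica_ids):
    """Compare id sets from both sides (e.g. the result of SELECT id FROM t)."""
    primary_ids = set(primary_ids)
    replica_ids = set(replica_ids)
    primary_max = max(primary_ids, default=0)
    replica_max = max(replica_ids, default=0)
    # Every id the primary holds at or below the replica's high-water mark
    # must be present on the replica; a hole means a row was skipped.
    # Ids deleted on the primary are not in primary_ids, so they never count.
    missing = sorted(i for i in primary_ids if i <= replica_max and i not in replica_ids)
    return ReplicaReport(primary_max, replica_max, primary_max - replica_max, missing)


def wait_for_marker(marker_id, poll_replica_max, attempts=5, delay=0.0):
    """Failover gate: after inserting a marker row on the primary (its serial id is
    marker_id), poll the replica until its max id reaches the marker.
    poll_replica_max is a callable returning the replica's current max id."""
    for _ in range(attempts):
        if poll_replica_max() >= marker_id:
            return True
        time.sleep(delay)
    return False


if __name__ == "__main__":
    # Constructed sample: primary has rows 1..10, replica has applied 1..8.
    print(check_replica(range(1, 11), range(1, 9)))
```

The holes check matters as much as the lag: a replica whose max id matches the primary but which silently skipped a row is not one you want to promote.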

Categories: Mozilla-nl planet

Air Mozilla: Privacy Lab - October 2016 - Cyber Security

Mozilla planet - Fri, 21/10/2016 - 03:00

Privacy Lab - October 2016 - Cyber Security The October Privacy Lab will have a cyber security theme for National Cyber Security Awareness Month. We will be looking at how privacy and security...

Categories: Mozilla-nl planet

Christian Heilmann: Decoded Chats – second edition featuring Monica Dinculescu on Web Components

Mozilla planet - Thu, 20/10/2016 - 23:42

At SmashingConf Freiburg this year I was lucky enough to find some time to sit down with Monica Dinculescu (@notwaldorf) and chat with her about Web Components, extending the web, JavaScript dependency and how to be a lazy but dedicated developer. I’m sorry about the sound of the recording and some of the harsher cuts, but we were interrupted by tourists trying to see the great building we were in who couldn’t read the signs that it was closed for the day.

You can see the video and get the audio recording of our chat over at the Decoded blog:


I played a bit of devil’s advocate interviewing Monica as she has a lot of great opinions and the information to back up her point of view. It was very enjoyable seeing the current state of the web through the eyes of someone talented who just joined the party. It is far too easy for those who have been around for a long time to get stuck in a rut of trying not to break up with the past or considering everything broken as we’ve seen too much damage over the years. Not so Monica. She is very much of the opinion that we can trust developers to do the right thing and that by giving them tools to analyse their work the web of tomorrow will be great.

I’m happy that there are people like her in our market. It is good to pass the torch to those with a lot of dedication rather than those who are happy to use whatever works.

Categories: Mozilla-nl planet

Support.Mozilla.Org: What’s Up with SUMO – 20th October

Mozilla planet - Thu, 20/10/2016 - 23:23

Hello, SUMO Nation!

We had a bit of a break, but we’re back! First, there was the meeting in Toronto with the Lithium team about the migration (which is coming along nicely), and then I took a short holiday. I missed you all, it’s great to be back, time to see what’s up in the world of SUMO!

Welcome, new contributors!

If you just joined us, don’t hesitate – come over and say “hi” in the forums!

Contributors of the week

We salute you!

Don’t forget that if you are new to SUMO and someone helped you get started in a nice way you can nominate them for the Buddy of the Month!

SUMO Community meetings
  • LATEST ONE: 19th of October – you can read the notes here and see the video at AirMozilla.
  • NEXT ONE: happening on the 26th of October!
  • If you want to add a discussion topic to the upcoming meeting agenda:
    • Start a thread in the Community Forums, so that everyone in the community can see what will be discussed and voice their opinion here before Wednesday (this will make it easier to have an efficient meeting).
    • Please do so as soon as you can before the meeting, so that people have time to read, think, and reply (and also add it to the agenda).
    • If you can, please attend the meeting in person (or via IRC), so we can follow up on your discussion topic during the meeting with your feedback.

Community

Platform

Social Support

Forum

Knowledge Base & L10n
  • We are 3 weeks before the next release / 1 week after the current release. What does that mean? (Reminder: we are following the process/schedule outlined here.)
    • Joni will finalize next release content by the end of this week; no work for localizers for the next release yet
    • All existing content is open for editing and localization as usual; please focus on localizing the most recent / popular content
  • Migration: please check this spreadsheet to see which locales are going to be migrated in the first wave
    • Locale packages that will be migrated are marked as “match” and “needed” in the spreadsheet
    • Other locales will be stored as an archive at – and will be added whenever there are contributors ready to keep working on them
    • We are also waiting for confirmation about the mechanics of l10n; we may be launching the first version without an l10n system built in – but all the localized content and UI will be there in all the locales listed in the spreadsheet above
  • Remember the MozPizza L10n Hackathon in Brazil? Take a look here!
  • Firefox for iOS
    • No news, keep biting the apple ;-)

…Whew, that’s it for now, then! I hope you could catch up with everything… I’m still digging through my post-holiday inbox ;-) Take care, stay safe, and keep rocking the helpful web! WE <3 YOU ALL!

Categories: Mozilla-nl planet

Cameron Kaiser: We need more desktop processor branches

Mozilla planet - Thu, 20/10/2016 - 22:49

Ars Technica is reporting an interesting attack that uses a side-channel exploit in the Intel Haswell branch translation buffer, or BTB (kindly ignore all the political crap Ars has been posting lately; I'll probably not read any more articles of theirs until after the election). The idea is to break through ASLR, or address space layout randomization, to find pieces of code one can string together or directly attack for nefarious purposes. ASLR defeats a certain class of attacks that rely on the exact address of code in memory. With ASLR, an attacker can no longer count on code being in a constant location.

Intel processors since at least the Pentium use a relatively simple BTB to aid these computations when finding the target of a branch instruction. The buffer is essentially a dictionary with virtual addresses of recent branch instructions mapping to their predicted target: if the branch is taken, the chip has the new actual address right away, and time is saved. To save space and complexity, most processors that implement a BTB only do so for part of the address (or they hash the address), which reduces the overhead of maintaining the BTB but also means some addresses will map to the same index into the BTB and cause a collision. If the addresses collide, the processor will recover, but it will take more cycles to do so. This is the key to the side-channel attack.

(For the record, the G3 and the G4 use a BTIC instead, or a branch target instruction cache, where the table actually keeps two of the target instructions so it can be executing them while the rest of the branch target loads. The G4/7450 ("G4e") extends the BTIC to four instructions. This scheme is highly beneficial because these cached instructions essentially extend the processor's general purpose caches with needed instructions that are less likely to be evicted, but is more complex to manage. It is probably for this reason the BTIC was dropped in the G5 since the idea doesn't work well with the G5's instruction dispatch groups; the G5 uses a three-level hybrid predictor which is unlike either of these schemes. Most PowerPC implementations also have a return address stack for optimizing the blr instruction. With all of these unusual features Power ISA processors may be vulnerable to a similar timing attack but certainly not in the same way and probably not as predictably, especially on the G5 and later designs.)

To get around ASLR, an attacker needs to find out where the code block of interest actually got moved to in memory. Certain attributes make kernel ASLR (KASLR) an easier nut to crack. For performance reasons usually only part of the kernel address is randomized, in open-source operating systems this randomization scheme is often known, and the kernel is always loaded fully into physical memory and doesn't get swapped out. While the location it is loaded to is also randomized, the kernel is mapped into the address space of all processes, so if you can find its address in any process you've also found it in every process. Haswell makes this even easier because all of the bits the Linux kernel randomizes are covered by the low 30 bits of the virtual address Haswell uses in the BTB index, which covers the entire kernel address range and means any kernel branch address can be determined exactly. The attacker finds branch instructions in the kernel code such as by disassembling it that service a particular system call and computes (this is feasible due to the smaller search space) all the possible locations that branch could be at, creates a "spy" function with a branch instruction positioned to try to force a BTB collision by computing to the same BTB index, executes the system call, and then executes the spy function. If the spy process (which times itself) determines its branch took longer than an average branch, it logs a hit, and the delta between ordinary execution and a BTB collision is unambiguously high (see Figure 7 in the paper). Now that you have the address of that code block branch, you can deduce the address of the entire kernel code block (because it's generally in the same page of memory due to the typical granularity of the randomization scheme), and try to get at it or abuse it. The entire process can take just milliseconds on a current CPU.

The kernel is often specifically hardened against such attacks, however, and there are more tempting targets though they need more work. If you want to attack a user process (particularly one running as root, since that will have privileges you can subvert), you have to get your "spy" on the same virtual core as the victim process or otherwise they won't share a BTB -- in the case of the kernel, the system call always executes on the same virtual core via context switch, but that's not the case here. This requires manipulating the OS' process scheduler or running lots of spy processes, which slows the attack but is still feasible. Also, since you won't have a kernel system call to execute, you have to get the victim to do a particular task with a branch instruction, and that task needs to be something repeatable. Once this is done, however, the basic notion is the same. Even though only a limited number of ASLR bits can be recovered this way (remember that in Haswell's case, bit 30 and above are not used in the BTB, and full Linux ASLR uses bits 12 to 40, unlike the kernel), you can dramatically narrow the search space to the point where brute-force guessing may be possible. The whole process is certainly much more streamlined than earlier ASLR attacks which relied on fragile things like cache timing.

As it happens, software mitigations can blunt or possibly even completely eradicate this exploit. Brute-force guessing addresses in the kernel usually leads to a crash, so anything that forces the attacker to guess the address of a victim routine in the kernel will likely cause the exploit to fail catastrophically. Get a couple of those random address bits outside the 30 bits Haswell uses in the BTB table index and bingo, a relatively simple fix. One could also make ASLR more granular to occur at the function, basic block or even single instruction level rather than merely randomizing the starting address of segments within the address space, though this is much more complicated. However, hardware is needed to close the gap completely. A proper hardware solution would be to either use most or all of the virtual address in the BTB to reduce the possibility of a collision, and/or to add a random salt to whatever indexing or hashing function is used for BTB entries that varies from process to process so a collision becomes less predictable. Either needs a change from Intel.
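To make the arithmetic behind the software mitigation concrete, here is an added example (not code from the post or from the paper it discusses). It takes the two figures the post gives, a BTB index built from the low 30 bits of the virtual address and user-space ASLR spanning bits 12 to 40, and computes how many randomized bits a collision-timing probe could recover, how many must still be guessed, and what that does to a brute-force attempt that crashes on a miss. The two kernel layouts are hypothetical placeholder bit ranges chosen to show the effect of moving "a couple of those random address bits" above bit 29; the post's hardware fix (indexing on the full address, or salting the index) is not modelled here.

```python
"""Residual ASLR entropy after a BTB-index side channel (added example)."""
from dataclasses import dataclass

# Haswell uses virtual-address bits 0..29 for its BTB index (figure from the post).
BTB_INDEX_BITS = 30


@dataclass(frozen=True)
class AslrLayout:
    name: str
    low_bit: int   # lowest randomized address bit, inclusive
    high_bit: int  # highest randomized address bit, inclusive

    @property
    def randomized_bits(self):
        return self.high_bit - self.low_bit + 1


def leaked_bits(layout, index_bits=BTB_INDEX_BITS):
    """Randomized bits that lie inside the BTB index and can therefore be
    recovered by observing collision timing."""
    top = min(layout.high_bit, index_bits - 1)
    return max(0, top - layout.low_bit + 1)


def residual_bits(layout, index_bits=BTB_INDEX_BITS):
    """Randomized bits above the index: the side channel says nothing about them."""
    return layout.randomized_bits - leaked_bits(layout, index_bits)


def guesses_remaining(layout, index_bits=BTB_INDEX_BITS):
    """Worst-case candidates left once the leaked bits are known."""
    return 2 ** residual_bits(layout, index_bits)


def first_guess_hit_probability(layout, index_bits=BTB_INDEX_BITS):
    """When a wrong guess crashes (the kernel case in the post), only the
    first guess matters, so this is the attacker's whole chance."""
    return 1.0 / guesses_remaining(layout, index_bits)


def summarize(layout, index_bits=BTB_INDEX_BITS):
    return {
        "name": layout.name,
        "randomized": layout.randomized_bits,
        "leaked": leaked_bits(layout, index_bits),
        "residual": residual_bits(layout, index_bits),
        "guesses": guesses_remaining(layout, index_bits),
    }


# From the post: full Linux user-space ASLR randomizes bits 12..40.
USER_ASLR = AslrLayout("Linux user-space ASLR (from the post)", 12, 40)
# Hypothetical placeholders, not measured kernel values: every randomized
# bit inside the index, versus three bits pushed above bit 29.
KERNEL_UNMITIGATED = AslrLayout("hypothetical KASLR, bits 21..29", 21, 29)
KERNEL_MITIGATED = AslrLayout("hypothetical KASLR, bits 21..32", 21, 32)


if __name__ == "__main__":
    for layout in (USER_ASLR, KERNEL_UNMITIGATED, KERNEL_MITIGATED):
        print(summarize(layout))
```

For the user-space layout the probe recovers 18 of 29 bits and leaves 2048 candidates, which is the "dramatically narrowed search space" the post describes; for the placeholder kernel layouts the difference between zero and three residual bits is the difference between a deterministic hit and a one-in-eight chance whose other seven outcomes are a kernel crash.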

This little fable should serve to remind us that monocultures are bad. This exploit in question is viable and potentially ugly but can be mitigated. That's not the point: the point is that the attack, particularly upon the kernel, is made more feasible by particular details of how Haswell chips handle branching. When everything gets funneled through the same design and engineering optics and ends up with the same implementation, if someone comes up with a simple, weapons-grade exploit for a flaw in that implementation that software can't mask, we're all hosed. This is another reason why we need an auditable, powerful alternative to x86/x86_64 on the desktop. And there's only one system in that class right now.

Okay, okay, I'll stop banging you over the head with this stuff. I've got a couple more bugs under investigation that will be fixed in 45.5.0, and if you're having the issue where TenFourFox is not remembering your search engine of choice, please post your country and operating system here.

Categories: Mozilla-nl planet

Air Mozilla: Connected Devices Weekly Program Update, 20 Oct 2016

Mozilla planet - Thu, 20/10/2016 - 19:30

Connected Devices Weekly Program Update Weekly project updates from the Mozilla Connected Devices team.

Categories: Mozilla-nl planet

Mozilla to Ship TLS 1.3 in Firefox 52 - On the Wire (blog)

News collected via Google - Thu, 20/10/2016 - 18:23

Mozilla to Ship TLS 1.3 in Firefox 52
On the Wire (blog)
Mozilla plans to implement the next version of the TLS specification in an upcoming release of its Mozilla browser. TLS 1.3 will be shipped in Firefox 52, which is scheduled for release in March 2017. Mozilla's Martin Thomson said in an email to the ...

Categories: Mozilla-nl planet

Air Mozilla: Reps Weekly Meeting Oct. 20, 2016

Mozilla planet - Thu, 20/10/2016 - 18:00

Reps Weekly Meeting Oct. 20, 2016 This is a weekly call with some of the Reps to discuss all matters about/affecting Reps and invite Reps to share their work with everyone.

Categories: Mozilla-nl planet

Mozilla Reps Community: Rep of the Month – September 2016

Mozilla planet - Thu, 20/10/2016 - 12:59

Please join us in congratulating Mijanur Rahman Rayhan, Rep of the Month for September 2016!

Mijanur is a Mozilla Rep and Tech Speaker from Sylhet, Bangladesh. With his diverse knowledge he organized hackathons around Connected Devices and held a Web Compatibility event to find differences in different browsers.

Mijanur proved himself as a very active Mozillian through his different activities and work with different communities. With his patience and consistency to reach his goals he is always ready and prepared for these. He showed commitment to the Reps program and his proactive spirit these last elections by running as a nominee for the Cohort position in Reps Council.

Be sure to follow his activities as he continues the activate series with a Rust workshop, Dive Into Rust events, Firefox Testpilot MozCoffees, Web Compatibility Sprint and Privacy and Security seminar with Bangladesh Police!

Please join us in congratulating him on Discourse!

Categories: Mozilla-nl planet

Gervase Markham: No Default Passwords

Mozilla planet - Thu, 20/10/2016 - 12:06

One of the big problems with IoT devices is default passwords – here’s the list coded into the malware that attacked Brian Krebs. But without a default password, you have to make each device unique and then give the randomly-generated password to the user, perhaps by putting it on a sticky label. Again, my IoT vision post suggests a better solution. If the device’s public key and a password are in an RFID tag on it, and you just swipe that over your hub, the hub can find and connect securely to the device over SSL, and then authenticate itself to the device (using the password) as the user’s real hub, with zero configuration on the part of the user. And all of this works without the need for any UI or printed label which needs to be localized. Better usability, better security, better for the internet.
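The pairing flow described above, as an added example (not code from the post and not a reference to any real hub or device product): at the factory every unit gets its own random password and its own key, both written to its tag; the hub pins the key fingerprint from the tag before trusting the connection, then proves it knows the password with an HMAC over a device-chosen nonce rather than sending the password itself. The "public key" here is a placeholder byte string and the TLS handshake is left out; a real hub would pin the device certificate's key hash during the SSL connection the post mentions. Two constructed devices are paired in the usage at the bottom.

```python
"""Per-device credentials and zero-configuration hub pairing (added example)."""
import hashlib
import hmac
import secrets


def fingerprint(pubkey):
    """Stable identifier for a public key, as written to the tag and pinned by the hub."""
    return hashlib.sha256(pubkey).hexdigest()


class Device:
    def __init__(self):
        # Factory provisioning: each unit gets its own random secret, so there
        # is no shared default password for a botnet's credential list to hit.
        self._password = secrets.token_urlsafe(24)
        self._pubkey = secrets.token_bytes(32)  # placeholder for a real public key
        self._open_nonces = set()

    def tag_contents(self):
        """What the RFID tag on the device carries."""
        return {"fingerprint": fingerprint(self._pubkey), "password": self._password}

    def presented_key(self):
        """The key the device presents when the hub connects (its TLS identity)."""
        return self._pubkey

    def challenge(self):
        """Fresh nonce per authentication attempt; a proof is valid for one nonce only."""
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return nonce

    def verify_hub(self, nonce, proof):
        """Accept the hub only if it proves knowledge of this unit's password."""
        if nonce not in self._open_nonces:
            return False                      # unknown or already-used nonce: replay
        self._open_nonces.discard(nonce)
        expected = hmac.new(self._password.encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def hub_pair(tag, device):
    """Hub side of the swipe-and-connect flow; returns True when paired."""
    # 1. Pin: the key the device presents must be the one the tag names,
    #    so a device impersonating it on the network is rejected.
    if not hmac.compare_digest(fingerprint(device.presented_key()), tag["fingerprint"]):
        return False
    # 2. Authenticate to the device with the tag's password, never sending it.
    nonce = device.challenge()
    proof = hmac.new(tag["password"].encode(), nonce, hashlib.sha256).digest()
    return device.verify_hub(nonce, proof)


if __name__ == "__main__":
    bulb, camera = Device(), Device()          # two constructed units
    print(hub_pair(bulb.tag_contents(), bulb))   # True: tag matches device
    print(hub_pair(bulb.tag_contents(), camera))  # False: fingerprint mismatch
```

Note that the password on the tag is only ever used to key an HMAC, so someone who sniffs the pairing exchange learns a nonce and a digest, not a reusable credential, and a proof cannot be replayed because the device discards each nonce after one use.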

Categories: Mozilla-nl planet