Firefox 77 Arrives With Faster JavaScript Debugging and Optional Permissions (venturebeat.com) 30
Ask Slashdot: Why is Microsoft Blocking Its Own Server Pages? 21
Your request has been blocked. This may be due to several reasons. 1. You are using a proxy that is known to send automated requests to Microsoft. Check with your network administrator if there is any proxy and what User-Agent they are sending in the request header. 2. Your request pattern matches an automated process. To eliminate, reduce the volume of requests over a period of time. 3. Reference ID: 41.70790b91.4823110533.409105b4
It turns out the advisory number doesn't matter, just the extension for "Active Microsoft Server Page" (https.../.mspx) at the end. I guess there were too many security advisory lookups for MS to handle! *snort*!
The .mspx extension indicates a page using a special internal Microsoft rendering framework with a custom web handler (built in ASP.Net). But I ran some tests Saturday, and observed the exact same glitch described above using three different browsers — Firefox, Edge, and Brave. Anyone have a theory about what's going on?
Leave your thoughts in the comments. Why is Microsoft blocking its own server pages?
Chrome and Firefox Block Torrent Site YTS Over 'Phishing' (torrentfreak.com) 34
It's not clear what the exact problem is but the Chrome warning mentions that YTS was caught phishing. This is also reflected in Google's Safe Browsing report, which states the torrent site recently tried to trick visitors into sharing personal info or downloading software. Whether any of this is intentional remains a question. It seems more likely that the warning was triggered by some type of malicious advertisement.
Chromium Project Finds 70% of Its Serious Security Bugs Are Memory Safety Problems (chromium.org) 154
ZDNet reports: The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a "high" or "critical" severity rating. The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products addressed memory safety vulnerabilities. Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are "unsafe" languages....
Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a "critical" severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem... Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers (addresses), leaving doors open for attackers to attack Chrome's inner components...
While software companies have tried before to fix C and C++'s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox... Microsoft is also heavily investing in exploring C and C++ alternatives⦠But this week, Google also announced similar plans as well... Going forward, Google says it plans to look into developing custom C++ libraries to use with Chrome's codebase, libraries that have better protections against memory-related bugs. The browser maker is also exploring the MiraclePtr project, which aims to turn "exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact."
And last, but not least, Google also said it plans to explore using "safe" languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.
Firefox 78 To Prevent Websites From Forcing Users To Save PDF Documents (thewindowsclub.com) 69
"Mozilla is rolling out this feature to the masses with the stable release of Firefox 78." Right now, Mozilla has added this feature to Firefox 78 in the Nightly channel.
The issue was first raised in 2011, and it took Mozilla 9 years to fix it. Many websites host and offer PDF documents with the following HTTP header:
Content-Disposition: attachment; filename="whatever.pdf."
This is an indication to the web browser that the PDF file should be saved with the specified name rather than try opening it in the web browser window. But since Firefox has a built-in PDF viewer, it should be for users to decide whether they want to view or save PDF documents.
Firefox 76 Arrives With Password Management and Zoom Improvements (venturebeat.com) 75
[...] Firefox 76 adds support for Audio Worklets, which run custom JavaScript audio processing code for applications like VR and gaming on the web. Unlike their predecessor, ScriptProcessorNode, worklets run off the main thread in a similar way to web workers. Mozilla also notes Audio Worklets are "being adopted by some of your favorite software programs." The company specifically called out Zoom, which has become a phenomenon of its own during the pandemic. In short, you now join Zoom calls in Firefox without having to download or install the Zoom client.
New Firefox Service Will Generate Unique Email Aliases To Enter In Online Forms (zdnet.com) 70
Firefox Raises Its Bug Bounties to $10,000 (mozilla.org) 5
Additionally, we'll be publishing more posts about how to get started testing Firefox — which is something we began by talking about the HTML Sanitization we rely on to prevent UXSS. By following the instructions there you can immediately start trying to bypass our sanitizer using your existing Firefox installation in less than a minute...
Lastly, we would like to let you know that we have cross-posted this to our new Attack & Defense blog. This new blog is a vehicle for tailored content specifically for engineers, security researchers, and Firefox bug bounty participants.
They point out that Firefox has one of the world's oldest bug bounty programs, dating back to 2004 -- and it's still going strong. "From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 — but as you can see in the graph below, our most common payout was actually $4,000!"
Vivaldi Browser Gets Built-in Tracking Blocker, Goes GA on Android (techcrunch.com) 26
Mozilla Installs Scheduled Telemetry Task On Windows With Firefox 75 (ghacks.net) 102
Mozilla says:
- "We're collecting information related to the system's current and previous default browser setting, as well as the operating system locale and version. This data cannot be associated with regular profile based telemetry data..."
- "We'll respect user configured telemetry opt-out settings by looking at the most recently used Firefox profile."
- "We'll respect custom Enterprise telemetry related policy settings if they exist. We'll also respect policy to specifically disable this task."
"Collecting telemetry is one way we're able to ensure we can understand default browser trends in a way that helps us improve Firefox. It's our hope that by better understanding more about our users and their choices around browser preferences, we can continue to build a better Firefox."
Long-time Slashdot reader AmiMoJo writes, "Opting out can be done via the Privacy & Security section of the preferences screen. You can view collected telemetry and view your current settings at about:telemetry."
Bleeping Computer also notes that by default, "For some time, Firefox has been collecting telemetry data about how you use the browser, such as the number of web pages you visit, safebrowsing information, the number of open tabs and windows, what add-ons are installed, and more. This telemetry data is kept for 13 months and IP addresses listed in server logs are deleted every 30 days.
"On my computer, Firefox has collected over 400KB of information."
Longtime Mozilla Leader Mitchell Baker is Now CEO (cnet.com) 34
Firefox 75 Arrives With Revamped Address Bar; Mozilla To Stick With 2020 Schedule (venturebeat.com) 43
When the coronavirus crisis took hold, millions found themselves spending more time in their browsers as they learn and work from home. But the crisis is also impacting software developers. Google was forced to pause its Chrome releases, which typically arrive every six weeks. Ultimately, Chrome 81 was delayed, Chrome 82 is being skipped altogether, and Chrome 83 has been moved up a few weeks. Microsoft has followed suit with Edge's release schedule, consistent with Google's open source Chromium project, which both Chrome and Edge are based on. Mozilla wants to make clear it is not in the same boat. The company took an indirect jab at Google and Microsoft today, saying: "We've built empathy into our systems for handling difficult or unexpected circumstances. These strengths are what allow us to continue to make progress where some of our competitors have had to slow down or stop work."
Edge Overtakes Firefox To Become the Second-Most Popular Browser (softpedia.com) 119
So right now, Microsoft Edge is the second most-used desktop browser on the planet with a share of 7.59%, while Mozilla Firefox is now third with 7.19%.
As for who's leading the pack, Google Chrome continues to be number one with a share of 68.50%.
Twitter Discloses Firefox Bug That Cached Private Files Sent or Received via DMs (zdnet.com) 42
To Conserve Bandwidth, Should Opting In Be Required Before Autoplaying Videos? (fatherly.com) 103
To give an example, a couple of days ago I was watching a show on Hulu, and either I was more sleepy than I thought or the show was more boring than I had expected (probably some combination of both), but I drifted off to sleep. Two hours later I awoke and realize that Hulu had streamed two additional episodes that no one was watching. I searched in vain for a way to disable autoplay of the next episode, but if there is some way to do it I could not find it.
What I wonder is how many people even want autoplay? I believe Netflix finally gave their users a way to disable it, but they need to affirmatively do so via a setting somewhere. But many other platforms give their users no option to disable autoplay. That is also true of many individual apps that can be used on a Roku or similar device. If conserving bandwidth is really that important, then my contention is that autoplaying of the next episode should be something you need to opt in for, not something enabled by default that either cannot be disabled or that forces the user to search for a setting to disable.
"Firefox will disable autoplay," writes long-time Slashdot user bobs666 (adding "That's it use Firefox.") And there are ways to disable autoplay in the user settings on Netflix, YouTube, Hulu, and Amazon Prime.
But wouldn't it make more sense to disable autoplay by default -- at least for the duration of this unusual instance of peak worldwide demand?
I'd be interested in hearing from Slashdot's readers. Do you use autoplay -- or have you disabled it? And do you think streaming companies should turn it off by default?
Doc Searls: 'Zoom Needs to Clean Up Its Privacy Act' (harvard.edu) 32
Zoom does use certain standard advertising tools which require Personal Data ...
What they mean by that is adtech. What they're also saying here is that Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data. What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it. (Unless, of course, they see an ad somewhere that looks like it was informed by a private conversation on Zoom.)
A person whose personal data is being shed on Zoom doesn't know that's happening because Zoom doesn't tell them. There's no red light, like the one you see when a session is being recorded. If you were in a browser instead of an app, an extension such as Privacy Badger could tell you there are trackers sniffing your ass. And, if your browser is one that cares about privacy, such as Brave, Firefox or Safari, there's a good chance it would be blocking trackers as well. But in the Zoom app, you can't tell if or how your personal data is being harvested.
(think, for example, Google Ads and Google Analytics).
There's no need to think about those, because both are widely known for compromising personal privacy. (See here. And here. Also Brett Frischmann and Evan Selinger's Re-Engineering Humanity and Shoshana Zuboff's In the Age of Surveillance Capitalism.)
Zoom claims it needs personal data to "improve" its users "experience" with ads -- though Searls isn't satisfied. ("Nobody goes to Zoom for an 'advertising experience,' personalized or not. And nobody wants ads aimed at their eyeballs elsewhere on the Net by third parties using personal information leaked out through Zoom.") His conclusion?
"What Zoom's current privacy policy says is worse than 'You don't have any privacy here.' It says, 'We expose your virtual necks to data vampires who can do what they will with it.'"
Firefox Is Launching a New Test Pilot With Scroll To Pay Web Publishers (theverge.com) 65
The extension includes Scroll and also a "customized Enhanced Tracking Protection setting that will block third-party trackers, fingerprinters, and cryptominers," according to Mozilla. It will work across different desktop browsers, but of course it is designed primarily to be used with Firefox. The deal with Mozilla should get Scroll a much larger userbase, but neither company would disclose any financial terms. Scroll takes a 30 percent cut of your subscription fee and pays the rest out to its partner publishers based on your web browsing habits. It tracks those habits automatically, and the company tells me that it will soon offer users tools to delete their data -- on top of a pledge to never sell that data. Scroll also pledges to make it easier for small publishers to sign up through an automated system soon.
Mozilla Launches New Initiative With Scroll To Fund Publishers (axios.com) 33