Web

These Weeks in Firefox, Mozilla on Privacy, FSFE Blogs on Tor, Purism’s CEO Todd Weaver Testifies at California Congressional Privacy Commission

Filed under
Web
  • These Weeks in Firefox: Issue 53
  • Mozilla Future Releases Blog: Enhanced Tracking Protection Testing: Protecting users’ privacy by default

    Over the past couple of months since we announced that we would broaden our approach to anti-tracking we’ve been experimenting and testing Enhanced Tracking Protection, a feature that blocks cookies and storage access from third-party trackers. Recently, we published a set of policies that define which tracking practices will be blocked in Firefox, and a new set of redesigned controls for the Content Blocking section where users can choose their desired level of privacy protection. As the next step in our path to enable Enhanced Tracking Protection by default, this week we launched a study to observe how enabling this functionality for a group of Firefox users in our Release Channel would impact the online experience.

  • I am up to no good.

    I am a user of “the darknet”. I use Tor to secure my communications from curious eyes. At the latest since Edward Snowden’s leaks we know, that this might be a good idea. There are many other valid, legal use-cases for using Tor. Circumventing censorship is one of them.

    But German state secretary Günter Krings (49, CDU) believes something else. Certainly he “understand[s], that the darknet may have a use in autocratic systems, but in my opinion there is no legitimate use for it in a free, open democracy. Whoever uses the darknet is usually up to no good.”

    [...]

    Instead of trying to ban our democratic people from using tor, we should celebrate the fact that we are a democracy that can afford having citizens who can avoid surveillance and that have access to uncensored information.

  • Purism’s CEO Todd Weaver Testifies at California Congressional Privacy Commission

    My name is Todd Weaver, and I think you’ll find I’m an unusual witness here today, while I may be sitting side-by-side with impressive privacy protection groups, I am here as the CEO of a rapidly growing technology company based in California.

    I am here calling for much stronger consumer privacy protections – starting with giving consumers the power to opt IN rather than opt OUT of sharing their personal data.

    I am here to tell you it’s time for California’s extraordinary tech industry to stop harvesting and “sharing” our most personal private data without our meaningful consent and knowledge.

    I am not here to tell you AB 375 (or stronger) protections are tough to implement, history is filled with wrongdoers complaining that doing right will put them out of business only to comply and thrive later. Incidentally, this same tech industry complained about Europe’s GDPR that certainly did not put them out of business.

    I am here to tell you the new law (or stronger) is easy to technically comply with – if we companies simply begin to honor our customer’s privacy rights and design our services to be privacy-protecting rather than privacy-exploiting.

gitgeist: a git-based social network proof of concept

Filed under
Development
Web

Are you tired of not owning the data or the platform you use for social postings? I know I am.

It's hard to say when I "first" used a social network. I've been on email for about 30 years and one of the early ad-hoc forms of social networks were chain emails. Over the years I was asked to join all sorts of "social" things such as IRC, ICQ, Skype, MSN Messenger, etc. and eventually things like Orkut, MySpace, Facebook, etc. I'll readily admit that I'm not the type of person that happily jumps onto every new social bandwagon that appears on the Internet. I often prefer preserving the quietness of my own thoughts. That, though, hasn't stopped me from finding some meaningfulness participating in Twitter, Facebook, LinkedIn and more recently Google+. Twitter was in fact the first social network that I truly embraced. And it would've remained my primary social network had they not killed their own community by culling the swell of independently-developed Twitter clients that existed. That and their increased control of their API effectively made me look for something else. Right around that time Google+ was being introduced and many in the open source community started participating in that, in some ways to find a fresh place where techies can aggregate away from the noise and sometimes over-the-top nature of Facebook. Eventually I took to that too and started using G+ as my primary social network. That is, until Google recently decided to pull the plug on G+.

While Google+ might not have represented a success for Google, it had become a good place for sharing information among the technically-inclined. As such, I found it quite useful for learning and hearing about new things in my field. Soon-to-be-former users of G+ have gone in all sorts of directions. Some have adopted a "c'mon guys, get over it, Facebook is the spot" attitude, others have adopted things like Mastodon, others have fallen back to their existing IDs on Twitter, and yet others, like me, are still looking.

Read more

WWW and OSS Leftovers

Filed under
OSS
Web
  • WWW = Woeful, er, winternet wendering? CERN browser rebuilt after 30 years barely recognizes modern web

    In preparation for next month's 30th anniversary of the proposal that gave us the world wide web, boffins at the behest of CERN have recreated the world's first web browser, and made it accessible as a modern web page.

    Created by Sir Tim Berners-Lee, the ur-browser, first called WorldWideWeb, and later Nexus, was built from Objective-C in 1990 on a NeXT workstation to display its maker's HyperText Markup Language.

    The browser's resurrection – click here to try it out – follows five days of hacking by an international team of nine developers, reunited after a previous effort to revive the original Line Mode Browser in 2013.

  • Web Design Survey Findings and Next Steps

    Now we need your help again! The main takeaway from the first survey was that developers and designers of every experience level want to better understand CSS issues like unexpected scrollbars and sizing. We’ve started researching and prototyping potential tool ideas for investigating specific types of CSS bugs, but we need your feedback to guide our work.

    Please take a moment with our quick single-page CSS Layout Debugging survey and help us rank the most time-consuming bugs. Your feedback will be immensely helpful in clarifying our plans in 2019 and beyond.

  • How donations helped LibreOffice and TDF in 2018

    Donations to The Document Foundation, the non-profit entity behind LibreOffice, help us to grow our community, share knowledge about the software (and its development), maintain our infrastructure, organise events and much more. The image below shows what was made possible in 2018, thanks to your generous donations – click for a larger version!

  • NomadBSD 1.2-RC2 released!

    The second release candidate of NomadBSD 1.2 is now available! We would like to thank all the RC1 testers who sent us feedback and bug reports. If you notice any problems, please let us know.

  • Mi 9 kernel source code available on launch day

    Xiaomi literally declared war against Samsung by setting the launch date of Mi 9 on the same day with Galaxy S10. The Chinese launch event by Xiaomi completed just now – Mi 9, Mi 9 Transparent Edition and Mi 9 SE are now official.

  • Bell Labs, Skunk Works, and the Crowd Sourcing of Innovation

    I’ve noticed that we hear a lot less from corporate research labs than we used to. They still exist, though. Sure, Bell Labs is owned by Nokia and there is still some hot research at IBM even though they quit publication of the fabled IBM Technical Disclosure Bulletin in 1998. But today innovation is more likely to come from a small company attracting venture capital than from an established company investing in research. Why is that? And should it be that way?

Software Code’s “Wayback Machine” Gets a Boost

Filed under
OSS
Web

Call it the Wayback Machine of code: a searchable open archive of software source code across iterations; from buggy beta versions, to sophisticated contemporary release.

Software Heritage is a non-profit initiative developed and hosted by the French Institute for Research in Computer Science and Automation.

Officially created in 2015, the project has been growing over the years. It now spans 5.6 billion source files from more than 88 million projects.

Software Heritage is itself built on open-source code. It gathers source files by trawling through repositories that developers use to create and share code, such as Github, Gitlab, GoogleCode, Debian, GNU and the Python Package Index, with users able to trace detailed revision history of all the codebase versions that it stores.

Read more

Free/Open Source Software on IoT and the Net/WWW

Filed under
Web
  • Security Vulnerabilities Pose a Challenge to IoT/IIoT Mass Adoption

    Statista, a leading market and consumer data research firm, estimates that by 2020, the utilities, transportation and logistics, and discrete manufacturing industries are each projected to spend $40 billion on Internet of Things (IoT) platforms, systems and services. The next largest spending category will be business-to-consumer vendors, at $25 billion, while the health-care, energy and retail industries are each projected to spend north of $10 billion. These numbers add up to a significant investment in the IoT. In fact, the Boston Consulting Group predicts that the IoT market will reach $267 billion by 2020.

  • Decentralised IoT Network Gets Tencent Investment

    Wienke Giezeman is a man on a mission: since 2015, he’s been busy creating a decentralized LoRaWAN based internet of things (IoT) network which has no single owner and no single point of control. His goal is to make it easy for people to focus on the business value created by IoT, and not have to worry about the technology.

    Giezeman stood on the stage at his The Things Conference here earlier this month to announce some major breakthroughs that could just tip the balance for mass deployment of LoRaWAN devices and gateways. This includes a very low cost $69 indoor gateway, a generic software defined IoT node device incorporating multiple sensors, a security chip in conjunction with Microchip Technology, and a partnership with Tencent to accelerate LoRaWAN network expansion among the Chinese developer community.

  • Open IoT Network Adds Devices, Expands in China


  • How Tim Berners-Lee's Inrupt project plans to fix the web

    Tim Berners-Lee wants to change the face of the internet he created. In September 2018, the father of the world wide web announced the launch of startup Inrupt, co-founded with cybersecurity entrepreneur John Bruce, which has as its mission “to restore rightful ownership of data back to every web user.”

    Since 2015, Berners-Lee has been working on a new web infrastructure called Solid, which rethinks how web apps store and share personal data. Inrupt aims to drive the development of the Solid platform and transform it from an innovative idea to a viable platform for businesses and consumers. “My group in the CSAIL [Computer Sciences and Artificial Intelligence Laboratory] Lab at MIT had been working on Solid for some years,” Berners-Lee says. “The initial goal of Inrupt is to add the energy and resources of a startup to the open-source efforts to make the Solid movement happen.”

    Over the past three decades, the web has evolved into something very different to Berners-Lee's original vision of openness, co-operation and creativity. Most of the data we put online is now siloed on the servers of companies like Google, Facebook and Twitter, and used to sell us as an audience for targeted advertising. We can download and delete our online histories, but we still can't easily move our data between services. “Innovation and value creation are choked by powerful forces whose focus is primarily on what generates profit or serves political agendas,” says John Bruce, who takes the role of CEO at Inrupt (Berners-Lee is CTO).

Here Is Why I Finally Switched To Firefox

Filed under
Web

The web browser market is an active war zone. You never know what can happen next. I am a guy who has always used Chrome. I’d never even bother using anything else. The first thing that I’d ever do on a new system is install Google Chrome. I would say I actively avoided even having to use anything else. I do install Firefox and Opera but they are always used for separating my personal and work environment.

Read more

Session Sync - A nice session manager for Firefox Quantum

Filed under
Moz/FF
Web

Back in the good ole days, Firefox had a wealth of excellent, powerful extensions. Among them, Tab Mix Plus with a superb built-in session manager. Come Firefox Quantum (57 onwards) and WebExtensions, a lot of goodies have gone away, forever. We are left with diminished functionality.

One of the things that I've been hunting after the most is a flexible session manager akin to the old stuff, with the ability to manage multiple sessions in a smart, simple, elegant way. I think I've finally found an addon that does the trick. It's called Session Sync, and I'm happy enough to actually write a whole article about this.

Read more

16 Best Linux IRC Clients (Updated 2019)

Filed under
GNU
Linux
Software
Web

Internet Relay Chat (IRC) is a form of real-time Internet text messaging (chat) or synchronous conferencing. IRC was born during summer 1988 when Jarkko Oikarinen wrote the first IRC client and server when he was working in the Department of Information Processing Science at the University of Oulu, Finland. This system enables millions of people around the world to communicate in real time. While IRC has lost some popularity, IRCv3 looks interesting with some advanced client features such as instant notifications, improved security and more.

IRC is mainly designed for group communication in discussion forums, called channels, but it also allows one-to-one communication via private message as well as chat and data transfers via Direct Client-to-Client.

IRC is used for many different purposes such as obtaining technical support from developers and users, for conducting meetings and even for rolegaming.

Users typically connect to an IRC network using an IRC client. The client takes the raw IRC traffic and turns it into an easy-to-use interface.

Read more

curl 7.64.0 – like there’s no tomorrow

Filed under
OSS
Web

I know, has there been eight weeks since the previous release already? But yes it has – I double-checked! And then as the laws of nature dictate, there has been yet another fresh curl version released out into the wild.

Read more

Web Browsers: Chrome and Firefox

Filed under
Google
Moz/FF
Web
  • Firefox 65 takes a long time to close & high CPU usage

    Well, well, I've encountered a new, interesting and - ultimately - annoying problem. On one of my Windows machines, I upgraded Firefox to version 65. Then I noticed that the close sequence for the browser takes a very long time. Previously, this would be a very short thing - 1-2 seconds max. Now, it was taking a whole minute and eating one core worth of CPU. So I decided to dig into this issue more deeply and figure out whether this is something in my own setup or a fresh issue in Firefox.

    As always, the Internet wasn't very helpful. I had the usual slew of recommendations - update drivers, refresh this, refresh that. The worst kind of suggestions that completely ignore the problem or the reasons why it manifested. After all, if you don't understand the issue, making changes only masks the whole thing in the long run. To that end, I set about doing this the right way. Follow me.

  • Google Chrome 72 for Android Improves Privacy with Updated Incognito Mode

    Google released today the Chrome 72 mobile web browser for Android devices ahead of the desktop platforms (Linux, Mac, and Windows), an update that improves privacy and security.
    If you're a fan of the Google Chrome web browser and you use it on your Android smartphone or tablet, you should know that it's been updated to version 72.0.3626.76, a new stable release adding stability and performance improvements, as the company noted in the brief release announcement.

    To tackle various security and privacy issues that users have reported since previous updates, Google decided to update the built-in Incognito Mode of the Chrome web browser by making the media player controls and notifications incognito as well, which means that they're now invisible to the naked eye.

  • Chrome is right to remove the webRequest extension API

    …but the proposed declarativeNetRequest API isn’t a good replacement. So where does that leave us?

    Headline writers have had their fun over the last week playing on people’s mistrust of Google’s motivations and their governance of the Chromium web browser project. Despite the headlines: Google is not about to kill ad-blocking extensions in Chrome.


More in Tux Machines

Games: Surviving Mars and OpenMW

Kernel and Security: BPF, Mesa, Embedded World, Kernel Address Sanitizer and More

  • Concurrency management in BPF
    In the beginning, programs run on the in-kernel BPF virtual machine had no persistent internal state and no data that was shared with any other part of the system. The arrival of eBPF and, in particular, its maps functionality, has changed that situation, though, since a map can be shared between two or more BPF programs as well as with processes running in user space. That sharing naturally leads to concurrency problems, so the BPF developers have found themselves needing to add primitives to manage concurrency (the "exchange and add" or XADD instruction, for example). The next step is the addition of a spinlock mechanism to protect data structures, which has also led to some wider discussions on what the BPF memory model should look like. A BPF map can be thought of as a sort of array or hash-table data structure. The actual data stored in a map can be of an arbitrary type, including structures. If a complex structure is read from a map while it is being modified, the result may be internally inconsistent, with surprising (and probably unwelcome) results. In an attempt to prevent such problems, Alexei Starovoitov introduced BPF spinlocks in mid-January; after a number of quick review cycles, version 7 of the patch set was applied on February 1. If all goes well, this feature will be included in the 5.1 kernel.
  • Intel Ready To Add Their Experimental "Iris" Gallium3D Driver To Mesa
    For just over the past year Intel open-source driver developers have been developing a new Gallium3D-based OpenGL driver for Linux systems as the eventual replacement to their long-standing "i965 classic" Mesa driver. The Intel developers are now confident enough in the state of this new driver dubbed Iris that they are looking to merge the driver into mainline Mesa proper.  The Iris Gallium3D driver has now matured enough that Kenneth Graunke, the Intel OTC developer who originally started Iris in late 2017, is looking to merge the driver into the mainline code-base of Mesa. The driver isn't yet complete but it's already in good enough shape that he's looking for it to be merged albeit marked experimental.
  • Hallo Nürnberg!
    Collabora is headed to Nuremberg, Germany next week to take part in the 2019 edition of Embedded World, "the leading international fair for embedded systems". Following a successful first attendance in 2018, we are very much looking forward to our second visit! If you are planning on attending, please come say hello in Hall 4, booth 4-280! This year, we will be showcasing a state-of-the-art infrastructure for end-to-end, embedded software production. From the birth of a software platform, to reproducible continuous builds, to automated testing on hardware, get a firsthand look at our platform building expertise and see how we use continuous integration to increase productivity and quality control in embedded Linux.
  • KASAN Spots Another Kernel Vulnerability From Early Linux 2.6 Through 4.20
    The Kernel Address Sanitizer (KASAN) that detects dynamic memory errors within the Linux kernel code has just picked up another win with uncovering a use-after-free vulnerability that's been around since the early Linux 2.6 kernels. KASAN (along with the other sanitizers) have already proven quite valuable in spotting various coding mistakes hopefully before they are exploited in the real-world. The Kernel Address Sanitizer picked up another feather in its hat with being responsible for the CVE-2019-8912 discovery.
  • io_uring, SCM_RIGHTS, and reference-count cycles
    The io_uring mechanism that was described here in January has been through a number of revisions since then; those changes have generally been fixing implementation issues rather than changing the user-space API. In particular, this patch set seems to have received more than the usual amount of security-related review, which can only be a good thing. Security concerns became a bit of an obstacle for io_uring, though, when virtual filesystem (VFS) maintainer Al Viro threatened to veto the merging of the whole thing. It turns out that there were some reference-counting issues that required his unique experience to straighten out. The VFS layer is a complicated beast; it must manage the complexities of the filesystem namespace in a way that provides the highest possible performance while maintaining security and correctness. Achieving that requires making use of almost all of the locking and concurrency-management mechanisms that the kernel offers, plus a couple more implemented internally. It is fair to say that the number of kernel developers who thoroughly understand how it works is extremely small; indeed, sometimes it seems like Viro is the only one with the full picture. In keeping with time-honored kernel tradition, little of this complexity is documented, so when Viro gets a moment to write down how some of it works, it's worth paying attention. In a long "brain dump", Viro described how file reference counts are managed, how reference-count cycles can come about, and what the kernel does to break them. For those with the time to beat their brains against it for a while, Viro's explanation (along with a few corrections) is well worth reading. For the rest of us, a lighter version follows.

Blacklisting insecure filesystems in openSUSE

The Linux kernel supports a wide variety of filesystem types, many of which have not seen significant use — or maintenance — in many years. Developers in the openSUSE project have concluded that many of these filesystem types are, at this point, more useful to attackers than to openSUSE users and are proposing to blacklist many of them by default. Such changes can be controversial, but it's probably still fair to say that few people expected the massive discussion that resulted, covering everything from the number of OS/2 users to how openSUSE fits into the distribution marketplace.

On January 30, Martin Wilck started the discussion with a proposal to add a blacklist preventing the automatic loading of a set of kernel modules implementing (mostly) old filesystems. These include filesystems like JFS, Minix, cramfs, AFFS, and F2FS. For most of these, the logic is that the filesystems are essentially unused and the modules implementing them have seen little maintenance in recent decades. But those modules can still be automatically loaded if a user inserts a removable drive containing one of those filesystem types. There are a number of fuzz-testing efforts underway in the kernel community, but it seems relatively unlikely that any of them are targeting, say, FreeVxFS filesystem images. So it is not unreasonable to suspect that there just might be exploitable bugs in those modules. Preventing modules for ancient, unmaintained filesystems from automatically loading may thus protect some users against flash-drive attacks.

If there were to be a fight over a proposal like this, one would ordinarily expect it to be concerned with the specific list of unwelcome modules. But there was relatively little of that. One possible exception is F2FS, the presence of which raised some eyebrows since it is under active development, having received 44 changes in the 5.0 development cycle, for example. Interestingly, it turns out that openSUSE stopped shipping F2FS in September. While the filesystem is being actively developed, it seems that, with rare exceptions, nobody is actively backporting fixes, and the filesystem also lacks a mechanism to prevent an old F2FS implementation from being confused by a filesystem created by a newer version. Rather than deal with these issues, openSUSE decided to just drop the filesystem altogether. As it happens, the blacklist proposal looks likely to allow F2FS to return to the distribution since it can be blacklisted by default.

Read more
