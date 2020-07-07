Language Selection

Mozilla: Firefox Nightly, JS, Security and Rust

Wednesday 8th of July 2020 10:56:42 PM
Moz/FF
  • Firefox Nightly: These Weeks in Firefox: Issue 75
  • Additional JavaScript syntax support in add-on developer tools

    When an add-on is submitted to Firefox for validation, the add-ons linter checks its code and displays relevant errors, warnings, or friendly messages for the developer to review. JavaScript is constantly evolving, and when the linter lags behind the language, developers may see syntax errors for code that is generally considered acceptable. These errors block developers from getting their add-on signed or listed on addons.mozilla.org.

  • A look at password security, Part I: history and background

    Today I’d like to talk about passwords. Yes, I know, passwords are the worst, but why? This is the first of a series of posts about passwords, with this one focusing on the origins of our current password systems starting with log in for multi-user systems.

    The conventional story for what’s wrong with passwords goes something like this: Passwords are simultaneously too long for users to memorize and too short to be secure.

    It’s easy to see how to get to this conclusion. If we restrict ourselves to just letters and numbers, then there are about 26 one character passwords, 212 two character passwords, etc. The fastest password cracking systems can check about 236 passwords/second, so if you want a password which takes a year to crack, you need a password of 10 characters long or longer.

    The situation is actually far worse than this; most people don’t use randomly generated passwords because they are hard to generate and hard to remember. Instead they tend to use words, sometimes adding a number, punctuation, or capitalization here and there. The result is passwords that are easy to crack, hence the need for password managers and the like.

    This analysis isn’t wrong, precisely; but if you’ve ever watched a movie where someone tries to break into a computer by typing passwords over and over, you’re probably thinking “nobody is a fast enough typist to try billions of passwords a second”. This is obviously true, so where does password cracking come into it?

    [...]

    This design is a huge improvement over just having a file with cleartext passwords and it might seem at this point like you didn’t need to stop people from reading the password file at all. In fact, on the original UNIX systems where this design was used, the /etc/passwd file was publicly readable. However, upon further reflection, it has the drawback that it’s cheap to verify a guess for a given password: just compute H(guess) and compare it to what’s been stored. This wouldn’t be much of an issue if people used strong passwords, but because people generally choose bad passwords, it is possible to write password cracking programs which would try out candidate passwords (typically starting with a list of common passwords and then trying variants) to see if any of these matched. Programs to do this task quickly emerged.

    The key thing to realize is that the computation of H(guess) can be done offline. Once you have a copy of the password file, you can compare your pre-computed hashes of candidate passwords against the password file without interacting with the system at all. By contrast, in an online attack you have to interact with the system for each guess, which gives it an opportunity to rate limit you in various ways (for instance by taking a long time to return an answer or by locking out the account after some number of failures). In an offline attack, this kind of countermeasure is ineffective.

  • Announcing Rustup 1.22.1

    The rustup working group is happy to announce the release of rustup version 1.22.1. Rustup is the recommended tool to install Rust, a programming language that is empowering everyone to build reliable and efficient software.

  • This Week in Rust 346
Open Usage Commons

  • Introducing the Open Usage Commons

    Open source maintainers don’t often spend time thinking about their project’s trademarks, and with good reason: between code contribution, documentation, crafting the technical direction, and creating a healthy contributor community, there’s plenty to do without spending time considering how your project’s name or logo will be used. But trademarks – whether a name, logo, or badge – are an extension of a project’s decision to be open source. Just as your project’s open source license demonstrates that your codebase is for free and fair use, an open source project trademark policy in keeping with the Open Source Definition gives everyone – upstream contributors and downstream consumers – comfort that they are using your project’s marks in a fair and accurate way.

  • Open Usage Commons Is Google-Backed Organization For Helping With Open-Source Project Trademarks

    Open Usage Commons is a new organization announced today that is backed by Google for helping open-source projects in managing their trademarks. Open Usage Commons was started by Google in conjunction with academia, independent contributors, and others for helping to assert and manage project identities through trademark management and conformance testing.

  • The "Open Usage Commons" launches

    Google has announced the creation of the Open Usage Commons, which is intended to help open-source projects manage their trademarks.

  • Announcing a new kind of open source organization

    Google has deep roots in open source. We're proud of our 20 years of contributions and community collaboration. The scale and tenure of Google’s open source participation has taught us what works well, what doesn’t, and where the corner cases are that challenge projects.

  • Philip Withnall: URI parsing and building in GLib

    Marc-André Lureau has landed GUri support in GLib, and it’ll be available in GLib 2.65.1 (due out in the next few days). GUri is a new API for parsing and building URIs, roughly equivalent to SoupURI already provided by libsoup — but since URIs are so pervasive, and used even if you’re not actually doing HTTP conversations, it makes sense to have a structured representation for them in GLib.

  • Sandboxing in Linux with zero lines of code

    Modern Linux operating systems provide many tools to run code more securely. There are namespaces (the basic building blocks for containers), Linux Security Modules, Integrity Measurement Architecture etc. In this post we will review Linux seccomp and learn how to sandbox any (even a proprietary) application without writing a single line of code.

  • Mario Sanchez Prada: ﻿​Chromium now migrated to the new C++ Mojo types

    At the end of the last year I wrote a long blog post summarizing the main work I was involved with as part of Igalia’s Chromium team. In it I mentioned that a big chunk of my time was spent working on the migration to the new C++ Mojo types across the entire codebase of Chromium, in the context of the Onion Soup 2.0 project. For those of you who don’t know what Mojo is about, there is extensive information about it in Chromium’s documentation, but for the sake of this post, let’s simplify things and say that Mojo is a modern replacement to Chromium’s legacy IPC APIs which enables a better, simpler and more direct way of communication among all of Chromium’s different processes.

  • 6 best practices for teams using Git

    Everyone should follow standard conventions for branch naming, tagging, and coding. Every organization has standards or best practices, and many recommendations are freely available on the internet. What's important is to pick a suitable convention early on and follow it as a team. Also, different team members will have different levels of expertise with Git. You should create and maintain a basic set of instructions for performing common Git operations that follow the project's conventions.

  • Qt for MCUs 1.3 released

    Qt for MCUs 1.3 is now available in the Qt installer. Download it to get the latest improvements and create stunning GUIs with the newly available timeline animation system. Since the initial release of Qt for MCUs 1.0 back in December last year, we've been hard at work to bring new features to MCUs with the 1.1 and 1.2 releases. Efforts haven't slowed down and it's already time to bring you another batch of improvements. Besides the new features, One of the goals has been to make Qt Quick Ultralite a true subset of Qt Quick and align their QML APIs to ensure both code and skills can be reused from traditional Qt platforms to microcontrollers. With Qt for MCUs 1.3, QML code written for Qt Quick Ultralite is now source-compatible with Qt 5.15 LTS.

