From hacks of some of the world’s largest corporations (think Target, Home Depot), to critical vulnerabilities in widely used open source software like Heartbleed and Shellshock, to connected carmakers being woefully unprepared to identify and mitigate attacks, to companies like Sony exercising bad security hygiene even after previously suffering a major attack, the challenges to securing the internet and those who use it have never seemed greater.

Yet, none of these examples or many of the other exploits that have dominated the public imagination in recent years align with traditional government cyber security paradigms. To contribute to developing a more informed public debate in this arena, the Freedom Online Coalition, a group of 26 countries publicly committed to supporting global internet freedom, set up a multistakeholder working group on an “Internet Free and Secure,” of which I’m a member.

In addition to ongoing efforts to map where cybersecurity policy discussions are happening (with an eye to facilitating greater multistakeholder involvement) and developing normative recommendations, the working group also publishes long-form blogs on pertinent issues. Click here to see the latest edition co-authored by Senior Policy Officer for Internet Freedom at the Dutch Ministry of Foreign Affairs Simone Halink and me. In the post, we discuss the Global Conference on Cyber Space (GCCS), the world’s largest interministerial meeting on cybersecurity, and explore how international policy debates on cybersecurity need to evolve and improve in order to meet today’s challenges. The GCCS is taking place April 16 and 17 in the Hague, and Senior Vice President for Business and Legal Affairs Denelle Dixon-Thayer and I will be there to represent Mozilla.

Read the full post here.

https://blog.mozilla.org/netpolicy/2015/04/03/promoting-international-norm-development-in-cybersecurity/

It was nine years ago today that I joined Mozilla as a senior technical writer. I was hired by Mike Shaver and Deb Richardson to help try to keep up with the pace of progress and to work on organizing and cleaning up older content as well. I actually started working the last few days of March, but my first official day (that is to say, the first day I was paid for) was April 3, 2006.

My daughter wasn’t even a year old yet then. Now she’s almost finished with the fourth grade.

We were deep into the documentation process for Firefox 2.0 back then (not to mention trying to finish bits and pieces of critical documentation for Firefox 1.5, which shipped months earlier). It shipped a few months after my joining the company, and was the first release we generally felt was completely documented (for a slightly flexible definition of “completely”).

A lot has changed over those nine years. Back then, Deb and I were the entire writing staff; we had some contributors but not nearly enough. Then Deb moved onward and upward into other awesome things and it was just me for a while. But eventually we started hiring more writers, thankfully, and we wound up with the kick-ass staff we have today. And as we built up our staff, we learned more about community building, and our community of volunteer writers and contributors has grown at an ever-increasing rate.

This is far and away the longest I’ve spent at any job. It’s a great deal of fun, even when I’m stressing out over all the stuff I wish I had time to write about but don’t. Making the world a better place to be a Web developer is a rewarding career path, and I’m glad Dave Miller steered me into the Mozilla community.

http://www.bitstampede.com/2015/04/03/nine-years-of-documenting-the-open-web/

The next major release of Thunderbird, version 38, is now in beta and available for testing. You may download Thunderbird 38.0b1 here.

This version of Thunderbird is the first that is mostly managed by volunteer community members rather than by Mozilla staff. We have many new features, including:

• Message filtering when a message is sent or archived
• File-per-message local storage available for new accounts (maildir)
• Contact search over multiple address books
• Internationalized domain names for RSS feeds
• Allow expanded columns to the folder pane for folder size and counts

Release notes are available here.

There are still a couple of features missing from this beta that we hope to ship in the final version of Thunderbird 38. Those are:

• Ship Lightning calendar addon with Thunderbird with an opt-out dialog
• Use OAUTH authentication with Gmail IMAP accounts

https://blog.mozilla.org/thunderbird/2015/04/thunderbird-38-goes-to-beta/

In this episode, I again started with some code review. I reviewed this patch for this bug by fellow Firefox hacker Gijs, and refreshed my memory on var hoisting. I’ve been using let for so long that it was really, really weird to see how var worked.

After that, I quickly gave an update on my plugin crash UI bug I had been working on the last episode – the patches are up, and are currently undergoing review, so there wasn’t much to do there.

Next, I started on a brand new bug¹, explained the bug², and then laid out my plan for attacking it.

Specifically, I’m going to try an experiment: I will only be working on that bug during Joy of Coding sessions. That way, there is continuity from video to video, and you won’t miss any of the development that goes on between episodes.

We sliced off a chunk to get done, and hit some minor roadblocks (as expected). The View Source code is old and crufty, and I have to do my best to make sure I don’t break any of the other applications that depend on it (like Thunderbird and SeaMonkey).

So that was the name of the game – looking to see how other applications use View Source, and trying to come up with a plan for making sure we don’t break them, while at the same time refactoring View Source to be easier to code against (and work with a frame script and messages).

It was a long slog³, but we got to a good point by the end. Let’s see how far we get next week!

Episode Agenda

References

Bug 1148807 – Method moveToAlertPosition in dialog.xml should check if opener is not null

Bug 1110887 – With e10s, plugin crash submit UI is broken – Notes

Bug 1025146 – [e10s] Never load the source off of the network when viewing source – Notes

1. I say brand new, except that, as I explain in the video, I had already attacked this bug early on in my e10s work, and had only recently come back to it. 

http://mikeconley.ca/blog/2015/04/02/the-joy-of-coding-ep-8-view-source-hacking/

http://featherweightmusings.blogspot.com/2015/04/graphs-in-rust.html

A roundup of links on tracking, advertising and security. These are not complete or even representative, but may be useful to somebody.

Attitudes towards tracking and surveillance

• 91% of adults in the survey “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies (http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/)
• 64% believe the government should do more to regulate advertisers, compared with 34% who think the government should not get more involved (ibid)
• 40% of teen social media users say they are “very” or “somewhat” concerned that some of the information they share on social networking sites might be accessed by third parties like advertisers or businesses without their knowledge (http://www.pewinternet.org/2013/05/21/teens-social-media-and-privacy/)
• 81% of parents report being “very” or “somewhat” concerned about how much information advertisers can learn about their child’s online behavior (ibid)
• 17% of the adults who have heard about the government surveillance programs say they have changed their privacy settings on social media in an effort to hide their information from the government (http://www.pewinternet.org/2015/03/16/how-people-are-changing-their-own-behavior/)
• Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising (https://www.andrew.cmu.edu/user/pgl/soups2012.pdf)

http://monica-at-mozilla.blogspot.com/2015/04/some-links-about-tracking-and-security.html

In the past three weeks, we merged 170 pull requests.

Servo has another browser chrome! Say hello to servo-shell, an interface written with HTML, leveraging the mozbrowser API.

Try it out! At the most recent meeting, we discussed making this the default UI for ./mach run.

html5ever celebrated its first birthday! Keegan published a project update with some plans for the future. h5e’s newest sibling is tendril, a multitalented string type!

If your favorite website looks wrong in Servo, you can help us figure out why! Glenn wrote up a detailed guide on getting started working on Servo’s layout code, with some useful tips for minimizing test cases. We are also working on automatic minimization via “abstract reftests”.

Notable additions

• We landed a Rust upgrade
• Glenn implemented a subset of the mozbrowser APIs and used these to make servo-shell work. This required a ton of iframe fixes.
• Patrick implemented CSS transitions
• Keegan pushed a rebased, remixed version of Clark’s zero-copy html5ever patch. With this PR, html5ever can locate tags and attributes in an input stream at 80 MB/s while keeping whole-process memory consumption to a few MB.
• Nicholas added support for fine-grained memory reporting, along with a tree-like prettified output
• Chris Paris landed innerHTML getter and setter implementations that use html5ever.
• M'aty'as added stroke and arc() support to canvas, along with many other APIs
• Diego implemented the drawImage API for canvas
• Matt McCoy added support for HTTP compression
• Yodalee implemented TextEncoder
• Sebastian implemented StorageEvent
• Zack added a shim for localStorage
• Ms2ger implemented a safer replacement for Vec>
• Manishearth added support for simple userscripts
• Jack fixed a memory leak in the flowtree
• hsavala made console.log messages appear in remote Firefox consoles
• Tetsuharu added support for unrestricted floating point WebIDL values
• Thiago implemented partial support for interacting with worker globals via remote devtools

New contributors

• Brandon DeRosier
• Chris Double
• Connor Jennings
• Daniel Le
• Edward Cho
• Eric Hegnes
• Falco Hirschenberger
• Himaja
• Kyle Cesare
• Martin Schr"oder
• Md. Enzam Hossain
• Mikko Vanhatalo
• Ryan Leavengood
• Sebastian N. Fernandez
• Tim Cuthbertson

Screenshots

A visualization of parallel layout on servo-shell + /r/rust:

The colored boxes indicate which CPU core performed layout for each document node. The box around the active tab spinner is askew, because the spinner is a still image styled with transform: rotate(...).

Meetings

We had meetings on March 16th and March 30th. We discussed servo-shell, getting the PR queue under control, and restricting non-standard APIs like . We also talked about the status of Servo on Android; there are now “nightly” APK builds but they don’t work yet.

We’ve had a lot of discussions recently about the project’s goals and plans for Q2. After months of landing new features at an incredible rate, Q2 is going to focus more on details: performance improvements, fixing compatibility bugs, and paying down technical debt. We’d like to find websites / create demos that showcase Servo’s advantages in a way that’s relevant to users.

We’re also going to work on security. This means finding and fixing issues, but also documenting what we don’t fix yet. Josh is going to upgrade our ancient version of SpiderMonkey, which is important for security and for the future of Servo in general.

http://blog.servo.org/2015/04/02/twis-29/

The Participation Forum

https://air.mozilla.org/participation-at-mozilla/

Welcome to the Mozilla Science Lab (MSL) weekly Training blog.  This is the first in a series to highlight what we’re working on and where we could use your help in our ongoing training initiatives.

At the Mozilla Science Lab we focus on deepening open practice in science through community building, training and code by:

• Creating and testing infrastructure for collaborative learning in science
• Developing training and resources to help researchers work in the open
• Empowering the next generation of open science leaders

We partner with the Software Carpentry Foundation (SCF), a non-profit membership organization devoted to improving basic computing skills among researchers in STEM and other disciplines, to help coordinate and support skills training for open science.

Here’s a snapshot of events we’re supporting over the coming months, a look back at where we’ve been, as well as places for you to get involved.

Where we’ve been this year so far:

Over the first three months of 2015 the Science Lab has helped organize over 20 Software Carpentry workshops in North America.

• Two Women in Science and Engineering workshops in January
  • University of Michigan – Ann Arbor, MI
  • University of Colorado Boulder – Boulder, CO
• Workshops teaching Python at …
  • National Bureau of Economic Research – Cambridge, MA
  • Earlham College – Richmond, IN
  • University of Illinois – Urbana, IL
  • University at Albany – Albany, NY
• Workshops teaching R at …
  • University of Nebraska-Lincoln – Lincoln, NE
  • National Institutes of Health Library – Bethesda, MD
  • St. Joseph’s Hospital and Medical Center – Phoenix, AZ
  • Tulane School of Medicine – New Orleans, LA

Upcoming Workshops:

• Weill Cornell Medical College (http://weill.cornell.edu/) – New York, NY – April 01-02
  • Instructors:  Daniel Chen @chendaniely, Ivan Gonzalez @iglpdc, Sheldon McKay
  • @mckays630, Jennifer Shelton
• University of Miami (http://www.miami.edu/) – Coral Gables, FL – April 02-03
  • Instructors:  Matthew Collins, Xu Fei, Ming Tang, Ashwin Srinath
• Arizona State University (http://www.asu.edu/) – Tempe, AZ – April 18-19
  • http://rachelss.github.io/2015-04-18-ASU/ -
  • Instructors:  Gabriel Devenyi @staticwave_ace, Rachel Schwartz https://www.linkedin.com/pub/rachel-schwartz/3b/156/4aa
• University of Texas-Arlington (http://www.uta.edu/uta/) – Arlington, TX – April 18-19
  • Instructors:  Naupaka Zimmerman @naupakaz, Nichole Bennett , Rayna Harris @raynamharris, Kate Hertweck

Many of these workshops have instructors that are teaching the Software Carpentry curriculum for the first time and we wish them all the best. Want to learn how you can get involved? Get in touch – we’d be happy to help get you started.

In the works:

Looking to get involved? Here are a few workshops that could still use instructors.

• Oklahoma State University – Stillwater, OK
• Federal Reserve Board – Washington, DC

Want to start planning a workshop or have any questions? Drop us a line. We’re happy to help.

http://mozillascience.org/mozilla-science-lab-weekly-training-blog/

We are pleased to announce that Firefox OS has expanded to South Africa, in partnership with MTN. Mozilla’s web-based operating system is now available through MTN on the ALCATEL ONETOUCH FIRE E device.

“We built Firefox OS as part of Mozilla’s mission to put the power of the Web in people’s hands”, Li Gong, President of Mozilla, says. “We are excited to see MTN launching the first Firefox OS devices in South Africa, enabling millions more people to access the mobile Web at an affordable cost.”

South Africa is the first market in the African region where Firefox OS devices become available. As of today, Firefox OS has launched with local partners in 32 markets on five continents. Additional African market launches are anticipated this year, as announced at MWC.

For more information:

• Firefox OS online press kit for Africa

https://blog.mozilla.org/blog/2015/04/02/firefox-os-arrives-in-south-africa/

Despu'es de alg'un tiempo sin publicar algo debido a mi tesis, hoy les traigo la versi'on 3.0 de cuentaFox con nuevo dise~no actual y mejoras en la gesti'on de las contrase~nas desarrollada por Yaicel Torres Garc'es y este servidor. A continuaci'on les muestro sus novedades:

Nueva interfaz

Al principio se realizaron varios dise~nos que fueron publicados en el sitio de desarrolladores hasta llegar a la actual. Para confeccionarla se utiliz'o Material Desing, un nueva concepto de dise~no que est'a de moda en estos d'ias.

La forma de mostrar cuanto ha consumido un usuario ahora se muestra diferente pues se elimina el widget (no recomendado) y en su lugar se a~nade un bot'on con la cantidad de megas que restan por consumir en diferentes colores atendiendo al por ciento que representa del total.

Para ver m'as datos relacionados con la cuota, al dar clic en Actualizar, se pasa a una interfaz donde se pueden observar la cantidad de megas consumidos, el total de la cuota, una barra de progreso y un bot'on Cerrar para ir al inicio y chequear el estado de otra cuenta.

Para facilitar la configuraci'on del complemento al usuario, ahora pueden encontrar estas opciones al dar clic en el Men'u. All'i podr'an:

• Elegir la cantidad de minutos para buscar actualizaciones (m'inimo: 1, m'aximo: 60),
• Mostrar o no las alertas de consumo,
• habilitar o desactivar las actualizaciones (muy 'util cuando estamos sin red y no queremos ver los mensajes de error)
• Cambiar el color de algunos elementos de la interfaz.
• Mostrar en el bot'on del complemento los megas que han gastado y no los restantes.

Al dar clic para cambiar el color, Firefox mostrar'a una paleta de colores donde puedes elegir tu preferido y estar m'as a gusto. A continuaci'on pueden ver como luce cuentaFox con otras tonalidades.

Mayor seguridad

Para mejorar la seguridad ahora se utiliza el administrador de contrase~nas de Firefox para almacenar las claves y no estar a merced de un archivo en texto plano. Esto permite tener m'as de un usuario guardado y nos brinda la posibilidad de auto-completar contrase~nas si lo deseamos, solo basta con marcar la casilla Recordar. Si no queremos que la contrase~na se salve, pues desmarcamos esa opci'on y se borrar'an todos los datos relacionados con cuentaFox en Firefox.

Al iniciar Firefox, si existen contrase~nas almacenadas, se toma la 'ultima cuenta usada y autom'aticamente se obtiene el estado de la misma. Todas estas acciones se realizan despu'es de 10 segundos para mejorar el rendimiento e inicio del navegador.

El certificado de seguridad

Anteriormente no se contaba con un mecanismo para comprobar si el usuario hab'ia a~nadido o no el certificado de seguridad y en muchas ocasiones el complemento no funcionaba y tampoco lo alertaba. Ahora en cada llamada para actualizar la cuota, se comprueba y en caso negativo, una nueva pesta~na se abre (https://firefoxmania.uci.cu) y se emite una alerta.

Para no cargar de peticiones el servidor y no registrar visitas “falsas” se guarda en el navegador el estado del certificado y se llama en 2 horas posteriores para chequear el estado. Quiz'as m'as adelante se aumente esta cifra.

Futuro

Emplear el administrador de contrase~nas de Firefox brinda muchas oportunidades y queremos explotarlas al mostrar el estado de las cuotas almacenadas en una misma interfaz y llevar un mejor control de todas.

Tambi'en la imagen que se muestra encima de nuestro usuario podr'ia se reemplazada por una local o la foto del directorio.

Colabora

Si tienes alguna idea que aportar para a~nadir o te gustar'ia a~nadir c'odigo, puedes hacerlo en GitLab. En la plataforma de colaboraci'on podr'as abrir nuevos Issues y clonar el proyecto.

Instalar cuentaFox

Esto ha sido todo por el momento. Espero que les guste esta nueva versi'on.

http://firefoxmania.uci.cu/disponible-cuentafox-3-0-con-nueva-interfaz-y-mayor-seguridad/

Mozilla hosts Kids Vision Bay Area Mentor Series

https://air.mozilla.org/kids-vision-mentorship-series-20150401/

This is the meeting where all the Mozilla quality teams meet, swap ideas, exchange notes on what is upcoming, and strategize around community building and...

https://air.mozilla.org/quality-team-qa-public-meeting-3/

Duration: 10 minutes This is a weekly status meeting, every Wednesday, that helps coordinate the shipping of our products (across 4 release channels) in order...

https://air.mozilla.org/product-coordination-meeting-2/

The Film Code Rush follows the people of Netscape Communications during an intense period in 1998, when it was all but certain that Microsoft had...

https://air.mozilla.org/code-rush/

Watch mconley livehack on Firefox Desktop bugs!

https://air.mozilla.org/the-joy-of-coding-mconley-livehacks-on-firefox-episode-8/

in order to fix a needinfo clearing issue with the new ui, the following changes have been pushed to bugzilla.mozilla.org:

• [1149440] “Can’t call method “assigned_to” without a package or object reference” error updating bug when “After changing a bug” is set to “Show next bug in my list”
• [1147292] automatic CC when commenting isn’t implemented
• [1146777] use lightbox for images
• [1149881] unable to + a bug-level flag which was set by another user
• [1150002] updating a bug clears the requestee of needinfo requests

discuss these changes on mozilla.tools.bmo.

https://globau.wordpress.com/2015/04/01/happy-bmo-push-day-134/

As I said, I abhor repetition, so I added a new nifty feature to the install-to-adb module I made.

Now it also has a command line tool, and you can push and launch apps from the command line without even having to write a custom script that uses the module (of course, you can still use the module code by requiring it).

In the video above, I’m using the tool to install the browser example from Justin D’Archangelo’s DNS-SD project — a pure JavaScript implementation of mDNS for Firefox OS. This way I don’t need to open WebIDE and install the app separately on each device. Instead I point the tool to the path of the app, and also tell it to launch it when it’s installed

Since I’m running the tool in the same directory as the app is, I don’t even need to specify its full path, I can just use a dot, which in UNIX based systems means “the current path”:

Being pragmatically lazy like this is amazing!

This is also the first time I write a command line tool with node so if there are weirdnesses feel free to file an issue, or (even better) tell me how to fix them.

I published the module on npm too. So if you need to install lots of apps to devices regularly it might be worth to install it globally (wowowow):

Source code: https://github.com/sole/install-to-adb

http://soledadpenades.com/2015/04/01/install-to-adb-with-command-line-tool/

gdb's reverse execution interface interacts with signals in counter-intuitive ways. If you're using rr and gdb reverse execution to debug situations involving signals, e.g. a SIGSEGV, read on...

Consider the following program test.c:

int main(int argc, char **argv) {
  __asm__ __volatile__("jmp 0x42");
}

We can debug this with rr as follows:

[roc@eternity test]$ rr ./test
rr: Saving the execution of `/home/roc/tmp/test' to trace directory `/home/roc/.rr/test-6'.
[rr.170] Warning: task 14677 (process 14677) dying from fatal signal SIGSEGV.
[roc@eternity test]$ rr replay
GNU gdb (GDB) 7.9
...
0x00002aaaaaaaf6f6 in _dl_start () from /lib64/ld-linux-x86-64.so.2
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000042 in ?? ()
(gdb) where
#0  0x0000000000000042 in ?? ()
#1  0x0000000000000000 in ?? ()

At this point you get that awful sinking feeling... But wait!

(gdb) reverse-stepi
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000042 in ?? ()
(gdb) reverse-stepi
main (argc=1, argv=0x7fffffffdf38) at /home/roc/tmp/test.c:28
28   __asm__ __volatile__("jmp 0x42");

Hurrah!

The obvious questions are: why did we have to reverse-stepi twice to get back to the jmp, and why did the first reverse-stepi trigger SIGSEGV again?

If you singlestep forwards through the program using gdb normally, starting at the jmp instruction, you actually see two separate events:

(gdb) run
Starting program: /home/roc/tmp/test 
Breakpoint 1, main (argc=1, argv=0x7fffffffdfd8) at /home/roc/tmp/test.c:28
28   __asm__ __volatile__("jmp 0x42");
(gdb) stepi
0x0000000000000042 in ?? ()
(gdb) stepi
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000042 in ?? ()

It feels a little weird, though it makes some amount of sense. It's even weirder when you reverse-singlestep through the execution of a signal handler, but it still all makes sense. I've been pleasantly surprised by gdb's robustness at handling that sort of thing. I've been unpleasantly unsurprised by the number of rr bugs I've had to iron out to make this work properly at scale for Gecko debugging!

http://robert.ocallahan.org/2015/04/reverse-execution-and-signals.html

I’m doing some research and playing with this new-ish API which is available in Firefox OS on rooted phones with Certified apps etc etc. Guillaume wrote a post on the Hacks blog–read it if you’re interested in what can be accomplished.

The very first thing you need to do is to enable Wi-Fi direct on the device. This involves running some commands as root, via adb. Justin made a gist which worked with Flame phones, but it didn’t work with a Nexus 4, because of the way the /system partition is mounted on those phones.

A (more?) fail-proof way should be this:

this will add a line to the /system/build.prop file and reboot the device.

Once it’s rebooted, the result of navigator.mozWifiP2pManager.enabled should be true, which is GOOD NEWS!

Remember that you need to run that code in

1. a certified app
2. request the wifi-manage permission in the manifest

So essentially your manifest.webapp MUST contain the following fields in addition to the rest of fields you usually have:

http://soledadpenades.com/2015/04/01/enabling-wi-fi-direct-on-your-rooted-firefox-os-device/