What Firefox loses while blending in

2017-10-30 09:17 by grin

"Fuck you, Mozilla."

Don't get me wrong: I understand security, I have the knowledge to see why rewriting APIs can be good, I can see why replacing a bad internal structure with a decent, state-of-the-art one is good.

There is a difference, however, between forcing the developers to change to the new set of internal functions, and therefore forcing people to replace the old add-ons with the new ones -- versus removing old function calls when new ones aren't yet written and not available, alienating add-on developers with mediocre communication and inflexibility.

It does not help that by replacing the old with the new the browser incidentally loses the flexibility of manipulation the add-ons have enjoyed, which resulted in rich functionality being available from outside developers, so the core browser was not forced to accumulate millions of interesting functions which are used by only some percent of the users but are indeed very important for those few percent.

So what is Mozilla doing right now? They are rewriting the internals to be faster and more secure. While doing it they create new internal access (API) for addons to be able to do their magical work within the browser; except they haven't recreated all of the old APIs, and recreated some (well, due to the new structure some say many) APIs with much less functionality. They started to remove the old APIs. When plugin developers complained that their old code stopped working and that it's not possible to write new code since there is no API for that, the Mozilla developers said "your problem, not mine" (well, often they simply said "fuck off" in various forms, but it's just the difference of style, really, same thing). So some developers of really important, or some really well written, plugins said "sorry, there's no happy feeling to write this stuff anymore, I'm gone". Since, you have to see, these developers wrote code for good feeling, not money. No good feeling, no code.

Let me show you an example. There was a feature in Mozilla which grouped the various tabs in tab groups, then was able to display a quick overview of tabs to pick from; it's essential when you work with large amounts of tabs. Then the core developers said "well we don't use it so you shouldn't either" and removed the feature and said "well this is Firefox, so if you need it code an addon!". And so that is exactly what happened, and the Tab Groups addon was created with the same functionality. Happiness. Then comes the new Firefox and all the APIs required for Tab Groups are either removed or changed to the extent that it's not possible to do it anymore. And the developer calls out to Mozilla to make it possible to have it rewritten. "It's not a good way to do things", says Mozilla, "we don't need that addon." Nice.

I watch the Firefox Nightly channel; this is where the latest development version can be checked and tried. Eventually Nightly becomes Beta, then Release, then ESR (Extended Support Release), which is what most everyone uses. Right now Nightly rejects 95% of the addons I have been using. It takes half a year until Nightly becomes ESR. You have 6 months to get away.

Let me just show some:


  • Tab Groups - with 570 tabs it's not possible to live without this
  • Auto unload tab - free memory used by a tab without losing its state
  • DownThemAll - download manager with brains
  • Master Password Timeout - essential security when a strong master password protects lots of not that important passwords
  • Saved password editor - what the name says, this is essential when someone uses the password db
  • PasswordMaker - create passwords with a strong master and the hash of the website address (good for some kind of use)
  • Session manager - I hate to lose browser state; Firefox by itself loses it every few restarts, session manager has never lost any.
  • YouTube video and audio downloader - obviously
  • HttpFox - tracing the web traffic to hunt bugs
  • Lazarus form recovery - do you like to lose the feedback form you typed for 35 minutes? Firefox does.
  • NoScript - clickjacking, fake forms, evil javascript; we don't need those
  • Calomel SSL validation - TLS security checker, for the security geek
  • HTTP2 / SPDY indicator - I like to know
  • Tab memory usage - Firefox can't say which tab eats memory
  • Stylish - when I want CSS to do what I want
  • UAcontrol - for some really braindead sites

And some small stuff not important even to me.

All of these are going to be trashed.

What works

  • uBlock Origin
  • uMatrix (webext)

That's… um… not a long list.

What now?

Some addon developers still hope to kick some sense into Mozilla developers and try to create tickets to have the missing APIs coded by the time the new WebExtension based addons (well, those few) trump the old ones. Some people are creating tickets to tell Mozilla about their addon usage and the loss they will experience when the shit hits the fan. Some Mozilla developers try to help.

But in general Mozilla core developers reply that "this feature needs 4th level security review so it has been delegated to committee no. 44 and it's been planned to be discussed at some future non-specific date." Which means in human language that "we do not oppose your request but we don't support it either, we put it into the TODO pile and let's hope someone picks it up; you may code an API for it and you may even use it but you should expect us to notice and remove or change it any time". (This is what's happening to most of the security related APIs.) For some features they said "we don't like this feature, so we try to remove everything related to it", which means that they don't just remove the API but they remove the whole feature (this may well happen to one of the most important things Firefox has: the integrated, secure password storage).

So I expect either they delay the release of Beta, Release and whatever (until the required APIs are discussed and designed and accepted and coded and verified, and hopefully until after addon developers have had some time to actually incorporate them into their code, which seems rather unlikely) or they release it in its current crippled form, which kills off lots of addons and alienates lots of addon developers, and people actually start looking for better alternatives.

And the inconvenient thing is that if Firefox addons can do exactly the same as Chromium addons then there's no point to pick Firefox; or at least out of 100 reasons to do it there are some 20 left.

But either way, the users are going to lose the functionality of the old addons. So it's going to be worse for them.

…except that I know these kinds of addons are only used by geeks and hackers and coders, and the average people use addons which make buttons look like yawning cats, addons which animate the background and addons which play a merry tune when the page has loaded. Those people will not notice much. They are going to write their passwords into a text file, they will click on the phishing sites' fake buttons, their memory use will be compensated by buying more RAM, and they don't give a fuck about who figures out what the bugs are and how to fix them.

It's the hard life of the intelligent minority versus the happily ignorant masses.

Secure chat on mobile and desktop

2017-01-07 10:12 by grin

Big Brother is Listening

We live in curious times.

While we have "civilisation" and "freedom" and "democracy", we also happen to have corrupted politicians, governmental secret services, industrial and business spying, and generally various violations of privacy and personal space.

When Phil Zimmermann created PGP it wasn't because he was spied on -- it was because any one of us could have been spied on and we wouldn't have been able to protect ourselves; usually it doesn't quite matter, but at the point when it started to matter it'd already be too late to start doing something about it. Prevention. Back then the Government considered a person "suspicious" if s/he encrypted the communication; when everyone encrypts their communication it wouldn't be "suspicious" anymore, and it wouldn't be possible to single out people just because they're using secure means to communicate. And by "secure" I mean secure even against the skilled criminals, including governmental ones. Today's encryption is usually "unbreakable" even for the three-letter U.S. and Russian agencies (and the similar ones with indescribable names in China).

Since then time has moved forward fast, and not only has PGP become legal but there are plethoras of programs promising secure communication, protection of one's identity, untraceability or deniability of messages, self-destructing or timing out messages and the like. This has happened due to the governmental and industrial criminals becoming more and more aggressive in their invasion of our privacy, storing and analysing personal private communication, using and abusing it for their purpose and agenda.

They often say: the terrorists use the technology, so we have to make it illegal. Obviously, since if we make it illegal the terrorists will stop using it, unlike the citizens protecting their own private life from the government?

"When privacy is outlawed only outlaws have privacy."

But that's a theoretical problem; in reality we have to protect ourselves from political and business oriented criminals in high positions, attacking our communication infrastructure wherever they can. Google has learned the hard way that even their internal traffic could be unlawfully tapped by the agencies, and they're working hard on preventing that and hoping that they're protecting faster than the government infiltrates it. Everyone has to protect themselves as well as they can since we cannot put all the trust in the companies running the stuff in faraway places. I trust best what I protect for myself.

So let us see the practice. I'll try to summarise for you some of the best and most secure, widely available communication programs for mobile phones (or at least Androids). We do not talk about the security of the devices here: that's a different and quite lengthy topic, but let's assume that at least the devices are not readily tapped. If the stakes are that high then don't use industrial devices; use self-built open-source computers with professionally crafted protection. It is not hard, but we don't need it right now - we don't want to kill JFK after all, just prevent agents from blackmailing people for whatever random reason, prevent our email and phone addresses from being spammed and analysed, prevent agents and businesses from building personality profiles of us, and the like. We're not the criminals - they are.

The programs

The good

I'll expand these below.

  • WhatsApp - public protocol
  • Signal (formerly TextSecure) - public protocol
  • Wire - open source
  • Conversations (XMPP + OMEMO / OTR) - public protocol
    • ChatSecure (discontinued)
  • Telegram secret chat
  • SIP + encryption
  • ToX (and AnTox) - public protocol

The questionable

These often encrypt the communication between you and the server of the provider, but without end-to-end encryption they can read everything you do.

  • Telegram normal / group chat
  • Hangouts / Google Talk - TLS

The bad

Apart from using insecure means of communication these programs often leak private data to their parent companies or agencies. Some of them gather completely unrelated private data on purpose.

  • Viber - insecure and known illegal transfer of private communication
  • Facebook chat - insecure
  • Facetime - pretty secure but no identity verification
  • Skype - insecure, known privacy problems
  • Snapchat - insecure and misleading

Never heard of

These show up in my searches but I have never used them; listing them in case someone's wondering.

  • Threema - non-free
  • Gliph - looks like some kind of bitcoin based business, with non-published security architecture and high claims
  • Wickr (possibly pretty good, with end-to-end encryption, and has been audited, but the protocol isn't public and the code is not open; it has a stupid idea of destroying every message after at most a week or so; and I've been told that Wickr shuts down accounts not used for half a year without warning.)
  • G-Data Secure chat - not much info, uses the Signal protocol
  • Line - Japan... not much info on implementation
  • Ricochet - runs on the Tor network, no group chat (yet) and its security isn't that great. Rather simplistic.
  • Streembit - "a network service for humans and machines"; p2p, dht, ecdsa sign, aes256 crypt

Crypto background

Let me briefly tell you about some crypto stuff to make it easier to get a feel for what the fuss is about. To those who are professionals in the crypto field I offer my sincerest apologies for oversimplifications.

Attackers and assurances

An "attack" means that someone gets to know information they have no business to know. Attackers could be anyone: governments, businesses, spammers, rogue internet providers, spooks, and even the person you're talking to. Let's see first what could go bad, and what to do about it:

| Attacker goal | Security property |
| --- | --- |
| 1. Compromise messages | Confidentiality |
| 2. Change messages | Integrity |
| 3. Inject false messages | Authenticity |
| 4. Identify as another person | Authentication of partners |
| 5. Block communication | No single point of blocking |
| 6. Learn metadata | Privacy protection |
| 7. Prove content of messages | Deniability of content |
| 8. Prove that persons communicated | Deniability of conversation |
| 9. Learn past communication after compromise | Forward secrecy |
| 10. One attack compromises all future communication | Future secrecy |

That's a lot indeed.

There is also one property which is very important to consider: being open source. OS means that the program code is published for anyone to read and to be able to verify the (security and other) claims the program authors make. Closed source often means code nobody ever looked at and never verified, so the authors can claim whatever they please without doing anything about it. Some closed source code was, however, externally audited, and if you trust the professionalism of the auditor these (claims) should be reasonably trusted.

From the security protocol viewpoint (e.g. "how good is the encryption technology a program uses") numbers 5 and 6 are not part of the problem, while in reality these are very important.

Metadata (#6) means the attacker can reveal who communicated with whom, when, how many times, how long the messages were, as well as the possible identity of the parties; in a hostile communication environment (like that between Ukrainian people vs. the Russian government) this is very sensitive (and potentially life threatening) information. Metadata protection usually means that the anonymity of the parties is ensured while there are some methods to assure #3 and #4.

Protecting from #5 is not meaningless either. While obviously there is no protection against switching off the whole internet for someone, there exists protection against shutting down one or some central servers by force. Distributed, serverless channels are just for that.

You have to see that of the programs above very few offer you protection against #5, because it means you have to be a member of a distributed network. Tox and the not very much used Bleep offer you that, in exchange for higher network traffic, since you have to be a member of a distributed network of nodes; basically you're one server of the many. To be honest, it is important that these assurances are only true if there are plenty of users using the given method, since a distributed network is only good if there are at least a few hundred well distributed users around (preferably way more). Tox does seem to have such a userbase, Bleep may not.

To protect against #6 is not convenient for you either, since to protect from #4 both parties have to verify each other's anonymous identity. It's compulsory to be sure that what you verify is true, so the verification has to happen on a channel (preferably in live conversations or phone conversation) which is strongly identifying the partner. It usually involves reading out lots of numbers. :-) Conversations, Wire, Tox, Bleep offer you such protection.

Another way of #6 (metadata protection) is that the provider is reasonably trusted not to collect metadata, usually by using open source to prove it or by having an external auditor prove it (but in that case it only stands for the audited software version and not for any other versions). Signal is probably one of these: while they collect real-world metadata (phone numbers) and store it on a central server they don't collect conversational metadata, which is fairly safe while having a simplified partner identification and partner directory. The counterexample is WhatsApp, which provides the same kind of message security and confidentiality as Signal but siphons your metadata to Facebook to sell to advertisers or else.

Most programs I suggested protect you against all other problems, which means Conversations, Wire, Tox, Bleep, Signal, Telegram secret chats, and possibly others which cannot be verified due to their closed source nature.
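The verification step described above (both partners reading the same numbers to each other over a channel that identifies them), as an added example that is not part of the original post and not the algorithm of any of the programs named here: a fingerprint is derived from both public keys, and a key swapped in transit makes the two read-outs differ. The key bytes, the domain-separation label and the function names are constructed for illustration.

```python
import hashlib
import hmac

LABEL = b"example-fingerprint-v1"  # assumed domain-separation label, not from any real protocol


def fingerprint(key_a: bytes, key_b: bytes, groups: int = 6) -> str:
    """Return the digits both partners read out; the same for (a, b) and (b, a)."""
    if not 1 <= groups <= 6:
        raise ValueError("groups must be between 1 and 6 (5 digest bytes per group)")
    first, second = sorted((key_a, key_b))
    # Length-prefix each key so different key pairs cannot produce the same input.
    material = b"".join(len(k).to_bytes(2, "big") + k for k in (first, second))
    digest = hashlib.sha256(LABEL + material).digest()
    # 5 digest bytes -> one 5-digit group; 6 groups use 30 of the 32 bytes.
    return " ".join(
        f"{int.from_bytes(digest[5 * i:5 * i + 5], 'big') % 100000:05d}"
        for i in range(groups)
    )


def read_outs_match(mine: str, theirs: str) -> bool:
    """Compare what I see with what my partner read to me, ignoring spacing."""
    a = "".join(mine.split()).encode()
    b = "".join(theirs.split()).encode()
    return hmac.compare_digest(a, b)


def simulate(intercepted: bool):
    """Key exchange over an untrusted network, then out-of-band verification."""
    # Constructed stand-ins for public keys (real ones come from the chat program).
    alice_pub = hashlib.sha256(b"constructed alice key").digest()
    bob_pub = hashlib.sha256(b"constructed bob key").digest()
    attacker_pub = hashlib.sha256(b"constructed attacker key").digest()

    # What each side received over the network as "the partner's key".
    alice_got = attacker_pub if intercepted else bob_pub
    bob_got = attacker_pub if intercepted else alice_pub

    alice_reads = fingerprint(alice_pub, alice_got)
    bob_reads = fingerprint(bob_pub, bob_got)
    return alice_reads, bob_reads, read_outs_match(alice_reads, bob_reads)


if __name__ == "__main__":
    for intercepted in (False, True):
        a, b, ok = simulate(intercepted)
        print(f"intercepted={intercepted}")
        print(f"  Alice reads: {a}")
        print(f"  Bob reads:   {b}")
        print(f"  verified:    {ok}")
```

The comparison only means something when the read-out travels over a channel the network attacker does not control, which is why the post insists on a live or phone conversation.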

I would draw the line here, and insert summary in the middle to screw up those who read only the beginning and the end of a long post:

To use full security use Tox

The others (from "questionable" to "bad") often only protect the path between the device and the central server of the provider, and you have to fully trust the provider not to, well, act like an attacker. They can do whatever they want, including faking messages and revealing all content to third parties. If you do trust the provider, your messages may be safe from 3rd party adversaries listening to your network connection.

There is an interesting group of programs which claim to have a cryptographic technology to protect you (mostly only for #1 - #3), while their very technology is questionable. Such problems were identified in Telegram, and possibly others in the "bad" bunch which I didn't check thoroughly.

(Unfinished entry)

Hungarian popular referendum about refugees and the EU

2016-10-03 08:11 by grin

From the inside of Hatelands

We are kind of over the period of more than two months of the Hungarian Fidesz government orchestrated hatred campaign, where the ruling Party have burnt more than 20 billion HUF (72.8 million USD) on all kinds of media places to tell the people what to think and vote about the referendum they have initiated. It's been already said that this was probably the most evil campaign ever in the history of Hungary since World War II, full of outright lies, violations of local (and most probably international) laws and unbelievable amounts of intervention in the life of public institutions from elementary schools to the law enforcement.

This has already been mentioned about this referendum, and it surely helps to understand the results. The average citizen gets the news from the now completely Party-controlled public media, where they have acquired, taken or forced to have released to them most of the nationwide TV channels, they force providers to put these channels in the first programmed places, if you can imagine such a thing, so they use 7 TV and at least 2 radio channels to reflect their own view and provide selected and filtered news to the ignorant masses, so it may not come as a surprise that the government dictated results came out in majority. In fact this has been known well before the actual results, there was zero doubt about that.

However international, and even national news failed to show the much more relevant points to help understand what the results really show. Let me provide you some insight.

There are many objective analyses of the referendum from non government controlled institutions, and many agree that the referendum possibly violates the national election laws (since there is no possibility to start a referendum on a topic where the National Assembly has no power), that the hate campaign of the government violated many local laws (since the government must not take sides in a referendum and the FIDESZ party [which is technically a separate legal entity but in reality spends the public funds as if they were the government] is not in the position to use public funds to do a public campaign) and that the referendum was completely pointless for many reasons, including the absence of information about what the government wants to do with the results.

These have been the reasons that many parties, NGOs and politically active and even many not really active organisations called on people not to engage in the voting process since it's illegitimate and illicit, and other entities (like the originally joke purpose Hungarian Two-tailed Dog Party, who now became the "neither of them" choice of some more informed voters) suggested that people boycott the referendum by casting deliberately invalid votes.

People have been debating these: should I stay home to boycott or should I go and cast an invalid vote? It is kind of surreal when one realises that in 2016, in Europe, it is a completely believable and natural thing that we have to calculate how to counter the voting fraud of the government; whether it is easier for Them to fake your signature and vote when you stay home or whether it's easier to use a fake vote when you have signed your presence; how you should take care to make your vote invalid in a way that they cannot "interpret" it as a valid one (since there was an official guide on how to interpret invalid votes as valid unless it's absolutely not possible to misinterpret); how the people could somehow check whether the results were reflecting reality. It did not help that most of the voting booths were validated only by people selected by the governing party.

Therefore it is very important to see how many people have actually stayed away and how many invalid votes were cast.

There are always invalid votes, that's normal. However, let me show you a comparison of the elections and referendums of the past decade:

[Graph: invalid votes as a percentage of the total]

This graph shows that we have almost ten times more invalid votes than we ever had (this is true for the older referendums as well but their available data is not easy to compare automatically). Based on some statistical data, in addition to these 6.27% invalid votes many of the absent votes have been part of the boycott, which results in 10%, or possibly closer to 20%, of the population who deliberately rejected the referendum.

When you only see that there was almost no "support for refugees" you must know that those more than 1.5 million Hungarians (possibly many more) did show their support by not being a puppet in this evil, hateful, dark comedy.

Regular Expression (regex) debugger

2016-07-01 10:50 by grin
This is highly technical, non-geeks run away, now.

Okay, no, just kidding, this is just a bookmark entry since this is so cool.

Regular expressions are part of the Zen™© of the Programming. They are patterns which are matched against a string and check whether there is a match or not, take parts of the string or similar.

Also, regexps are highly geeky because they are an absolutely unreadable mix of all kinds of punctuation. Simple regexes are easy to write and easy to understand, however there are some whose complexity requires more understanding than one can spare in an average human lifetime.

Here come the RegEx debuggers. Funny, I have used almost none so far, maybe I like to break my brain on them. Anyway, there was one which was full of "meta matches" (?:) and recursive groups (eek), and I was looking for the easy way and googled "regex debugger". Found a lot of interesting but not that useful ones, but then…


Nice. Syntax diagram of the regexp.

Your address:

2016-03-10 11:22 by grin

Where am I in the World?

Hungary - Europe (Hungary is less and less part of Europe and more and more part of the Soviet Union, China or Madlandia) - planet Earth - Sol system - Milky Way - Local group - Virgo supercluster - Laniakea supercluster - Pisces–Cetus Supercluster Complex - Perseus—Pegasus Filament(?) - Observable Universe - Universe.


