Posts tagged with "mozilla"


addons.mozilla.org compromised, with anecdotes

And here be the reason why I use my disposable Gmail instead of my regular mail account to register for websites!

I, along with a ton of other people, got sent this email a couple of days ago.

Dear addons.mozilla.org user,

The purpose of this email is to notify you about a possible disclosure of your information which occurred on December 17th. On this date, we were informed by a 3rd party who discovered a file with individual user records on a public portion of one of our servers.

OUCH!

We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the 3rd party, who reported this issue, the file has been downloaded by only Mozilla staff. This file was placed on this server by mistake and was a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password.

Scary stuff. I'd be interested to know who comprises "Mozilla staff" in this case, and for how long it was public.

The reason we are disclosing this event is because we have removed your existing password from the addons site and are asking you to reset it by going back to the addons site and clicking forgot password. We are also asking you to change your password on other sites in which you use the same password. Since we have effectively erased your password, you don’t need to do anything if you do not want to use your account. It is disabled until you perform the password recovery.

Done and done. Yikes.

We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.

We apologize for any inconvenience this has caused.

Chris Lyon
Director of Infrastructure Security

To their credit, at least they disclosed this issue to their users instead of sweeping it under the rug. I hope lessons have been learned, and this doesn't happen again.

Amusing anecdotes

This whole thing reminds me of a time I was doing a week's work for a relatively large IT firm that will remain anonymous, and their ticket system was validating users with plain text versions of their passwords. My first thought was "didn't people stop doing this in the 80s?" and secondly, that I was glad I didn't have an account with them.

Then there are times I've forgotten my passwords for sites, but instead of sending me an email with a reset token or the like, they send me my password, indicating they have it stored in a database. Last time that happened it was something trivial like a creaky old forum, but suffice to say I left there quicker than that strip club I was tricked into going to for my 19th birthday by my roommates at the time. Hey shaddup, I was scared.

You don't need a degree in cryptography to know you never store people's passwords! Kudos to Mozilla for not doing this too ;).
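The Mozilla file held a bare MD5 of each password, which is why a reset was the only sane response: two users with the same password get the same hash, and MD5 is fast enough that guessing from the leaked file is cheap. This added example (my code, not Mozilla's, using only the Python standard library) puts that scheme next to a salted, slow PBKDF2 verifier; the `USERS` sample is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice@example.com": "correct horse", "bob@example.com": "correct horse"}


def md5_record(password: str) -> str:
    """The weak scheme from the email: an unsalted MD5 of the password itself."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    """Store a salted, deliberately slow verifier instead of anything password-shaped.
    Record format: rounds$salt_hex$digest_hex (the salt is per record, random by default)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the verifier from the stored salt and compare in constant time."""
    rounds, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def identical_records(scheme) -> bool:
    """True when the two sample users' stored records are indistinguishable,
    i.e. a leaked file reveals who shares a password (and one guess cracks both)."""
    records = [scheme(pw) for pw in USERS.values()]
    return records[0] == records[1]
```

Even with PBKDF2 a leaked file still permits offline guessing, just far more slowly, so invalidating the affected passwords as Mozilla did remains the right call.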


4,294,967,295 new Thunderbird messages?!

Today’s Wait, What Screenshot? (hey, that rhymes) comes to us from my installation of Mozilla Thunderbird, taken around lunchtime. According to Thunderbird, it downloaded 4,294,967,295 new messages during that session. There’s a bad pun about the sound a crazy bird makes in there somewhere.

Must be all my hate mail, or all my date rejection letters.


Make Firefox look spiffier with userChrome.css

Firefox may still be the best browser to use for its security and privacy extensions, but if you have Chrome or Safari user interface envy you can use the userChrome.css file to pare down the UI to something a bit more spiffy.

The userChrome.css file

The first step is to access the chrome folder in your Firefox profile folder. If you don't know where yours is, Henrik Gemal has a great page listing the different profile folder locations for Mac, *nix and Windows.

In the chrome folder there's a userChrome-example.css file. Copy it and rename it to userChrome.css. This is the file we'll be editing in a plain text editor to tweak the Firefox UI.

Editing the file

When you open the file you'll notice a bunch of commented lines which you can change if you like, and a @namespace declaration which is mandatory. Personally, I just leave everything in the file alone and start adding my own statements at the end.

This is what I have in my file. My myopic short sightedness means I can define a smaller UI font to save space on toolbars:

/* make primary UI font more compact */
*
{
 font-size:10px !important;
}

I'm a huge fan of Safari's merged reload/stop button; it makes sense not having both because a page never needs to be reloaded and stopped simultaneously. The only caveat is the stop button must be placed before the reload button on the toolbar before trying this.

/* merge stop and reload buttons
   stop must be placed before reload to work */
#stop-button[disabled="true"],
#stop-button:not([disabled]) + #reload-button
{
 display:none !important;
}

Now it just comes down to hiding things I really don't need. It may seem silly hiding lots of little things, but they add up to lots of extra space.

/* hide (in this order):
   1. url box dropdown arrow
   2. url box / search box resize splitter
   3. star (bookmark) button
   4. go button
   5. forward-back dropdown button
   6. new tab button */
#urlbar .autocomplete-history-dropmarker,
#urlbar-search-splitter,
#star-button,
#go-button,
#back-forward-dropmarker,
.tabs-newtab-button
{
 display: none !important;
}

Finally, I never understood why the back, forward, reload and stop buttons were also placed in the page right click menu, so now I can get rid of them!

/* never saw reason for having go/stop/back buttons
   in the context (right click) menu */
#context-back,
#context-forward,
#context-reload,
#context-stop,
#context-sep-stop
{
 display: none !important;
}

The end notes and stuff

Of course this is only scratching the surface of what you can do with userChrome.css. If you browse the Mozilla documentation you'll find that pretty much every UI element has a handle you can reference in CSS and modify (or hide!).

I also flagrantly cheated in my screenshot. You can merge the URL bar and search bar like Chrome has it with the Omnibar extension. The clean look comes from Camifox, a theme that borrows elements from the really nice Camino browser of which I'm still quite fond.



Backing up Firefox bookmarks

I never knew you could do this!

  • In Firefox, click the Bookmarks menu and Organise Bookmarks...
  • In the Bookmarks Manager, click the toolbar button with a star
  • Click Export HTML... and choose a place to save the exported file

Now you have a tidy, single-file HTML backup of all your Firefox bookmarks that you can even open and click links in, and reimport on another machine!
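Before reimporting such a file on another machine it is worth knowing what is in it. The export uses the old Netscape bookmark layout: nested `<DL>` lists, an `<H3>` naming each folder and one `<A HREF=...>` per bookmark. This added example (my code, not Firefox's; the `SAMPLE` file is constructed) walks that structure with the standard library and flags entries whose URL is not plain http(s), such as bookmarklets, which are the ones to look at before re-importing.

```python
from html.parser import HTMLParser

# Constructed sample in the Netscape bookmark format Firefox exports.
SAMPLE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks Menu</H1>
<DL><p>
    <DT><H3 ADD_DATE="1262304000">Bookmarks Toolbar</H3>
    <DL><p>
        <DT><A HREF="https://example.com/" ADD_DATE="1262304000">Example</A>
        <DT><A HREF="javascript:alert(1)">Bookmarklet</A>
    </DL><p>
    <DT><A HREF="http://example.org/docs">Docs</A>
</DL><p>
"""


class BookmarkParser(HTMLParser):
    """Collect (folder path, title, href) triples; <DL> nesting gives the folder path."""

    def __init__(self):
        super().__init__()
        self.path = []          # folder names of the <DL> lists currently open
        self._pending = None    # <H3> text waiting for the <DL> that follows it
        self._capture = None    # "h3" or "a" while collecting element text
        self._text = ""
        self._href = ""
        self.bookmarks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("h3", "a"):
            self._capture, self._text = tag, ""
            if tag == "a":
                self._href = dict(attrs).get("href", "")
        elif tag == "dl":
            self.path.append(self._pending or "")   # the root <DL> has no <H3>
            self._pending = None

    def handle_data(self, data):
        if self._capture:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "h3":
            self._pending, self._capture = self._text.strip(), None
        elif tag == "a":
            folder = "/".join(p for p in self.path if p)
            self.bookmarks.append((folder, self._text.strip(), self._href))
            self._capture = None
        elif tag == "dl" and self.path:
            self.path.pop()


def parse_bookmarks(html):
    parser = BookmarkParser()
    parser.feed(html)
    parser.close()
    return parser.bookmarks


def suspicious(bookmarks):
    """Entries whose scheme is not http(s): bookmarklets and the like run code when clicked."""
    return [b for b in bookmarks if not b[2].lower().startswith(("http://", "https://"))]
```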

I've been a heavy Delicious user since 2003 (so was mum), but sometimes random links find their way into my Bookmarks toolbar. Not enough to warrant use of Mitch Kapor's FoxMarks, but it's good to know I can back them up :)


The whole Beef Taco Firefox debate

If you've been reading my blog for a while you'd know I'm a huge fan of Taco for Firefox, the Targeted Advertising Cookie Opt-out extension. Running an update yesterday I noticed there are now two different versions: the classic Taco and a new Beef Taco fork. Ugh, too many food puns.

What the heck is a taco?

One of the most perfect foods in the universe. In this context though, it's an extension that does some cool stuff:

Sets permanent opt-out cookies to stop behavioral advertising by 102 different advertising networks, including Google, Yahoo, Microsoft, all members of the Network Advertising Initiative, and many other companies.

The controversy, I think

From what I can ascertain (I hate that word, but it fits) the classic Taco extension developers decided to take their extension commercial and add a lot more features with the 3.x series. The 2.x series which was F/OSS licenced has been forked as Beef Taco for those who find the new terms unacceptable.

I thought the new developer of BEEF TACO was quite the gentleman and civil about the whole thing:

Also, please do not be too harsh on Abine in the reviews. They are trying to start a commercial company and made some (IMHO) bad decisions. That doesn't mean they are malicious or evil, TACO 3.0 is actually a decent product when you take time to understand it. You can read more of my feelings on this here: http://www.velvetcache.org/2010/06/17/forking-taco-2-0

In the meantime, let's keep this a positive, happy place, shall we :-)

Fair enough :).

Features are often scary

Personally I'll be sticking with Beef Taco now, not because of the licencing issue (which I'm fairly indifferent to, that's why I use ZFS on FreeBSD!) but because I'm generally a feature-phobe. In general I feel more features degrade the usability of existing ones, introduce bloat, slow software down and most critically introduce new vectors for exploits. For something as relatively simple as an extension that just sets cookies to opt me out of targeted advertising, I prefer keeping things simple.

As far as I can tell, the old Taco and Beef Taco don't even have a UI, they just work in the background doing their thing like a studious worker who... eats tacos.

And now if you'd excuse me, I'm off to pack more boxes. I took a break from packing and cleaning to talk about a browser extension I love. Is there a sign of something there?



Netscape icon swap nostalgia

I've decided to replace all the icons for my Mozilla browser installs with the icon from Netscape Navigator in a fit of nostalgia. Technically, it's not completely a falsehood, kinda.

If you want to as well:

  1. Download this icon: firefox.icns
  2. Right click your browser and Show Package Contents
  3. Go to ./Contents/Resources
  4. Replace firefox.icon with the downloaded icon

You might need to remove your browser from the dock and add it again for the changes to show.

First browser I ever used was Netscape Navigator Gold two point something, in primary school year five. Lots of numbers in that sentence.


Using Firefox, no Namoroka, no Lorentz

Namoroka, Lorentz and all that (icon from the Tango Desktop Project)

Mozilla's naming conventions have almost started to confuse me as much as Intel and Ubuntu. Looking for the developer builds of Firefox this morning I had the option to get Namoroka which I expected, but also Lorentz which shared the same 3.6.3 version number.

I think I have this right, feel free to correct me! As far as I know, Mozilla slipstreams certain new features they're testing into separate builds before they incorporate them into Firefox. Aside from those new features they're testing, the rest of the browser is identical, which means they can test real world performance and stability instead of just using them in a beta. I think it's pretty clever.

Okay Ruben, get to the friggen point already

The point of Lorentz is to test the ability of the browser to gracefully handle plugin crashes without the rest of the browser falling on its electronic feet. When a plugin crashes or otherwise starts spiraling out of control, it is suspended and the user presented with an option to restart just that plugin instead of the entire browser. It looks really cool.

I proactively block all Flash with NoScript and the only Java I use is on my internet banking site, so perhaps such new features are fairly redundant for me. Still I'm using it as my primary browser now to check it out. After all, if a malicious user can predictably crash a plugin, it's the first step to exploitation.
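The Lorentz idea in miniature: run the plugin in a process of its own, notice when that process dies from a signal rather than exiting normally, and restart it a bounded number of times while the host carries on. This added example (my code, not Mozilla's; the two "plugins" are constructed Python one-liners standing in for native plugin code, and SIGABRT stands in for the memory-corruption crash the post has in mind) does that with the standard library.

```python
import signal
import subprocess
import sys


def run_plugin(code):
    """Run 'plugin' code in its own process so the caller survives whatever it does.
    Returns (ok, detail): detail is the exit code, or the signal name if it crashed."""
    proc = subprocess.run([sys.executable, "-c", code], capture_output=True, timeout=30)
    if proc.returncode < 0:                       # negative on POSIX: killed by a signal
        return False, signal.Signals(-proc.returncode).name
    return proc.returncode == 0, proc.returncode


def supervise(code, max_restarts=2):
    """Lorentz-style supervision: restart a crashed plugin, but not forever.
    A plugin that crashes predictably is a symptom worth reporting, not hiding,
    so the history of outcomes is returned for logging."""
    history = []
    for _ in range(max_restarts + 1):
        ok, detail = run_plugin(code)
        history.append(detail)
        if ok:
            break
    return history


# Constructed stand-ins: one plugin that behaves, one that aborts with SIGABRT.
GOOD_PLUGIN = "print('plugin ran')"
CRASHING_PLUGIN = "import os; os.abort()"

if __name__ == "__main__":
    print("good plugin:", supervise(GOOD_PLUGIN))
    print("crashing plugin:", supervise(CRASHING_PLUGIN, max_restarts=1))
```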

Mozilla has builds you can download for Linux, Mac and ReactOS compatible systems, and as usual Latko has some excellent Intel optimised builds for Mac if you want to check it out.


A Tree Style Tab post, now with free trivia

Tree Style Tab update screen

For those of you as addicted to Tree Style Tab for Firefox as I am, there's been a flurry of updates over the last week that address some appearance and functionality bugs as well as improved compatibility with other extensions. Get it!

If only my brain were so easily updated

As of this evening I'm up to the conveniently named 2010.04.02 version and it works great. Curiously I had the Christmas 2009 version of it for months before Firefox told me there was an update, despite the fact there were several intermediary versions and other extensions have been automatically updated dozens of times since then.

Anyway, I used to say NoScript was the only reason I stuck with Firefox, but having all my tabs neatly stacked on the side instead of cramming them all under the address bar makes them so much easier to read and navigate. As far as I know Opera is the only other browser that allows you to put tabs on the side, which is weird given I'd think you'd really need it if you're a browser power user.

The screenshot below that I took for this post back in 2009 should give you a pretty good idea as to why I need such an extension!

I'm hungry :)

Some trivia

Wikipedia articles that have trivia sections tend to have template boilerplate stating their existence is discouraged, so I've decided to actively put trivia sections in more of my blog posts from now on.

If you abbreviate "Tree Style Tab", you get TST, which sounds an awful lot like a South Park episode with a dog whisperer, as well as being an acronym for Transition state theory which I learned in high school, and the code for a Hong Kong MTR station. True story.


What are your favourite browser plugins?

Macslocum over at O'Reilly Answers is asking people to submit their favourite browser plugins and extensions. No prizes for guessing which one I chose!

First Macslocum's recommendations:

Firebug (Firefox) -- I can't believe this thing is free. It's hands-down the best HTML/CSS testing tool I've ever used. It's also incredibly handy when I can't remember my own CSS naming conventions.

ClickToFlash (Safari) -- This automatically disables any Flash-based elements. But unlike strict ad blockers, ClickToFlash gives you the option of activating Flash on a piece-by-piece basis. So if you want to watch a movie on a web page but you don't want to see the Flash ads, just click the movie element and that Flash-based part of the page will load.

How about you? Which plugins/extensions do you use?

For what it's worth, I also highly recommend ClickToFlash to all my Mac friends using Safari; it improves performance and reliability so much that it's as if you've just shoved an extra few gigs of memory into your system for free.

My predictable answer

Without a doubt it'd have to be NoScript for Firefox. The fact no other browser has such simple blocking and whitelisting for dynamic content and Javascript ensures I won't be switching browsers anytime soon.

Frankly, given all the thousands of exploits using Javascript as a vector I'm surprised (and somewhat dismayed) it's such an unusual extension.

[For some reason text fields on the O'Reilly Network always correct JavaScript as Javascript!]

As I've enumerated here many times, I can't use a browser without NoScript anymore; I feel as though I'm in a car without seat belts, a war zone without a bulletproof vest or a conference without pants when I don't have it. How people think they can be responsible internet users without such software in 2010 baffles me more than... attending a conference without pants. I suppose some people wear business skirts, just not me, surprising though that may sound. Chuck Peddle wears pants, I can tell you that much. And he invented the 6502 for heaven's sake!

If you have an O'Reilly account, go over there now and voice your opinion. Tim O'Reilly, the good O'Reilly, not the sleazy news guy ;).

Relatedness

If you haven't seen my other posts on this subject, I also talk about my other favourite Firefox plugins in these posts: More Firefox extensions and Firefox extensions. I put way too much effort into those pages! Of all the extensions, most are security related.


Probably no Firefox update security loophole...

Firefox NoScript update notification

Having only just sat at Starbucks to do some programming and cleaning out my desktop (I let far too many files accumulate) I accessed the free WiFi and launched Firefox only to see the above dialog presenting me with a NoScript update. Problem is, I'm connected to the WiFi hotspot but not to the open internet! Spooked out stuff.

In this circumstance I was presented with the above NoScript update notification when I connected to Wireless@SG but before I had entered my login credentials, so it couldn't have requested and received information from Mozilla yet. At least I hope not, for security's sake!

The only thing I can think of is Firefox pings for updates while running but doesn't download them, then if the application is relaunched it checks if any extensions have been flagged as outdated and proceeds to download them. I love the word ping.

I suppose in this way it doesn't download updates in the background which may slow a client's machine down... which is already slow from running Firefox, but instead just checks for the existence of updates. I think that's right, is it? Time to dust off my Mozillazine forum account?

Attack vector?

Picture this: say you were a malicious hacker in a public WiFi hotspot and you wanted to allow some remote code execution on some machines for your own mischievous purposes.

When a person connects to a [typical] hotspot they would connect to the WiFi network, then open their browser and use the web based login screen for the hotspot provider to authenticate. The way this works is the remote server or router equipment would automatically redirect all traffic from any specified domain to the login screen.

If you could somehow get access to the router (still too easy to do due to a combination of weak passwords and being in the open) and modify its DNS settings to point all requests to the login screen except for the URL Firefox (or Chrome, or Opera...) uses to check for updates, could you perform a man-in-the-middle attack and provide a false update flag, followed by a false update executable that could contain your code? People would launch their browsers and not realise they don't have access to Mozilla.org yet, so when they're told there's an update they'd go ahead and download it.

I don't know too much about Firefox's internals, probably updates are digitally signed in some way to prevent MITM attacks, at least I hope they are. If they just rely on the URL being well formed and expected, a DNS attack like this could get around it.
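The question of what the updater trusts is the whole game: if it trusts the URL, redirected DNS wins; if it trusts a signature made with a key the attacker does not hold, the redirection gains nothing. This added example (my code, not Firefox's) shows the check an updater should make before installing anything. It uses only the standard library, so an HMAC with a key baked into the client stands in for the public-key signature a real updater verifies (an assumption to keep the block self-contained); the manifests and payloads are constructed.

```python
import hashlib
import hmac
import json

# Constructed: the key the client trusts. A real updater ships the vendor's public key and
# the vendor signs with the private half; a shared HMAC key stands in here (assumption).
TRUSTED_KEY = b"demo-update-signing-key"


def sign_manifest(manifest, key=TRUSTED_KEY):
    """Vendor side: sign the canonical manifest, which names the payload's digest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "sig": hmac.new(key, body, "sha256").hexdigest()}


def verify_update(signed, payload, key=TRUSTED_KEY):
    """Client side: accept only if the manifest signature AND the payload digest check out.
    Where the update came from (DNS name, URL, captive portal) plays no part."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False, "manifest signature invalid"
    if hashlib.sha256(payload).hexdigest() != signed["manifest"]["sha256"]:
        return False, "payload digest mismatch"
    return True, "ok"


# Constructed sample: the genuine update and a substituted one served by an on-path host.
GENUINE = b"genuine extension bytes"
TAMPERED = b"substituted extension bytes"
GENUINE_MANIFEST = sign_manifest(
    {"name": "example-extension", "version": "1.0.1", "sha256": hashlib.sha256(GENUINE).hexdigest()}
)


def substituted_manifest():
    """A host controlling DNS can serve any manifest it likes, but lacks the signing key."""
    manifest = {"name": "example-extension", "version": "9.9.9",
                "sha256": hashlib.sha256(TAMPERED).hexdigest()}
    return sign_manifest(manifest, key=b"not-the-vendor-key")
```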


Hey wait a minute, its even easier!

*viciously bangs head on table!*

Stuff all this "accessed the WiFi before they log in" trickery, if you could break into the router and modify DNS you could do that even if they are logged in, and presumably you could do plenty of other more sinister things too.

I find talking about things like this out loud is a really fun and useful thing to do because in explaining my idea I better understand it myself. In this case, how silly my example really was!