The Null Device

Recently, the annual Pwn2Own contest took place; in it, participants try to take over a computer by exploiting security holes in a web browser, and capture the flag (in this case, a file on the computer's hard drive). This year, all the browsers but one fell; Firefox 3.6.2 (though it's not clear whether NoScript would have mitigated this), IE8 and Safari all fell; one of the hackers even pwned an (un-jailbroken) iPhone and made off with the SMS database. The one browser that remained standing: Google Chrome, not because it's bug-free, but because the sandbox mechanism makes exploiting bugs impractical:

"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox."

¶ chrome firefox iphone security 0

Why is it, you may have asked yourself, that a technological civilisation that can put men on the moon, map the human genome and create the Nintendo Wii and the iPod can't make a standards-compliant web browser that doesn't leak memory like a sieve. Well, there's some good news on the horizon: the developers of Firefox have embarked on a memory leak eradication drive:

Aaron suggested having an "about:memory" page showing a breakdown of Firefox's memory use (bug 392351). When I pointed out the bug to Brendan Eich, he excitedly assigned the bug to himself.

Robert Sayre created a script to load random pages and see whether they cause leaks. The random URLs come from the Yahoo directory (biased toward older, top-level pages), del.icio.us (biased toward newer, geeky pages), and AltaVista (biased toward pornography).

Steve England tested the top 500 web sites, finding two leaks. Later, he tested the top 20 Firefox extensions and found leaks in several of them.

Could I suggest a test of a 10 minute session of scrolling and zooming around in google maps hybrid mode as something guaranteed to to eat over 1GB of memory?

Anyway, good luck to the Mozilla developers. Speaking as one in the habit of leaving lots of windows open in a session, I hope that this will lead to a browser that doesn't chew up all of the computer's resources if used for more than a few hours.

(via /.) ¶ ajax bugs firefox open-source tech web 1

Brad Fitzpatrick, the founder of LiveJournal and architect of OpenID, has put forward his thoughts on the social graph problem — which is to say, the present state of affairs in which each social software application has its own social graph (of which user is connected to whom) which its users have to independently maintain — and how to go about aggregating these graphs into something less unwieldy:

Currently if you're a new site that needs the social graph (e.g. dopplr.com) to provide one fun & useful feature (e.g. where are your friends traveling and when?), then you face a much bigger problem then just implementing your main feature. You also have to have usernames, passwords (or hopefully you use OpenID instead), a way to invite friends, add/remove friends, and the list goes on. So generally you have to ask for email addresses too, requiring you to send out address verification emails, etc. Then lost username/password emails. etc, etc. If I had to declare the problem statement succinctly, it'd be: People are getting sick of registering and re-declaring their friends on every site., but also: Developing "Social Applications" is too much work.

Facebook's answer seems to be that the world should just all be Facebook apps. While Facebook is an amazing platform and has some amazing technology, there's a lot of hesitation in the developer / "Web 2.0" community about being slaves to Facebook, dependent on their continued goodwill, availability, future owners, not changing the rules, etc. That hesitation I think is well-founded. A centralized "owner" of the social graph is bad for the Internet.

From the user's point of view, this will allow some fairly nifty magic to happen, saving users the hassle of registering on yet another social network site and rounding up their friends:

A user should then be able to log into a social application (e.g. dopplr.com) for the first time, ideally but not necessarily with OpenID, and be presented with a dialog like: "Hey, we see from public information elsewhere that you already have 28 friends already using dopplr, shown below with rationale about why we're recommending them (what usernames they are on other sites). Which do you want to be friends with here? Or click 'select-all'."

What's happening with this proposal? so far, they have prototypes of the APIs, working on the data for 5 sites (LiveJournal and Vox are, not surprisingly, two of them), the start of a Firefox plug-in to drag MySpace, kicking and screaming, to the party, and the start of a website allowing users to register their points of presence in social networks; a limited beta is expected at some time in the future. There are apparently a lot of people from different organisations working on this, much as there were on the OpenID project, and a Google group has been set up for discussion of the details.

Note that this only covers social network (i.e., "x is a friend of y") data, and not the actual content (birthdays, photos, favourite movies/bands). There is another project named Move My Data, which aims to make the actual user data portable between accounts, though so far it seems to consist of a vague proposal.

(via /.) ¶ facebook firefox identity livejournal myspace openid semantic web social graph problem social networking social software tech web 0

Firefox crashed for me three times today. It just crashed twice in succession.

The crashes, apparently, are caused by Firefox allocating more and more memory for web pages, DHTML objects and such, never freeing any and, once memory runs out, dying horribly. Apparently our technological civilisation, which has put men on the moon and mapped the human genome, is incapable of implementing a web browser that does not leak memory like a sieve and spontaneously die from time to time.

I've heard it claimed that Mozilla/Firefox's memory leak is not a bug but a feature; the theory being that it's Nature's own caching mechanism, ensuring that the browser runs more and more efficiently (at least until it exhausts all system memory and dies, that is). Which is a nice piece of sophistry.

Anyway, for those using Firefox, there is a minor salvation in the Tab Mix Plus extension's session management facility, which saves your session and, should your browser crash, offers to restore it for you. Of course, should Firefox happen to die when reloading all the saved pages, it could be a problem, but not to worry: another feature (and definitely not a bug) is that, if that happens, Tab Mix Plus throws out some of the pages (seemingly at random) before the next attempt; thus, you eventually get to a set of pages which will reload without crashing, and all is well with the world. What would we do without such self-regulating mechanisms?

¶ firefox software tech 4

The Mozilla Foundation has posted the winners of a Firefox extension contest. Interestingly, three of the winners (Reveal, Showcase and FoXpose) are implementations of an Apple Exposé-style thumbnail view, only for browser tabs and windows.

(via Make) ¶ firefox software 0

Firefox extension of the day: NoScript, which allows you to enable JavaScript selectively only for specific trusted sites, disabling it for everyone else. Which, in the age of sneaky phishing attacks (not to mention sites which obnoxiously maximise their windows, disable the right mouse button or do similarly annoying things), it could be quite useful.

¶ firefox javascript security tech 2

Mozilla FireFox: the "We're here, we're furry, get used to it" browser? (via David Gerard's LJ)

¶ firefox furries 5