Little Pig, Little Pig! Let Me Admin! (Security Thread)

[Thad]

Clickbait garbage aside, the WaPo also published this absolutely fascinating longform article today:

Well, last week, but it's still a good article.

[Büge]

Mozilla is laying off 250 people and planning a ‘new focus’ on making money



uh oh

[Thad]

Firefox is also getting a stronger focus on user growth “through differentiated user experiences.”

You know, you might have thought of that before you spent the past decade trying to make Firefox look and feel exactly like Chrome.

[Brantly B.]

Mozilla is laying off 250 people and planning a ‘new focus’ on making money



uh oh

August 14

[Mongrel]

I am not looking forward to customizing a new browser so extensively. Sigh.

[Thad]

An Alexa bug could have exposed your voice history to hackers

I understand the appeal of Alexa. I have family who have it. Being able to say "Alexa, play Favorite Things by John Coltrane" and it does is some Star Trek shit. That's fucking cool; I won't deny it.

But Jesus Christ the idea of an Internet-connected device that listens to everything you say is viscerally horrifying to me. I can't ignore the Orwell underneath the Gernsback.

[Brantly B.]

Yeah, now count how many of those you actually have right now.

[Thad]

Yeah, now count how many of those you actually have right now.

Devices that are currently configured to listen to everything I say, all the time? None.

Devices that an attacker could reconfigure to listen to everything I say, all the time? Quite a few.

Devices that track my physical position at all times and which I keep in my pocket everywhere I go? One.

Websites I visit that track where I come from, where I go, what I do while I'm there, and probably have a reasonably accurate profile of my PII despite use of adblockers, script-blockers, privacy extensions, and VPN? All of them.

[Mongrel]

It's funny, I stopped taking my cellphone out ever since I realized I'd have to wipe it down with alcohol every time I came home.

[mharr]

On browsers: I just picked up a hand-me-down android phone and made a discovery among the third party browser options.

Remember Opera, and how it completely shit the bed after going corporate? Turns out some of the original devs span up an employee owned company around that time and are making https://vivaldi.com - I'm not a security expert but nothing about this one is setting off my bullshit filters.

[Brantly B.]

Firefox on Android drops support for all but nine extensions.

Well, that didn't take long.

[Thad]

When asked why Mozilla had stripped back the number of extensions, a company spokesperson replied: “Extensions can add powerful customization features to Firefox. However, we have noticed that the number of add-ons available for Firefox today can be overwhelming for some users. And even though our policy provides clear guidelines for the behavior of add-ons, they sometimes find it difficult to decide which tools and developers they consider most trustworthy. That's why we established the ‘recommended extensions’ program: a collection of curated extensions that meet our highest standards for security, functionality and usability, which we are now bringing to another platform with the new Firefox for Android.”

Firefox is also getting a stronger focus on user growth “through differentiated user experiences.”

You know, you might have thought of that before you spent the past decade trying to make Firefox look and feel exactly like Chrome.

It could be the usual echo-chamber stuff where people mistakenly assume that they're representative of a given product's userbase even though they're actually not, but...it kinda seems to me like the remaining Firefox userbase has a very large proportion of power users, and maybe Mozilla should start listening to them and stop taking away the customization options that are one of the major reasons they/we still use Firefox.

[Brantly B.]

Debatable on desktop, but on mobile I can't think of a single reason why you'd be opting to use Firefox other than you prefer its extension library. It sure as hell isn't for the performance or stability.

Of course, we can't assume that murdering Firefox isn't the goal, here.

[Blossom]

Functional adblock and privacy, not feeding everything you do to Google. Which, of course, goes with this.

[Brantly B.]

You're already on iOS/Android so privacy is a lie. But yes, there (was) some extra protection.

[Thad]

Debatable on desktop, but on mobile I can't think of a single reason why you'd be opting to use Firefox other than you prefer its extension library.

Functional adblock

Not without extensions.

and privacy

Firefox has better out-of-box privacy features than most browsers, but extensions help here too. If you're not using HTTPS Everywhere and Privacy Badger, you should be.

not feeding everything you do to Google.

Chromium isn't Chrome, though; there are a number of browsers available for Android that don't send any more data back to Google than Firefox does. (Firefox does default to using Google as its search engine, including for autocomplete on things you type into the location bar, but that can be changed or disabled. The same is true of most Chromium-derived browsers.)

And like Brent said, if you're using Android, the Google tracking is built into the OS at a lower level than the browser. I remember you were a Cyanogenmod user back in the day so maybe you're still using an AOSP-derived ROM without GSM, but that's orthogonal to your browser choice.

I can understand being averse to Chromium-based browsers on general principle (I am; monoculture is bad and we're already looking at a redux of the bad old days when website designers targeted a single popular browser instead of complying with standards), but on the whole the main reason Firefox for Android is a better tool for avoiding Google's tracking than Chromium-based browsers is because of its extension library.

[Brantly B.]

was

[Thad]

Hey, F-Droid hasn't prompted me to update Fennec yet.

[Thad]

Adding: I checked the list of recommended extensions (it's up to 54 now, so more than the initial 9 but still a fraction of what was previously available) and it's got uBlock Origin, Privacy Badger, HTTPS Everywhere, and NoScript. I still think this is a boneheaded move on Mozilla's part, but I also think you can make a pretty credible case that the remaining extensions are enough to provide a pretty thorough protection against tracking at the browser level (bearing in mind that that's not the same thing as protection against tracking at the OS level).

[Thad]

Recently-patched Windows exploit allows unprivileged network users to gain domain controller passwords.

If this is relevant to you then you're probably reading this at work while waiting for an after-hours security update to finish.