Linus Torvalds Calls Intel Patches 'Complete and Utter Garbage'

Found on Slashdot on Monday, 22 January 2018

Linus calls it "very much part of the whole 'this is complete garbage' issue. The whole IBRS_ALL feature to me very clearly says 'Intel is not serious about this, we'll have an ugly hack that will be so expensive that we don't want to enable it by default, because that would look bad in benchmarks'."

"The whole point of having cpuid and flags from the microarchitecture is that we can use those to make decisions. But since we already know that the IBRS overhead is huge on existing hardware, all those hardware capability bits are just complete and utter garbage. Nobody sane will use them, since the cost is too damn high."

Luckily Linus does not simply buy everything Intel's PR department releases. He would not make a good diplomat, but at least he knows what he is talking about.

Mozilla Tests Firefox "Tab Warming"

Found on Bleeping Computer on Monday, 15 January 2018

According to a description of the feature, Tab Warming will watch the user's mouse cursor and start "painting" content inside a tab whenever the user hovers his mouse over one.

Firefox will do this on the assumption the user wants to click and switch to view that tab and will want to keep a pre-rendered tab on hand if this occurs.

"For many cases, I don’t actually think tab warming will be very noticeable," Conley said. "In my experience, we’re able to render and upload the layers for most sites quickly enough for the difference to be negligible."

As the expert said, the gain is measured in milliseconds, but in some cases this will prevent users from viewing a blank or incompletely rendered page when switching tabs.

So Mozilla has decided to bloat its already vanishing browser with another useless feature that even they don't consider noticeable. Great way to put another nail into the coffin of a once promising browser.

The Brutal Lifecycle of JavaScript Frameworks

Found on Stackoverflow on Sunday, 14 January 2018

JavaScript UI frameworks and libraries work in cycles. Every six months or so, a new one pops up, claiming that it has revolutionized UI development.

There was a time when jQuery was the darling of JavaScript tags on Stack Overflow, accounting for almost 8% of new questions. This picture quickly changed as AngularJS and later React were released, cannibalizing jQuery’s mindshare amongst the community. Then starting around 2016, there is a quick shift from AngularJS to Angular, which represents the subsequent versions (Angular 2+), as developers began to migrate to the latest and greatest flavors of the popular framework from Google.

So you develop your new shiny project with the latest hyped framework, only to get stuck next year when everybody has moved on and (if you are really unlucky) the framework you picked has dropped dead. That means you have to spend extra time migrating to the now latest framework, which usually leaves a lot of cruft behind. Rinse and repeat every year, and your code turns into a nightmare. The JavaScript scene seems to be exceptionally good at taking the wrongest turns.

Incident report: npm, Inc. operations incident of January 6, 2018

Found on The npm Blog on Saturday, 13 January 2018

On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users’ installations.

However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages.

Seriously, relying on npm is the worst you can do. You open your software, and all the systems it gets installed on, to extra attack vectors. Developing software does not mean that you copy and paste libraries from others together, along with some lines of glue which you picked up on some random forum; and if you need to include stupid deps like left-pad, you should be fired right on the spot. If you still think the npm idea is not that bad, this guy should help you understand how bad npm is.

Skype finally getting end-to-end encryption

Found on Ars Technica on Thursday, 11 January 2018

The newest Skype preview now supports the Signal protocol: the end-to-end encrypted protocol already used by WhatsApp, Facebook Messenger, Google Allo, and, of course, Signal. Skype Private Conversations will support text, audio calls, and file transfers, with end-to-end encryption that Microsoft, Signal, and, it's believed, law enforcement agencies cannot eavesdrop on.

While that is basically a step in the right direction, the use of Signal is questionable. Yes, it is (A)GPL licensed, but Moxie Marlinspike does not allow third parties to join their network, thus blocking development of alternative clients and servers. Furthermore, you have to tie your account to your phone number, which should never be a requirement for anybody who wants privacy. So you just move from one walled garden into another.

Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers

Found on Bleeping Computer on Wednesday, 10 January 2018

The issues were reported by a large number of users on the Ubuntu forums, Ubuntu's Launchpad bug tracker, and a Reddit thread. Only Ubuntu users running the Xenial 16.04 series appear to be affected.

A Canonical spokesperson was not available for comment on the issue, but two new Ubuntu 16.04 updates with Linux kernel image 4.4.0-109 were released two hours before this article's publication.

Does nobody even bother to test patches anymore? They hurry so much to release an update that the entire testing and quality checking process is skipped.

Why is Firefox Quantum so fast? Mozilla reveals a tweak that turbo-charged its browser

Found on ZDNet on Saturday, 23 December 2017

The technique was developed by Mozilla engineer Honza Bambas, who calls it "tailing". It works by delaying scripts from tracking domains when a page is actively loading and rendering.

Page load performance is improved by saving on network bandwidth and computing resources while loading a page, in a way that prioritizes site requests over tracking requests.

Geez, why not just drop all connections to trackers if they are already identified? Not that it matters much, because those who already have adblockers and other privacy plugins won't even notice that "speed-tweak".

Mozilla Slipped a ‘Mr. Robot’-Promo Plugin into Firefox and Users Are Pissed [Updated]

Found on Gizmodo on Saturday, 16 December 2017

It was automatically added to Firefox users’ browsers this week with no explanation except the cryptic message, “MY REALITY IS JUST DIFFERENT THAN YOURS,” prompting users to worry on Reddit that they’d been hit with spyware.

It is currently unclear what user-privacy considerations Mozilla management made before deciding to auto-install the Mr. Robot plugin into Firefox.

It feels like Mozilla is deliberately trying to do its best to annoy and alienate its userbase.

Apple iOS 11 security 'downgrade' decried as 'horror show'

Found on The Register on Friday, 01 December 2017

Oleg Afonin, a security researcher for password-cracking forensic IT biz Elcomsoft, in a blog post on Wednesday called iOS 11 "a horror story" due to changes the fruit-themed firm made to its mobile operating system that stripped away a stack of layered defenses.

"Once an intruder gains access to the user’s iPhone and knows (or recovers) the passcode, there is no single extra layer of protection left," Afonin explains in his post. "Everything (and I mean, everything) is now completely exposed. Local backups, the keychain, iCloud lock, Apple account password, cloud backups and photos, passwords from the iCloud Keychain, call logs, location data, browsing history, browser tabs and even the user’s original Apple ID password are quickly exposed."

Perhaps it was done because users complained and it's more convenient if you only have to remember one passcode. You get convenience, you lose security.

Wondering why your internal .dev web app has stopped working?

Found on The Register on Thursday, 30 November 2017

Rather than connecting to private stuff on an internal .dev domain to pick up where they left off, a number of engineers and sysadmins are facing an error message in their web browser complaining it is "unable to provide a secure connection."

Chrome forces connections to all domains ending in .dev (as well as .foo) to use HTTPS via an HTTP Strict Transport Security (HSTS) header. This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.

In another commit, Google renames Chrome to GTNB: Google's Nanny Telemetry Browser. Yes, security is important, but you don't mess with your users' setups. Its main use is on internal testing systems, and if you need the security of HTTPS on your intranet, then your security problems are somewhere else, and much bigger than you thought.