Domain: github.com
Stories and comments across the archive that link to github.com.
Comments · 4,419
-
What else do you need? Tab groups.
> What else do you need?
Tab groups.
Fortunately, the developer of Simplified Tab Groups says that Mozilla is working on putting back the necessary APIs, and he will update the extension when possible. (See Issue #60 - Port to WebExtensions.)
-
Re:I'll call that bluff
And I can point to 40 in the Linux kernel's USB stack alone from this month
Okay, go!
Okay, here you go.
No? How about 4? Still no? Maybe 3? How about ANY at all?
Did I not mention I curate a database of every CVE ever issued? My team looks at each and every one.
Doing a great job, if you miss ones that even The Register notices
Compared to the entire standard Red Hat installation, the number of CVEs times their CVSS severity is roughly ten times higher for Windows 8.
You'll forgive me if I don't trust your number when you seem to be unaware of recent kernel vulnerabilities and haven't published your methodology.
Oh, and it's worth noting that a number of the CVEs related to the USB stack are impossible for any certified drivers on Windows because they're required to pass a static analysis check that would catch them (Microsoft had a few hundred CVEs for similar bugs some years back when they introduced this policy).
-
Re:Yes
A lot of things can still be fixed manually via userChrome.css
See https://github.com/Aris-t2/Cus...
-
Re:It's NO GO since noscript is DOA
ad blockers for Chrome don't work the same way as on Firefox, specifically because of the API differences
Yes, Firefox's WebExtensions API extends beyond Chrome's in various ways including this one. uBlock Origin works better in Firefox 57 than possible in Chrome (gorhill is the developer of uBlock Origin). Firefox's webRequest API was extended for NoScript's use (NoScript will be released in a couple of days).
-
Re:Nope, switched to chrome
give in and switch to the path of least resistance
Which is.. to keep using Firefox? Firefox's WebExtensions API offers more than Chrome's does (see the browser comparison tables). The claims that Firefox is a "Chrome clone" are silly.
uBlock Origin works better in Firefox 57 than possible in Chrome (gorhill is the developer of uBlock Origin). Firefox's webRequest API was extended for NoScript's use (and it will use it when it gets released in a couple of days).
This reminds me of the old Emacs joke posted here. It goes Yeah I love Emacs. It's a great OS it just comes with a shitty text editor.
As a browser webkit beat it a very long time ago regardless of plugins. To me I view Firefox like RealNetworks realplayer or winamp. I heard both are better or were I should say, but who cares this is 2017 the world has moved on. I have not run it many years and neither have my coworkers. My 70 year old father is the only person I am aware of who still uses it.
I do not mean this as offensive to the remaining Firefox users. I really don't. I was once a fanboy since the days of Phoenix. I realistically do not see it mattering anymore nor ever coming back just like the legacy products listed above.
... ok Emacs is still going strong with the older IT nerd crowd and is not going away :-).
-
Re:Nope
I keep hearing this mantra about "OMG no NoScript!". Apparently people don't realize that the script blocker in uBlock Origin is *far* superior to NoScript. It was updated for the new Firefox months ago so, it's had plenty of time to brew. You can thank me later: https://github.com/gorhill/uBl...
-
Re:Pros and Cons
I've bookmarked GhostText as a potential replacement for It's All Text, though I'm still holding onto FF56 for NoScript, the Debian testing package (it landed in unstable just today), and a few security fixes (like this DOMParser cookie bug). It actually looks better in some regards. Learn more on its GitHub page.
-
Limitation of a single computer
For most parallel problems, it's possible to divide them and send each piece to different computers, rather than a different core on the same computer. For even more highly parallel problems, using GPUs to do the computation is even faster.
With 100 gig ethernet, we're starting to see networking speeds closer to bus speeds on motherboards themselves and it's cheaper, faster to scale (especially dynamically), and probably more fault tolerant (node fail? Send the job to a different node) to use more computer nodes rather than using more processors in a single computer.
Distributed computing has almost made supercomputers irrelevant -- except for people with a hole in their pocket. Folding@home is more powerful than anything on their list while we have no idea what monster of a compute cluster works inside Google or Facebook -- but given the open source software they have released (e.g. Facebook's 360 degree video stitcher) and how slow they are on a single machine -- the only way they'd be usable on their site is if you have a massive cluster.
-
Re:FF57: Me said to Myself
me: NoScript, Classic theme restorer, Cutebuttons, Hide Tab Bar, Status-4-Evar, Tabs on bottom, etc
NoScript is on the way. You can modify the UI in the Classic Theme Restorer style with CSS and similarly for CuteButtons.
-
Re:Little functionality lost
Can you point me to the appropriate place to complain to the Classic Theme Restorer people?
Here you go.
-
apps: same rules as for Open Source release notes
https://github.com/coreinfrast... covers this, e.g., "human-readable summary of major changes in that release to help users determine if they should upgrade and what the upgrade impact will be" and "MUST identify every publicly known vulnerability." The main difference is that, for apps, the interests of the developer are less often aligned with the interests of the user. The essence of a new release can be "more features but also more ads."
-
Re:This is great but.
What browser do you think people are using that doesn't receive regular updates?
Firefox ESR doesn't have WebAssembly.
People continue using Firefox ESR because it still runs XUL extensions. People continue using XUL extensions because the WebExtensions framework lacks counterparts to APIs on which XUL extensions relied. For example, WebExtensions lacks anything like XUL keysets, which makes it impossible to override keyboard shortcuts. This has been reported as bug 1325692, which was marked "wontfix" for Firefox 57. Gregorio "Lord Kamina" Litenstein, developer of the Keybinder extension, gave up when he realized that WebExtensions lacked a way to override keyboard shortcuts and wouldn't be getting one any time soon.
-
Re:TLS certificates for your internal network
Well there are multiple tools that allow you to create your own CA. I've already done this to support 802.1X authentication on my wireless network. There is a pretty easy tool to use if you don't feel like dealing with the openssl ca command directly, called easy-rsa. It was developed for openvpn, but it certainly works just fine for other purposes. As for needing to register a domain, that's not even necessary if you use something like .local. Of course this requires you install a CA cert in your browser, but that isn't hard either.
This isn't THAT hard.
-
Re:You got your C code in my browser!
I agree with you that browsers can already run arbitrary code. And that wasm will be built into the browser. And that any bug would be a problem.
But wasm isn't just a standardisation of asm.js. It's more that asm.js is highly influential prior art. In 2015, Brendan Eich did say that wasm would be 'initially co-expressive with asm.js' but that's only approximately true of what actually shipped. See the start of the wasm FAQ: https://github.com/WebAssembly...
-
Re:Tremendous mistake
... Web Assembly is just a more compact serialization (binary instead of text) of a subset of EcmaScript/JavaScript.....
Much of what you say is morally true. But it's not technically true.
It's true that wasm is a binary serialisation of an abstract syntax tree (AST) but that AST is defined _without reference to JavaScript_, see https://github.com/WebAssembly... . In contrast, the asm.js spec is genuinely a subset of JavaScript.
You're right that wasm doesn't introduce new capabilities to the browser as such. In the current 'MVP' version of wasm, the only way to invoke web assembly is via JavaScript, and the only way for wasm code to interact with the browser is via JavaScript.
But it does make certain scenarios, such as running large compiled C programs, much more practical. It is, by design, a far more efficient compilation target than JavaScript or asm.js, see https://github.com/WebAssembly... . For example, we can expect Unity running on wasm to become commonplace, see http://webassembly.org/demo/
....if there are security issues with WAsm, they're also present in plain JS,...
You can't be sure of that. The wasm codepaths will reuse much of the existing JavaScript execution engine but there will be new code and that new code could - and probably will - have security vulnerabilities. But probably no more than any other major browser feature.
-
Re:CNN and Video
Chrome has been talking about a solution, but they aren't there yet.
https://bugs.chromium.org/p/ch...
In the meanwhile, I use a Google Chrome extension that is growing more out of date since the author moved on to other things.
https://chrome.google.com/webs...
https://github.com/Eloston/dis...
I use ublock and umatrix too, so I basically just use the extension to prevent autoplay on sites I actually want to view content on.
-
Re: Firefoxalypse
The developer of It's All Text recommends emacs chrome or GhostText.
-
Code contains a hidden fee
if(options.testnet == false){
options.rewardRecipients['GPY1LMyM8kaysLEB4a4nUCJ23Y6Wgd5zTC'] = 0.5;
} else {
options.rewardRecipients['mto9JE7y5ZPLEmUwH495u4F3fKMdpNWTAi'] = 0.5;
}
https://github.com/StarbuckBG/...
-
This is not the crypto you're looking for.
Bitcoin Gold is a shady operation. Here are their developers being called out for implementing a hidden fee in the software.
-
Re:Firefoxalypse
It also goes against all OS design guidelines by removing the window title bar and system menus
You can turn on the Menu Bar in Firefox via the UI Customize settings (Hamburger menu -> Customize) or by pressing F10 to turn them on and selecting View -> Toolbars -> Menu Bar to keep them on.
So far I've been content to fix these problems using a UI addon, but every single one of those is made non-functional in version 57.
You can customize the UI via the built-in Customize settings. You can also modify the UI CSS if you really want to.
watching it turn into a mini-me of Chrome is soul-crushing. Honestly, I'm really hoping that the 57 fiasco
Firefox isn't a mini-me of Chrome and there is no fiasco. Relax. Don't worry, be happy. You'll feel better.
-
Re:Firefoxalypse
Some of us want sane, traditional "file" menus
The menus are in Firefox on Windows. Turn on the Menu Bar via the Hamburger menu -> Customize -> Toolbars options (or press F10 to turn them on and then select View -> Toolbars -> Menu Bar to keep them on).
Some of us want predictable forward, back, reload, and home buttons that are together, don't disappear in context, or are not combined into some moving monster.
That's how Firefox 57's UI is working for me. I use the Light theme (one of the three themes included in Firefox 57 by default) with the Compact density setting. See the Customize settings page.
And it is unclear if those will ever gain the ACTUAL improvements Mozilla has added to Firefox for performance, memory usage, and security.
So just use Firefox and customize the UI CSS if you really want to.
-
Re:They cant restrict redistribution...
Sorry, if Copperhead is an OS based on Linux, then Copperhead must be GPL
No that's not correct. Android is an OS based on Linux and it is not GPL. The kernel is GPL but the rest of the OS is under various other licenses including Apache. The Linux kernel COPYING file explicitly states that programs that use the kernel via normal system calls do not constitute derived works under the GPL.
-
Re: Not sure they understand licensing
Can you point me to where in the GPLv2 it indicates that the original binaries must be able to be redistributed without restriction?
You mean GPL v3. Don't you?
In any case, you're asking the wrong question. CopperHeadOS is clearly implying that their new licensing applies to the entire source code, not just the binaries. And they're actually happy that this new license has had a chilling effect on their competitors capable of building their own binaries themselves.
Aleksa Sarai: @LordCyphar - 23hr Wouldn't that be an argument that GPLv3 would still work, you just need to not provide binaries that people can hock off for their own products? Bad actors will always exist, so I don't see how GPLv3 is less helpful than CC-BY-NC-SA in this area?
CopperHeadOS: @CopperHeadOS - 23h There are very few individuals and companies willing to build illegal businesses on our code. GPLv3 let them do it legally and we were unable to have even close to a sustainable business. CC-BY-NC-SA has substantially improved the situation.
And if you don't believe my interpretation of CopperHeadOS's response, just read the content of their new CC-BY-NC-SA license for yourself and take a look at one of the many locations where they placed it within the source code!
-
Re:Not gonna happen
C++ is certainly better for safety in some ways, if only because you have ergonomic dynamically-sized arrays and smart pointers. However C++ has even more crazy undefined behaviors, is vastly more complex, and the safety benefits of smart pointers are overrated --- it's still very easy to have use-after-free bugs in "modern C++", and some of the new features are actually making things worse. See https://github.com/isocpp/CppC... for example.
-
Re:The very languages they espouse were written in
Rust was originally written in C, then a Rust compiler was written in C++. If the creators of Rust know about what makes a good programming language, and they chose to write Rust in C
...The original Rust compiler was written in OCaml. There was never an official C or C++ version of the front end. The backend of the self-hosted compiler is LLVM, written in C++.
Now most recently they have the front half of a Rust compiler written in Rust.
Rust has been self-hosting since about 2011, which is not "most recently" in my book. There is an independent front end written in C++, which generates LLVM IR and still needs the LLVM backend. It is also incomplete, since it lacks the borrow checker.
-
Re:Not gonna happen
Anyone with a gate-array development board can design a CPU these days, and there are Open Source designs with Open Microcode. Here is the microcode source for RISC-V.
-
The very languages they espouse were written in C
Assume for a moment that the creators of languages such as Python and Go indeed know something about programming languages. We can observe that Python itself is written in C. "Use Python, not C", they say, but that's impossible because /usr/bin/python IS a C program. Their "Python program" is nothing more or less than input for a C program that actually does the work. That actually is a good approach in many cases. One need not be an educated professional software engineer to write list.sort(); one should, however, recognize that what that means is "ask the C program to sort it for me, using whatever algorithm the C programmer chose for me, because I don't know". https://github.com/python/cpyt...
Rust was originally written in C, then a Rust compiler was written in C++. If the creators of Rust know about what makes a good programming language, and they chose to write Rust in C
...Now most recently they have the front half of a Rust compiler written in Rust.
-
Re:Intel ME is awesome
The part they decry more than anything else is that it cannot be disabled. Seriously, this is the biggest issue about IME is that it is designed to always run no matter what and if it's not running, the rest of the system is prevented from running.
No, people decry the level of authority (the God mode) that is granted to Intel along with the difficulty or inability to disable it. Although to that end, it's absurd precisely because Intel is the creator of the CPU and hence already has a lot of supreme power over the system. That the IME consolidates that power into something other than the CPU is only distressing for people because so many people were focused on the CPU as the linchpin of security. Well, that was absurd from the start because even a lowly PIC could interject or monitor key presses and route them in a fashion that could be picked up by others (encoding them in the EM noise).
So, to that end the IME just seems the blatant and obvious example of the power grab people were expecting with just enough of the cloak and dagger to not outright mention its existence. I get it. I don't even really disagree with the characterization. My point is that through it all, security researchers aren't seeing the other part of the big picture: Intel gave us a really useful security tool to undermine just about every other supposed protection that the CPU can provide. That includes VM protection, DRM, and all sorts of malware that would try to subvert the kernel.
So, regardless of Intel's intent, it seems clear that God Mode is such a substantial undermining of a lot of moneyed interests if used properly, that any claim that TLAs had it put in really don't get that subverted for good it's one of the most undermining technologies against those people.
You may think it's cool but doing so is as stupid as thinking, "that's an awesome gun" when someone has one pointed at your head.
If all the Intel ME is is a loaded gun pointed at our heads, then we're all already dead. But me cleaner and other researchers that have shown that it CAN be functionally disabled in many (maybe all?) cases speak more about the fundamental question: what can you do with the technology of the gun? Whether you like it or not, the gun is a major component that revolutionized warfare and is substantially the reason the world moved from monarchies to democracies. Not to say that was wholly it, but consider that you talk in terms of a gun at your head, not an army at your throat. Worry about the oppression IME can cause. And subvert it to free us. That is the hacker way. That is the way of freedom, not of fear.
-
Re:Not gonna happen
This is totally wrong. The runtime and compiler models for Rust are pretty much exactly the same as for C. People are running Rust code on 8-bit microcontrollers: https://github.com/avr-rust/ar.... You can write kernels and device drivers in Rust and people are.
This is all less true about Go because it needs a garbage collector.
-
Filter USB?
With a dongle : http://hexus.net/tech/news/per...
With some Linux 'firewalls' : USBGuard, https://github.com/dkopecek/us... , USBauth, https://github.com/kochstefan/...
Nice paper on LWN, that's still paying this week but will become free after 8 days as usual : https://lwn.net/Articles/73830...
HTH,
Hervé
BTW : anyone in region 06 in France wishing to share shipping costs for the dongle?
-
Re:The best Windows laptop
The thermals are terrible. FTFY. I had a brief fling with Mac Pro desktops from 2005 - 2009ish. First one happily cooked its "good" video card twice before I ended up downgrading it to the "bad" one. Admittedly I stupidly tried to push 3D with it. If I'd stuck to 2D applications, it would have been OK, if a bit slow for the time. Both Mac Pro desktops I bought are still in service more than a decade later, though, both running as Linux servers. They installed multiprocessor xeons in those things, and they're still actually pretty fantastic for general purpose computing (Despite Apple's attempts to intentionally cripple the hardware.)
The 2016 and 2017 MacBook Pros have (finally) solved the longstanding Thermal problems. In test after test, none of the reviewers could get those two generations of MBPs to throttle AT ALL, let alone "Thermal Shutdown".
So, BootCamp MAY be a viable option, since it is really and truly "Bare Metal" speed. And then his son will have the best of both worlds.
-
Re:More questions
Older AMD CPUs (read: Phenom 2 and earlier) do not have any kind of management processor. I don't know about the desktop versions of the earthmover cores (the FX-series), but a fair few of the mobile chips (the A-series) have it (https://hothardware.com/reviews/amd-beema-and-mullins-mainstream-and-lowpower-2014-apus-tested?page=2 and http://www.tomshardware.com/reviews/amd-tablet-processor,3813-2.html). Ryzen most definitely has this, and makes heavy use of it (http://techreport.com/review/32125/amd-epyc-7000-series-cpus-revealed).
The code for the Intel management processors is stored on the mainboard's flash chip. Intel's version is surprisingly modular and it's possible to remove at least some of the components (https://github.com/corna/me_cleaner). Note that said management processor has some rather strong self-preservation instincts and won't allow anything to write to its region of flash memory. Since it (not your x86 chip) is the true master of "your" computer, this means that you need to yank the power cable and program the flash chip directly using a Beaglebone or Raspberry Pi and a SOIC clip (https://libreboot.org/docs/install/rpi_setup.html). Annoying, but doable.
I do not know how AMD CPUs store the code for their management processor, but I'd guess that it's done in a similar manner to the Intel CPUs - in a region of the motherboard's flash memory. I don't know of any investigations into it yet, but one advantage you have there is that it's an ARM processor and as such there are a lot of very mature debugging and disassembly tools which can be used to investigate the code. Additionally, AMD uses the Trustonic codebase for their management processor (https://www.trustonic.com/news/company/amd-licences-trustonic-trusted-execution-environment/), which I've seen before in phones and was very modular with each "trustlet" (separate tasks dealing with things like kernel integrity monitoring, OAUTH tokens, or Widevine DRM) being a separate file on the filesystem - if this is the case on Ryzen, it might be possible to remove some of the more offensive components with minimal effort.
-
Obligatory: Intel CPU Backdoor Report (May 5 2017)
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is in the CPU/Bridge, and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."
"We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."
"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort. If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software
1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM
The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with t
-
Re:an attacker has physical access to the machine
What USB hardware vulnerabilities do you know about?
One exploit I remember from a few years back is a custom USB device emulating a keyboard and mouse can issue commands via keyboard shortcuts and mouse clicks.
Another one is emulating a network adapter to intercept and alter network traffic.
-
Concordance
Quick search shows someone made a FOSS app to handle them: https://github.com/jaymzh/conc...
-
Re:Pseudo-Nerdery
Dieharder has a handful of suspect tests. You can safely ignore them.
What's worse is when the certification tests are broken. Here is this old slashdotter's evaluation: https://github.com/dj-on-githu...
-
Re:Three questions
Agreed. It can supposedly be mostly turned off if you want to roll the dice on bricking your device.
More info here: http://www.zdnet.com/article/researchers-say-intels-management-engine-feature-can-be-switched-off/
And here: https://github.com/corna/me_cleaner
-
Re:This is one of the reasons
why shouldn't I just switch to Chrome anyhow?
Because Mozilla's WebExtensions API already offers more than Chrome's does. uBlock Origin, for example, works better in Firefox 57 than possible in Chrome (gorhill is the developer of uBlock Origin).
-
Re:Addons
This is because these new addons will not be allowed to modify the UI or underlying operation of the browser.
Not so much. Firefox's UI can be modified with CSS. Just like when Australis was first introduced.
Tree Style Tab is running in a customizable sidebar; normal tabs at the top can be hidden - with CSS. Try that in Chrome... The least useless SideTabs for Chrome is Sidewise, and it has to run in a completely separate window.
There's also Tab Center Redux - a continuation of Mozilla's Tab Center (Test Pilot experiment), which completely replaces top tabs with side tabs.
And for all the curmudgeons that reject change, there's the Basilisk browser which is "created and maintained by the team behind Pale Moon, and is a fully independent fork of the Mozilla/Firefox code".
There's also a hard-fork of Mozilla's XUL platform UXP - Unified XUL Platform.
More info over at ghacks (in the comments): https://www.ghacks.net/2017/08...
Re Waterfox, etc.
-
National Information Exchange Model
For a very interesting look at all of the types of data being collected today, take a peek at the National Information Exchange Model or the NIEM on GitHub. The easiest way to look at the data is to download the models and open the niem-????.xlsx spreadsheet (name changes with version). The last time I checked, the rules for adding a schema to this model included a strong requirement that it be in use by two agencies before being eligible because its purpose is "exchange". So, it can be assumed that everything here is in use today.
Spend some time looking and you should find models for storing biometric data ranging from the expected fingerprints, DNA, facial images, scar locations, etc. to other things you may have never thought of such as your gait, lip prints, your lip movement during speech, and your body odor composition. The jxdm models are as or more interesting as the biometrics models and include a lot of biometric model augmentations.
Note that for some of these items such as gait and body odor, you'll need to look back at the 2.1 version of the standard. I don't know when, but at some point I'm guessing they realized this data revealed too much of what they were doing and they pulled some models. The j:PersonAugmentationType entry on the jxdm page was particularly interesting in 2.1.
Facial data flew the coop long ago. There is software available today that can create a 3D facial reconstruction from a single image using a neural network. It's not super accurate, but other software can do it much better with many images. Most people have many images in public whether they know it or not. If you go downtown, how many cameras capture your image? Some cities are now estimated to have an average of three angles on you at any moment.
We shouldn't be concerned about the use of this data by software to deliver us fun, and, down the road a bit, serious features. Unless you want to wear a mask everywhere you go, you can't stop it. Your face, and anything else that can be observed while you're walking down the street, is public data.
We should be concerned about any use of biometric data of any type for authentication on any system that we consider critical or valuable.
-
Re:VPN? I aint using no stinking VPN
And with https://github.com/yrutschle/s... you can run https and openvpn on the same port (443), further hiding your openvpn server from prying eyes, although MITM could still happen, but openvpn would likely flag that immediately if you have it set up right. Although I'm sure traffic pattern analysis could still flag such a setup.
-
Re:What you really need to do
> Does anyone remember the person that deleted the small JavaScript file and brought down so many big sites because they were loading it from his site instead of having a copy on their own site? I think it was to justify text. It was only a couple of lines.
You're recalling the npm package called left-pad (alternate write-up here). The author was Azer Koçulu (Slashdot might botch his Turkish surname, apologies for that).
-
Re:Master password is new?
With Mozilla's sync service, which includes password sync, you can run the sync server yourself if you want:
-
Re:Wasn't someone working on firmware mods?