Mozilla Launches Student Coding Program "Winter of Security"

First time accepted submitter NotInHere (3654617) writes "Mozilla has introduced a new program called MWoS, or 'Mozilla Winter of Security,' to involve university students in security projects. The attending students will write code for a Mozilla security tool during (northern hemisphere) winter. Unlike GSoC, attending it involves no monetary payment, but the student's universities are expected to actively cooperate and to give the students a credit for their work. From the article: 'MWoS is a win for all. Students get a chance to work on real-world security projects, under the guidance of an experienced security engineer. Professors get to implement cutting-edge security projects into their programs. Mozilla and the community get better security tools, which that we would not have the resources to build or improve ourselves.'"

They just removed a major security feature in FF

[chrisvdb]

I'm not sure if I really understand where Mozilla is heading... I chose Firefox over Chrome because of a) secure password sync'ing across devices (real end to end encryption for cloud storage and master password for local storage) and b) addons on Firefox mobile version.

Recently they decided to implement another password sync'ing scheme as the old one (based on pairing devices) was apparently too hard to use for the modal FF user (stats showed that less than 1% of their userbase was using old sync). Unfortunately the new system is by design not nearly as secure as the old system. After a few weeks of enabling the new sync'ing tool I randomly noticed that passwords no longer got sync'ed correctly. Turned out that the new sync system does not work when a master password is enabled. No mention of this in the release notes, no warning message during installation.

With the new sync system we not only get less security by design, on top we're no longer able to locally protect stored passwords with a master password. That means that every malicious/buggy application on your computer is able to read _all_ your saved passwords in plaintext. Take a look at https://bugzilla.mozilla.org/show_bug.cgi?id=995268 for the details. Password sync'ing security is now at par with Chrome, so b) is now the only reason why I'm still staying with FF.

If you take the time to read the bug report it really feels that Mozilla is losing touch with the power users in their pursuit of the average user. They forget that power users influence the rest...

Anyway, I think it's rather ironical that they are doing this security thing while they are knowingly removing security features at the same time.

Re:Expecting cooperation from universities...

[monkeyhybrid]

If you're from a good university you dont really need such programs

Working in a professional environment as part of your education can be a very valuable experience and shouldn't be sniffed at. I had the good fortune to do something similar when I was younger, and looking back at it now, I can really appreciate how it helped sharpen my skills and gave me greater insight into what real world software development is like.