prisoninmate quotes a report from Softpedia: According to Matthew Garrett, a renowned CoreOS security developer, and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, it is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. The fact of the matter is that X11's old design is well-known for being insecure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software, in this case anything you type on the Mozilla Firefox web browser. As more developers will provide snaps for their apps, Canonical needs to do something about the security of snaps in Ubuntu when using X11 or switch to the Mir display server. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server. Canonical has officially released Ubuntu 16.04 LTS, which is now available to download for those interested.

Reader prisoninmate writes: The latest, and hopefully, the greatest version of Ubuntu is now available to download. On the sidelines, Mozilla today announced the availability of future releases of its popular Firefox web browser in the snap package format for Ubuntu 16.04 LTS. Earlier today, Canonical unleashed the final release of the highly anticipated Ubuntu 16.04 LTS (Xenial Xerus) operating system, bringing users a great set of new features and improvements. Also today, it looks like Canonical has renewed its partnership with Mozilla to offer Firefox as the default web browser on Ubuntu 16.04 LTS and upcoming releases of the Linux kernel-based operating systems. As part of the new partnership, Mozilla is committed to distributing future versions of Firefox as a snap package. Having Firefox distributed in the snap format means that you'll have 0-day releases in Ubuntu 16.04. Yes, just like Windows and Mac OS X, users are enjoying their 0-day releases of Mozilla Firefox and don't have to wait for package maintainers of a particular GNU/Linux distribution to update the software in the main repositories. For Mozilla, having Firefox as a snap package means that they'll be able to continually optimize it for Ubuntu.

An anonymous reader writes: Mozilla seems to think a new future for Firefox [lies in Chrome]. While they claim that it is only about new ways of browser design, it is also an open secret that they are running into more and more problems lately with web compatibility. [Senior VP Mark Mayo caused a storm by revealing that the Firefox team is working on a next-generation browser that will run on the same technology as Google's Chrome browser. The project, named Tofino, will not use Firefox's core technology, Gecko, but will instead plumb for Electron, which is built on the technology behind Google's rival Chrome browser, called Chromium.] The benefit of Chromium/Electron would be that it is a solution they could pull much faster forward than their own Servo plans [Servo being Mozilla's Rust-based web engine]. What the real outcome of all this will be, only Mozilla knows so far. But inside Mozilla there is much resistance against such plans... Interesting times are ahead.

An anonymous reader writes: Security researchers claim that NoScript and other popular Firefox add-on extensions are exposing millions of end users to a new type of vulnerability which, if exploited, can allow an attacker to execute malicious code and steal sensitive data. The vulnerability resides in the way Firefox extensions interact with each other. From a report on SlashGear, "The problem is that these extensions do not run sandboxed and are able to actually access data or functions from other extensions that are also enabled. This could mean, for example, that a malware masquerading as an add-on can access the functionality of one add-on to get access to system files or the ability of another add-on to redirect users to a certain web page, usually a phishing scam page. In the eyes of Mozilla's automated security checks, the devious add-on is blameless as it does nothing out of the ordinary." Firefox's VP of Product acknowledged the existence of the aforementioned vulnerability. "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative -- our project to introduce multi-process architecture to Firefox later this year -- we will start to sandbox Firefox extensions so that they cannot share code."

New reader DarkLordBelial writes: The newspaper Association of America (NAA) has sent a letter to Brave Software, makers of the Brave browser, detailing how little they think of Brave's proposed solution. In the letter, NAA says Brave Software "should be viewed as illegal and deceptive by the courts." The letter suggests that replacing adverts with their own selected ads is no different to republishing the content and therefore copyright infringement. In response, Brave Software says all such assertions are false and that the NAA has misunderstood their business model. Founded by Mozilla's co-founder, Brave pays its users in bitcoin to watch ads. According to the company's plan, a website gets 55 percent of the money, whereas rest is distributed among users and Brave.

An anonymous reader writes: Brave, a new privacy and speed focused web browser for Windows, Mac, Linux, iOS, and Android, backed by Mozilla co-founder Brendan Eich, will pay its users in bitcoin to watch ads. From a PCWorld article, 'Under this plan, advertisers pay for a certain number of impressions, and Brave aggregates those payments into one sum. Websites that participate in the scheme get 55 percent of the money, weighted by how many impressions are served on their sites. For both users and publishers, Brave deposits the money into individual bitcoin wallets, and both parties must verify their identity to claim the funds. This requires an email and phone number for users, and more stringent identification steps for publishers. Users who don't verify will automatically donate their share of the funds back to the sites they visit most.' It appears Brave's strategy hinges on, among other things, collecting your browsing data to display relevant ads. The aforementioned article also says that users will have an option to block all ads by paying a monthly subscription to Brave. Not sure how many people would want to buy that.

An anonymous reader quotes a report from VentureBeat: On top of the slew of news coming out of Microsoft's Build 2016 developer conference, a story broke yesterday that Microsoft was building an ad blocker into its Microsoft Edge browser. While this would be a big deal, it apparently isn't true. "We have no plans to build a native ad blocker into Microsoft Edge," a Microsoft spokesperson told VentureBeat. Microsoft was originally referencing the extension support it is building into Edge, which would allow ad blocking to work exactly like any other desktop browser. For those hoping for an Edge browser with built-in ad blocking, well, you're stuck with 'niche browsers' like Brave from Mozilla cofounder Brendan Eich and Adblock Browser.

On Wednesday, it was reported that FBI has contracted Cellebrite, an Israeli software provider specializing in mobile phone forensics, for $15,000 to break into the iPhone. It is believed that Cellebrite knows of a flaw in the iPhone which could allow circumvention of iOS' built-in security layers. Cellebrite could have worked with Apple on this flaw, but it chose to help FBI instead. It doesn't take rocket science to understand why Cellebrite chose to take the other route. The New York Times says that many security firms and hackers would love to work with Apple to further improve its products, but they don't because of a lack of incentive. There's little to no monetary incentive in helping the company with finding loopholes in its products. Apple -- unlike a number of Silicon Valley giants including Facebook, Microsoft, Google, Mozilla, and recently added to the list, Uber -- doesn't maintain a Bug Bounty program. Nicole Perlroth and Katie Benner report for the Times: When hackers do find flaws in Apple's code, they have little incentive to turn them over to the company for fixing. [...] Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits. The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company's website -- but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.

wiredmikey writes: Pwn2Own 2016 contestants hacked Apple's Safari Web Browser, Adobe Flash Player and Google Chrome, and earned more than $280,000 on the first day of the competition taking place this week alongside the CanSecWest conference in Vancouver, Canada. This is the first edition of Pwn2Own where contestants have been invited to escape a VMware virtual machine for a bonus of $75,000, though there has not been a successful exploit yet in this class by any contestant this week. It remains to be seen if contestants manage to surpass last year's total payout, when white hat hackers earned $552,000 at Pwn2Own.

An anonymous reader writes: Four major web browsers have announced support for the near-native compiling technology WebAssembly, and collaborated to bring an initial common game demo of Angry Bots, running via Unity and WebAssembly, to experimental builds of Chrome, Firefox, Microsoft Edge and, shortly, Safari. WebAssembly was launched last year in a joint project between Microsoft, Mozilla, Apple and Google as a potentially more efficient route to assembly-level performance than asm.js, which is in itself a low-level subset of JavaScript.

An anonymous reader writes: Mozilla has announced it is releasing the first alpha versions of its Servo browser this upcoming June. The project uses browser.html for the browser's UI and Rust for the browser's core. There's a similarity between how Microsoft launched Spartan (Edge) and how Mozilla is launching Servo now. While many might think Mozilla is sneakily working on a Firefox replacement, Mozilla has also invested quite a lot in Firefox these days, like WebExtensions and e10s, and it may be more plausible that Servo might slowly be integrated in Firefox to replace Gecko, rather than replace Firefox altogether, like Microsoft did with Edge to IE.

An anonymous reader writes: Firefox 45, set to be released today, will remove the Tab Groups feature, a feature that many people used, but Mozilla decided to ask due to buggy code. The good news is that a developer created a perfect replacement for this feature as an add-on. Users that use Tab Groups on a daily basis are urged to install the add-on before upgrading to Firefox 45. The add-on will take over from the browser's Tab Groups feature without any complex configuration. Users that update to Firefox 45 will have their tab groups moved to their Bookmarks as folders, which may be difficult to move back into the Tab Groups add-on later on, especially if some people have hundreds of URLs.

An anonymous reader writes: Microsoft, just like Google, Apple, and Mozilla, is part of the CA/BForum, an organization of web browser vendors and certification authorities (CAs). As a browser vendor, Microsoft maintains a list of authorized CAs and their respective root certificates. According to a message on the CA/BForum, there was an error on the server that was running a CRM application that managed this list of trusted certificates and the adjacent details regarding each certificate and CA. The data is lost forever and Microsoft is now asking CAs to resend their most recent audits. Currently a lot of certs are broken in Edge and IE. Microsoft says that it lost audit data for 147 root certificates, which resulted in many SSL/TLS certificates showing errors inside the company's products.

mikejuk writes: Mozilla has been clarifying some of its plans to convert the Firefox OS project into four IoT based projects. At a casual glance, this seems like a naive move that is doomed to failure. Project Link is a 'user agent' for the smart home, that helps the end user set preferences for device interaction, and automates those connections for the user in a secure environment. Next, Project Sensor Web will be a pilot project for crowdsourcing a pm2.5 sensor network. Project Smart Home is focused on bridging the gap in IoT smart home providers between completely boxed solutions like Apple HomeKit, and completely DIY solutions like Raspberry Pi. Finally, Project Vaani is a voice interface for IoT access, which Mozilla credits as the 'most natural way to interact with connected devices.' With Firefox losing market share and projects like Firefox OS, Thunderbird, Shumway, and Persona closing down, perhaps Mozilla should try and find its way back to core concerns. All four of the projects need significant AI expertise and a powerful cloud computing resource neither of which Mozilla is likely to be able to afford.

An anonymous reader writes: Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is because the add-on was caught disabling a Firefox security setting (code signing) which the allowed it to silent-install another add-on, which Avast (antivirus software) was detecting as malware. Earlier in 2015, the same plugin was again caught cheating when it was using an self-contained update system that was bypassing Mozilla's add-on review process.

An anonymous reader writes: After researchers discovered that SHA-1 can be decrypted, Mozilla, together with Microsoft and Google, said they will no longer "trust" SHA-1-based certificates issued after January 1, 2016, and later stop supporting any type of SHA-1 certificates after June 30, 2016, or January 1, 2017. The foundation went back on its word this week, when Symantec begged Mozilla to allow it to issue nine new certificates for one of its clients, Worldpay PLC, which forgot to request these certificates before January 1. Symantec got what it wanted. Fortunately, other companies like Microsoft, Apple, or Google didn't cave under the pressure.

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."

New submitter FlipperPA writes: It has just been announced that the 2016 vintage of DjangoCon US will be held in Philadelphia at The Wharton School of the University of Pennsylvania from July 17th through 22nd. DjangoCon US is a 6-day international community conference for the community by the community, held each year in North America, about the Django web framework. From its humble beginnings in a newsroom in Lawrence, KS, Django now powers some of the better known web sites on the planet, including The Washington Post, Mozilla, Instagram, Disqus, and Pinterest. Considered by many to be the "batteries included" web framework for Python, Django continues to attract new developers across the globe.

AmiMoJo writes: Four years ago Mozilla moved to a fixed-schedule release model, otherwise known as the Train Model, in which we released Firefox every six weeks to get features and updates to users faster. Now Mozilla is moving to a variable 6-8 week cycle, with the same number of releases per year but some flexibility to 'respond to emerging user and market needs' and allow time for holidays. The new release schedule looks like this:

• 2016-01-26 – Firefox 44
• 2016-03-08 – Firefox 45, ESR 45 (6 weeks cycle)
• 2016-04-19 – Firefox 46 (6 weeks cycle)
• 2016-06-07 – Firefox 47 (7 weeks cycle)
• 2016-08-02 – Firefox 48 (8 weeks cycle)
• 2016-09-13 – Firefox 49 (6 weeks cycle)
• 2016-11-08 – Firefox 50 (8 weeks cycle)
• 2016-12-13 – Firefox 50.0.1 (5 week cycle, release for critical fixes as needed)
• 2017-01-24 – Firefox 51 (6 weeks from prior release)

ewhac writes: Among its other desirable features, Firefox included a feature allowing very fine-grained cookie management. When enabled, every time a Web site asked to set a cookie, Firefox would raise a dialog containing information about the cookie requested, which you could then approve or deny. An "exception" list also allowed you to mark selected domains as "Always allow" or "Always deny", so that the dialog would not appear for frequently-visited sites. It was an excellent way to maintain close, custom control over which sites could set cookies, and which specific cookies they could set. It also helped easily identify poorly-coded sites that unnecessarily requested cookies for every single asset, or which would hit the browser with a "cookie storm" — hundreds of concurrent cookie requests.

Mozilla quietly deleted this feature from Firefox 44, with no functional equivalent put in its place. Further, users who had enabled the "Ask before accept" feature have had that preference silently changed to, "Accept normally." The proffered excuse for the removal was that the feature was unmaintained, and that its users were, "probably crashing multiple times a day as a result" (although no evidence was presented to support this assertion). Mozilla's apparent position is that users wishing fine-grained cookie control should be using a third-party add-on instead, and that an "Ask before accept" option was, "not really nice to use on today's Web."