Showing posts with label firefox. Show all posts

January 25, 2011

Firefox, Chrome adding 'Do Not Track' tools

Firefox and Chrome
NEW YORK: The Firefox and Google Chrome web browsers are getting tools to help users block advertisers from collecting information about them.

Alex Fowler, a technology and privacy officer for Firefox maker Mozilla, said the "Do Not Track" tool will be the first in a series of steps designed to guard privacy. He didn't say when the tool will be available.

Google Chrome users can now download a browser plug-in that blocks advertisers - but only from ad networks that already let people decline personalised, targeted ads.

According to Google Inc, these include the top 15 advertising networks, as rated by the research group comScore, a group that includes AOL Inc, Yahoo! Inc and Google itself.

The next version of Microsoft Corp's Internet Explorer browser, which is still being developed, will include a similar feature, though people will have to create or find their own lists of sites they want to block.


December 15, 2010

JavaScript Allows Web History Sniffing

Researchers at the University of California, San Diego said they're planning to broaden their research after they provided evidence earlier this month that Web sites and the advertisers on them can easily retain a history of the other sites you've recently visited--without your permission. According to the computer scientists, the front pages of the top 50,000 Web sites as ranked by Alexa include 485 that inspect style properties that can be used to infer the browser's history. Out of those 485 sites, 63 actually transfer the browser's history to the network, a practice known as "history sniffing." One in the list--a porn site--appears in Alexa's top 100 sites.

According to a paper published on the topic, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications," the Web sites use the ubiquitous and highly useful JavaScript code for their behind-the-scenes sniffing work. JavaScript commonly provides interactive activities on a Web page. However, as is widely documented, the language also presents security vulnerabilities.


The UC San Diego project examined whether anybody was actually using history sniffing--a practice first raised in the academic community a decade ago--to get at users' private browsing history. "What we were able to show is that the answer is yes," said computer science professor and report co-author Hovav Shacham.

History sniffing can divulge private information such as what banks or competitive sites have been visited by the user. A cyber criminal could use detail about banks to know what type of banking page to serve up to a person in a phishing attack. Competitive site information could be used by advertising companies to build user profiles without their knowledge.

"JavaScript is a great thing. It allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities," said computer science professor and co-author Sorin Lerner. "We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack."

The key to the research involves the color of links. The links for pages a user hasn't yet visited are blue; those that have been visited are purple. Dongseok Jang, a Ph.D. student in computer science, created a monitoring tool to check whether JavaScript existed within the page--including within any ads on the page--to inspect how the link is displayed. If the link is displayed as a visited link, the JavaScript then "knows" the target URL is in the user's history. It can then use a widget to "inspect the browser history systematically," the report states.

"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that," said Lerner. "Some sites collected that information but never sent it over the network, so there was all this 'paint' inside the browser. But in other cases, we observed 'paint' being sent over the network, indicating that history sniffing is going on."

"We detected when browser history is looked at, collected on the browser and sent on the network from the browser to their servers. What servers then do with that information is speculation," he noted.
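The "paint" monitoring Lerner describes can be sketched as a small information-flow tracker. This is an added example, not the researchers' tool: the monitor API (`readLinkColor`, `derive`, `send`), the two page scripts and all URLs are hypothetical and constructed for illustration. It separates scripts that only inspect link colour from scripts that send the result over the network.

```javascript
// Toy "paint" (taint) monitor; every name and URL here is hypothetical.
class Painted {
  constructor(value, sources) { this.value = value; this.sources = sources; }
}
const unwrap = (v) => (v instanceof Painted ? v.value : v);
const paintOf = (...vs) =>
  [...new Set(vs.flatMap((v) => (v instanceof Painted ? v.sources : [])))];

function makeMonitor(visitedUrls) {
  const report = { painted: [], leaked: [] };
  return {
    report,
    // Source: reading a link's colour paints the result with the link's URL.
    readLinkColor(url) {
      report.painted.push(url);
      return new Painted(visitedUrls.has(url) ? "purple" : "blue", [url]);
    },
    // Propagation: anything computed from painted values stays painted.
    derive(fn, ...args) {
      const src = paintOf(...args);
      const out = fn(...args.map(unwrap));
      return src.length ? new Painted(out, src) : out;
    },
    // Sink: painted data reaching the network is recorded as a leak.
    send(endpoint, payload) {
      const src = paintOf(payload);
      if (src.length) report.leaked.push({ endpoint, sources: src });
    },
  };
}

// Constructed page scripts: both look at link colour, only one sends it.
function localOnlyScript(m) {
  const c = m.readLinkColor("https://bank.example/");
  m.derive((x) => x === "purple", c);              // result never leaves the page
  m.send("https://stats.example/hit", "pageview"); // unpainted payload
}
function sniffingScript(m) {
  const c = m.readLinkColor("https://bank.example/");
  const seen = m.derive((x) => x === "purple", c);
  m.send("https://tracker.example/collect", seen); // painted payload hits the sink
}

function classify(script) {
  const m = makeMonitor(new Set(["https://bank.example/"]));
  script(m);
  if (m.report.leaked.length) return "history-sniffing";
  return m.report.painted.length ? "inspects-only" : "clean";
}
```

The three outcomes correspond to the study's categories: sites that never touch link style, sites that inspect it, and the subset that transfers it to the network.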

The latest versions of browsers Firefox, Chrome, and Safari now block the history sniffing attacks the computer scientists looked for. However, Internet Explorer doesn't. In addition, the researchers said anyone using anything but the latest versions of the patched browsers is also vulnerable.

The "paint" tracking approach to monitoring JavaScript could be useful for more than just history sniffing, Lerner explained. "It could be useful for understanding what information is being leaked by applications on Web 2.0 sites. Many of these apps use a lot of JavaScript." That's what they plan to study next, in a broadening of their research.

January 25, 2010

Stop Using Internet Explorer


In a statement issued 4 days ago (January 16, 2010), the German Federal Office for Security in Information Technology (known as BSI) recommends that all Internet Explorer users switch to an alternative browser. They may resume using Explorer after a fix is issued by Microsoft for a critical vulnerability that has been implicated in the Chinese cyberattack against Google.
If you missed it, McAfee released a report on January 15, 2010, outlining details of the cyber assault on Google and around 20 other major technology companies. It specifically implicates a critical flaw in all versions of IE that allows hackers to “perform reconnaissance and gain complete control over the compromised system.” Microsoft has responded that it is developing an update for the vulnerability.
According to the statement from BSI, even running Internet Explorer in “protected” mode is not enough to prevent a hacker from exploiting this security flaw.
IE, while the world’s most popular browser, has been steadily losing market share over perceptions that it is slower and less secure than rival browsers, especially Firefox. This incident won’t help.
The full statement, translated via Google, is below:

Translated Statement from Germany


“In Internet Explorer, there is a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted Web page into a Windows computer to infiltrate and set up. The last week became known hacker attack on Google and other U.S. companies has probably exploited the vulnerability. Affected are the versions 6, 7 to 8 Internet Explorer on Windows systems XP, Vista and Windows 7. Microsoft has released a security advisory in which it discusses ways of minimizing risk and is already working on a patch to close the security gap. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.

Running the Internet Explorer in ‘protected mode’ as well as disabling scripting Active Although more difficult to attack, but it can not completely prevented. Therefore, the BSI recommends to switch to the existence of a patch from Microsoft to an alternative browser.
Once the vulnerability has been closed, the BSI will provide information on its warning and information about public-CERT. Keep informed about the civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via e-mail.”

Source : ERM Blog

December 24, 2009

The best technologies of the decade


With only a few days left before we enter a new year, it is worth looking back at the many new technologies we have explored over the last decade. The fastest-growing technologies are in ICT. Below are the technologies that we can consider the best of that period:
AJAX
It’s hard to remember what life was like before Asynchronous JavaScript and XML came along, so I’ll prod your memory. It was boring. Web 1.0 consisted of a lot of static web pages, where every mouse click was a round trip to the web server. If you wanted rich content, you had to embed a Java applet in the page, and pray that the client browser supported it.
Without the advent of AJAX, we wouldn’t have Web 2.0, GMail, or most of the other cloud-based web applications. Flash is still popular, but especially with HTML 5 on the way, even functionality that formerly required a RIA like Flash or Silverlight can now be accomplished with AJAX.
Twitter
When they first started, blogs were just what they said, web logs. In other words, a journal of interesting web sites that the author had encountered. These days, blogs are more like platforms for rants, opinions, essays, and anything else on the writer’s mind. Then along came Twitter. Sure, people like to find out what J-Lo had for dinner, but the real power of the 140 character dynamo is that it has brought about a resurgence of real web logging. The most useful tweets consist of a Tiny URL and a little bit of context. Combine that with the use of Twitter to send out real time notices about everything from breaking news to the current specials at the corner restaurant, and it’s easy to see why Twitter has become a dominant player.
Ubiquitous WiFi
I want you to imagine you’re on the road in the mid-90s. You get to your hotel room, and plop your laptop on the table. Then you get out your handy RJ-11 cord, and check to see if the hotel phone has a data jack (most didn’t), or if you’ll have to unplug the phone entirely. Then you’d look up the local number for your ISP, and have your laptop dial it, so you could suck down your e-mail at an anemic 56K.
Now, of course, WiFi is everywhere. You may end up having to pay for it, but fast Internet connectivity is available everywhere from your local McDonalds to your hotel room to an airport terminal. Of course, this is not without its downsides, since unsecured WiFi access points have led to all sorts of security headaches, and using an open access point is a risky proposition unless your antivirus software is up to date, but on the whole, ubiquitous WiFi has made the world a much more connected place.
Phones Get Smarter
In the late 90s, we started to see the first personal digital assistants emerge, but this has been the decade when the PDA and the cell phone got married and had a baby called the smartphone. Palm got the ball rolling with the Treos about the same time that Windows Mobile started appearing on phones, and RIM’s Blackberry put functional phones in the hands of business, but it was Apple that took the ball and ran for the touchdown with the iPhone. You can argue if the Droid is better than the 3GS or the Pre, but the original iPhone was the game-changer that showed what a smartphone really could do, including the business model of the App Store.
The next convergence is likely to be with Netbooks, as more and more of the mini-laptops come with 3G service integrated in them, and VoIP services such as Skype continue to eat into both landline and cellular business.
Open Source Goes Mainstream
Aha..this is what I like most. Quick! Name 5 open source pieces of software you might have had on your computer in 1999. Don’t worry I’ll wait…
How about today? Firefox is an easy candidate, as are Open Office, Chrome, Audacity, Eclipse (if you’re a developer), Blender, VLC, and many others. Many netbooks now ship with Linux as the underlying OS. Open Source has gone from a rebel movement to part of the establishment, and when you combine increasing end user adoption with the massive amounts of FLOSS you find on the server side, it can be argued that it is the 800 pound Gorilla now.
As Gandhi said, “First they ignore you, then they laugh at you, then they fight you, then you win.” When even Microsoft is releasing Open Source code, you know that you’re somewhere between the fight and win stages.
Toward giant Resources
56K modems, 20MB hard drives, 640K of RAM, 2 MHz processors. You don’t have to go far back in time for all of these to represent the state of the art. Now, of course, you would have more than that in a good toaster…
Moore’s Law continues to drive technology innovation at a breakneck pace, and it seems that related technologies like storage capacity and bandwidth are trying to follow the same curve. Consider that AT&T users gripe about the iPhone’s 5GB/month bandwidth cap, a limit that would have taken 10 solid days of transferring to achieve with a dialup connection.
An iPhone has 3,200 times the storage of the first hard drive I ever owned, and the graphics card on a Mac Pro has 16,000 times the memory of my first computer. We can now do amazing things in the palm of our hands, things that would have seemed like science fiction in 1999.

November 4, 2008

Google Chrome yet to be my default browser list

I've read a few reports mentioning that Google Chrome has great features. I can't comment much until I have tested and experienced it. My first impression of Chrome is not really good. The Google Chrome browser cannot open my local portal to run Oracle form server. The default error that I got on the Chrome browser is "no plugin available to display this content".

It doesn't mention what kind of plugin I must have. I'm not facing any problem opening the same link using Firefox 2.0.0.11. Another thing that I noticed is that the bookmark feature is not really user friendly. Since Chrome is still a beta version, I hope Google will work hard to integrate with other plugin developers in order to ensure that this browser can benefit internet users worldwide.

My advice to those who want to try Chrome for testing and evaluation purposes: you are encouraged to download and play around with it... but if you really want to replace your current browser, please stick to your current browser, or you may try Minefield. Even though it is still a beta version, it is better than the Chrome beta version.

Minefield does not have so many features and comes pre-installed with the new TraceMonkey JavaScript engine. Minefield's installation won't affect your current Firefox, so there's no risk trying it. It's quite fast.

Download Minefield 3.1beta here