Firefox

Microsoft Edge Accused of Sneakily Importing Firefox Data In Windows 10 (softpedia.com) 48

Some Firefox users have discovered that the new default Windows 10 browser, which is shipped to their devices via Windows Update, sometimes imports the data from Mozilla's application even if they don't give their permission. Softpedia reports: Some of these Firefox users decided to kill the initial setup process of Microsoft Edge, only to discover that despite the wizard shutting down prematurely, the browser still copied data stored by Mozilla's browser. Several users confirmed on reddit that this behavior happened on their computers too. Microsoft has remained tight-lipped on this, so for the time being, it's still not known why Edge imports Firefox data despite the initial wizard actually being killed off manually by the user. Users who don't want to be offered the new Edge on Windows Update can turn to the dedicated toolkit that Microsoft released earlier this year, while removing the browser is possible by just uninstalling the update from the device.
Portables

Reporter Tests Walmart's $140 Laptop 'So You Wouldn't Have To' (arstechnica.com) 200

Ars Technica's technology reporter Jim Salter tested Walmart's 11.6-inch EVOO laptop, which sells for $139 and ships with just 2GiB of RAM and a 32GB SSD, which he worries "simply is not enough room for Windows itself, let alone any applications." The first thing I noticed while looking through the Windows install is that our "internal" Wi-Fi is actually a cheap USB 2.0 Realtek adapter — and it's 2.4GHz-only 802.11n, at that. The second thing I noticed was the fact that I couldn't install even simple applications, because the laptop was in S mode. For those unfamiliar, S mode locks a system into using only the Edge browser and only apps from the Microsoft Store. Many users end up badly confused by S mode, and some unnecessarily buy a new copy of Windows trying to get out of it. Fortunately, if you click the "learn more" link in the S mode warning that pops up when you attempt to load a non-Store app, you are eventually led to a free Microsoft Store app which turns S mode off. On my first try, this app crashed. But on the second, it successfully disabled S mode, leaving me with a normal Windows install....

I verified that I was on an older version of Windows 10 — build 1903, from March 2019 — and initiated an upgrade to build 2004, from April 2020. Windows 10 was having none of it. It wanted at least 8GiB of free space on C:, and I couldn't even get to 6GiB free, after only a day of using the system.... Meaningful benchmark results were impossible to attain on this laptop, since it was too slow and quirky to even run the benchmarks reliably. But I didn't let a silly thing like "being obviously inappropriate" stop me from slogging painfully through the benchmarks and getting what numbers I could. The first suite up, PCMark 10, eventually produced a score of zero. I didn't know that a zero score was even possible. Apparently, it is... Cinebench R20 also took several tries to complete successfully, and eventually the test produced a jaw-droppingly bad score of 118...

Under Fedora 32 — selected due to its ultra-modern kernel, and lightweight Wayland display manager — the EVOO was incredibly balky and sluggish. To be fair, Fedora felt significantly snappier than Windows 10 had on this laptop, but that was a very, very low bar to hurdle. The laptop frequently took as long as 12 seconds just to launch Firefox. Actually navigating webpages wasn't much better, with very long pauses for no apparent reason. The launcher was also balky to render — and this time, with significantly lower memory usage than Windows, I couldn't just blame it on swap thrashing... [W]ith the laptop completely open, several questions are answered — the reason I hadn't heard any fan noise up until this point is because there is no fan, and the horrible CPU performance is because the CPU can't perform any better than it does without cooking itself in its own juices....

At first, I mistakenly assumed that the A4-9120 was just thermally throttling itself 24/7. After re-assembling it and booting back into Fedora, I found the real answer — the normally 2.5GHz chip is underclocked to an anemic 1.5GHz. The system BIOS confirms this clockrate but offers no room to adjust it — which is a shame, since the system never hit temperatures higher than about 62C in my testing.

His verdict? Walmart's EVOO laptop "doesn't have either the RAM or the storage to do an even vaguely reasonable job for normal people doing normal things under Windows, even when limited to S mode...

"There may be a purpose this laptop is well-suited to — but for the life of me, I cannot think what it might be."
Firefox

Mozilla To Launch VPN Product 'in the Next Few Weeks' (zdnet.com) 73

An anonymous reader quotes a report from ZDNet: Mozilla has announced today that its highly anticipated VPN (virtual private network) service will launch later this summer, "in the next few weeks." The product has also been renamed from its original name of Firefox Private Network to its new brand of the "Mozilla VPN." The name change came after Mozilla expanded the VPN product from the initial Firefox extension to a full-device VPN, capable of routing traffic for the entire OS, including other browsers. Currently, the Mozilla VPN offers clients for Windows 10, Chromebooks, Android, and iOS devices. Mozilla said beta testers also requested a Mac client, which they plan to provide, along with a Linux app.
Privacy

Incognito Mode Detection Still Works in Chrome Despite Promise To Fix (zdnet.com) 40

Websites are still capable of detecting when a visitor is using Chrome's incognito (private browsing) mode, despite Google's efforts last year to disrupt the practice. From a report: It is still possible to detect incognito mode in Chrome, and all the other Chromium-based browsers, such as Edge, Opera, Vivaldi, and Brave, all of which share the core of Chrome's codebase. Furthermore, developers have taken the scripts shared last year and have expanded support to non-Chrome browsers, such as Firefox and Safari, allowing sites to block users in incognito mode across the board. Currently, there is no deadline for a new Chrome update to block incognito mode detections, however, today, Google might be interested more than ever in fixing this issue.
Firefox

Firefox 77 Arrives With Faster JavaScript Debugging and Optional Permissions (venturebeat.com) 30

An anonymous reader writes: Mozilla today launched Firefox 77 for Windows, Mac, and Linux. Firefox 77 includes faster JavaScript debugging, optional permissions for extensions, and Pocket recommendations in the U.K. You can download Firefox 77 for desktop now from Firefox.com, and all existing users should be able to upgrade to it automatically. According to Mozilla, Firefox has about 250 million active users, making it a major platform for web developers to consider. [...] Other than Pocket recommendations arriving in the U.K. (they've been in Canada, Germany, and the U.S. since April 2018), this is primarily a developer release. Firefox's Debugger is now better at handling large web apps with all their bundling, live reloading, and dependencies. Mozilla is promising performance improvements that speed up pausing and stepping, as well as cutting down on memory usage over time. Source maps should also see performance boosts -- some inline source maps load 10 times faster -- and improved reliability for many configurations. The debugger will now also respect the currently selected stack when stepping, which is useful when you've stepped into a function call or paused in a library method further down in the stack.
Microsoft

Ask Slashdot: Why is Microsoft Blocking Its Own Server Pages? 21

Long-time Slashdot reader lpq writes: I followed a link that pointed at a Microsoft security advisory about ".lnk" files. The original link, https://www.microsoft.com/en-us/technet/security/advisory/2286198.mspx, produced this message:

Your request has been blocked. This may be due to several reasons. 1. You are using a proxy that is known to send automated requests to Microsoft. Check with your network administrator if there is any proxy and what User-Agent they are sending in the request header. 2. Your request pattern matches an automated process. To eliminate, reduce the volume of requests over a period of time. 3. Reference ID: 41.70790b91.4823110533.409105b4

It turns out the advisory number doesn't matter, just the extension for "Active Microsoft Server Page" (https.../.mspx) at the end. I guess there were too many security advisory lookups for MS to handle! *snort*!

The .mspx extension indicates a page using a special internal Microsoft rendering framework with a custom web handler (built in ASP.Net). But I ran some tests Saturday, and observed the exact same glitch described above using three different browsers — Firefox, Edge, and Brave. Anyone have a theory about what's going on?

Leave your thoughts in the comments. Why is Microsoft blocking its own server pages?
The Internet

Chrome and Firefox Block Torrent Site YTS Over 'Phishing' (torrentfreak.com) 34

Chrome and Firefox are blocking direct access to the movie download pages of popular torrent site YTS. According to Google's safe browsing report, YTS.mx is a "deceptive site" that may trick visitors into doing dangerous things. The warning is likely the result of malicious advertisements. TorrentFreak reports: While the site's homepage can be visited just fine, navigating to a torrent detail page throws up the following warning in Chrome. "Deceptive site ahead. Attackers on yts.mx may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards)." Firefox shows a similar alert and also prevents people from going directly to the download pages. In both browsers, people can, however, accept the risk and visit the page they were looking for.

It's not clear what the exact problem is but the Chrome warning mentions that YTS was caught phishing. This is also reflected in Google's Safe Browsing report, which states the torrent site recently tried to trick visitors into sharing personal info or downloading software. Whether any of this is intentional remains a question. It seems more likely that the warning was triggered by some type of malicious advertisement.

Chrome

Chromium Project Finds 70% of Its Serious Security Bugs Are Memory Safety Problems (chromium.org) 154

"Around 70% of our serious security bugs are memory safety problems," the Chromium project announced this week. "Our next major project is to prevent such bugs at source."

ZDNet reports: The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a "high" or "critical" severity rating. The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products addressed memory safety vulnerabilities. Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are "unsafe" languages....

Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a "critical" severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem... Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers (addresses), leaving doors open for attackers to attack Chrome's inner components...

While software companies have tried before to fix C and C++'s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox... Microsoft is also heavily investing in exploring C and C++ alternatives... But this week, Google also announced similar plans as well... Going forward, Google says it plans to look into developing custom C++ libraries to use with Chrome's codebase, libraries that have better protections against memory-related bugs. The browser maker is also exploring the MiraclePtr project, which aims to turn "exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact."

And last, but not least, Google also said it plans to explore using "safe" languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.

Firefox

Firefox 78 To Prevent Websites From Forcing Users To Save PDF Documents (thewindowsclub.com) 69

"Firefox will prevent websites from forcing users to directly save PDFs without opening them in the web browser window," reports The Windows Club.

"Mozilla is rolling out this feature to the masses with the stable release of Firefox 78." Right now, Mozilla has added this feature to Firefox 78 in the Nightly channel.

The issue was first raised in 2011, and it took Mozilla 9 years to fix it. Many websites host and offer PDF documents with the following HTTP header:

Content-Disposition: attachment; filename="whatever.pdf"

This is an indication to the web browser that the PDF file should be saved with the specified name rather than try opening it in the web browser window. But since Firefox has a built-in PDF viewer, it should be for users to decide whether they want to view or save PDF documents.

Firefox

Firefox 76 Arrives With Password Management and Zoom Improvements (venturebeat.com) 75

Mozilla today launched Firefox 76 for Windows, Mac, and Linux. Firefox 76 includes new Firefox Lockwise password functionality, Zoom improvements, and a handful of developer features. From a report: Lockwise, the password management service formerly known as Firefox Lockbox, is getting smarter. The Firefox feature already lets you generate, manage, and protect all those passwords for streaming services, grocery deliveries, and anything else that helps during the pandemic. If you share your device with family or roommates, Lockwise in Firefox 76 can now protect your saved passwords. When you try to view or copy a password from your "Logins and Passwords" page, you will be prompted for your device's account password.

[...] Firefox 76 adds support for Audio Worklets, which run custom JavaScript audio processing code for applications like VR and gaming on the web. Unlike their predecessor, ScriptProcessorNode, worklets run off the main thread in a similar way to web workers. Mozilla also notes Audio Worklets are "being adopted by some of your favorite software programs." The company specifically called out Zoom, which has become a phenomenon of its own during the pandemic. In short, you can now join Zoom calls in Firefox without having to download or install the Zoom client.

Firefox

New Firefox Service Will Generate Unique Email Aliases To Enter In Online Forms (zdnet.com) 70

An anonymous reader writes: Browser maker Mozilla is working on a new service called Private Relay that generates unique aliases to hide a user's email address from advertisers and spam operators when filling in online forms. The service entered testing last month and is currently in a closed beta, with a public beta currently scheduled for later this year, ZDNet has learned. Private Relay will be available as a Firefox add-on that lets users generate a unique email address -- an email alias -- with one click. The user can then enter this email address in web forms to send contact requests, subscribe to newsletters, and register new accounts. "We will forward emails from the alias to your real inbox," Mozilla says on the Firefox Private Relay website. "If any alias starts to receive emails you don't want, you can disable it or delete it completely," the browser maker said.
Mozilla

Firefox Raises Its Bug Bounties to $10,000 (mozilla.org) 5

"We're updating our bug bounty policy and payouts to make it more appealing to researchers and reflect the more hardened security stance we adopted after moving to a multi-process, sandboxed architecture," reports the Mozilla security blog: Besides rewarding duplicate submissions, we're clarifying our payout criteria and raising the payouts for higher impact bugs. Now, sandbox escapes and related bugs will be eligible for a baseline $8,000, with a high quality report up to $10,000. Additionally, proxy bypass bugs are eligible for a baseline of $3,000, with a high quality report up to $5,000...

Additionally, we'll be publishing more posts about how to get started testing Firefox — which is something we began by talking about the HTML Sanitization we rely on to prevent UXSS. By following the instructions there you can immediately start trying to bypass our sanitizer using your existing Firefox installation in less than a minute...

Lastly, we would like to let you know that we have cross-posted this to our new Attack & Defense blog. This new blog is a vehicle for tailored content specifically for engineers, security researchers, and Firefox bug bounty participants.

They point out that Firefox has one of the world's oldest bug bounty programs, dating back to 2004 -- and it's still going strong. "From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 — but as you can see in the graph below, our most common payout was actually $4,000!"
Android

Vivaldi Browser Gets Built-in Tracking Blocker, Goes GA on Android (techcrunch.com) 26

Vivaldi, the browser launched by former Opera CEO Jon von Tetzchner, has long positioned itself as a highly customizable alternative to Chrome and Firefox for power users. Today, the team is launching version 3.0 of its desktop browser, with built-in tracker and ad blockers, and it's bringing its Android browser out of beta. From a report: I've long been a fan of Vivaldi, but the company was relatively late to the tracking protection game. Now it's doubling down by integrating a blocklist powered by DuckDuckGo's Tracker Radar. Like competing browsers, Vivaldi offers three blocking levels that users can easily toggle on and off for individual websites. Those blocking levels are relatively blunt, though, with the options to either block trackers, block trackers and ads, or disable blocking. Competitors like Edge offer slightly more nuanced options for blocking trackers, though I would expect Vivaldi to adopt a similar scheme over time.
Firefox

Mozilla Installs Scheduled Telemetry Task On Windows With Firefox 75 (ghacks.net) 102

Ghacks writes: Observant Firefox users on Windows who have updated the web browser to Firefox 75 may have noticed that the upgrade brought along with it a new scheduled task. The scheduled task is also added if Firefox 75 is installed on a Windows device. The task's name is Firefox Default Browser Agent and it is set to run once per day...
Mozilla says:
  • "We're collecting information related to the system's current and previous default browser setting, as well as the operating system locale and version. This data cannot be associated with regular profile based telemetry data..."
  • "We'll respect user configured telemetry opt-out settings by looking at the most recently used Firefox profile."
  • "We'll respect custom Enterprise telemetry related policy settings if they exist. We'll also respect policy to specifically disable this task."

"Collecting telemetry is one way we're able to ensure we can understand default browser trends in a way that helps us improve Firefox. It's our hope that by better understanding more about our users and their choices around browser preferences, we can continue to build a better Firefox."

Long-time Slashdot reader AmiMoJo writes, "Opting out can be done via the Privacy & Security section of the preferences screen. You can view collected telemetry and view your current settings at about:telemetry."

Bleeping Computer also notes that by default, "For some time, Firefox has been collecting telemetry data about how you use the browser, such as the number of web pages you visit, safebrowsing information, the number of open tabs and windows, what add-ons are installed, and more. This telemetry data is kept for 13 months and IP addresses listed in server logs are deleted every 30 days.

"On my computer, Firefox has collected over 400KB of information."


Mozilla

Longtime Mozilla Leader Mitchell Baker is Now CEO (cnet.com) 34

On Wednesday, Mozilla chair and longtime leader Mitchell Baker was named permanent CEO of the company that makes the Firefox web browser. From a report: Mitchell became interim CEO of Mozilla in December 2019, after former CEO Chris Beard resigned. The company conducted an external candidate search over the last eight months, and concluded that Mitchell is the right leader for Mozilla at this time, according to a company blog post published Wednesday. "Increasingly, numbers of people recognize that the internet needs attention," Baker said in another Mozilla blog post Wednesday. "Mozilla has a special, if not unique role to play here. It's time to tune our existing assets to meet the challenge. It's time to make use of Mozilla's ingenuity and unbelievable technical depth and understanding of the "web" platform to make new products and experiences. It's time to gather with others who want these things and work together to make them real."
Firefox

Firefox 75 Arrives With Revamped Address Bar; Mozilla To Stick With 2020 Schedule (venturebeat.com) 43

An anonymous reader writes: Mozilla today launched Firefox 75 for Windows, Mac, and Linux. Firefox 75 includes a revamped address bar with significant search improvements, a few performance tweaks, and a handful of developer features. You can download Firefox 75 for desktop now from Firefox.com, and all existing users should be able to upgrade to it automatically. According to Mozilla, Firefox has about 250 million active users, making it a major platform for web developers to consider.

When the coronavirus crisis took hold, millions found themselves spending more time in their browsers as they learn and work from home. But the crisis is also impacting software developers. Google was forced to pause its Chrome releases, which typically arrive every six weeks. Ultimately, Chrome 81 was delayed, Chrome 82 is being skipped altogether, and Chrome 83 has been moved up a few weeks. Microsoft has followed suit with Edge's release schedule, consistent with Google's open source Chromium project, which both Chrome and Edge are based on. Mozilla wants to make clear it is not in the same boat. The company took an indirect jab at Google and Microsoft today, saying: "We've built empathy into our systems for handling difficult or unexpected circumstances. These strengths are what allow us to continue to make progress where some of our competitors have had to slow down or stop work."

Firefox

Edge Overtakes Firefox To Become the Second-Most Popular Browser (softpedia.com) 119

Long-time Slashdot reader AmiMoJo quotes Softpedia: It was probably just a matter of time, but the thing so many people, including everyone at Microsoft, expected finally happened: Microsoft Edge surpassed Mozilla Firefox to become the world's second most-used desktop browser. Data provided by market analysis firm NetMarketShare reveals that the whole thing happened in March, when the adoption of the Chromium-powered Microsoft Edge improved to a level that allowed it to overtake Mozilla's own browser.

So right now, Microsoft Edge is the second most-used desktop browser on the planet with a share of 7.59%, while Mozilla Firefox is now third with 7.19%.

As for who's leading the pack, Google Chrome continues to be number one with a share of 68.50%.

Twitter

Twitter Discloses Firefox Bug That Cached Private Files Sent or Received via DMs (zdnet.com) 42

Social networking giant Twitter today disclosed a bug on its platform that impacted users who accessed their platform using Firefox browsers. From a report: According to Twitter, its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily. Twitter said that once users left their platform or logged off, the files would remain in the browser cache, allowing anyone to retrieve it. The company is now warning users who share workstations or used a public computer that some of their private files may still be present in the Firefox cache. Malware present on a system could also scrape and steal this data, if ever configured to do so.
Movies

To Conserve Bandwidth, Should Opting In Be Required Before Autoplaying Videos? (fatherly.com) 103

An anonymous reader writes: We keep seeing stories about how providers are slowing down their streaming speed to reduce bandwidth usage during this period when many are being asked to stay at home... But it seems that many are totally ignoring a very obvious way to reduce usage significantly, and that is by disabling autoplay on their web sites and in their apps.

To give an example, a couple of days ago I was watching a show on Hulu, and either I was more sleepy than I thought or the show was more boring than I had expected (probably some combination of both), but I drifted off to sleep. Two hours later I awoke and realized that Hulu had streamed two additional episodes that no one was watching. I searched in vain for a way to disable autoplay of the next episode, but if there is some way to do it I could not find it.

What I wonder is how many people even want autoplay? I believe Netflix finally gave their users a way to disable it, but they need to affirmatively do so via a setting somewhere. But many other platforms give their users no option to disable autoplay. That is also true of many individual apps that can be used on a Roku or similar device. If conserving bandwidth is really that important, then my contention is that autoplaying of the next episode should be something you need to opt in for, not something enabled by default that either cannot be disabled or that forces the user to search for a setting to disable.

"Firefox will disable autoplay," writes long-time Slashdot user bobs666 (adding "That's it use Firefox.") And there are ways to disable autoplay in the user settings on Netflix, YouTube, Hulu, and Amazon Prime.

But wouldn't it make more sense to disable autoplay by default -- at least for the duration of this unusual instance of peak worldwide demand?

I'd be interested in hearing from Slashdot's readers. Do you use autoplay -- or have you disabled it? And do you think streaming companies should turn it off by default?
Privacy

Doc Searls: 'Zoom Needs to Clean Up Its Privacy Act' (harvard.edu) 32

The former editor-in-chief of the Linux Journal just published an annotated version of Zoom's privacy policy. Searls calls it "creepily chummy with the tracking-based advertising biz (also called adtech). I'll narrow my inquiry down to the "Does Zoom sell Personal Data?" section of the privacy policy, which was last updated on March 18. The section runs two paragraphs, and I'll comment on the second one, starting here:

Zoom does use certain standard advertising tools which require Personal Data ...

What they mean by that is adtech. What they're also saying here is that Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data. What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it. (Unless, of course, they see an ad somewhere that looks like it was informed by a private conversation on Zoom.)

A person whose personal data is being shed on Zoom doesn't know that's happening because Zoom doesn't tell them. There's no red light, like the one you see when a session is being recorded. If you were in a browser instead of an app, an extension such as Privacy Badger could tell you there are trackers sniffing your ass. And, if your browser is one that cares about privacy, such as Brave, Firefox or Safari, there's a good chance it would be blocking trackers as well. But in the Zoom app, you can't tell if or how your personal data is being harvested.

(think, for example, Google Ads and Google Analytics).

There's no need to think about those, because both are widely known for compromising personal privacy. (See here. And here. Also Brett Frischmann and Evan Selinger's Re-Engineering Humanity and Shoshana Zuboff's In the Age of Surveillance Capitalism.)

Zoom claims it needs personal data to "improve" its users "experience" with ads -- though Searls isn't satisfied. ("Nobody goes to Zoom for an 'advertising experience,' personalized or not. And nobody wants ads aimed at their eyeballs elsewhere on the Net by third parties using personal information leaked out through Zoom.") His conclusion?

"What Zoom's current privacy policy says is worse than 'You don't have any privacy here.' It says, 'We expose your virtual necks to data vampires who can do what they will with it.'"
