Security

Security Expert Launches BreachClarity.com, A New Data Breach Response Tool (breachclarity.com) 10

A new online tool "analyzes publicly disclosed data breaches and gives concrete advice to victims," reported CNET last week. Now the site's creator, data breach expert jimvandyke, is asking Slashdot's readers for feedback: At BreachClarity.com, just enter the name of any data breach you were in (such as 'Anthem', 'Equifax', 'Yahoo', etc.), and click the bright green 'search' button. Every publicly-reported breach since January 2017 (and noteworthy older ones) is in the database, and eventually every publicly-reported breach will be in the database, thanks to my non-profit partner the IDTheftCenter.org (ITRC). Breach Clarity is now available for free in basic form to consumers, as a very simple UI sitting in front of a comprehensive algorithm of my own design.

The goal of Breach Clarity is to help people by demystifying how any new data breach creates identity-holder risk of identity theft, identity fraud, and other harms. My goal in creating Breach Clarity is to move past the myths and victim-blaming (for instance, my research finds that very few people are actually 'apathetic' or 'lazy' when it comes to security, and it's simply not true that 'everyone's data is all already out there' for any cyber-criminal who wants to commit fraud in another person's name).

Breach Clarity uses dynamic research, technology, and design-thinking to protect people in the face of an onslaught of ongoing data breaches (The ITRC recorded 1,244 publicly reported US ones last year, leading to over $10B in annual identity crimes as reported by my former company Javelin Strategy & Research!)... If you like what you see, please use it and spread the word.

The original submission says the site's creator is currently "a one-person pre-funded operation, aiming to create an advanced and more full-featured version of Breach Clarity that will be licensed for financial institutions and employers." But if this is beta testing, there's some great technical support. "If you're confused by what you see, you can actually call the phone number in the upper right of BreachClarity and talk to a real person for free. You'll reach my partner, the ITRC, who gets grant funding from law enforcement and foundations."

CNET notes that "You can already find out if you've lost login credentials and other sensitive information by visiting Have I Been Pwned or Firefox Monitor. Breach Clarity takes things a step further by helping you decide what to do afterward."
Mozilla

12 Years After It Was Notified, Firefox To Add Full Protection Against 'Login Prompt' Spam (zdnet.com) 24

Twelve years after it was first notified of the issue, Mozilla has finally shipped a fix this week that will prevent abusive websites -- usually tech support scam sites -- from flooding users with non-stop "authentication required" login popups and preventing users from leaving or closing their browsers. From a report: The fix has been shipped in Firefox v68, the current Nightly release, and will hit the browser's stable branch sometime in early July. According to Firefox engineer Johann Hofmann, starting with Firefox 68, web pages won't be allowed to show more than two login prompts. Starting with the third request, Firefox will intervene to suppress the authentication popup.

Mozilla previously shipped a fix for this issue, but it was incomplete, as it only blocked authentication prompts that originated from subresources, such as iframes. This latest patch completes the fix by blocking all types of authentication required prompts -- including those generated by the site's main domain.

Firefox

Mozilla Will Run Two Experiments This Month With Firefox To Explore Ways To Fight Push Notification Permission Spam (zdnet.com) 98

Mozilla said this week that it intends to run two experiments over the course of this month to determine the most adequate way of dealing with push notification spam, a growing problem that is slowly deteriorating the web experience for everyone. From a report: The experiments will run in Firefox Nightly (v68) and Firefox Beta (v67). The Firefox Nightly experiment will run from April 1 to April 29. During this time, Mozilla said Firefox Nightly would only allow websites to show a push notification permission request after the user has clicked or pressed a key while on a website. All attempts to show a push notification permission request before a click or key press will be blocked by default. [...] In the last two weeks of the experiment, Firefox will show an icon in the URL bar, but with no visible popup on the page. Users can click this icon and accept any push notification permission requests if they so wish. Further reading: Mozilla and Scroll Partner To Test Alternative Funding Models for the Web.
Mozilla

Firefox Lockbox Comes To Android To Ease Password Pain (cnet.com) 38

If you're a Firefox true believer, or even just a Firefox user, your password struggles just got a little easier with the release of Firefox Lockbox for Android devices. From a report: The password manager, based on login information already in Firefox, makes it easier to sign into apps as well. It integrates with login autocomplete systems in both Apple's iOS and Google's Android software, Mozilla said. It's not as fancy as password managers like LastPass, BitWarden, 1Password and Dashlane, and the only browser it works with is Firefox. On the other hand, if you're already in the Firefox world, it's basically already set up for you. There's no migration process as with dedicated password managers.
Bug

Pwn2Own Competitors Crack Tesla, Firefox, Safari, Microsoft Edge, and Windows 10 (zdnet.com) 41

A research duo who hacked a Tesla were the big winners at the annual Pwn2Own white hat security contest, reports ZDNet. "The duo earned $375,000 in prize money, of the total of $545,000 awarded during the whole three-day competition... They also get to keep the car." Team Fluoroacetate -- made up of Amat Cama and Richard Zhu -- hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its entertainment system... Besides keeping the car, they also received a $35,000 reward. "In the coming days we will release a software update that addresses this research," a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability.

Not coincidentally, Team Fluoroacetate also won the three-day contest after earning 36 "Master of Pwn" points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10... [R]esearchers also exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle Virtualbox, and Windows 10.

Firefox

Firefox 66 Arrives With Autoplaying Blocked by Default, Smoother Scrolling, and Better Search (venturebeat.com) 154

An anonymous reader writes: Mozilla today launched Firefox 66 for Windows, Mac, Linux, and Android. The release includes autoplaying content (audio and video) blocked by default, smoother scrolling, better search, revamped security warnings, WebAuthn support for Windows Hello, and improved extensions. The company says its main goal with this release is to reduce irritating experiences such as auto-playing videos, pop-ups, and page jumps. Firefox 66 for desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play.
Math

Musician Creates a Million-Hour Song Based On the Number Pi (vice.com) 65

An anonymous reader quotes a report from Motherboard: Now, for Pi Day (March 14), music software programmer Canton Becker has crafted a million-hour song based on Pi that unfolds generatively on a virtual tape deck. Titled "Shepard's Pi," the song combines two of Becker's favorite infinities: Pi, and an auditory illusion called a Shepard tone, which he describes as an "unsettling sonic illusion of a pitch that climbs or descends forever, never reaching a top or a bottom." At PiSongs.com, users can tune into "Shepard's Pi" in real time with a custom virtual tape deck. The track itself evolves moment to moment, but the synthesized and sampled tones will be familiar to anyone who has ever listened to the electronic music of Kraftwerk, Tangerine Dream, Aphex Twin, and Global Communication. Far from being a mere gimmick, it is a highly evocative and transporting piece of electronic music, alternately ambient, glitchy, and interestingly rhythmic. The 58,999 GB MP3 file needed to be distributed via a webpage or app, so Becker "started hacking away at the basic algorithm in the programming languages PHP and Javascript," reports Motherboard. "In between coding marathons, Becker composed and recorded the loops and samples that would form the basis of the song. He experimented with sounds that would work well together regardless of being stacked one upon the other."

"When users hit 'play' on the virtual tape deck, the algorithm actually 'performs' the piece," the report says. "This way, the 114-year song can fit in just one gigabyte of space, which is mostly comprised of the digits of Pi. The virtual tape deck was also a solution to a built-in quirk of browsers such as Chrome, Safari, and Firefox -- users must click on a webpage to trigger a sound." From start to finish, the song lasts 999,999 hours, "a limitation imposed by only considering the first one billion digits of Pi."
Data Storage

Firefox Send Lets You Share 1GB Files With No Strings Attached (cnet.com) 50

In 2017, Mozilla experimented with a service that let you transfer 1GB files by sharing a web address with the recipient. Firefox Send is now out of testing and boasts a magnified 2.5GB file-size limit if you log into your Firefox account. From a report: Firefox Send is handy for those moments when you need to share video, audio or photo files that can be too big to squeeze into an email attachment. [...] Firefox Send, which will also be available as an Android app, illustrates one of Mozilla's efforts to diversify beyond the Firefox browser. Mozilla touts Firefox Send as focusing on privacy and uses encryption to protect files. Firefox Send files are available for up to seven days and can be password-protected. You can also limit the number of times they're downloaded.
Japan

Japanese Police Charge 13-Year-Old Girl For Sharing 'Unclosable Popup' Code Online (zdnet.com) 132

"Japanese police have brought in, questioned, and charged a 13-year-old female student from the city of Kariya for sharing [links to] browser exploit code online," writes ZDNet. An anonymous reader shares their report: The code was a mere prank that triggered an infinite loop in JavaScript to show an "unclosable" popup when users accessed a certain link, Japanese news agency NHK reported yesterday. The popup could be closed in some browsers -- such as Edge and Firefox on desktop -- but couldn't be closed in others, such as Chrome on desktop and the majority of mobile browsers.

The popup was hosted in several places online, and police say the teenager helped spread the links... The teenage girl did not create the malicious code, which had been shared on online forums by multiple users for the past few years. NHK reported that police also searched the house of a second suspect, a 47-year-old man from Yamaguchi, and are also looking at three other suspects for the same "crime" of sharing the link on internet forums.

Ars Technica found a tweet suggesting that the code was actually written in 2014.
Microsoft

Microsoft Rolls Out New Skype for Web; Does Not Support Firefox, Safari, and Opera (venturebeat.com) 97

Microsoft this week revamped Skype's browser-based client with a slew of new features. From a report: The Seattle company this week announced the rollout of a major Skype for Web update, which introduces high-definition video calling, a redesigned notifications panel, a revamped media gallery, and more. It's available on any PC running Windows 10 and Mac OS X 10.12 or higher with the latest versions of Google Chrome or Microsoft Edge. The bulk of the new capabilities debuted in preview last October, but they're available widely starting this week. Skype for Web does not support Safari, Firefox, and Opera browsers, Microsoft has confirmed.
Firefox

Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing (zdnet.com) 101

Mozilla is scheduled to add a new user anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year. "Called 'letterboxing,' this new technique adds 'gray spaces' to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished," reports ZDNet. From the report: Advertising networks often sniff certain browser features, such as the window size, to create user profiles and track users as they resize their browser and move across new URLs and browser tabs. The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users -- and then adding a "gray space" at the top, bottom, left, or right of the current page.

The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions.

The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.
Firefox

Firefox Fears UAE Government's Cybersecurity Company 'DarkMatter' May Be Tied To a Cyber Espionage Program (patentlyapple.com) 20

An anonymous reader quotes a report from Patently Apple: Firefox browser-maker Mozilla is considering whether to block cybersecurity company DarkMatter from serving as one of its internet security gatekeepers after a Reuters report linked the United Arab Emirates-based firm to a cyber espionage program. Reuters reported in January that DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government. Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive program, which operated from a converted Abu Dhabi mansion away from DarkMatter's headquarters.

Those operations included hacking into the internet accounts of human rights activists, journalists and officials from rival governments, Reuters found. DarkMatter has denied conducting the operations and says it focuses on protecting computer networks. While Mozilla had been considering whether to grant DarkMatter the authority to certify websites as safe, two Mozilla executives said in an interview last week that Reuters' report raised concerns about whether DarkMatter would abuse that authority. Mozilla said the company has not yet come to a decision on whether to deny the authority to DarkMatter, but expects to decide within weeks.
Further reading available via Reuters
The Internet

W3C Approves WebAuthn as the Web Standard For Password-Free Logins (venturebeat.com) 55

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. From a report: First announced by the W3C and the FIDO Alliance in February 2016, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.
Firefox

Mozilla and Scroll Partner To Test Alternative Funding Models for the Web (venturebeat.com) 86

An anonymous reader shares a report: News subscription service Scroll, which is yet to launch to consumers but has received the backing of several top publishers, courted another major player today: Mozilla. The browser maker says it will work with Scroll to better understand how consumers react to ad-free experiences on the web and subscription-based funding models. As part of the deal, Mozilla said it would test features and product ideas provided by Scroll, which itself has been conducting internal tests with a number of outlets. Small groups of Firefox users will be invited at random to share feedback and also respond to surveys, Mozilla said.
Opera

Opera Shows Off Its Smart New Redesign That's Just Like All the Other Browsers (arstechnica.com) 54

Opera has unveiled a major redesign for its browser that's expected to ship in version 59. As Peter Bright writes via Ars Technica, "the new appearance adopts the same square edges and clean lines that we've seen in other browsers, giving the browser a passing similarity to both Firefox and Edge." From the report: The principles of the new design? "We put Web content at center stage," the Opera team writes on its blog. The design is pared down so that you can browse "unhindered by unnecessary distractions." Borders and dividing lines have been removed, flattening out parts of the browser's interface and making them look more uniform and less eye-catching. The new design comes with the requisite dark and light modes, a welcome trend that we're glad to see is being widely adopted.

Being Web-centric is not a bad principle for an application such as a browser, where the bulk of the functionality and interest comes from the pages we're viewing rather than the browser itself. At first blush, I think that Opera has come up with something that looks good, but it does feel like an awfully familiar design rationale. [...] Opera plans to ship the R3 release in March, and a developer preview can be downloaded today to give the new appearance a spin. The new design isn't the only notable feature of R3; it also integrates a crypto wallet for Ethereum transactions. In conjunction with Opera on your phone, this feature can be used to securely make online payments to sites using Coinbase Commerce for their payment processing.

KDE

KDE Plasma 5.15 Released (kde.org) 44

jrepin writes: Today, KDE launched Plasma 5.15, the first stable release of the popular desktop environment in 2019. For this release the Plasma team has focused on hunting down and removing all the paper cuts that slow you down. Plasma 5.15 brings a number of changes to the configuration interfaces, including more options for complex network configurations. Many icons have been added or redesigned to make them clearer. Integration with third-party technologies like GTK and Firefox has been improved substantially. Discover, Plasma's software and add-on installer, has received tons of improvements to help you stay up-to-date and find the tools you need to get your tasks done. For a more detailed list of features/changes, you can browse the full Plasma 5.15 changelog.
AI

Ubisoft And Mozilla Announce AI Coding Assistant Clever-Commit (variety.com) 40

Video game publisher Ubisoft is working with Mozilla to develop an AI coding assistant called Clever-Commit, head of Ubisoft La Forge Yves Jacquier announced during DICE Summit 2019 on Tuesday. From a report: Clever-Commit reportedly helps programmers evaluate whether or not a code change will introduce a new bug by learning from past bugs and fixes. The prototype, called Commit-Assistant, was tested using data collected during game development, Ubisoft said, and it's already contributing to some major AAA titles. The publisher is also working on integrating it into other brands. "Working with Mozilla on Clever-Commit allows us to support other programming languages and increase the overall performances of the technology. Using this tech in our games and Firefox will allow developers to be more productive as they can spend more time creating the next feature rather than fixing bugs. Ultimately, this will allow us to create even better experiences for our gamers and increase the frequency of our game updates," said Mathieu Nayrolles, technical architect, data scientist, and member of the Technological Group at Ubisoft Montreal.
The Internet

Samsung's Android Browser Hits 1 Billion Downloads, More Than Firefox and Opera Combined (androidpolice.com) 87

An anonymous reader shares a report: Samsung's mobile internet browser, if you ask its users, is pretty great. A lot of folks even say it's better than Chrome. That appreciation has manifested in the app hitting a very exclusive Play Store milestone: Samsung Internet Browser now has more than one billion installs. That impressive figure puts the browser's install base ahead of those of Firefox and Opera combined. Now, there are a couple of caveats here: for one, Samsung's browser comes pre-loaded on Samsung devices, of which each activation counts as an "install." What's more, both Firefox's and Opera's Play Store listings report that each browser has "100,000,000+" installs, which, because of the somewhat silly way figures are reported on Android's app marketplace, means their combined installs total anywhere between 200 million and 999,999,998. Still, though, Samsung's browser is on more devices than the both of 'em.
Android

Google Play Caught Hosting An App That Steals Users' Cryptocurrency (arstechnica.com) 66

The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with Eset security company. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."
Microsoft

Please Stop Using Internet Explorer, Microsoft Says (mashable.com) 174

Microsoft cybersecurity expert Chris Jackson recently published a post on the official Windows IT Pro blog, titled "The perils of using Internet Explorer as your default browser." Jackson urges users that it's time to stop using Microsoft's old web browser, a product the company officially discontinued in 2015. From a report: In his post, Jackson explains how Microsoft customers still ask him Internet Explorer related questions for their business. The fact of the matter is that while most average internet users have moved on to Google Chrome, Firefox, or Microsoft's Edge, some businesses are still working with older web apps or sites that were designed for Internet Explorer. Instead of updating its tech, many companies have chosen to just keep using the various enterprise compatibility modes of Microsoft's old web browser. But, Jackson says "enough is enough." It's time to even stop calling Internet Explorer a web browser.