Time filter

Source Type

United States

Zakai A.,Mozilla
SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion | Year: 2011

We present Emscripten, a compiler from LLVM (Low Level Virtual Machine) assembly to JavaScript. This opens up two avenues for running code written in languages other than JavaScript on the web: (1) Compile code directly into LLVM assembly, and then compile that into JavaScript using Emscripten, or (2) Compile a language's entire runtime into LLVM and then JavaScript, as in the previous approach, and then use the compiled runtime to run code written in that language. For example, the former approach can work for C and C++, while the latter can work for Python; all three examples open up new opportunities for running code on the web. Emscripten itself is written in JavaScript and is available under the MIT license (a permissive open source license), at http://www.emscripten.org. As a compiler from LLVM to JavaScript, the challenges in designing Emscripten are somewhat the reverse of the norm - one must go from a low-level assembly into a high-level language, and recreate parts of the original high-level structure of the code that were lost in the compilation to low-level LLVM. We detail the methods used in Emscripten to deal with those challenges, and in particular present and prove the validity of Emscripten's Relooper algorithm, which recreates high-level loop structures from low-level branching data. Source

News Article | March 15, 2016
Site: http://motherboard.vice.com/

A large number of the internet’s major websites still don’t use encryption, or haven’t implemented it correctly, potentially exposing their users to hackers and spies. Despite a widespread movement toward more encryption on the web, which is commonly referred to as HTTPS and signalled with a green lock pad on your browser’s address bar, only 25 of the world’s top 100 websites use it by default, according to a new survey published by Google on Tuesday. The internet giant published data on other websites, as well as its own services, in an effort to encourage—and perhaps even shame—more site owners and webmasters to adopt better practices to protect users privacy and security. “As more people spend more of their time on the web, [encryption] is an increasingly essential element of online security,” Google employees Rutledge Chin Feman and Tim Willis wrote in a blog post. Among the sites that still don’t use any encryption, or don’t implement it with all modern protections and by default, there’s major news sites, such as those of the BBC, The New York Times, and CNN, as well most major porn websites, or retailers like eBay or Amazon. While another kind of encryption, that protecting data on people’s phones, is on everyone’s minds, web encryption is also important for regular people’s lives. Without that extra “S,” which signals the use of the encryption standard Transport Layer Security (TLS), everything you do on a site isn’t fully private or secure, allowing anyone that has access to data flowing through the internet to not just see it, but also intercept and manipulate it. Not using an encrypted connection means a hacker using the same Wi-Fi at your favorite coffee shop could steal your passwords or banking information, and that your internet service provider can better track your online activity and sell your private data to advertisers. But it also means that a repressive government can know exactly what articles or sites you’re visiting, and could even censor only certain pages within a website. Government spies could also take advantage of the lack of encryption to infect your computer with malware or spyware, or use your connection as part of a cyberattack on somebody else. “HTTPS provides confidentiality (traffic is unintelligible to those without [encryption] keys) and integrity (traffic is verified when it arrives at its destination as being the same traffic that was sent),” Joseph Hall, the chief technologist with the Center for Democracy and Technology, told Motherboard in an online chat. “Integrity is increasingly the value the entire Crypto War is missing, ensuring that any middleman between the browser and the destination cannot add, subtract, or modify content in transit.” That’s why privacy and security advocates have been pushing for the whole internet to be encrypted, and not just login portals or pages containing users’ private data. “This planet is going to need a secure medium of communication, and that’s going to have to be a secure version of the web,” Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation, told Motherboard. Google has been one of the big companies and organization pushing for more encryption, but others, such as Apple, Mozilla, and the EFF, has all been part of the movement. There have been several challenges that have been slowing down a fully encrypted web. First of all, getting a TLS or SSL security certificate for a website was expensive and involved considerable bureaucracy. But that’s not the reality anymore, thanks to recent initiatives such as Let’s Encrypt, and CloudFlare’s Universal SSL, which make it easy and free to implement encryption on websites. Last week, the Let’s Encrypt project announced that in just three months since its public launch, it has already provided HTTPS certificates for 2.5 million web domains. However, for websites with a complex infrastructure, and content served by third-parties, such as ads, moving to HTTPS isn’t like just flipping a switch. That’s why websites, especially news ones, can only be encrypted if the ads they are serving are also encrypted. In the past, Google has called for more encryption across the internet (including emails) and recently hinted that it wanted to shame all websites that didn’t use it. But even Google itself hasn’t achieved the dream of going full HTTPS. Across Google services, 75 percent of user requests now travel over an encrypted connections, up from 52 percent at the end of 2013, according to the company's own data, published in a new section of its transparency report. But that’s excluding YouTube, which obviously represent a huge amount of traffic to Google servers. Google for now isn’t releasing statistics on the video site, only saying they’re working on it. (A company spokesperson declined to comment.) It’s unclear what this means exactly, but it’s possible that some parts of YouTube still aren’t fully encrypted, or that Google is still surveying the video site’s infrastructure. Google reportedly implemented some HTTPS encryption on YouTube back in 2014, when a researcher revealed that governments using tools from surveillance companies such as FinFisher and Hacking Team were taking advantage of unencrypted YouTube video streams to infect targets with spyware. One thing is clear, while it may be slow, the movement toward a more encrypted web seems unstoppable. “In 2016 every website needs to be HTTPS, whether it’s a new website coming online, or an old one,” Eckersley said.

News Article | September 7, 2016
Site: http://motherboard.vice.com/

Soon, Google Chrome will phase out full support for Flash, meaning that, on most sites, users will have to manually activate the aging software if necessary. The move is largely for security reasons: Researchers regularly find dangerous vulnerabilities in Flash. On Tuesday, porn site Pornhub said it would be ditching all Flash content from its site, opting instead for HTML5, the most recent version of the web language that offers more support for multimedia content. Since hackers have had a number of successes at compromising porn sites, it’s notable that one of the largest is taking this step, albeit when Flash is already on its last legs. “It was just a matter of time until we switched, as HTML5 is becoming the standard across platforms. Now makes the most sense as Google and Firefox are slowly pushing Flash support out of their browsers. Plus HTML5 has improved security, better power consumption and it’s faster to load,” Corey Price, vice president of Pornhub, told Motherboard in an email. “All adult sites should make the transition to HTML5. Flash is nearly dead,” he added. In January, hackers took advantage of two Flash vulnerabilities to deploy malware on Windows machines, which, according to the Guardian, led Mozilla to disable Flash in its Firefox browser until users had updated to a current version. That same month, YouTube announced it would stop serving its videos via Flash for anyone using a modern browser. The attacks keep coming. In June, Adobe patched a critical vulnerability in Flash that was being exploited in the wild, after fixing other issues in March, April and May of this year as well. In July, Adobe fixed a staggering 52 vulnerabilities in Flash. At the time of writing, other porn sites including YouPorn, xHamster, and RedTube are all serving their content over Flash in a fully up-to-date Google Chrome browser. RedTube, which is an affiliate of Pornhub, is expected to make the switch in a few weeks, according to a company spokesperson. YouPorn and xHamster did not respond to a request for comment. “Support for new technologies is critical to stay ahead of the competition but also to keep up with new performance and security standards imposed by web browsers,” Jérôme Segura, lead malware intelligence analyst at cybersecurity company Malwarebytes, told Motherboard in a Twitter message. “The Flash Player is very much like Windows XP in that its lifespan was extended way past its prime.” “Contrary to some beliefs, these top adult sites are very concerned about their security and spend considerable resources to keep malicious ads (malvertising) out and also invest in proactive research to secure their infrastructure,” he added. Pornhub was only serving Flash to a minority of its visitors. According to Pornhub spokesperson Chris Jackson, 70 percent of the company's traffic comes from mobile. However, Price said that, “This transition will affect close to 20 million daily visitors”—so still a relatively large number of users. “We expect the transition to be seamless for our users. Our new player has been tested for several months on numerous browsers and platforms,” he said. Want more Motherboard in your life? Then sign up for our daily newsletter.

News Article | April 13, 2016
Site: http://motherboard.vice.com/

In February, the FBI was ordered to provide the full malware code used to hack visitors of a dark web child pornography site to the defense in an affected case. Then the Department of Justice pushed back, and asked the judge to reconsider the decision. But experts feel the FBI may be sitting on something much worse than a tool used to just catch suspected criminals: a vulnerability in the Firefox browser, a piece of software used by hundreds of millions of people all over the world. “The Tor Browser is simply Firefox running in a hardened mode,” Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, wrote on the Lawfare blog last week. Because the site the FBI took over was on the dark web, visitors typically had to use the Tor Browser to access it. “While many Firefox exploits will not work against the Tor browser—particularly those relying on Flash—the converse is not necessarily true. To the contrary, any Tor browser exploit is almost certainly a Firefox exploit too,” Weaver added. In February 2015, the FBI seized child pornography site Playpen, and for 13 days ran it from a government facility in Virginia. During this time, the agency deployed what it calls a network investigative technique (NIT), or in other words, a hacking tool. According to testimony provided by FBI Special Agent Daniel Alfin, “The NIT was deployed against users who accessed posts in the 'Preteen Videos—Girls Hardcore' forum because users accessing posts in that forum were attempting to access or distribute or advertise child pornography.” In a more recent affidavit, in response to claims from a technical expert held by the defense, Alfin wrote that, “As used here, a computer 'exploit' consists of lines of code that are able to take advantage of a software vulnerability,” and added that “an 'exploit' allowed the FBI to deliver a set of instructions—the NIT—to Michaud's computer.” Michaud is one of at least 137 people charged with child pornography offenses in the US as part of the investigation into Playpen, codenamed "Operation Pacifier." The specifics behind NITs have been disclosed in the past: in a 2012 investigation also targeting suspected child pornography visitors on the dark web, the FBI used a Flash applet from the popular hacking suite Metasploit. But this case is seemingly different, with the Department of Justice fighting to keep details of the technique used on Playpen under wraps, even though the code would only be provided to the defense and under a protective order. “The FBI's strenuous efforts to shield their exploit from disclosure to me suggests that it likely still works,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an encrypted phone call. (Soghoian has been called as an expert by the defense in an affected case.) If the vulnerability used to hack visitors of Playpen does affect Firefox as well as the Tor Browser, and it has yet to be plugged, “The government is essentially choosing to keep hundreds of millions of people vulnerable in case a few of them turn out to be criminals later,” he said. Indeed, software vulnerabilities can be discovered by other parties, such as researchers, foreign governments, or criminals. In an NSA presentation published by The Guardian in 2013, the presentator indicated that the agency needed a “native Firefox exploit” to target Tor Browser users, because of the add-ons bundled with the software, and the general security advice given to users. But it's important to stress that it is not totally clear whether the FBI did use a zero-day vulnerability. There is the chance that the Department of Justice is trying to avoid revealing extra information about an already public issue or technique, although it's not immediately clear why that would be the case. Using its NIT, the FBI obtained over a thousand IP addresses for US-based users of Playpen, according to a plea agreement in an affected case. A Europol presentation uncovered by Motherboard claims the agency has generated 3,229 cases as part of Operation Pacifier, including 34 in Denmark. Motherboard also found cases in Chile, Greece and the UK, and potentially related arrests in Turkey and Colombia. An average of 11,000 unique visitors accessed Playpen each week, according to court documents. “We are in discussions with Mozilla to find solutions to the problem,” Kate Krauss, spokesperson for the Tor Project, told Motherboard in an email. A spokesperson from Mozilla said, “We are always looking for potential vulnerabilities in Firefox but, without more information, we cannot investigate whether the FBI used a specific vulnerability. When we become aware of vulnerabilities, we aim to fix them in a timely fashion.” “The Tor Browser is based on Firefox but also has some Tor-specific code. As said, without more information, we have no way of knowing whether a specific issue in the Tor Browser also affects Firefox,” the spokesperson added. Mozilla said it has never received a vulnerability disclosure from the FBI, and the Tor Project said it has not received a disclosure from any US agency since March 2015, when the Playpen operation ended. “I cannot comment at all on potential vulnerabilities,” Christopher Allen, a spokesperson for the FBI, told Motherboard in an email.

News Article | January 24, 2016
Site: http://motherboard.vice.com/

Ad blockers are becoming increasingly common, but if you’re an avid reader, maybe you feel a little twinge of guilt at depriving your favorite website the smidgen of revenue it earns off your clicks. Brendan Eich, the co-founder of Mozilla and inventor of JavaScript, wants to assuage your guilt with his new project, Brave. Brave functions as a browser on desktop and mobile devices, blocks ads and trackers from the sites you visit, and incorporates HTTPS Everywhere, a browser plugin developed by the Electronic Frontier Foundation that ensures an encrypted connection whenever possible. Sounds somewhat similar to AdBlock, Peace, and every other ad-blocking browser you’ve heard of recently, right? Here’s the difference: Brave blocks ads, but then replaces them with other ads. Brave is being referred to as a browser, and while you can install it on your computer or phone and use it browse the web, it’s important to note that its primary function is as a vehicle for ad sales. Eich himself doesn’t call Brave a browser, but rather a “browser-based ad-tech platform.” Brave isn’t intended to revolutionize web browsing; in fact, it’s based on pre-existing browsers like Firefox and Chromium. Instead, Brave aims to reinvent online advertising. Brave comes with all the harbingers of techno-utopianism—amped-up privacy features, a profit-sharing model that lets everyone involved feel a bit like an entrepreneur, and, of course, bitcoin. The ad-free browsing experience has been attempted before, but developers have run into controversy from web publishers, who say that ad-blocking thwarts a major revenue stream. The problem came to a head with the launch of Peace, created by Tumblr co-founder Marco Arment, last year. Arment pulled his ad blocker from the App Store after just 36 hours, writing on his blog that the success of the app didn’t feel good. “Ad blockers come with an important asterisk: while they do benefit a ton of people in major ways, they also hurt some, including many who don’t deserve the hit,” he wrote on his blog. But even though the premise of replacing ads with even more ads seems bizarre, the utopian approach might actually work. “Blockers can make the user experience of the Web much better. But as Marco Arment noted, they don’t feel good to many folks. They feel like free-riding, or even starting a war,” Eich explains on Brave’s website. “With enough people blocking ads, the Web’s main funding model is in jeopardy.” Brave intends to serve only “clean ads” that won’t track users or slow down browsing. The revenue generated by these clean ads will be split between Brave, advertisers, web publishers, and users. Publishers will receive the largest cut—55 percent of the revenue—while Brave, advertisers, and users will each receive 15 percent. Eich’s sales pitch to users is simple: block the ads that slow down your browser and invade your privacy, while still financially supporting the websites you love. Users receive small bitcoin payments for their browsing, which they can pay forward to their favorite websites in exchange for ad-free viewing. The incorporation of HTTPS Everywhere is also an important security step for mobile browsing explains Yan Zhu, Brave’s senior software engineer for privacy and security. Zhu previously made the browser extension, which forces a more secure https connection on sites that allow it, available for Firefox on Android. But users had to jump through too many hurdles: first, installing a non-default browser, and then downloading the browser extension. “They had to take extra steps and that created an adoption problem,” Zhu told Motherboard by phone. With Brave, “We just want you to download the browser and have https on.” Building security in at the browser level instead of relying on extensions also makes browsing faster, Zhu explained. With faster browsing and stronger security, Brave could easily attract users (it needs around 7 million users to be viable, according to Ars Technica). But the pitch for publishers is a little trickier —Brave pushes them into a bitcoin-based payment system by automatically establishing bitcoin wallets for publishers and depositing their cut of the ad revenue into them. It’s up to publishers to figure out how to collect. Still, the concept isn’t unheard of. Google offers a similar strategy, called Contributor, which allows users to make micropayments to websites in exchange for a reduction in advertising. Brave published its source code on Github this week, so more technical users can install and test it today. Non-technical users will have to wait for the official launch, which has not yet been announced but is expected later this year.

Discover hidden collaborations