Bugzilla API 1.3 Released

I am proud to announce the release of version 1.3 of the Bugzilla REST API. This maintenance release has a bug fix or two, and fully supports the version of Bugzilla 4.2 which has just been deployed on bugzilla.mozilla.org. For smooth interaction with BMO, you should be using this version.

The installation of BzAPI 1.1 on api-dev.bugzilla.mozilla.org will go away in 4 weeks, on 4th April. There is a limit to the number of old versions we can support on the server, particularly as the older ones can put a larger load on Bugzilla and may not work correctly. Please use either the /1.3 or the /latest endpoints. Now that BzAPI has been stable for some time, tools which earlier rejected using the /latest endpoint may want to reconsider.

File bugs | Feedback and discussion

No One Considered…

Micire’s talk was an excellent example of what can happen when a device maker doesn’t lock down its device. It seems likely that no one at Google or Samsung considered the possibility of the Nexus S being used to control space robots when they built that phone. But because they didn’t lock it down, someone else did consider it—and then went out and actually made it happen.

LWN (an awesome publication; do subscribe)

Bugzilla API 1.2 Released

I am proud to announce the release of version 1.2 of the Bugzilla REST API. This maintenance release has a bug fix or two, and some features useful to the admins of Bugzillas which BzAPI is pointed at.

The installation of BzAPI 1.0 on api-dev.bugzilla.mozilla.org will go away in 4 weeks, on 19th December. There is a limit to the number of old versions we can support on the server, particularly as the older ones can put a larger load on Bugzilla. Please use either the /1.2 or the /latest endpoints. Now that BzAPI has been stable for some time, tools which earlier rejected using the /latest endpoint may want to reconsider.

File bugs | Feedback and discussion

Google Calendar, and Meetings in UTC: The ‘Reykjavik Trick’

Google Calendar is great; I’m a big fan. A little while back, it acquired timezone support for events. More recently, it acquired split timezone support (start and end in different timezones), which is awesome for flights. And there’s a drop-down list of all the countries in the world with all of their applicable timezones. Surely that must be comprehensive, right?

Well, yes and no. I attend one meeting which is scheduled in UTC. There seems to be no entry in the massive timezone list for this. If you say you are in London (GMT+00:00), then your event will obey the UK DST rules, which means it won’t actually be in UTC during the summer.

However, there is a workaround. There is one country in the world which uses UTC and no DST – Iceland. So, if you want to have a meeting whose time is set year-round in UTC, then tell Google Calendar you are holding it in Reykjavik.

(It would be nice if Google would add an explicit “UTC” option to their massive timezones list, but this will do for now.)

Website Evangelism: Mobilizing Mozilla

Mozilla has recently (re)launched Firefox for Android, and is soon to launch Firefox OS. The success of these two products is key to our mission of keeping the web open.

However, both products are mobile products, and the mobile web is currently a WebKit-focussed semi-proprietary ecosystem.

It is vital to our success that the mobile web works well on Gecko. Much research has been done into how to do this. We control only half the experience. We can alter how we render the content we are sent, but not what content we are sent. So, we can make things a bit better by unprefixing CSS and DOM properties, fixing Gecko bugs and spoofing the User Agent string, but none of these is a silver bullet. Sometimes, the problem cannot be fixed on our side. The code uses too many WebKit-isms, or assumes it’s running on an iPhone. Just like we had to in 2000, we have to make the web better by helping developers to fix it.

We have some advantages over last time round. Not everyone has a mobile-specific website. Changing User Agent sniffing code is much easier than “rewrite your site to use neither document.layers nor document.all”. We have large desktop market share, a significant brand presence, and an enormous amount of goodwill from web developers who agree with our mission. And our community is much, much bigger.

However, we need to mobilize a significant tech evangelism effort. Currently, there are a few employees working part time on this problem. They have had some significant successes already – Google, Facebook, Twitter, Youtube, Instagram – indicating that we can make a difference this way. We have tools and metrics so we can be encouraged by progress. But the web is big, the problem is very large and we need an army. My assertion is this: unless you are directly involved in the development of Firefox OS or Firefox for Android, or have managed to get a device to test it on,

Website evangelism is the most effective way you can contribute to the Mozilla mission between now and March 2013.

(Yes, tweet that.) If you have control over your own time, and you believe in the Mozilla mission, ask yourself whether what you are doing now will have as much long-term impact as time spent doing this. Then, get involved. Geeks and non-geeks alike can make a difference here. Any questions? Lawrence Mandel is your man.

Bank Details Secrecy?

In order for someone to make a direct bank transfer into your account (an increasingly common way of moving money around, even between individuals), you need to give them your account number and sort code. This information is also printed at the bottom of cheques (I write less than 5 a year these days) and on debit cards.

Question: is there anything a person of evil intent can ‘usefully’ do with just your bank account number and sort code?

Remote Access for Tech Support

Pretty much every geek has the sad job of being the tech support guy for their family and, if they aren’t nimble, their friends too. This is particularly frustrating when:

  1. they expect you to know everything about their computer when you haven’t used Windows for 10 years
  2. their computer is slow as molasses due to being loaded down with c**pware
  3. you have to do the debugging over the phone

1 and 2 I can’t help with, but 3 I can. If you are a Linux user, and want to support Windows users using a simple graphical remote access system, here’s one way to do it. (Other suggestions welcomed.) The secret is to use UVNC Single Click. However, this system is not very well documented. This is what I did:

  1. Download the “custom.zip” file
  2. Hack the “helpdesk.txt” file inside it (here’s mine), and the logo files as well if you can be bothered (the result will not look particularly pretty however hard you work)
  3. Configure it with your fixed external IP or dynamic DNS, plus a non-standard high-numbered port
  4. Make sure the port you chose is open on your firewall, forwarding to 5500 on your machine
  5. Upload the zip file to UVNC’s .exe maker (the fixed username and password you need are printed on that same page; this may be some sort of weird anti-spam thing)
  6. Send the result to your debug-ee (you may need to rename the .exe to .exe.dat or similar to dodge dumb mail filters)
  7. Use “ssvnc” to accept connections. Switch to “listen” mode, turn off SSL (I never got that working).
  8. Tell them to run the .exe and double-click one of the Connect options.
  9. Their desktop should appear in a window on your machine.

More “Transmittable” Short URLs

URL shortening services are very popular. They basically redirect a short URL – e.g. bit.ly/ABC123 – to a longer URL. (And keep logs, which can be monetized, hence Twitter’s t.co service and the requirement that tweets use it.) Most URL shortening services use the following set of characters in the unique tag: [A-Za-z0-9] – a total of 62. 6 characters is a normal number for the tag.

However, when reading such a short URL to someone, e.g. over the phone or across a conference table, a couple of problems can occur:

  • The person reading may misread; they may read “l” for “1” or “0” for “O”.
  • The person reading may under-specify, most commonly by not expressing the case.

This makes reading out such short URLs a pain, as one has to make sure to specify case correctly, and to distinguish between similar-looking characters in a possibly-unfamiliar font, or in handwriting. These problems could be avoided, and URL reading would be much easier, if the set was instead [a-km-np-z0-9], and the shortener service treated a submitted tag as case-insensitive.

This would give a choice of only 34 characters. Surely that would mean the tag would have to be much longer? Actually no:

  • 62^6 = 56800235584
  • 34^6 = 1544804416
  • 34^7 = 52523350144

Short URLs could be made more transmittable at the cost of only being 1 character longer. I think some service might find that worth doing…
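As an added illustration (not code from the post or from any shortening service), here is a small Python model of the scheme described above: the 34-symbol [a-km-np-z0-9] alphabet, a case-insensitive normaliser, and a fixed-width encoder/decoder. The mapping of a spoken “l”/“o” to “1”/“0” in normalize() is an assumption that goes one step beyond the post; the sizes of the tag spaces are the figures the post lists.

```python
import string

# Alphabet proposed in the post: [a-km-np-z0-9], lower case only, so the
# easily-confused 'l' and 'o' are left out. 10 digits + 24 letters = 34 symbols.
TRANSMITTABLE = "".join(c for c in string.digits + string.ascii_lowercase
                        if c not in "lo")
# Alphabet most shorteners use: [A-Za-z0-9], 62 symbols.
BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase


def tag_space(alphabet, width):
    """Number of distinct tags of the given width over the alphabet."""
    return len(alphabet) ** width


def normalize(tag):
    """Canonical form of a tag as read out or written down by a person.

    Case is ignored, and (an assumption beyond the post) an 'l' or 'o' is
    taken to mean '1' or '0', since the alphabet never contains those letters.
    Anything else outside the alphabet is rejected.
    """
    tag = tag.strip().lower().replace("l", "1").replace("o", "0")
    if not tag or any(c not in TRANSMITTABLE for c in tag):
        raise ValueError("tag contains characters outside the alphabet: %r" % tag)
    return tag


def encode(n, width=7):
    """Encode a non-negative integer (e.g. a database row id) as a fixed-width tag."""
    if n < 0 or n >= tag_space(TRANSMITTABLE, width):
        raise ValueError("value does not fit in a %d-character tag" % width)
    out = []
    for _ in range(width):
        n, r = divmod(n, len(TRANSMITTABLE))
        out.append(TRANSMITTABLE[r])
    return "".join(reversed(out))


def decode(tag):
    """Inverse of encode(), accepting any spelling normalize() accepts."""
    n = 0
    for c in normalize(tag):
        n = n * len(TRANSMITTABLE) + TRANSMITTABLE.index(c)
    return n


if __name__ == "__main__":
    for alphabet, width in ((BASE62, 6), (TRANSMITTABLE, 6), (TRANSMITTABLE, 7)):
        print("%d symbols, %d chars: %d tags" % (len(alphabet), width,
                                                 tag_space(alphabet, width)))
    tag = encode(123456789)
    print(tag, decode(tag.upper()))
```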

Fixing a Non-Booting CyanogenMod 7

Late on Friday afternoon, my day-to-day phone, a Samsung Galaxy S II which runs CyanogenMod 7.1, stopped booting – it got stuck at the “rotating arrow” blue Android for ever. I use my phone rather heavily, so this was a significant inconvenience – doubled by the fact that on Saturday morning, I flew to the Bay Area for a week at the Mozilla office. “What’s the confirmation code for collecting your train tickets, sir?” “Where are you staying in California, sir?” Er…

The last action I took before this happened is that I made a full system backup via Recovery mode (I use the excellent ClockWorkMod Recovery). I’m not sure if that’s what caused the problem, but it was instrumental in the solution. I could still boot into Recovery, and fortunately that also allows console access via adb shell.

Things which didn’t solve it or give any clues:

  • Looking to see if I’d filled a partition (I hadn’t)
  • Making a second backup, watching carefully for errors
  • Restoring the backup I’d made
  • “Fix permissions” in the Recovery options
  • Wiping the cache, dalvik cache and other non-destructive wipes
  • Reinstalling the same CyanogenMod build again

After some trepidation, I tried doing a full factory reset from Recovery. This got the phone booting again, but without any of my data :-(. Fortunately, ClockWorkMod has a “partial backup restore” function. I restored the data partition… and the phone stopped booting again.

So this is progress. I now had some idea where the problem lay. I finally found it using a laborious 5-minutes-per-cycle manual bisection technique. Delete half the stuff on the data partition, reboot, if it still fails, delete more, reboot… once you get it to boot, restore the data partition, narrow it down further. Once you find a top-level directory, repeat the process inside it.

The result: the existence of a single 0-byte file stopped my phone from booting entirely. The file was:

data/system/profiles.xml

I have no idea what that file does (there are only a few references online), how a 0-byte version of it got created, or why having it existent but empty breaks things but if it’s not present everything works fine. I have no idea if anyone else will ever see this problem, or if they will ever find this blog post. But still, here’s my Wisdom of the Ancients.
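The manual bisection above, written out as a general per-file algorithm in Python (an added example, not something from the post). The partition snapshot is constructed, and phone_boots() is an assumed stand-in for “reboot and see whether it gets past the blue Android” that encodes the post’s finding: booting fails exactly when the empty data/system/profiles.xml is present.

```python
# Constructed snapshot of the phone's /data partition: path -> size in bytes.
DATA_PARTITION = {
    "data/app/com.example.mail.apk": 1_200_000,
    "data/data/com.example.mail/shared_prefs/prefs.xml": 412,
    "data/media/DCIM/photo0001.jpg": 2_600_000,
    "data/system/packages.xml": 88_000,
    "data/system/profiles.xml": 0,   # the empty file blamed in the post
}


def phone_boots(present):
    """Stand-in for a reboot. Assumed rule, matching the post's finding:
    the phone fails to boot if and only if the (empty) profiles.xml exists."""
    return "data/system/profiles.xml" not in present


def bisect_culprit(paths, boots):
    """Find the single path whose presence stops the phone booting.

    Each round deletes half of the remaining suspects (everything else is
    restored), reboots once, and keeps whichever half contained the culprit.
    Returns (culprit, reboots); culprit is None if the full set boots.
    Assumes at most one offending path.
    """
    everything = set(paths)
    reboots = 1
    if boots(everything):
        return None, reboots
    suspects = sorted(everything)
    while len(suspects) > 1:
        mid = len(suspects) // 2
        removed, kept = suspects[:mid], suspects[mid:]
        reboots += 1
        if boots(everything - set(removed)):
            suspects = removed   # deleting this half fixed it: culprit is inside
        else:
            suspects = kept      # still broken: culprit is in the other half
    return suspects[0], reboots


if __name__ == "__main__":
    culprit, reboots = bisect_culprit(DATA_PARTITION, phone_boots)
    print("culprit: %s (found after %d reboots)" % (culprit, reboots))
```

For n files this takes about log2(n) reboots rather than one per file, which is the whole point when each cycle costs five minutes.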

MITM Boxes Reduce Network Security Even More Than They Are Designed To

It was recently discovered by the Tor project that a manufacturer of Man-In-The-Middle boxes with SSL interception capability, called Cyberoam, have been embedding the same root certificate in all of their boxes.

Background: SSL is not supposed to be interceptable. The only way to do it is for the intercepting box to be the endpoint of the SSL session and then, after inspecting the traffic, send the information over a different SSL session to the client. Now that we have explicitly banned trusted CAs from facilitating this after the Trustwave incident, the box should not be able to generate its own trusted-by-default certificate for the target site. Instead, it generates a cert which chains up to the box’s own embedded root. Therefore, any user of a network whose owners wish to use such a box to inspect SSL traffic will have been asked to import whichever root certificate the box uses into their trusted root store, in order to avoid getting security warnings – the very warnings which would otherwise correctly tell you that your communications are being intercepted.

If each box uses a different root certificate, this is not a big problem. (Well, apart from the general issue of having to permit your employer or school to intercept your secure communications.) However, as noted above, Cyberoam uses the same root for all the boxes they manufacture. This root reuse means that sites who have tried to use Cyberoam boxes to punch a small hole in their security for ostensibly reasonable purposes have actually punched a rather larger one.

If you have trusted this root, your communications could potentially be silently intercepted by anyone who owned a Cyberoam box, not just the legitimate owners of the network you were using. This would be true whether you were on that network, or elsewhere (e.g. if you went to another location with your phone or laptop). Furthermore, anyone who purchases a Cyberoam box can try and extract the root (they may have physical security in place, but that’s just a speedbump) and then they don’t even need a Cyberoam box to MITM you.

From reading their online docs, this problem seems to also occur with similar devices from Sonicwall (PDF; page 2) and Fortigate. (Thanks to a commenter on the Tor blog for noticing this.) I suspect that many vendors use this insecure configuration by default.

The Cyberoam default root certificate is not trusted by the Mozilla root store – Cyberoam is not a CA – and we do not plan to take action at this time. However, this is another important lesson in the unintended consequences of intentionally breaking the Internet’s security model. Messing with the Internet security infrastructure breaks things, in unexpected and risky ways. Don’t do it.

Suspect Syndication

Sometimes you discover the weirdest things about the Internet via unsuspected routes.

My post about Facebook and email addresses got a lot of pingbacks from around the world. Often, they were syndications, perhaps of dubious legality, of earlier articles. In several cases, the legality was clearly dubious, because the syndicator had gone to some effort to disguise the text. There were four like this one, where, fascinatingly, the text appears to have been run through a system which uses synonyms and other changes to make it not recognisable from a simple web search. Compare the original, from CNN Money (and also my blog, which they are quoting):

Blogger Gervase Markham, one of the first to draw attention to the change, was scathing in his comments on it.

“Facebook silently inserted themselves into the path of formerly-direct unencrypted communications from people who want to email me. In other contexts, this is known as a Man In The Middle (MITM) attack,” he wrote, referring to a tactic hackers use to intercept electronic messages. “What on earth do they think they are playing at?”

with this barely-understandable version:

Blogger Gervase Markham, one of a initial to pull courtesy to a change, was sardonic in his comments upon it.

“Facebook silently extrinsic themselves in to a trail of formerly-direct unencrypted communications from people who wish to email me. In alternative contexts, this is well known as a Man In The Middle (MITM) attack,” he wrote, referring to a tactic hackers make make make make make use of of of of of to prevent electronic messages. “What upon earth do they consider they have been personification at?”

Some of the changes don’t even seem like synonyms – “attention” -> “courtesy”? Note also the words repeated 5 times – looks like they replace “use” with “make use of”, but have run the algorithm over the text more than once!

Here’s another one, which makes heavy use of entities, replacing letters with lookalikes from Cyrillic or simply HTML entities:

Thе exchange, first uncovered bу hacker Gervase Markham, means thаt аnу email post you received through Facebook since Friday hаνе been routed back into the Facebook Post inbox, rather thаn into your email inbox. Annoying? I don’t know. something to ɡеt really angry about? I don’t know — maybe you wеrе expecting ѕοmе vastly time sensitive email to come through Facebook. but fοr the mοѕt раrt, wе’d estimate thаt public are more shocked thаt thеу hаνе аn @facebook email take up thаn the fact thаt Facebook pulled a switcharoo.

Does that look normal? Here’s the source:

Th&#1077 exchange, first uncovered b&#1091 hacker Gervase Markham, means th&#1072t &#1072n&#1091 email post you received through Facebook since Friday h&#1072&#957&#1077 been routed back into the Facebook Post inbox, rather th&#1072n into your email inbox. Annoying? I don’t know. something to &#609&#1077t really angry about? I don’t know — maybe you w&#1077r&#1077 expecting &#1109&#959m&#1077 vastly time sensitive email to come through Facebook. but f&#959r the m&#959&#1109t &#1088&#1072rt, w&#1077’d estimate th&#1072t public are more shocked th&#1072t th&#1077&#1091 h&#1072&#957&#1077 &#1072n @facebook email take up th&#1072n the fact th&#1072t Facebook pulled a switcharoo.
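A short Python check for the second kind of disguise, added here as an example rather than taken from the post: it decodes the HTML entities and then flags any word that mixes ASCII letters with letters from another script, which is the signature of the Cyrillic and Greek lookalikes above. The sample input is the opening of the entity-encoded source quoted above.

```python
import html
import re
import unicodedata

# Constructed sample: the start of the entity-encoded source quoted in the post.
SAMPLE_SOURCE = (
    "Th&#1077 exchange, first uncovered b&#1091 hacker Gervase Markham, means "
    "th&#1072t &#1072n&#1091 email post you received through Facebook since "
    "Friday h&#1072&#957&#1077 been routed back into the Facebook Post inbox"
)

WORD_RE = re.compile(r"\w+")   # \w is Unicode-aware, so Cyrillic letters count


def script_of(ch):
    """Script of a character, taken from the first word of its Unicode name."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:          # unassigned or unnamed code point
        return "UNKNOWN"


def mixed_script_words(source):
    """Decode HTML entities, then report words mixing ASCII and non-ASCII letters.

    Returns {word: {char: script}} for every word with at least one ASCII
    letter and at least one non-ASCII letter. A whole word in another
    script (a genuine foreign word) is deliberately not reported.
    """
    findings = {}
    for word in WORD_RE.findall(html.unescape(source)):
        if not any(c.isascii() and c.isalpha() for c in word):
            continue
        foreign = {c: script_of(c) for c in word
                   if c.isalpha() and not c.isascii()}
        if foreign:
            findings[word] = foreign
    return findings


def scripts_used(source):
    """The set of non-Latin-looking scripts spliced into otherwise-ASCII words."""
    return {script for foreign in mixed_script_words(source).values()
            for script in foreign.values()}


if __name__ == "__main__":
    for word, foreign in mixed_script_words(SAMPLE_SOURCE).items():
        details = ", ".join("%s=U+%04X %s" % (c, ord(c), s) for c, s in foreign.items())
        print("%-10s %s" % (word, details))
    print("scripts:", sorted(scripts_used(SAMPLE_SOURCE)))
```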

Can I Get A Witness?

The developer who started the Witness web app has had to bow out of the project. Are there any other Djangonauts/Pythonistas out there who would like to finish the building of something relatively small, self-contained and useful to Mozilla? Here’s a description of the project:

“Witness” will be a web app which provides proof that person A has agreed to legal document X.

There are loads of applications for this:

  • Proof that a Mozilla contributor has agreed to our Committer’s Agreement
  • Proof that someone has agreed to the IPR policy necessary for contributing to a standards body mailing list
  • Proof that someone has agreed to a trademark licence

These things can be done without an app, but it’s dull and tedious for the person doing the paperwork. Much better to get a computer to do it.

It would involve, among other things, playing with Persona/BrowserID. If you are interested, drop me a line and I’ll point you at the code.