Wednesday, March 23, 2011

Firefox 4 RC (for Android): Hands On


Firefox 4 RC for Android may eventually torch the stock Android browser. It's faster than previous releases, dons a trimmer interface, and tucks new tricks up its e-sleeve, notably smart taps and single-click bookmarks.
Pile on the Add-Ons — for customizing the browser's look and feel (and functionality)—and Firefox Sync — for synchronizing bookmarks, history, passwords, and preferences with your desktops — and Mozilla moguls will find plenty of reasons to bookmark the mobile browser.
Yet, despite bringing a real frontrunner to the desktop market, Firefox is still just a candidate in the mobile space. It's faster than previous builds, but, compared with Android's stock browser and Opera Mobile 11, it doesn't lap the pack. It lacks multimedia dexterity: Firefox doesn't yet support Flash and cannot access a surprising amount of HTML5 content. And if you're reading this on an Android tablet, this fox isn't available on Honeycomb yet. For Mozilla users who prize synchronicity, the Release Candidate is worth a click; however, anyone who isn't wedded to Firefox on the desktop should hold out for additional support.
Firefox 4 RC (for Android)
The Big Picture on the Small Screen
Mozilla has bred a leaner fox with keener eyes. Firefox dedicates the entire screen to web pages. Swiping from the right bezel towards the screen reveals a tray with navigation buttons (back and forward), settings, and a star icon for single-click bookmarking. Under settings, you can manage downloads, add Add-ons—though, with about 150 in total, mobile availability is still limited—and adjust settings. For those accustomed to the stock browser's wrap text feature, Mozilla's "Reformat on zoom" option is a must-enable.
Closing the tray and returning to your web page is as easy as swiping towards the bezel. Swiping on the left side of the screen reveals a tray with your open tabs and a folder stuffed with browsing history and bookmarks. And whether you're in the left or right tray, a search bar drapes from the top of the screen, complete with mobile Add-ons (in this case, search options) for Google, Amazon, Twitter, and Wikipedia. Compared to the stock browser, which requires you to use the phone's physical buttons to navigate between windows or explore history, Mozilla has created a more elegant and intuitive solution.
Phone Home, Home Phone
In addition to its streamlined interface, Firefox Sync is the definitive enticement to download the mobile Release Candidate. The process is simple. From the latest version of the desktop client, sign up for a free account and synchronize data through the Sync pane in Firefox settings. To access that data on your phone, open your mobile settings and Enable Sync. Mozilla gives you a code to input on your desktop to pair the two. Voilà: all of your desktop preferences, saved passwords, bookmarks and history flow into your mobile client; conversely, mobile changes appear at home. If Firefox is your default browser, Sync puts the home in phone—and vice versa.
A Spry Fox…
The other key enhancement for Android users occurs under the hood. In the release notes, Mozilla claims to have improved startup speed and page load times. For the most part, it's true.
I tested Firefox 4 RC on a Sprint HTC Evo 4G running the most current available version of Android (2.2) with the latest version of Adobe Flash (10.2); I used two preliminary JavaScript benchmark tests: SunSpider (0.9.1) and Google V8 (version 6). In the SunSpider test, where a lower score is desirable, Firefox led the pack (3080.4 ms), followed by Opera (4133.2) and the stock browser (4564.2). When it came to the V8 test, however, the results were mixed: the stock browser took the lead (310), with Firefox (296) nipping at its heels, and Opera (179) playing the role of laggard. In real-world use, it feels a whole lot closer. Firefox is quick, but not quick enough to replace the stock browser.
…At a Cost
That added octane doesn't come cheaply. According to the release notes, Mozilla disabled Adobe Flash and other plugins because it "compromised user experience." Compared to both Opera Mobile 11 and the stock browser, through which I browsed and played Flash videos—if sluggishly—Firefox webpages looked like Swiss cheese. Add to Flash-less-ness the browser's limitations with HTML5 video (lacking H.264 support), and even the New York Times homepage starts to look patchy. If you're looking to view any web video on the go, I'd highly recommend waiting for the Gold Master, in which Mozilla might permit users to enable video plugins, even if it does "compromise user experience."
This Fox is Still a Kit
Firefox 4 RC for Android transfers to the mobile browser much of what invigorated the desktop client, including a fresh new look with a speedier engine, Add-ons, and Firefox Sync. Unfortunately, those valuable new features enter in medias res. The new look is welcome, but the speed bump comes at the cost of multimedia dexterity. While mobile Add-ons hold promise, there aren't enough available (yet) to customize the browser. And Firefox Sync is an exciting addition, but its value only extends to Mozilla faithful. If Firefox is your default desktop browser, the latest version of Firefox for Android grows that experience, though I would recommend waiting a little bit longer until this fox finds its legs.

Thursday, March 10, 2011

GNOME.Asia Summit 2011

It is a great pleasure to announce that public registration [1] for the GNOME.Asia Summit 2011 [2] is officially open. It will be our fourth summit and happens on the weekend of April 2 and 3, 2011 in Bangalore (India), right after the GNOME 3.0 Bangalore Hackfest [3]. The main theme of the summit will be "The Next Generation Free Desktop: GNOME 3.0" [4]. We will be able to jump on the opportunity of having a lot of the GNOME developers [5] already on site to aim for the greatest GNOME.Asia Summit of all time.

Please join and help us to spread the word by putting up one of our
banners [6] into your blog / website as well as inviting your friends to join the event! Thank you!

GNOME.Asia Summit 2011

Date: April 2-3 (Sat - Sun) 8:30am to 6:00pm
Venue: Dayananda Sagar Educational Institutions, Shivage Malleshwara
Hills, Kumaraswamy Layout, Bangalore
Theme: The next Generation Free Desktop

About GNOME.Asia Summit

GNOME.Asia Summit is an annual conference for GNOME users and developers in Asia. The event focuses primarily on the GNOME desktop and other devices that use GNOME, and also covers GNOME-based applications and GNOME development platform tools. It brings together the GNOME community in Asia to provide a forum for users, developers, foundation leaders, governments and businesses to discuss both the present technologies and future developments. GNOME.Asia Summit has been held in Beijing, China in 2008 and Ho-Chi-Minh City, Vietnam in 2009. The summit has been recognized as one of the top three FLOSS conferences in China in 2008 by the Chinese government, the biggest FLOSS conference in Vietnam in 2009 by the Vietnamese government and one of the biggest FLOSS conferences in Taiwan in 2010.

Useful links

[1] http://2011.gnome.asia/en/p/Register2011/
[2] http://2011.gnome.asia/en/p/index/
[3] http://live.gnome.org/Hackfests/GNOME.Asia2011
[4] http://gnome3.org
[5] http://2011.gnome.asia/Speakers2011/
[6] http://live.gnome.org/GnomeAsia/2011Summit/PromoteRegistration

source:
GNOME.Asia Committee

Monday, March 7, 2011

Metasploit Framework 3.6.0 released


The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
Changes: This release adds 15 new exploits for a total of 64 new modules since version 3.5.1. Includes Post Exploitation modules that provide local exploits and additional data gathering capabilities.

Download

JS Recon - javascript based port scanner and detector


JS-Recon is a network reconnaissance tool written in JavaScript that makes use of HTML5 features like Cross Origin Requests (CORs) and WebSockets.
Currently supported functionality:
  • Port Scans
  • Network Scans
  • Detecting private IP address
Supported Browsers:
It works on the latest versions of Chrome, Safari and Firefox that support CORs and WebSockets.
Use it on Chrome and Safari for best results. Firefox throws exceptions sometimes when scanning through COR, not sure why this happens. Scans using WebSockets work properly though.
Currently it has been tested only on Windows XP and Win7 systems. Behavior could differ on Linux and Mac.
How does it work?:
Cross domain XHR has five possible readystate statuses and WebSocket has four possible readystate statuses. When a new connection is made to any service the status of the readystate property changes based on the state of the connection. This transition between different states can be used to determine if the remote port to which the connection is being made is either open, closed or filtered.
* Port Scanning:

When a WebSocket or COR connection is made to a specific port of an IP address in the internal network, the initial state of WebSocket is readystate 0 and for COR it's readystate 1. Depending on the status of the remote port, these initial readystate statuses change sooner or later. The below table shows the relation between the status of the remote port and the duration of the initial readystate status. By observing how soon the initial readystate status changes we can identify the status of the remote port.
There are some limitations to performing port scans this way. The major limitation is that all browsers block connections to well-known ports, so they cannot be scanned. The other limitation is that these are application-level scans, unlike the socket-level scans performed by tools like nmap. This means that, based on the nature of the application listening on a particular port, the response and interpretation might vary.
There are four types of responses expected from applications:
  1. Close on connect: Application terminates the connection as soon as the connection is established due to protocol mismatch
  2. Respond & close on connect: Similar to type-1 but before closing the connection it sends some default response
  3. Open with no response: Application keeps the connection open expecting more data or data that would match its protocol specification
  4. Open with response: Similar to type-3 but sends some default response on connection, like a banner or welcome message

The behavior of WebSockets and COR for each of these types is shown in the table below.
* Network Scanning:

The port scanning technique can be applied to perform horizontal network scans of internal networks. Since both an open port and a closed port can be accurately identified, horizontal scans can be made for specific ports that would be allowed through the personal firewalls of most corporate systems.
Identification of an open or closed port would indicate that a particular IP address is up.
Ports like 445 or 3389 are ideal for such purpose as these are usually allowed across personal firewalls of desktop systems. It has been found that port 445 is of Application type-1 on Windows 7 and can be detected whether it is open or closed. However port 445 on Windows XP and port 3389 are of application type-3 and the host can only be detected if these ports are closed on such systems.
* Detecting Private IP Address:

Most home users connected to WiFi routers are given IP addresses in the 192.168.x.x range. The IP address of the router is often 192.168.x.1, and routers almost always have their administrative web interfaces running on port 80 or 443.
These two trends can be exploited to guess the private IP address of the user in two steps:
Step 1: Identify the user’s subnet 
This can be done by scanning port 80 and/or 443 on the IP addresses from 192.168.0.1 to 192.168.255.1. If the user is on the 192.168.3.x subnet then we would get a response for 192.168.3.1 which would be his router and thus the subnet can be identified. 

Step 2: Identify the IP address 
Once the subnet is identified we scan the entire subnet for a port that would be filtered by personal firewalls, port 30000 for example. So we iterate from 192.168.x.2 to 192.168.x.254; when we reach the IP address of the user we would get a response (open/closed) because the request is generated from the user’s browser from within his system and so his personal firewall does not block the request.
Limitations:
Blocked Ports:
To avoid Cross Protocol exploitation almost all popular browsers block connections to certain well-known ports. Due to this the status of these ports cannot be determined.
Linear Scanning:
The determination of port status is based on timing of the readyState status changes. Opening multiple simultaneous connections interferes with this timing leading to unreliable results. Hence to avoid such situations all scans are performed one port at a time.
Internal Networks Only:
As stated above, timing is critical to identification of port status. Depending on the location of the target device this timing could vary. JS-Recon has been tuned to scan internal networks with very low turnaround time. Scanning external networks would require only two minor changes: the values of the variables open_port_max and closed_port_max must be suitably updated.
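
A defender's view of the two-step pattern and the one-port-at-a-time behaviour described above, as an added example that is not JS-Recon code or part of the original post: it looks through connection records for a single source that tries port 80/443 on many 192.168.N.1 addresses, or one port across most of a /24. The record fields (ts, src, dst, port), the thresholds and the sample log are assumptions constructed for illustration.

```javascript
// Added example, not JS-Recon code. Record fields and thresholds are assumed.
const GATEWAY_PORTS = new Set([80, 443]);

function detectSweeps(records, { minGateways = 20, minHosts = 50 } = {}) {
  const bySrc = new Map();
  for (const r of records) {
    const m = /^192\.168\.(\d{1,3})\.(\d{1,3})$/.exec(r.dst);
    if (!m) continue; // only 192.168.x.x destinations are relevant here
    const subnet = Number(m[1]), host = Number(m[2]);
    if (!bySrc.has(r.src)) bySrc.set(r.src, { gateways: new Set(), perPort: new Map() });
    const s = bySrc.get(r.src);
    // Step 1 pattern: port 80/443 tried on 192.168.N.1 for many values of N.
    if (host === 1 && GATEWAY_PORTS.has(r.port)) s.gateways.add(subnet);
    // Step 2 pattern: one port tried on many hosts of a single /24.
    const key = `${subnet}:${r.port}`;
    if (!s.perPort.has(key)) s.perPort.set(key, new Set());
    s.perPort.get(key).add(host);
  }
  const findings = [];
  for (const [src, s] of bySrc) {
    if (s.gateways.size >= minGateways)
      findings.push({ src, type: "gateway-sweep", count: s.gateways.size });
    for (const [key, hosts] of s.perPort) {
      if (hosts.size < minHosts) continue;
      const [subnet, port] = key.split(":").map(Number);
      findings.push({ src, type: "subnet-sweep", subnet, port, count: hosts.size });
    }
  }
  return findings;
}

// Constructed sample log: 192.168.3.80 browses normally; the browser on
// 192.168.3.57 produces the two-step pattern from the post.
function buildSample() {
  const log = [];
  let ts = 0;
  for (let i = 0; i < 5; i++) log.push({ ts: ts++, src: "192.168.3.80", dst: "192.168.3.1", port: 80 });
  log.push({ ts: ts++, src: "192.168.3.80", dst: "10.0.0.5", port: 443 });
  for (let n = 0; n <= 255; n++) log.push({ ts: ts++, src: "192.168.3.57", dst: `192.168.${n}.1`, port: 80 });
  for (let h = 2; h <= 254; h++) {
    if (h === 57) continue; // a connection to its own address never reaches the network
    log.push({ ts: ts++, src: "192.168.3.57", dst: `192.168.3.${h}`, port: 30000 });
  }
  return log;
}

console.log(detectSweeps(buildSample()));
```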

Tuesday, March 1, 2011

Ubuntu Developer Week 2011: February 28th - March 4th

The Ubuntu Developer Week event will take place from February 28th to
March 4th, 2011, and will cover several aspects of Ubuntu development,
from crash-courses in getting started with working on Ubuntu to more
advanced topics.

Join #ubuntu-classroom on irc.freenode.net from 28th Feb to 4th Mar
and check out https://wiki.ubuntu.com/UbuntuDeveloperWeek for more
information.

Ubuntu developers and enthusiasts wanting to contribute will get
together online for five days of sessions hosted by some of Ubuntu's
greatest developers.

Here are some of the topics the developers will go over in the sessions:

· Getting Started with Ubuntu Development;
· How to use Ubuntu Distributed Development;
· How to get changes into Ubuntu;
· How to make changes in stable releases of Ubuntu;
· How to collaborate with Debian;
· Getting new apps into Ubuntu;
· Unity hacking (fixing Unity bugs, writing compiz plugins, learning libunity);
· Ubuntu One App Programme;
· Hooking in Ubuntu translations;
· How to write IRC bots;
· How to use Zeitgeist;
· How to use TestDrive;
· Ubuntu 11.04 stuff: Unity 2D, OMAP4 and ARM, Q&A with Ubuntu
Engineering Director, etc;
· Helping out the LoCo Directory;
· Django hacking;
· How to get better bug reports;
· Boto EC2 Cloud API;
· How to use Launchpad’s Daily Builds;
· and much more!

To participate, all you have to do is join the #ubuntu-classroom
channel on irc.freenode.net. Sessions start Monday, February 28th,
2011 at 16:00 UTC. The odd hour was chosen to accommodate for as many
people from around the world as possible.

The main channel will be in English, to ensure that the highest number
of people can join, but there will be translations in several
languages for those who aren't comfortable enough with their English
to ask questions. Translations include: German, French, Italian,
Catalan, Finnish, Danish and Spanish.

In only 5 years, Ubuntu has become the most popular Linux-based
operating system in the world with millions of users. Have you ever
wondered how Ubuntu development works? Do you want to know how to
get involved yourself? You can get more information about Ubuntu
Developer Week here.
