V.10 seems to work much better than any V.9 iteration. No more crashing and the add-ons and extensions work properly. I guess I will be able to stay with Firefox for a while yet.

Extended Support Release

Mozilla also released the enterprise version of Firefox, called ESR (Extended Support Release), which will release updates on a slower cycle (once per year) so that businesses don’t have to worry about their internal tools and security protocols failing. This should help make Firefox more popular in the corporate world.

We use Darik’s Boot and Nuke (“DBAN“) which is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which also makes it an appropriate utility for bulk or emergency data destruction. DBAN is a means of ensuring due diligence in computer prepartation for IIR. It is also a good way to periodically clean a Microsoft Windows installation of viruses and spyware.

This article describes more advanced methods of customizing Mozilla applications, by editing the configuration files.

about:config entries

about:config is a feature of Mozilla applications which lists application settings (known as preferences) that are read from the profile files prefs.js and user.js, and from application defaults. Many of these preferences are not present in the Options or Preferences dialog. Using about:config is one of several methods of modifying preferences and adding other “hidden” ones.

Editing the user.js and prefs.js files are an alternative method of modifying preferences and recommended for very advanced users only. Unless you need a prefs.js and/or user.js file modified for a specific purpose, you should use about:config instead.

This article refers to the Firefox V. 9 edition of the browser. These entries may have adverse effects on Thunderbird and Mozilla Suite/SeaMonkey and older versions of Firefox. These settings will affect all profiles of the browser.

In Firefox, type about:config in the Location Bar (address bar) and press Enter to display the list of preferences. You may get a warning page next, just click OK and move on.

about:config > browser.display.use_document_fonts > change value to 0

0: Never use document’s fonts
1: Allow documents to specify fonts to use
2: Always use document’s fonts (deprecated)

Don’t let the site access to the fonts on your computer. That grants too much access that can be abused.

about:config > browser.sessionhistory.max_entries > change value to 2

The maximum number of pages in the browser’s session history, i.e. the maximum number of URLs you can traverse purely through the Back/Forward buttons. Default value is 50.  Set it to 2 so that the site you visit can’t see where you have been during your Investigative Internet Research (IIR) assignment.

about:config > dom.storage.enabled > double click to false

dom.storage.enabled is a mechanism allowing web pages to store information with a web browser (similar to cookies) called “client-side session and persistent storage.” Although use of session storage is subject to a user’s cookie preferences, this preference allows it to be disabled entirely.

about:config > geo.enabled > double click to false

True is location aware browsing enabled. Default is true. You want to disable this. See http://www.mozilla.com/en-US/firefox/geolocation/ for details of geolocation in Firefox.

The basic privacy settings in general settings, are found in the options bar in Firefox 9.0 (Firefox > Options > Options) or for iOS, Preferences.

1. Content: Enable block popup windows and disable Javascript when it isn’t needed.
2. Privacy: Enable the DNT (Do-Not-Track). For History, use custom settings. “Always use private browsing mode” should be enabled. “Remember my browsing history”, “Remember download history” and “Remember search and form history” should be turned off. “Accept cookies from sites”, but un-check “Accept third party cookies” as they aren’t needed often. Location bar: select “Suggest nothing”.
3. Security: Enable “Warn me when sites try to install add-ons”, “Block reported attack sites” and “Block reported web forgeries”. Under Passwords, disable “Remember passwords for sites” and use a master password.
4. Advanced – General – System Defaults: Disable “Submit crash reports and performance data”.
5. Advanced – Network – Offline Storage: Check “Override automatic cache management and limit cache to 0MB space”. Further—you can un-check “Tell me when a website asks to store data for offline storage use”.
6. Advanced – Encryption: Ensure both “Use SSL 3.0 and Use TLS 1.0″ are enabled. Then click validation > check “When an OCSP server connection fails, treat the certificate as invalid”.

Why does it cost so much just to look on the Internet?”

I get this question a lot, and too often from “professionals” who should know better. I will list a few of the reasons here.

To begin with, I never know how the research results will be used in the future. That means that the results must be properly documented so that it would be reproducible if someone else with similar skill did the searches at the same time as I did.

If at some future date what I find becomes important evidence, then how it was found, where it was found, when it was found, and what it actually looked like becomes very important. My report and the supporting material may be the only proof of the existence of the material being entered into evidence.

The computers must be free of malicious code (S. 31 Canada Evidence Act). We often set aside a computer for this purpose after doing some Spring-Cleaning.

The logic of the research process must be clear and easy to explain to anyone. This logic must be explained in the report. Search statements must be recorded. The project directory and file naming and structures must be logical and properly documented. The evidence must have a clear and documented chain of custody.

Providing this evidence requires skill, training, experience, software, computers, office space, support staff, and time.  Finally, did you know it takes at least twice as long to do the report as it does to do the research?

Researchers from the University of California at San Diego delivered a paper at the FAST-11 Conference in San Jose, Calif., last week that shows it’s almost impossible to reliably erase data from a solid state drive.

The report, Reliably Erasing Data from Flash-Based Solid State Drives (PDF), goes through all of the known techniques for erasing data and they found the best method was a big hammer.

The recent PC World article: Get Internet Access When Your Government Shuts It Down Does your government have an Internet kill-switch? Read our guide to Guerrilla Networking and be prepared for when the lines get cut, shows that the situation in Egypt has spurred geeks everywhere to start building Appocalypse apps  that may be headed our way to deal with similar situations in the future.

The Open Mesh web site content is  heavy going but useful if you have the technical knowledge.

New Firefox Add-On Detects Firesheep, Protects You on Open Networks

If you’re concerned about using open Wi-Fi networks because of Firesheep, the highly popular new hacking tool, you should check out BlackSheep, a Firefox add-on that makes surfing on open networks safe once again.

• http://lifehacker.com/5516188/
• http://lifehacker.com/228887/bruce-schneier-on-how-to-choose-secure-passwords
• http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
• http://lifehacker.com/software/top/geek-to-live–choose-and-remember-great-passwords-184773.php
• http://lifehacker.com/software/security/pick-a-good-password-part-ii-032274.php
• http://lifehacker.com/software/top/geek-to-live–choose-and-remember-great-passwords-184773.php
• http://lifehacker.com/software/passwords/keepass-password-manager-38223.php
• http://www.baekdal.com/tips/password-security-usability
• http://www.hungry-hackers.com/2009/12/how-to-hack-passwords-using-a-usb.html

Protect yourself by forcing the authentication through TLS or stop logging into Facebook using public networks.