Followup: Password Manager changes (coming in FF3 Alpha 5)

As I’ve previously blogged about, I’ve been working on some changes to the Firefox Password Manager. The first part, a long slog of untangling and porting the old C++ code to JS, is now complete.

The code landed earlier this month via bug 374723, and as part of the change it’s been renamed to “Login Manager”. This work was all backend work, so there are no user-visible features yet… That part comes next. And did I mention test cases? There are now automated test cases! Double-plus yay!

These changes should now make it much easier to write a component integrating Login Manager with the OS X Keychain (or the Gnome Keychain, or whatever). Basically, the code just has to implement the nsILoginManagerStorage interface and add some glue to make the Login Manager use it. Unfortunately this isn’t a high-priority item at the moment, but if anyone in the community wants to pick up the torch I’d be happy to help with the integration. There’s already some code in Camino for Keychain, although I don’t know what state it’s in.

Finally, the new Login Manager has one downside… The interfaces for using it have changed, so extensions that might have been using the old interfaces will need to be updated to use the new ones instead. But the interfaces are documented, and there’s a usage writeup on DevMo. There may be some more minor API tuneups before FF3 is released, but I’m not expecting anything major.


“We shred every day.”

Erring on the side of security can sometimes be a little frustrating…

A few months ago I junked my aging paper shredder. I had purchased it for about $25 some years prior, but it had become rather cranky and instead of shredding paper it mostly just… mangled. When it wasn’t busy jamming itself. So, I appended a “buy new shredder” task to my To Do List and diverted various home office trash to a To Be Shredded Pile… Paid bills, legal documents, bank statements, etc. [No juicy secrets here, I’m afraid. Just a sensible precaution against identity theft.]

Fast forward to last week, and I was still sans shredder but with a sizable stack of records awaiting destruction. I had been shopping around, but hadn’t found a model I liked.

The most basic (and cheapest) models are “strip cut” shredders. They work by — wait for it — cutting the page into long strips, usually 1/4″ wide. I think these models are just about worthless, as reassembling a page from such strips isn’t any more difficult than doing a jigsaw puzzle. A large producer of shredded waste (like a corporation or government agency) might be able to get away with this, since the overwhelming bulk is low-value bureaucratic paperwork. Finding a needle in such a haystack requires a lot of work. But even then, when there’s a will there’s a way… After the US Embassy in Tehran was seized in 1979, the Iranians reconstructed many documents that had been hastily shredded. And after East Germany fell, the Germans got busy processing 33 million shredded documents from the Stasi’s archives.

Here’s a random Flickr shot to illustrate the size of shredder strips:

For a shred with greater security, “cross-cut” models are the way to go. Instead of a 1/4″ wide strip running the length of the page, cross-cut shredders additionally chop up the strips into chunks that are usually 1-2″ long. They thus produce a lot more pieces for every page. Plus, this method provides some protection against user mistakes… If you feed a document sideways into a strip-cut shredder, the strips are just easily-readable lines from the page (a cross-cut shredder would only have a word or two per piece). Apparently some of the folks at the Enron shredding parties made this goof, and recovering those documents was much easier as a result.

So, then, buying a shredder should be a simple matter, right? Well, ugh, not so much… There are a zillion brands available, each with different capacities and shred size. And to make things worse, all but the most basic models seem overpriced to me; the $500 shredders do the same thing as the $25 shredders. Sure, the motor is bigger and beefier, but $475 bigger?!

I got the better of my indecision by throwing fiscal responsibility to the wind and buying Staples’ 770M “Microcut shredder”. $150, but at least it was on sale. It has the smallest shred size (2mm x 8mm) of any shredder I could find, so I figure if I’m going to buy an overpriced shredder I should at least get some better security out of it. Here are the results:

In the end, consumer-grade shredders — even cross-cutting microshred models — don’t offer ultimate security. There are now companies such as ChurchStreet Technology, who use optical scanners and sophisticated software to automatically reassemble shredded scraps. But these services are very expensive (up to $10,000 per cubic foot!), and I think the process of scanning lots of little pieces of paper is likely to always remain relatively expensive and slow. In other words, someone snooping is much more likely to go after an easier target. Security, as always, is relative.

More info:
* Wikipedia’s Paper shredder page
* “Back Together Again”, article in the New York Times discussing shredders, document recovery, and more.

GPS satellite SVN-15 retired

[From SpaceflightNow…]

Frank Czopek, the GPS Block II and IIA project manager, recalled SVN-15’s rocky start before it got off the ground as well as its history once it became operational in 1990.

The satellite earned the nickname “Firebird,” as well as other nicknames such as “Old Smokey” and “Sparky II,” after the vehicle caught fire one Friday afternoon, Mr. Czopek said.


Animated PNG

In late March, support for Animated PNGs (APNGs) landed on the Mozilla trunk. The web can finally ditch GIF-format animations, as the APNG format offers a superior feature set… Most notably, full 24-bit color and alpha transparency. I was eager to try this out, but there were no editors to build such animations. What to do? Well, I built one. Here’s the first result:

[You’ll only see an animated logo if you’re running a recent trunk build.]

The editor is mostly complete, and I’ll release it as a browser extension once the patch for APNG image encoding support lands (bug 372741). Mozilla is a nifty platform for developing this kind of tool, as I get cross-platform support essentially for free.

Thanks to Grey Hodge for the layered source images.

Chromatabs 2

I released an update to Chromatabs today… [Edit: It’s no longer in the AMO Sandbox.]

This version adds the ability to color tabs based on the site’s favicon. (This is off by default; you can enable it in the extension’s preferences.)

Here’s what it looks like with a few select sites:

It’s just averaging the pixels in the favicon, which is why Flickr’s color is purple (a blend of the pinkish-red and blue in the icon). It would probably be better to build up a histogram, and then select the most prominent color… But averaging works fairly well and is easy. 🙂 The code is smart enough to ignore pixels that are almost white or black, which would otherwise pollute the average color. I’ve noticed that a surprising number of sites have black-and-white site icons (e.g. BBC), so Chromatabs will fall back to the old method of picking a color for the site in such cases. [Grayscale confuses it sometimes, though.]
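The averaging described above, next to the histogram alternative the post mentions, as an added example (not Chromatabs’ actual code). The thresholds, the 32-wide buckets, the function names and the sample pixels are assumptions made for illustration.

```javascript
// Added example: thresholds and bucket size are assumptions, not Chromatabs' values.
const NEAR_BLACK = 40;   // every channel below this: treated as almost black
const NEAR_WHITE = 215;  // every channel above this: treated as almost white

// pixels: flat RGBA byte array, laid out like canvas getImageData().data
function usablePixels(pixels) {
  const out = [];
  for (let i = 0; i + 3 < pixels.length; i += 4) {
    const [r, g, b, a] = [pixels[i], pixels[i + 1], pixels[i + 2], pixels[i + 3]];
    if (a === 0) continue;                         // fully transparent
    if (Math.max(r, g, b) < NEAR_BLACK) continue;  // almost black
    if (Math.min(r, g, b) > NEAR_WHITE) continue;  // almost white
    out.push([r, g, b]);
  }
  return out;
}

// Averaging: returns [r, g, b], or null when no usable pixel is left
// (a black-and-white icon), so the caller can fall back to another method.
function averageColor(pixels) {
  const px = usablePixels(pixels);
  if (px.length === 0) return null;
  const sum = px.reduce((s, p) => [s[0] + p[0], s[1] + p[1], s[2] + p[2]], [0, 0, 0]);
  return sum.map(c => Math.round(c / px.length));
}

// Histogram: quantise each channel into 32-wide buckets and return the
// centre of the most populated bucket.
function dominantColor(pixels) {
  const counts = new Map();
  for (const [r, g, b] of usablePixels(pixels)) {
    const key = [r, g, b].map(c => c >> 5).join(",");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let best = null, bestCount = 0;
  for (const [key, n] of counts) {
    if (n > bestCount) { best = key; bestCount = n; }
  }
  return best === null ? null : best.split(",").map(k => Number(k) * 32 + 16);
}

// Constructed samples: a pink-and-blue icon on white, and a monochrome icon.
const rgba = (r, g, b, n) => Array.from({ length: n }, () => [r, g, b, 255]).flat();
const twoTone = [...rgba(255, 0, 132, 30), ...rgba(0, 99, 220, 40), ...rgba(255, 255, 255, 186)];
const mono = [...rgba(0, 0, 0, 100), ...rgba(255, 255, 255, 156)];
```

On the two-tone sample the average lands on a purple that appears nowhere in the icon, while the histogram picks the blue that covers the most pixels.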

I’ve found that using the favicon to determine colors for tabs seems more useful, because the color actually has some relevance to the site. Of course, for sites without a favicon it doesn’t help at all.


Oh, and one more thing (as Steve Jobs is wont to say)…

I’ve been thinking about some ideas to improve the visibility of the foreground tab, which is sometimes hard to pick out (especially with colored tabs, although I think even the default theme is too non-distinct). Here’s a mockup of what I’m currently thinking about — subtle gradients on either side, vaguely as if the neighboring tabs are curving into darkness.

(*cough* I just noticed I styled the wrong tab in the mockup, as the URL bar clearly says “” and not “” Oh well, no one is prefect! [sic :)])

Outside the Asylum

I grabbed a box of tissues for my desk today, and saw this on the back:

For Professional use?! So, what happens if they’re used in an amateurish or unintended way? Who’s qualified for use? Are instructions or technical support available?

I wouldn’t be surprised if I open it up and discover a small booklet explaining the Terms and Conditions I have agreed to by opening the box…