ZTE Firefox OS bids for UK/US attention

2013081215542040Been waiting for a Firefox OS phone to land in the UK or US? ZTE have announced that they will be eBaying the ZTE Open Firefox OS phone in both territories through their existing UK and US eBay stores. They have even been running auctions for pre-order collectible versions of the phone – you still have 3 days to bid on the UK pre-order auction but it’s already up to £73 (the list price in the UK will be £59.99).

So, what’s the ZTE Open got? Well, the product page shows a 3.4″ HVGA display with one and two point touch, 2G, 3G, Bluetooth and Wi-Fi, GPS/AGPS and a MSM7225A Qualcomm chipset – Wikipedia lists that as a up to 800 Mhz Cortex A5 core with Adreno 200 GPU. This is the kind of low end level device that Firefox OS was initially targeted at and if you are a developer, its probably the cheapest way to get yourself a Firefox OS phone especially now the Geeksphone devices are either pre-order for a €149 Peak+ or the discontinued (and €91) Keon.

And when it comes to the crunch, there is nothing like running your app on an actual device, no matter how good the emulators.

Snippets: Tails, Vim 7.4 and Wi-Fi SD hacking


  • Not Telling Tails: If you need to cover your tracks on the internet and locally, then Tails (The Amnesiac Incognito Live System) will help as its a Debian GNU/Linux distribution with built in Tor support and other privacy tools which doesn’t even leave local logs. Latest version is 0.20 and details can be found in the Tails 0.2.0 announcement.
  • Vim scrubs up: Vim 7.4 was released last week. Highlights are a new, faster regexp engine, a thousand fixes and small improvements according to the announcement on the developer mailing list which also contains links to the various versions and a reminder to contribute to the ICCF Holland to help children in South Uganda if you like Vim.
  • Wi-Fi SD Hacked : Want to ding into a Wi-Fi SD Card? This blog posting shows how to get into the embedded Linux system on the card all the way to a remote shell. There’s a lot you can pack into an SD card.

Random issues on Android

Source: http://bit.ly/11YB4uK
Source: http://bit.ly/11YB4uK

Random numbers are hard to get right and it appears that faith in the word “Secure” in front of the word “Random” has tripped up developers again, this time with Bitcoin wallets on Android. Those developers have now been alerted to the fact when they are generating a random number to sign Bitcoin transactions, that random number isn’t of high enough quality and make it a lot easier to crack the signing.

These Android apps have been using the Java SecureRandom class as implemented on Android, which in turn took its code from the Apache Harmony project. As shown back in March by Chris Meyer and associates at the RSA Conference 2013, the Apache Harmony SecureRandom implementation is actually not very random at all. The less entropy there is seeding the random number generator, the more likely it is to generate the same random numbers and the more likely someone can use brute force in a reasonable time to crypto that uses those random numbers. With the Android implementation, most cases have an entropy down at 64 bits and in the worst case it goes as low as 31 bits.

But this problem does not apply to other implementations of Java’s SecureRandom: OpenJDK’s version shows “no obvious weaknesses” while GNU Classpath’s version is fine under normal load but does have some issues on heavily loaded systems. Even then, Meyer’s advice is to never use a PRNG (Pseudo Random Number Generator) in critical environments and rely on hardware entropy collectors and random number generators.

Snippets: PyPy.js, reBlink, Patch Tuesday


  • PyPy.js: Have you considered a Python JIT compiler in the browser? Ryan Kelly, a Mozilla developer, has and is porting PyPy, the Python JIT, to the browser using Emscripten and getting the JIT compiler to emit asm.js code. Asm.js is a subset of Javascript which has a specialised optimiser. It’s early days for PyPy.js, but first benchmarking of the proof of concept does show how much impact the Asm.js optimisations have on performance bringing the code to half the speed of the C based JIT.
  • Blink Now: Missing the <blink> tag already after Firefox 23 removed it? Brad Gessler has the answer with his “cooler native HTML tags” like shudder, correction fluid, outline, blur, blurrier, smear, rumble and shudder and even sparkle.
  • Patching: Remember, next Tuesday is your monthly patch day for Microsoft – The advance notification has 3 critical and 5 important holes to be patched in Windows, Internet Explorer, Windows and Windows Server.

Rust now on Rust


Rust, the alternative systems language that’s in development at Mozilla where they are using it to create Servo, a next generation browser, has just hit a huge milestone and entered into some turbulent territory. The runtime system for Rust, including a task scheduler written in C++, has now been replaced by a runtime written in Rust. Brian Anderson on the explained with a mailing list post that this was part of a huge rewrite of how Rust is going to handle I/O using libuv and stopping tasks that are blocked on I/O from blocking other tasks. The long-term aim is to make I/O very scalable in Rust. The task scheduler was in the way though so, they’ve redone that in Rust removing all the foreign function interfaces and making something that will be a lot easier to maintain and enhance.

But as with all big changes, there are ramifications. The work will need to be completed, the IO system fully implemented, regressions deregressed, performance pulled up to previous speeds and bugs fixed.  Anderson details the work that is going to be done in his posting and covers what is already in progress saying he expects it to “validate Rust in the domains it’s aiming for: concurrent and systems programming”.

Google adds patents to pledge but…

PatentsIconGoogle has announced it is adding 79 patents to its open source patent non-assertion pledge. Of course the pledge is limited only to things where the patents infringed are within the open source element … so no mixing a bit of FOSS into your proprietary application and hoping you’ll get coverage. Although there are 79 patents in the new batch, there aren’t 79 ideas in there. The count includes patents in each territory too, so take “Computer network for www server data access over internet” that patent is counted ten times, for Belgium, Canada, Switzerland, Germany, UK, Italy, Japan, Netherlands, Taiwan and the US. And that’s quite an old patent which will expire in the US in June 2015… do read it if you want a blast from the past with its OS/2 Warp systems and RS/6000s.

Anyway, counting out the double counting, I make it 38 actual different patents spread around the globe. The original ten patents in Google’s first pledge were all US patents related to MapReduce so this double counting didn’t occur. Let’s call the total number of different patents 48… out of Google’s estimated (inc Motorola portfolio) of, albeit patents for the same things in different territories, 18,000+ patents. Some folks call it a drip-feed but it’s more akin to open source patent homeopathy. The dilution is so extreme that it will make no difference to the problem and any improvement in the patient’s condition are unlikely to come from this treatment. Google should take a page from Red Hat’s book – their patent promise covers all their software patents, no lists, no donation dramatica.

Snippets: AOSP, Google Cloud, PuTTY, gNewSense and Mozilla updates


  • AOSP – Android’s open source problem: JBQ,  , announced yesterday that he was stepping down as Technical Lead for AOSP, the Android Open Source Project. The problem appears to be a combination of Qualcomm’s desire to keep control of it’s SoC drivers and Google’s inability to shake them of that view despite building Nexus devices which use Qualcomm chips. JBQ has found himself in the middle of this and recent tweets quoted by Android Police seem to bear out that the pressure was getting to the AOSP leader who was being blamed for not getting factory restore images of various Nexus devices out of the door. If Google can’t do it for their own devices, the questions about Android’s open source credentials will come to the fore.
  • Google Cloud: The platforms of the Google Cloud have had some updates. Google Compute Engine now has layer 3 load balancing as an option, with balancing over a set of healthy Compute Engine VMs in a region. Google Cloud Datastore now has an SQL styled Google Query Language, support for metadata queries and how-tos for Ruby developers. Over on Google App Engine, the company has also made improvements to the PHP runtime’s Cloud Storage along with other more general changes.
  • gNewSense: Version 3.0 of the “Free as in freedom” (no non-free elements) GNU/Linux distribution gNewSense is now available. The big change with this release is a switch from Ubuntu to Debian as the base distribution. It supports i386, amd64 and mipsel architectures (the latter being the CPU of the Lemote Yeelong notebook as previously used by Richard Stallman until it was stolen).
  • More Mozilla updates: Firefox ESR 17.0.8 also arrived earlier this week with 2 critical and 6 high severity holes fixed. Details on the advisories page for Firefox ESR and downloads page. Same set of vulnerabilities are also fixed in Thunderbird ESR 17.0.8 (downloads here). Seamonkey, the forgotten browser suite, also got updated to version 2.20 with the same security fixes and enhancements that were applied to Firefox 23. It can be downloadable by anyone who wants to recall the heady days of the all in one browser suite.