Monday, August 22, 2011

Master password in Fennec

Last week we finally fixed the master password bug 592772. It had one of the longest histories: 130+ comments, and 12 versions of the patch! A funny thing about it is that the final patch is actually almost the same as the very first version, except for some minor tweaks.

OK, some background. The need for this functionality arose when we implemented support for the SD card, specifically moving the user profile to an SD card when the application is moved there. It was a wanted feature, because the user profile may grow to tens of megabytes (37MB was mentioned), which is quite a lot for many phones. Mike Beltzner formulated this pretty well in his comment:

While I understand that instinct, and further understand that the newer generations of Android phones are not as limited as the Nexus One and its contemporaries in terms of the internal/SD memory split, I can also tell you that as a Nexus One owner, this really does prevent me from using Fennec as intended. My choices are:
- Fennec + Sync and a limited number of other applications
- Fennec w/o Sync and my applications
- No Fennec and my applications

The feature, while helping users free some internal phone memory, had a big drawback: it made all the user data fully exposed and easily accessible, as the SD card uses the FAT file system and doesn't have any protection. So if the card is lost or stolen, someone could get access to all personal information in the Firefox user profile, most importantly all the stored passwords for the web sites.

To avoid that, the important data had to be encrypted. Desktop Firefox already has such a feature, called "master password". The key*.db file in the user profile could be encrypted with the password, so when web site login data needs to be saved, or Firefox detects it can auto-fill the login information on a site, the user is prompted to enter "the master password for the Software Security Device".

The original goal of the master password bug 592772 was just to implement the same functionality: basically just have a preference, and prompt the user for a password, similar to how it's done on desktop. But a simple prompt had some UX issues. It could come up several times in a row when more than one site requiring access to the password database was open, or in some specific cases, like in bugs 624552 and 624570. So an idea came up to implement a new feature, later called "auto-password". The idea was pretty simple: use the same internal master password functionality, but instead of asking the user to enter the password, generate it automatically and store it in the system, so the data would be protected the same way as on desktop, but without the "UX hell".

I did some research on ways to store the generated password, and implemented a prototype, which used AuthenticationService and an Authenticator, similar to how it is done for all Android applications that log the user in, like Gmail, Facebook, etc., but unlike those, stored the password locally rather than on the server. But it wasn't the best way. Apparently the current version of Android does not have any system-wide secured storage that could be used for our purpose, so the only place to store the password was the internal application data directory. It revealed one more important issue. Our application was marked as debuggable in the Android manifest file, to make debugging easier, obviously. But that flag made all application data readable, and accessible by other applications, and through a USB connection. This bit was fixed in a separate bug, turning off the debuggable flag in the official builds.
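A build-time check for the debuggable flag described above, as an added example that is not code from the bug or from Fennec's build system. The function name and the sample manifests (including the package name) are constructed for illustration, and only the text-form manifest is handled.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS


def debuggable_findings(manifest_xml):
    """Return reasons a text-form AndroidManifest.xml is unfit for an official build.

    An empty list means the manifest passes. The binary XML packed inside an
    APK is a different format and is not handled here.
    """
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        return ["manifest is not well-formed XML: %s" % exc]
    if root.tag != "manifest":
        return ["root element is <%s>, expected <manifest>" % root.tag]

    apps = root.findall("application")
    if not apps:
        return ["no <application> element found"]

    findings = []
    for app in apps:
        value = app.get(DEBUGGABLE)
        if value is None:
            # Absent attribute: the app is not debuggable by default.
            # A bare "debuggable" without the android: prefix is not the
            # platform attribute, so report it as a likely typo.
            if app.get("debuggable") is not None:
                findings.append("debuggable set without the android: namespace")
            continue
        if value.strip().lower() != "false":
            # "true" is the unsafe setting; anything else (for example a
            # @bool/ resource reference) cannot be proven safe from this file.
            findings.append(
                "android:debuggable is %r, expected 'false' or absent" % value
            )
    return findings


# Constructed sample manifests (not taken from any real application).
_HEAD = '<manifest xmlns:android="%s" package="org.example.browser">' % ANDROID_NS
DEBUG_MANIFEST = _HEAD + '<application android:debuggable="true"/></manifest>'
RELEASE_MANIFEST = _HEAD + '<application android:label="Example"/></manifest>'
RESOURCE_MANIFEST = _HEAD + '<application android:debuggable="@bool/dbg"/></manifest>'

if __name__ == "__main__":
    for label, text in [("debug", DEBUG_MANIFEST),
                        ("release", RELEASE_MANIFEST),
                        ("resource", RESOURCE_MANIFEST)]:
        print(label, debuggable_findings(text) or "OK")
```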

The unnecessary complexity of the authenticator approach implementation, where all its functionality was not really used, and some minor issues related to it (for example, our authentication service, which was used only internally, was visible in the system settings, which we didn't really want) led to a simplified approach: store the generated password in the application's SharedSettings, which, despite the name, are private to the application and, with the debuggable option off, are not accessible by others. Then there was another modification, with the password stored in a simple file inside the Firefox data directory. This was done to avoid an extra call to the Java layer through the Android bridge, as the latest implementation was all in the platform code.
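A sketch of the "generate it and keep it in a private file" idea from the two paragraphs above, as an added example and not the work-in-progress patch from the bug. The function names, the file name and the temporary directory standing in for the application's internal data directory are all assumptions; it relies on POSIX permission bits, which a FAT-formatted SD card does not provide.

```python
import os
import secrets
import stat
import tempfile


def read_auto_password(path):
    """Read the stored password, refusing files that others could have touched."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # do not follow symlinks
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s is not a regular file" % path)
        if st.st_uid != os.getuid():
            raise PermissionError("%s is owned by another user" % path)
        if st.st_mode & 0o077:
            raise PermissionError("%s is accessible to group or others" % path)
        data = os.read(fd, 4096).decode("ascii")
    finally:
        os.close(fd)
    if not data:
        raise ValueError("%s is empty (interrupted first run?)" % path)
    return data


def load_or_create_auto_password(private_dir, name="auto_password"):
    """Return the generated password, creating it on first use."""
    path = os.path.join(private_dir, name)
    try:
        # O_EXCL: never write into a file that already exists; an existing
        # file is only read back after the checks in read_auto_password().
        fd = os.open(path,
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600)
    except FileExistsError:
        return read_auto_password(path)
    try:
        os.fchmod(fd, 0o600)                  # owner-only regardless of umask
        password = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        os.write(fd, password.encode("ascii"))
        os.fsync(fd)
    finally:
        os.close(fd)
    return password


def demo():
    """Create, re-read, then loosen permissions and confirm the read is refused."""
    with tempfile.TemporaryDirectory() as private_dir:  # stand-in for the app data dir
        first = load_or_create_auto_password(private_dir)
        second = load_or_create_auto_password(private_dir)
        os.chmod(os.path.join(private_dir, "auto_password"), 0o644)
        try:
            load_or_create_auto_password(private_dir)
            rejected = False
        except PermissionError:
            rejected = True
        return first == second, len(first), rejected


if __name__ == "__main__":
    print(demo())
```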

The last approach to the auto-generated master password feature combined the auto-password service and the original UI preference, to allow security-conscious users to still have their own master passwords, which were not stored anywhere on the device. The feature passed the security review, with the comments that it might be useful not only on Android, but on other systems as well, where the generated password could be securely stored in a system key ring. But later, during the last code review, more concerns were raised by Brian Smith, with an alternative suggestion: instead of implementing a whole new auto-password feature, which would encrypt the passwords database and store the key in internal memory, just keep the passwords database itself in the same internal memory, by splitting the user profile. This was actually discussed before, but it wasn't clear how difficult it would be to implement the profile splitting.

During another security review, for the whole approach to store user profile data on the SD card, those concerns and possible ways to resolve them were discussed, and the final decision was to drop the auto-password feature, look into the profile splitting possibility, and implement the master password UI, as it was originally planned.

That was the final implementation submitted, which will be included in the next release: just a master password preference, similar to the one on desktop. The auto-password feature was moved to a separate bug 678412, with a "work-in-progress" patch attached.

Monday, August 1, 2011

Mozilla blog

I tried to hide from blogging about Mozilla stuff I work on, as I'm a bit shy :), but I guess I have to do it eventually. It is actually useful as a lot of information gets lost, if not recorded anywhere, so a blog should be a good place to keep that.

I joined Mozilla two years ago, in July 2009, to work on Fennec. There was a plan to make a version for Symbian, and my previous experience with Symbian could help. But the focus at that time was on Windows Mobile, and as I developed for that system as well, I started working on Fennec for WM. We were almost ready for the first release, when Microsoft killed Windows Mobile in favor of the new shiny Windows Phone 7. It turned out that the new version unfortunately was not compatible with the previous ones, as it didn't have an SDK to develop apps in C++ using the underlying Windows CE, like all the previous versions including PocketPC and Windows Mobile. That's when I switched to Android, as it became our main priority.

From time to time I work on the issues, which require a lot of investigation, and have a lot of questions raised. I will try to post here about those issues to have some coverage on what's happening behind the scenes.

Saturday, July 30, 2011

Becoming a website admin and designer...

We've started a new business - unique T-shirt design!

My responsibility is, obviously, the web site setup, support, and maintenance. It's actually a pretty interesting and somewhat new experience for me.

I didn't want to start anything from scratch, because I knew there were some ready-to-use content management systems. I had a quick look at Joomla, did some research on Drupal. But they were too powerful and complicated, so I looked for alternatives. It turned out there are quite a lot of specialized e-commerce engines, and many of them are free. I liked the name OpenCart, tried it, and without much hesitation selected it as our platform. It's not too complicated and pretty usable. There are different modules and extensions available, so it was possible to customize it for our purposes.

The site is now live and working! Check it out: www.excellentshirt.com

Our first and my favorite design:

Sunday, April 24, 2011

New PC: Video cards swapping - II

Yesterday I decided to swap the video cards back.

Regardless of the good cooler, the 9800GT was becoming too hot. Apparently there is just not enough air and ventilation - thanks again to Dell motherboard design. The video card is positioned at the very bottom, next to the only PCI slot, so there is less than an inch space between the radiator and the bottom of the main case chamber. The optional fans of the Turbo Module barely fit there, almost touching the wires. Under heavy load the card temperature was over 100°C!

So I decided to return the original ATI HD5670 back - it's a bit less powerful, but being newer it uses less power than 9800GT, so runs much cooler. I put the card back thinking I was just returning to the original configuration, but what a mistake! Well, the old PC didn't have any issues - Windows XP just reused the nVidia driver, I just disabled autostart of the Catalyst, which was complaining about the missing ATI card.

Windows 7 in the new PC didn't have problems either - again, just reused the ATI driver, and I re-enabled the Catalyst autostart.

But it was a completely different story with Ubuntu. It just didn't boot to the GUI! The monitors stayed black and were blinking with the power indicators, which meant there was no proper signal from the video card. Booting in recovery mode and attempting to reconfigure graphics didn't help. Neither did playing with xorg.conf. I removed everything related to nVidia - no luck. Removed ATI drivers as well - nothing... Then somewhere in the logs I noticed a mention of VMWare and some warnings. I remembered that VMWare gets pretty deeply into the system, it even compiled some kernel modules during installation. So I decided to give it a try. Found how to uninstall it (followed instructions on this page: sudo vmware-installer -u vmware-player), and then after more playing with recovery mode the system finally could boot successfully into X.

It wasn't the end though. There was no network connection! Apparently when VMWare was uninstalled, it took the network with it. More googling helped to find that "eth0" is not in /etc/network/interfaces anymore. Just added it to the first line ("auto lo eth0"), rebooted, and voilà - it worked!

Now I have just reinstalled ATI drivers, and re-configured the multi-display mode, and finally my computer is working again. No more experiments!

Sunday, April 17, 2011

New PC: Video cards swapping

ATI HD5670, which came with my new PC, is not a very powerful video card. It's better than some totally budget ones, but it's definitely at the low end. So I decided to compare it with the nVidia 9800GT, which I had in my old PC, and probably swap them. Several years ago the 8800GT (which the 9800GT is based on, it's basically the same) was almost at the top of the line, and according to the tests I found on the Internet, it's still a bit faster than the HD5670.

But first I wanted to replace the cooler on that 9800GT, because the original one was too loud and the card was getting pretty hot on load. Checked what NCIX had on sale, and bought this one - Accelero S1 Rev.2 passive VGA cooler:


The drop in the temperature was huge. With the old cooler the GPU/Ambient temperatures were ~70°C/47°C on idle, and ~80°C/56°C on load. With the Accelero S1 they dropped down to 45°C/34°C and 68°C/43°C respectively. And that's without fans, in complete silence! Heat pipes are very efficient!

So, I tried both cards in two computers, ran 3DMark06 on both, and here's the result:

3DMark Score | NVIDIA GeForce 9800 GT, 512MB | ATI Radeon HD 5670, 1GB
Old computer (Intel Core 2 Duo Processor E7300 2.66 GHz) | 11101 | 9987
New computer (Dell XPS 9100, Intel Core i7-930 Processor 2.8 GHz) | 12984 | 11452

Based on these results, I'm leaving the 9800GT in the new machine, and will see how it will work.

Monday, April 11, 2011

New PC: Why I don't like brand named PCs

I was complaining about limited SATA connections on Dell motherboard.

Turned out I was wrong. Look at this picture - here are the available connectors:

Those black and blue ones at the edge of the board are used for the HDD and DVD drives, so there was only one available. But when I was checking BIOS setup today, I noticed it lists more SATA slots. I did one more closer inspection, and finally understood what those numbers and text near the SATA ports on the motherboard mean. Those black and blue connectors are actually double ports! Right under the ones which are visible and have cables connected, there are two more connectors, which are hidden and not noticeable from any possible angle. And even when I found them, it was very difficult to connect the SATA cables there - without seeing and with limited access.

I've never seen the SATA connectors design like this! If I had a manual for the motherboard, I could figure that out earlier, but alas, seems like there is no such manual coming with Dell XPS.

So, finally it looked like I could connect my other HDD. But that was a hasty conclusion. I was still unable to connect the additional drive, because the SATA power cable was not long enough. It was designed to work only for a specific hard drives position in the original XPS case - the distance between the connectors is very short. I could use one cable with three connectors to power two drives, and the second cable, even though it had three more connectors, could only be used either for the DVD drive, or for another hard drive, but not for both of them. Normally the power supplies have at least a couple of molex connectors. Even though they are not used for the HDDs these days, there are adapters for other components, like fans, special motherboards, PCIe cards. But Dell power supply does not have any, so I couldn't even use this way. I need a SATA power splitter.

How many more surprises should I expect from this Dell?!?

Here's a list of annoyances I had to face with this Dell:
  • It is too loud
    • Cheap and extremely noisy VGA cooler
    • Stock CPU cooler - noisy and not very good
    • No HDD vibration dampers
  • Non-standard design of the motherboard, and no documentation for the motherboard
    • A bigger and better 3rd party CPU cooler doesn't fit
    • Difficult to find and use extra SATA ports
    • Not enough fan power connectors on the motherboard
    • Only Dell front panel with non-standard USB ports can be connected (and cannot run without it)
  • No molex connectors from the power supply
  • SATA power cables are designed to be used only for a specific HDD configuration
  • Not enough USB ports on the back

The main idea is: all the components of this Dell PC were designed for a specific configuration. The customization/upgrade/replace abilities are extremely limited. This kind of a PC is intended for the users who are not expected to do anything with it. Want to change something? Order another configuration or even another model!

It is not for me for sure. I've never wanted to buy a brand name PC for myself - saw several of such machines, and every one of them used some custom components, which were difficult to customize or upgrade. This is the first time when I had to get a brand name PC, and it will be the last one!

Thursday, March 31, 2011

New PC: Making it quiet - III

As I mentioned in the previous post, the Arctic Cooling Freezer 13 Pro cooler didn't fit into the Dell XPS case. What to do? I didn't like the option of exchanging it for a smaller one, as a smaller fan would be louder, since it needs to rotate at a higher RPM, which defeats the main goal of making my PC quiet. So I decided to replace the case. I didn't like the XPS 9100 case anyway - it was not designed with silence in mind. Nothing was done to make it quieter - no insulation, and the hard drives, DVD drive, and fans are screwed directly to the case, without any vibration dampers. The only good thing - it had a 120 mm case fan, which wasn't too loud, rotating at not very high RPM.

I did a lot of research on the quiet PC cases, and selected one, which got a good review on Silent PC Review, and was frequently mentioned in the reviews of other cases, as one of the best - Antec P183:


The main silencing features of this case are: three-layer, sound-deadening side panels and front door; HDD mounting with special cages and silicon anti-vibration grommets; a separate chamber for the power supply in the bottom of the case also helps to reduce noise.

This case was in stock at A-Power, so I bought it from there. I spent the whole evening moving all Dell components from the XPS to this new case. It is slightly bigger than XPS 9100, and with the top fan removed, the Arctic Cooling Freezer 13 Pro fits perfectly.

Of course it didn't go as smoothly as I planned. When I installed all the parts, connected everything, and powered it up, the computer didn't want to boot. It kept complaining about the front USB not being connected. It also wanted a case fan, so I connected one, and the error message disappeared. But that front USB was painful! First I tried to connect the case front panel - the error was still there on the next boot. Then I got a card reader with USB ports from the old computer, connected that panel, switched on - the same error message. Finally I just disassembled the XPS front panel, removed the card reader with USB ports from there, connected the cables to the motherboard, and that helped! The computer had finally booted. Apparently those original USB ports from the XPS are special. It looks like they have some capacitors, which are probably used to detect the connection, so the motherboard only works with the original USB ports panel!

I didn't really need those ports and the card reader, but didn't have a choice - they had to be connected for the computer to boot, so I put the USB panel inside the case (just used some wires to keep it in place), and connected a couple of USB extenders, so I could at least use those ports. I also found a place for the card reader: could put it into 5" mounts in the front of the case. It doesn't look very aesthetically pleasing, as it's supposed to be covered by the cool shiny semi-transparent panel of the XPS case, and that panel is not detachable. But at least it is connected properly, so the computer boots, and the reader is even accessible, so I could use it to read from the SD cards used in our cameras.

Now, the results.

Arctic Cooling Freezer 13 Pro with heat pipes and big 120mm fan works much better than the stock Intel cooler. Here are the temperatures:


Cooler | Idle | Load
Stock cooler | 38-40°C | 70-73°C
Arctic Cooling Freezer 13 Pro | 34-35°C | 57-60°C

And most importantly - the computer is now noticeably quieter than before! It is a combination of several things:
  • The case is specially designed to be quiet
  • Video card cooler is replaced with a big copper one with a low RPM fan
  • CPU cooler is replaced with AC Freezer 13 Pro
  • Case fans are replaced with SilenX low RPM & low noise ones
It is not dead silent yet, as there are still 5 working fans inside, but the noise they produce is very low. During the day with all the normal sounds around I can barely hear it. And even in the night it's not very noticeable.
I'm happy! :)

Friday, March 25, 2011

New PC: Making it quiet - II

My Dell XPS is still loud. The next component to replace is the CPU cooler. It seems to make the most noticeable sound now, especially on load - when building, the CPU is used up to 100%, gets hot, and its fan starts buzzing like it's going to take off.

After reading some reviews and checking what is available at NCIX, where I usually buy my computer parts, I decided to get Arctic Cooling Freezer 13 Pro:


It is supposed to be very quiet and work much better than the original cooler.

So, I got it, opened the case of my Dell, and found the next surprise: the CPU socket on this motherboard is very close to the edge, so close that the huge radiator of the Freezer 13 Pro does not fit into the place without removing the power supply. What a disappointment!

Now I have to decide what to do - take a smaller cooler so it fits there, or bite the bullet, and move the whole computer into another, even bigger case.

Wednesday, March 16, 2011

New PC: Making it quiet

This Dell XPS is pretty loud. I knew it wouldn't be the best, but I didn't expect it to be that bad. It might be OK in a regular office environment, but in my home office, where there is not much noise around, the computer is the loudest piece of equipment.

The most annoying thing is the video card. By the way, its brand is "Pegatron" - I've never heard of this name before. Apparently that's a part of ASUS company, which split several years ago. This video card has a very cheap small and extremely noisy fan. I was tired of that noise, and after I got a permission from Mozilla IT guy to modify my PC (as long as I don't break it :)), I started from that annoying little VGA cooler.

I had a pretty big and heavy copper VGA cooler, which I bought several years ago for my HTPC. Since then I upgraded the motherboard in the HTPC to one with integrated nVidia 8200, so this VGA cooler was not used. Luckily its mounting screws could be adjusted to fit the holes on this ATI HD5670, and the radiator did not touch any parts, so I installed it. There was one problem though - the original fan on the VGA cooler was connected to the card itself, and that connector was too small for a 3rd-party cooler fan. The Dell motherboard doesn't have any more fan connectors, so I had to be inventive - I cut two pieces from a paper clip, ground them down a bit, inserted them into a floppy drive power cable, and connected the fan to that improvised power source. It worked! I put everything together, and now my computer is noticeably quieter without that constant buzz from the video card.

Tuesday, March 15, 2011

New PC: Need more hard drives

I still had a lot of useful files on my old PC, and it wasn't convenient to access them. It's especially confusing when there are copies of the same files and folders on two machines (like "My Documents" folder, where I had a lot of stuff - from everyday notes, to my financial data needed for tax return). As I've switched to a new PC, I decided to move the hard drive with all my stuff into it. I also had an SSD in the old PC, which I wanted to use.

So, I repartitioned an older 500GB disk, which I had available, moved the system and all the required data to it, got the SSD and the HDD from the old PC, opened the Dell XPS, ready to install those two drives, and suddenly stopped, confused, as there was no place to connect these drives - there was only one SATA connector available! Also there was no place where I could put the SSD so I could screw it to the case - the case was designed only for 3.5" drives.

Well, it's not the first time when I had to invent something, so I managed to connect the SSD and fix it in place, but another HDD was out of luck.
Does this Dell motherboard really have only one extra SATA port?!?

Thursday, February 10, 2011

New PC

In January I switched from a contract to a full time position at Mozilla, and as an employee I was eligible for a new computer. I definitely needed a powerful machine, as full Firefox build takes about an hour on my 3 year old PC with Intel Core 2 Duo E7300 CPU. I knew I needed something like Intel i7, so I asked about that and Mozilla ordered me one. I would prefer to assemble a computer myself (at least select the components), but as it had to be ordered and paid by the company, I didn't have much choice, had to go with some brand name. Dell was one of the obvious choices, so I just pointed at some Dell XPS with i7 and configuration close to what I wanted, and it was ordered.

Yesterday it was finally delivered! That's Dell XPS 9100, Intel i7-930, 2.8 GHz, 12 GB RAM, 1TB HDD, ATI Radeon HD5670. Here it is:


This thing is big and heavy! The box, which it came in, was huge! The Purolator guy who delivered it was driving a full size truck, which he backed up to our driveway, and took it all. Normally he drives a regular post office delivery vehicle, but not this time. I guess the big truck was chosen just because of my box. :)

So, I got the new PC set up and running, got Ubuntu installed, copied most important stuff from the old PC, set up Mozilla environment, and tried the build. It took about 20 minutes! A huge improvement compared to the old PC! Now I can build even during the work day, not overnight, as I usually did before.

By the way, it took me a while to install Ubuntu. I wanted the 32 bit version, as it's known to have fewer compatibility issues, but its installation was consistently failing somewhere in the middle. I burned three CDs on two different CD-writers, tried a USB drive - no luck. Only the alternative (text-based) setup worked, though it was very slow. But after I finally installed and ran the system I realized that 32 bit limits the available RAM to 4GB. Somehow I forgot about that, or rather just didn't think that Linux has the same limitations as Windows (why would it be different?). I just didn't use a 64 bit system, and didn't have more than 4GB of RAM in my PC before, so my unconscious mind didn't tell me anything. Anyway, I installed the amd64 version, got access to the total 12GB of RAM, and now I'm all set.