Skuto writes: After offering a total prize fund of up to 1M USD for a successful Chrome hack (http://news.slashdot.org/story/12/02/28/1833229/google-offers-1-million-for-chrome-exploits), it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing (http://arstechnica.com/business/news/2011/12/chrome-sandboxing-makes-it-the-most-secure-browser-vendor-study-claims.ars) is not a silver bullet for browser security.
Skuto writes: At yesterdays linux.conf.au Browser miniconference in Ballarat, Australia, Mozilla engineer Nicholas Nethercote gave a detailed presentation about the history of Firefox's memory consumption. The 37 slides-with-notes explain in gritty detail what caused Firefox 4's memory usage to be higher than expected, how many leaks and accidental memory use bugs were tracked down with Valgrind plugins, as well as the pitfalls of common memory allocation strategies. Current work is now focused on reducing the memory usage of popular add-ons such as AdBlock, GreaseMonkey and Firebug. Required reading for people working on large software projects, or those who missed that Firefox is now one of the most memory-efficient browsers in heavy usage.
Skuto writes: NIST just announced the final selection of algorithms in the SHA-3 hash competition. The algorithms that are candidates to replace SHA-2 are BLAKE, Grøstl, JH, Keccak and Skein. The selection criteria included performance in software and hardware, hardware implementation size, best known attacks and being different enough from the other candidates. Curiously, some of the faster algorithms were eliminated as they were felt to be "too fast to be true". A full report with the (non-)selection rationale for each candidate is forthcoming.