Firefox

Firefox 84 Claims Speed Boost from Apple Silicon, Vows to End Flash Support (zdnet.com) 40

The Verge reports: Firefox's latest update brings native support for Macs that run on Apple's Arm-based silicon, Mozilla announced on Tuesday. Mozilla claims that native Apple silicon support brings significant performance improvements: the browser apparently launches 2.5 times faster and web apps are twice as responsive as they were on the previous version of Firefox, which wasn't native to Apple's chips...

Firefox's support of Apple's Arm-based processors follows Chrome, which added support for Apple's new chips shortly after the M1-equipped MacBook Pro, MacBook Air, and Mac mini were released in November.

Firefox 84 will also be the very last release to support Adobe Flash, notes ZDNet, calling both developments "a reminder of the influence Apple co-founder Steve Jobs has had and continues to exert on software and hardware nine years after his death." Jobs wrote off Flash in 2010 as successful Adobe software but one that was a 'closed' product "created during the PC era — for PCs and mice" and not suitable for the then-brand-new iPad, nor any of its prior iPhones. Instead, Jobs said the future of the web was HTML5, JavaScript and CSS.

At the end of this year Google Chrome, Microsoft Edge and Apple Safari also drop support for Flash.

Senior Apple execs recently reflected in an interview with Om Malik on what the M1 would have meant to Jobs had he been alive today. "Steve used to say that we make the whole widget," Greg Joswiak, Apple's senior vice president of Worldwide Marketing, told Malik.

"We've been making the whole widget for all our products, from the iPhone, to the iPads, to the watch. This was the final element to making the whole widget on the Mac."

ZDNet also notes that Firefox 84 offers WebRender, "Mozilla's faster GPU-based 2D rendering engine" for MacOS Big Sur, Windows devices with Intel Gen 6 GPUs, and Intel laptops running Windows 7 and 8. "Mozilla promises it will ship an accelerated rendering pipeline for Linux/GNOME/X11 users for the first time."

Firefox now also uses "more modern techniques for allocating shared memory on Linux," writes Mozilla, "improving performance and increasing compatibility with Docker."

And Firefox 85 will include a new network partitioning feature to make it harder for companies to track your web surfing.
Government

Tech Giants Will Block Kazakhstan's Web Surveillance Efforts Again (engadget.com) 47

Apple, Google, Microsoft and Mozilla have teamed up to block the Kazakhstan government's attempts to force its citizens to install a "national security certificate" on every internet-capable device in the country. "That government-issued root certificate would allow authorities to keep tabs on people's online traffic, essentially becoming a back door to access citizens' data," reports Engadget. From the report: In its announcement, Mozilla said it was recently informed that ISPs in Kazakhstan have started telling customers that they're required to install the digital certificate to be able to access foreign websites. ZDNet reported earlier this month that Kazakh ISPs have been cutting people's access to websites like Google, Twitter, Facebook, Instagram and Netflix unless they install the certificate.

When users in Kazakhstan who complied with their ISPs' demand try to access websites on their devices, they'll get an error telling them that the certificate shouldn't be trusted. The companies are also encouraging those users to research the use of a VPN or the Tor Browser for web browsing and to change the passwords for their accounts.
Kazakhstan's government made a similar attempt back in 2015 and then again in 2019, but tech giants did what they're doing now to put a stop to those plans.
Firefox

How Firefox Boosted Its JavaScript Performance (infoworld.com) 51

InfoWorld reports: Firefox users can expect improved JavaScript performance in the Firefox 83 browser, with the Warp update to the SpiderMonkey JavaScript engine enabled by default.

Also called WarpBuilder, Warp improves responsiveness and memory usage and speeds up page loads by making changes to JiT (just-in-time) compilers... Warp has been shown to be faster than Ion, SpiderMonkey's previous optimizing JiT, including a 20 percent improvement on Google Docs load time. Other JavaScript-intensive websites such as Netflix and Reddit also have shown improvement...

Warp has replaced the front end — the MIR building phase — of the IonMonkey JiT... Mozilla also will continue to incrementally optimize the back end of the IonMonkey JiT, as Mozilla believes there is still room for improvement for JavaScript-intensive workloads.

Government

US Congress Passes an IoT Security Bill 'That Doesn't Totally Suck' (theregister.com) 80

Shotgun (Slashdot reader #30,919) shared these thoughts from The Register: Every now and again the U.S. Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President's desk.

As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the bill is actually pretty good: it asks America's National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules. It gives a minimum list of considerations to be covered: secure code, identity management, patching and configuration management. It also requires the General Services Administration — the arm of the federal government that sources products and comms for federal agencies — to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.

Industry has also got behind the effort — Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM, Cloudflare, the CTIA and others) — and Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.

Though it will still be legal to sell insecure IoT devices, "for those looking for good, secure products, there will be a baseline standard across the industry..." the article concludes.

"[T]his is an essential first step to getting secure IoT in place."
Mozilla

Fearing Drama, Mozilla Opens Public Consultation Before Worldwide Firefox DoH Rollout (zdnet.com) 79

Mozilla has opened today a public comment and consultation period about the ways it could enable support for the controversial privacy-centric DNS-over-HTTPS (DoH) protocol inside Firefox. From a report: The browser maker's decision to open a rare public consultation period comes after the organization faced criticism last year in the UK for its plans to support DoH inside Firefox. UK government officials, law enforcement agencies, and local internet service providers criticized Mozilla for developing and wanting to roll out DoH, a feature they said could have helped suspects bypass enterprise firewalls and parental controls blocklists -- even earning the browser maker a nomination for an "Internet Villain" award from a local ISP. All last year's hoopla was caused by DoH, a web protocol developed as an alternative to the classic DNS (Domain Name System). DoH works by encrypting DNS queries (which are normally sent out in clear text) and hiding them inside normal-looking HTTPS web traffic.
Firefox

Firefox 83 Arrives With HTTPS-Only Mode and Faster Performance (venturebeat.com) 56

Mozilla today launched Firefox 83 for Windows, Mac, and Linux. An anonymous reader shares a report: Firefox 83's highlight feature is HTTPS-Only Mode, in which the browser attempts to establish fully secure connections to every website (just like the EFF's HTTPS Everywhere). If it can't, Firefox asks for your permission before connecting to a website that doesn't support secure connections. To enable HTTPS-Only Mode, click on Firefox's menu button, hit Preferences, then Privacy & Security, scroll down to HTTPS-Only Mode, and choose "Enable HTTPS-Only Mode in all windows." [...] Firefox 83 also brings performance improvements (improved page load performance by up to 15%, page responsiveness by up to 12%, and reduced memory usage by up to 8%). Firefox 83 is also the penultimate version of the web browser that will run Flash software; Firefox 85 will completely disable it when it arrives on Jan. 12, 2021.
Businesses

Stripe, Mozilla, Dropbox, Spotify, Others Form Tech 'Challenger Group' To Sway European Policy (theinformation.com) 11

Mark Di Stefano, reporting for The Information (paywalled): A few years back, two Brussels-based lobbyists from midsize tech companies were out for drinks, and in the course of the conversation they realized they had a common problem. Google, Amazon, Apple and Facebook were sucking all of the oxygen out of European debates about regulating the internet, leaving out the voices of smaller companies -- despite the fact that those policies can have a very different impact on them. The European lobbyists and policy officers from other companies -- a motley array that included Mozilla, Stripe, Transferwise, Etsy, Dropbox and Spotify -- began meeting regularly in Brussels, often in bars and restaurants, to share their experiences, according to two people familiar with the matter. Some of them jokingly referred to the outings, which haven't been previously reported, as "whine and dines." The companies, which have continued to gather during the pandemic over video calls, even have a name for their informal network, the two people said: the challenger group. "It was really soothing to meet up with other companies doing the same thing," Raegan MacDonald, policy chief of Mozilla, said during an interview with The Information. "We finally said, let's do stuff together.... The work together has been helpful and fruitful, not just cathartic."

While members of the group won't say much about what that "stuff" is exactly, one of their priorities is having a voice in the upcoming overhaul of internet regulations in Europe, the biggest since the early 2000s. The European Commission -- the executive branch of the European Union, responsible for its legislation and policies -- plans to release the first drafts of this overhaul in the coming weeks, which will introduce sweeping new powers for competition regulators to intervene in tech markets.

Google

Simple Search Is a Browser Extension That Gives You Google Circa 2010 (theverge.com) 54

A group of journalists has built a browser extension, called Simple Search, to show you what Google search would look like without the information panels, shopping boxes, and search ads. The Verge reports: Introducing the extension, Maddy Varner and Sam Morris describe it as a conscious throwback to an earlier version of Google search, before the integration of the Knowledge Graph and its accompanying information boxes. "The extension lets you travel back to a time when online search operated a little differently," they write. "Nowadays, you don't always have to click any of the 'blue links' to get information related to your search -- Google gives you what it thinks is important in info boxes of information pulled from other websites." The extension works on Google and Bing searches and is available for both Firefox and Chrome browsers.
Chrome

Chrome To Block Tab-Nabbing Attacks (zdnet.com) 27

Google will deploy a new security feature in Chrome next year to prevent tab-nabbing, a type of web attack that allows newly opened tabs to hijack the original tab from where they were opened. From a report: The new feature is scheduled to go live with Chrome 88, to be released in January 2021. While the term "tab-nabbing" refers to a broad class of tab hijacking attacks [see OWASP, Wikipedia], Google is addressing a particular scenario. This scenario refers to situations when users click on a link, and the link opens in a new tab (via the "target=_blank" attribute). These new tabs have access to the original page that opened the new link. Via the JavaScript "window.opener" function, the newly opened tabs can modify the original page and redirect users to malicious sites. This type of attack has powered quite a few phishing campaigns across the years. To mitigate this threat, browser makers like Apple, Google, and Mozilla have created the rel="noopener" attribute.
The Internet

Net Applications Will No Longer Track the Browser Wars (venturebeat.com) 34

Emil Protalinski, reporting for VentureBeat: For more than a decade, I've used Net Applications' NetMarketShare tool to track the desktop browser and operating system markets. The monthly reports have been critical in gauging which browsers and new versions of operating systems are gaining or losing market share. Last week, Net Applications released its final NetMarketShare report. The loss could not come at a worse time. After Chrome cemented its spot as the world's de facto browser, there hasn't been a lot of movement. But that might be about to change. Chrome's creator, Google, is facing the biggest U.S. antitrust case in a generation. Mozilla, which depends on Google for almost all its revenue, is rightly worried about becoming "collateral damage."

[...] So why is Net Applications killing off NetMarketShare? Don't act surprised when I tell you the undisputed market leader has something to do with it. In January, Google proposed deprecating the User-Agent string (used to identify which browser and operating system is being used) as part of its war on fingerprinting. Net Applications says the change will break NetMarketShare's device detection technology and "cause inaccuracies for a long period of time." Add the ongoing problem of filtering out bots to prevent skewing of the result, and Net Applications decided it was best to throw in the towel after 14 years. Net Applications provided its reports based on data captured from 100 million sessions each month over thousands of websites.

Android

On Older Versions of Android, Many Let's Encrypt-Secured Sites May Stop Working in 2021 (letsencrypt.org) 45

This year Let's Encrypt announced that it's issued a billion certificates, and it's been estimated they've made certs for almost 30% of web domains. But Friday they posted that "The DST Root X3 root certificate that we relied on to get us off the ground is going to expire — on September 1, 2021. Fortunately, we're ready to stand on our own, and rely solely on our own root certificate."

"However, this does introduce some compatibility woes." Some software that hasn't been updated since 2016 (approximately when our root was accepted to many root programs) still doesn't trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let's Encrypt.

Android has a long-standing and well known issue with operating system updates. There are lots of Android devices in the world running out-of-date operating systems. The causes are complex and hard to fix: for each phone, the core Android operating system is commonly modified by both the manufacturer and a mobile carrier before an end-user receives it. When there's an update to Android, both the manufacturer and the mobile carrier have to incorporate those changes into their customized version before sending it out. Often manufacturers decide that's not worth the effort. The result is bad for the people who buy these devices: many are stuck on operating systems that are years out of date.

Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let's Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant.

Let's Encrypt engineer Jacob Hoffman-Andrews explains that "In the time between now and September 29 we plan to start serving certificates with the 'alternate' link relation to allow Automatic Certificate Management Environment (ACME) clients to programmatically select a chain they prefer." But Friday's blog post explains that won't solve everything: There will be site owners that receive complaints from users and we are empathetic to that being not ideal. We're working hard to alert site owners so you can plan and prepare. We encourage site owners to deploy a temporary fix (switching to the alternate certificate chain) to keep your site working while you evaluate what you need for a long-term solution: whether you need to run a banner asking your Android users on older OSes to install Firefox, stop supporting older Android versions, drop back to HTTP for older Android versions, or switch to a CA that is installed on those older versions.
Gizmodo notes that Firefox will be unaffected "since it relies on its own certificate store that includes Let's Encrypt's root, though that wouldn't keep applications from breaking or ensure functionality beyond your browser." They describe Let's Encrypt as "the Mozilla-partnered nonprofit," and offer this succinct summary of the problem.

"One of the world's top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021."
The Internet

Brave Browser First To Nix CNAME Deception (theregister.com) 47

An anonymous reader quotes a report from The Register: The Brave web browser will soon block CNAME cloaking, a technique used by online marketers to defy privacy controls designed to prevent the use of third-party cookies. The browser security model makes a distinction between first-party domains -- those being visited -- and third-party domains -- from the suppliers of things like image assets or tracking code, to the visited site. Many of the online privacy abuses over the years have come from third-party resources like scripts and cookies, which is why third-party cookies are now blocked by default in Brave, Firefox, Safari, and Tor Browser.

In a blog post on Tuesday, Anton Lazarev, research engineer at Brave Software, and senior privacy researcher Peter Snyder, explain that online tracking scripts may use canonical name DNS records, known as CNAMEs, to make associated third-party tracking domains look like they're part of the first-party websites actually being visited. They point to the site https://mathon.fr/ as an example, noting that without CNAME uncloaking, Brave blocks six requests for tracking scripts served by ad companies like Google, Facebook, Criteo, Sirdan, and Trustpilot. But the page also makes four requests via a script hosted at a randomized path under the first-party subdomain 16ao.mathon.fr. When Brave 1.17 ships next month (currently available as a developer build), it will be able to uncloak the CNAME deception and block the Eulerian script.
Other browser vendors are planning related defenses. "Mozilla has been working on a fix in Firefox since last November," notes The Register. "And in August, Apple's Safari WebKit team proposed a way to prevent CNAME cloaking from being used to bypass the seven-day cookie lifetime imposed by WebKit's Intelligent Tracking Protection system."
Windows

New Windows 10 Update Permanently Removes Adobe Flash (zdnet.com) 102

Microsoft has released a Windows update that removes Adobe's Flash Player before it reaches end of support on December 31, 2020. ZDNet reports: Update KB4577586 is part of Microsoft's effort to follow through with plans it announced along with Adobe, Apple, Facebook, Google, and Mozilla in 2017 to end support for Flash by December 2020. The Flash-removing update is available for all supported versions of Windows 10 and Windows Server, as well as Windows 8.1.

This new update removes Flash Player from Windows devices and cannot be uninstalled, Microsoft says in a new support note. However, it isn't rolling out via Windows Server Update Service (WSUS) just yet, and the update needs to be downloaded and installed from the Microsoft Update Catalog. It will become available to WSUS in early 2021, but admins can import it to WSUS manually today. Microsoft is releasing the Flash-removing update ahead of the end of support so that enterprise customers can test the impact on business applications when Flash is removed from a Windows PC or server. But the company says it will continue to deliver Flash security updates until support ends.

Microsoft has also detailed two methods that users and admins can follow to continue using Flash Player after the update is installed. Users can reset a device to an earlier system restore point. However, users need to explicitly enable this feature and a system restore point must have been created on the Windows device before the update is applied. The other option is to reinstall Windows without applying the update.

Chrome

So How Good Is Edge on Linux? (zdnet.com) 52

"No one asked Microsoft to port its Edge browser to Linux," writes Steven J. Vaughan-Nichols at ZDNet, adding "Indeed, very few people asked for Edge on Windows.

"But, here it is. So, how good — or not — is it..?" The new release comes ready to run on Ubuntu, Debian, Fedora, and openSUSE Linux distributions... Since I've been benchmarking web browsers since Mosaic rolled off the bit assembly line, I benchmarked the first Edge browser and Chrome 86 and Firefox 81 on my main Linux production PC.... First up: JetStream 2.0, which is made up of 64 smaller tests. This JavaScript and WebAssembly benchmark suite focuses on advanced web applications. It rewards browsers that start up quickly, execute code quickly, and run smoothly. Higher scores are better on this benchmark.

JetStream's top-scorer — drumroll please — was Edge with 136.971. But, right behind it within the margin of error, was Chrome with a score of 132.413. This isn't too surprising. They are, after all, built on the same platform. Back in the back was Firefox with 102.131. Next up: Kraken 1.1. This benchmark, which is based on the long-obsolete SunSpider, measures JavaScript performance. To this basic JavaScript testing, it added typical use-case scenarios. Mozilla, Firefox's parent organization, created Kraken. With this benchmark, the lower the score, the better the result. To no great surprise, Firefox took first place here with 810.1 milliseconds (ms). Following it was Chrome with 904.5ms and then Edge with 958.8ms.

The latest version of WebXPRT is today's best browser benchmark. It's produced by the benchmark professionals at Principled Technology. This company's executives were the founders of the Ziff Davis Benchmark Operation, the gold-standard of PC benchmarking. WebXPRT uses scenarios created to mirror everyday tasks. These include Photo Enhancement, Organize Album, Stock Option Pricing, Local Notes, Sales Graphs, and DNA Sequencing. Here, the higher the score, the better the browser. On this benchmark, Firefox shines. It was an easy winner with a score of 272. Chrome edges out Edge 233 to 230.

The article concludes that "Oddly, Edge, which turned in a poor performance when I recently benchmarked it on Windows, did well on Linux. Who'd have guessed...? Edge is a good, fast browser on Linux. If you're a Windows user coming over to Linux or you're doing development work aimed at Edge, then by all means try Edge on Linux. It works and it works well."

Yet Vaughan-Nichols admits he's still not going to switch to Edge. "Chrome is more than fast enough for my purposes and I don't want my information tied into the Microsoft ecosystem. For better or worse, mine's already locked into the Googleverse and I can live with that."
Python

Does Python Need to Change? (zdnet.com) 233

The Python programming language "is a big hit for machine learning," read a headline this week at ZDNet, adding "But now it needs to change."

Python is the top language according to IEEE Spectrum's electrical engineering audience, yet you can't run Python in a browser and you can't easily run it on a smartphone. Plus no one builds games in Python these days. To build browser applications, developers tend to go for JavaScript, Microsoft's type-safety take on it, TypeScript, Google-made Go, or even old but trusty PHP. On mobile, why would application developers use Python when there's Java, Java-compatible Kotlin, Apple's Swift, or Google's Dart? Python doesn't even support compilation to the WebAssembly runtime, a web application standard supported by Mozilla, Microsoft, Google, Apple, Intel, Fastly, RedHat and others.

These are just some of the limitations raised by Armin Ronacher, a developer with a long history in Python who 10 years ago created the popular Flask Python microframework to solve problems he had when writing web applications in Python. Austria-based Ronacher is the director of engineering at US startup Sentry — an open-source project and tech company used by engineering and product teams at GitHub, Atlassian, Reddit and others to monitor user app crashes due to glitches on the frontend, backend or in the mobile app itself... Despite Python's success as a language, Ronacher reckons it's at risk of losing its appeal as a general-purpose programming language and being relegated to a specific domain, such as Wolfram's Mathematica, which has also found a niche in data science and machine learning...

Peter Wang, co-founder and CEO of Anaconda, maker of the popular Anaconda Python distribution for data science, cringes at Python's limitations for building desktop and mobile applications. "It's an embarrassing admission, but it's incredibly awkward to use Python to build and distribute any applications that have actual graphical user interfaces," he tells ZDNet. "On desktops, Python is never the first-class language of the operating system, and it must resort to third-party frameworks like Qt or wxPython." Packaging and redistribution of Python desktop applications are also really difficult, he says.

Firefox

Firefox 'Site Isolation' Feature Enters User Testing, Expected Next Year (zdnet.com) 14

An anonymous reader shares a report: Site Isolation is a modern browser security feature that works by separating each web page and web iframe in its own operating system process in order to prevent sites from tampering with or stealing each other's data. The feature was first deployed with Google Chrome in mid-2018, with the release of Chrome 67. Although initially, Site Isolation was meant to be deployed as a general improvement to Chrome's security posture, the feature came just in time to serve as a protective measure against the Spectre vulnerability impacting modern CPUs. Seeing the feature's success, Mozilla also announced plans to support it with the Firefox browser in February 2019, as part of an internal project codenamed Fission.

For both Google and Mozilla, implementing Site Isolation was a time-consuming operation, requiring engineers to re-write large chunks of their browsers' internal architecture. The process took about two years for both Google and Mozilla. While Site Isolation is now a stable feature inside Chrome, this work is now nearing its completion inside Firefox. According to an update to the Project Fission wiki page, Site Isolation can now be enabled inside versions of Firefox Nightly, the Firefox version where new features are tested.

Mozilla

Mozilla Fears 'Collateral Damage' in Google Antitrust Case (venturebeat.com) 73

Mozilla has responded to the U.S. Department of Justice's antitrust lawsuit against Google, but rather than commending the DOJ's action, the Firefox browser maker has voiced concerns that its commercial partnership could make it "collateral damage" in the fight against Google's alleged monopolistic practices. From a report: The DOJ, with support from 11 U.S. states, confirmed yesterday that it is suing Google for allegedly violating anti-competition laws by crowding out rivals in the internet search and advertising markets. "Small and independent companies such as Mozilla thrive by innovating, disrupting, and providing users with industry-leading features and services in areas like search," Mozilla chief legal officer Amy Keating wrote in a blog post. "The ultimate outcomes of an antitrust lawsuit should not cause collateral damage to the very organizations -- like Mozilla -- best positioned to drive competition and protect the interests of consumers on the web."

Mozilla has a long and complicated history with Google. In recent years, Mozilla has launched countless privacy campaigns against the internet giant's various online properties, and just last month it introduced a new browser add-on to crowdsource research into YouTube's opaque recommendation algorithm. On the other hand, Mozilla relies heavily on royalties from a search engine partnership with Google. The duo recently extended their deal to make Google the default search engine inside Firefox in the U.S. and other markets, which will reportedly secure Mozilla up to $450 million over the next three years.

Firefox

Firefox 81 Released, Can Now Be Your Default Browser in iOS (engadget.com) 34

Engadget reports: One big benefit of iOS 14 is that you can set non-Apple-made apps as your default, including for email and web browsing. Hot on the heels of you being able to set Chrome and Gmail as your clients of choice, Firefox is enabling you to make its browser the default on iPhones and iPads. Naturally, you'll need to have both the latest version of the operating system and the apps, and then just make the switch inside settings.
Meanwhile, Bleeping Computer profiles some of the new features in this week's release of Firefox 81, including:
  • The ability to control videos via your headset and keyboard even if you're not using Firefox at the time
  • A new credit card autofill feature for Firefox users in the U.S. and Canada
  • A new theme called AlpenGlow
  • Firefox can now be set as the default system PDF viewer

Firefox

Bug Allowed Hijacking Other Firefox Mobile Browsers on the Same Wi-Fi Network (zdnet.com) 15

"Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same Wi-Fi network and force users to access malicious sites, such as phishing pages," reports ZDNet: The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab. The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (i.e., such as sharing video streams with a Roku device).

When devices are found, the Firefox SSDP component gets the location of an XML file where that device's configuration is stored. However, Moberly discovered that in older versions of Firefox, you could hide Android "intent" commands in this XML and have the Firefox browser execute the "intent," which could be a regular command like telling Firefox to access a link...

The bug was fixed in Firefox 79; however, many users may not be running the latest release. Firefox for desktop versions were not impacted.

Firefox

Firefox Usage is Down 85% Despite Mozilla's Top Exec Pay Going Up 400% (calpaterson.com) 169

Software engineer Cal Paterson writes: Mozilla recently announced that they would be dismissing 250 people. That's a quarter of their workforce so there are some deep cuts to their work too. The victims include: the MDN docs (those are the web standards docs everyone likes better than w3schools), the Rust compiler and even some cuts to Firefox development. Like most people I want to see Mozilla do well but those three projects comprise pretty much what I think of as the whole point of Mozilla, so this news is a big let down. The stated reason for the cuts is falling income. Mozilla largely relies on "royalties" for funding. In return for payment, Mozilla allows big technology companies to choose the default search engine in Firefox - the technology companies are ultimately paying to increase the number of searches Firefox users make with them. Mozilla haven't been particularly transparent about why these royalties are being reduced, except to blame the coronavirus. I'm sure the coronavirus is not a great help but I suspect the bigger problem is that Firefox's market share is now a tiny fraction of its previous size and so the royalties will be smaller too - fewer users, so fewer searches and therefore less money for Mozilla.

The real problem is not the royalty cuts, though. Mozilla has already received more than enough money to set themselves up for financial independence. Mozilla received up to half a billion dollars a year (each year!) for many years. The real problem is that Mozilla didn't use that money to achieve financial independence and instead just spent it each year, doing the organisational equivalent of living hand-to-mouth. Despite their slightly contrived legal structure as a non-profit that owns a for-profit, Mozilla are an NGO just like any other. In this article I want to apply the traditional measures that are applied to other NGOs to Mozilla in order to show what's wrong. These three measures are: overheads, ethics and results.
