Full Disk Encryption Offered as a Service

PGP Corporation has become the first company to offer full disk encryption on a software-as-a-service (SaaS) subscription, which it claims brings the technology within the reach of small businesses for the first time.
Selling through Managed Service Provider Network (MSPN) channel partners in the U.K. and the U.S., enterprises will be offered PGP's Windows or Mac Whole Disk Encryption software on a month-by-month 'pay as you grow' contract, increasing or decreasing the number of seats as they please.
The service includes the PC encryption software, a key recovery service should that be necessary, plus reports on the encryption status of each machine for compliance and auditing. Laptops using the software can only be accessed by providing a key, which means that should they be lost or stolen, hard drive data remains encrypted an inaccessible.
The costs themselves are comparable over a year to buying the software on a stand-alone basis, PGP admitted, but this removed the obstacle of deployment and ongoing management that has, up to now, put off many smaller enterprises with around 100 mobile users. Pricing is straightforward, with monthly billing in arrears and volume discounts.
Deployment is probably the biggest advantage of the SaaS model because it means that companies don't have to commit staff and infrastructure to getting full disk encryption projects off the ground. Using either one of the appointed partners - Gradian in the U.K., and Aurora and ANI Direct in the U.S. - it should be possible to get the technology into a small enterprise within days or weeks, instead of months as might otherwise be the case.
"Market data shows that customers, such as small businesses, branch offices and departmental groups, are becoming more comfortable consuming security technology as a service offering as it greatly simplifies set-up and ongoing infrastructure maintenance," said Phillip Dunkelberger, PGP's president and CEO.
"End-user customers and channel partners of the PGP Managed Service Provider Network can now more easily get started and quickly reduce IT expenditures by using PGP Whole Disk Encryption in a SaaS environment," he said.
Lost laptops containing unencrypted data have become an almost routine way for enterprises of all sizes lose sensitive data, a frequency IDC's Charles Kolodgy was quoted by PGP as having recently described as "obscene".
Monthly prices and volume discounts had yet to be confirmed at the time of going to press, but were said to be in line with the annual per-seat prices already quoted for stand-alone use. This is £95 (approx $160) per annum.


Reference : http://www.pcworld.com/article/152769/disk_encryption.html?tk=rss_news

Hacker Spoof, VMware Goof

With all eyes turned to the Olympics in Beijing this week -- what with all the swimming records being blown away -- IT news eased into its usual August slow period. Hackers switched from duping people with CNN news alerts as a lure to sending out millions of messages with fake MSNBC links in them. U.K. hacker Gary McKinnon got to stay in England a little longer as he continues to fight extradition to the U।S. And more news started to pop up regarding the IT angle on the U.S. presidential race as Democrats and Republicans prepared for party conventions.

1. Hackers spoof MSNBC alerts in new twist on massive malware ruse: Hackers who had been trying to lure victims to malware-infested sites masquerading as CNN.com have now switched to fake breaking news alerts from MSNBC. The miscreants had spread as many as 2 million bogus news messages an hour by the middle of Wednesday using the new ruse, which leads victims to fake sites that pop up a box saying they need to update Adobe's Flash software to see a video clip of the news. Security researchers expect the hack to continue.
2. VMware CEO apologizes for 'time bomb' mess: VMware developers left code in ESX 3.5 and ESXi Server 3.5 updates that made users unable to power up virtual machines when Aug. 12 arrived. Users got error messages saying that their virtualization software licenses expired that date. They inundated VMware support forums about the problem, which the company patched. The new CEO, Paul Maritz, also issued an apology for the "disruption and difficulty."
3. Court delays British hacker's extradition to U.S.: Gary McKinnon's extradition to the U.S. was delayed by the European Court of Human Rights, whose ruling allows him to stay in the U.K. at least until the court reconvenes on Aug. 28 and can further consider his case.
U.S. prosecutors have charged McKinnon, who lives in London, with hacking into U.S. military networks, knocking 2,000 computers offline and deleting 2,455 user accounts as well as logs related to tracking Navy vessels. He has been fighting extradition, saying he was bullied by U.S. authorities into confessing in exchange for a lesser sentence.
4. Is America ready for its first BlackBerry president?: How much technology expertise the next U.S. president ought to possess is a subject for debate, but there is widespread agreement that technology knowledge is beneficial for the commander in chief to have.
Republican candidate John McCain is reportedly not terribly interested in technology and doesn't much use it, while Democrat Barack Obama is counted among Washington, D.C.'s cadre of BlackBerry users. What may be more important, some analysts say, is how much stock the next president's advisers and top aides put in technology and its uses. This takes us to ...
5. McCain promotes online security, privacy policies: McCain released a statement on his online security and privacy position saying that consumer education, technological innovation and beefed-up law enforcement, along with industry self-regulation, are needed to support "personal security for Americans in the digital age."
6. Intel drops Centrino Atom brand after five months: Intel's Centrino Atom brand has gone the way of New Coke, dropped after only five months in lieu of the company using just the Atom brand. The similarly named brands caused a bit of confusion. Atom-based laptops didn't use the Centrino Atom brand because they had a different version of the Atom processor and a two-chip chipset, while Centrino Atom uses a single-chip chipset.
7. When Apple's reach exceeds its grasp: In a mere five years Apple transformed itself from a niche company making non-Windows computers into a consumer electronics monolith.
Along the way, the company's reputation as a PC industry iconoclast has morphed into a perception that Apple is "a technology juggernaut with immense power at its disposal as it steamrolls over everyone else ... while creating one industry-busting product after another."But that image is off-base, given the number of times Apple hasn't quite managed to achieve the reach it seems to be grasping for.
8. How the feds are locking down their networks: In the past nine months, the U.S. government has decreased the number of external network connections it operates from 8,000 to about 2,700 as part of an ambitious plan to get rid of Internet connections that are vulnerable to attack. The government's access points will have state-of-the-art security policies and managed security services.
9. Republican National Convention venue gets network makeover: The IT challenges of transforming the Xcel Energy Center in St. Paul, Minnesota, into the venue for the Republican National Convention have thus far been manageable, but much work remains to be done, according to Max Everett, the CIO of the committee in charge of the event. The RNC opens Sept. 1 at the center, which is used primarily as the home of the Minnesota Wild professional hockey team.
10. Meet Dell's 19-hour laptop: Dell announced that it will soon launch its lightest ultraportable commercial laptop, and also a laptop that can run for up to 19 hours on battery power।
Reference : http://www.pcworld.com/article/149913/2008/08/.html?tk=rss_news

Defcon Talk Exposes Disclosure Divide

A court order put a stop to a planned presentation at the Defcon hackers convention by three MIT students who found security flaws in the electronic ticketing system used by the mass transit authority in Boston. But the ruling reopened the schism in the IT security community over the issue of how vulnerabilities should be publicly disclosed.
Critics of the temporary restraining order issued last Saturday by a federal judge in Boston have labeled it an infringement of the students' First Amendment rights and an example of "prior restraint" on free speech. Many said such actions leave vulnerable systems open to attackers and put a chill on security research, driving legitimate researchers underground.
Others, though, see the case involving the students and the Massachusetts Bay Transportation Authority (MBTA) as another example of publicity-hungry security researchers driven more by ego and the desire for fame than by any sincere interest in improving security.
The always-simmering disclosure debate boiled over again after the MBTA obtained the 10-day gag order barring the MIT undergrads - Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa - from publicly disclosing information about the flaws in its e-ticketing system. The order was handed down the day before a scheduled Defcon session in which the students planned to detail the holes, which they say they found during independent penetration testing.
In an affidavit, the MBTA claimed that the students didn't give it sufficient information about the vulnerabilities beforehand. The transit authority added that it wasn't trying to permanently gag the students and that it just wanted some time to determine the validity and seriousness of the flaws and a course of action for addressing them.
But the Electronic Frontier Foundation (EFF), a high-tech civil rights group that is representing the three students in court, contended that the gag order was unconstitutional and wholly unnecessary. Some of the material that the students planned to present had been previously published elsewhere, the EFF noted. And, it said, the students hadtold the MBTA that they wouldn't release technical details that hackers could use to take advantage of the flaws.
Bruce Schneier, chief security technology officer at BT Group PLC, joined 10 computer science professors and researchers in signing a letter opposing the restraining order that the EFF included as part of a motion to reconsider the decision (download PDF). Schneier said this week that publicly disclosing vulnerabilities is often the only way to prod businesses to address them.
"Companies won't make [their systems] better by themselves," Schneier said। MBTA officials, he claimed, "are counting on the legal system to protect their shoddy work" on IT security।


Forewarned Is Forearmed
Schneier agreed that it's good practice in general to give organizations some advance notice before publicly disclosing flaws in their systems. But, he said, it's often hard to determine exactly what might be construed as "reasonable disclosure" and what might not be.
Steven Bellovin, a computer science professor at Columbia University who also signed the letter, said it's a fallacy to assume that a security problem goes away or remains hidden from view "simply because you don't talk about it" in public.
"I'm not saying the first thing you do when you find a vulnerability is to post it on your blog," Bellovin said. "But getting injunctions against people is like saying [to them], 'If you didn't find it, this problem wouldn't exist.'"
As long as the students didn't plan to use what they had discovered for malicious purposes, they had every right to talk about it, asserted Jim Kirby, a senior network engineer at DataWare Services, an IT services firm in Sioux Falls, S.D. "Anyone who says otherwise is invited to read the Constitution," Kirby said, adding that the restraining order was an effort "to enforce security by obscurity."
Other critics pointed out that much of the information has already become public anyway, since the students' slides were included on a CD given to Defcon attendees. In fact, the MBTA this week asked the court to modify the gag order so it covered only "nonpublic" information. A hearing on that motion, and one by the EFF seeking a reconsideration of the restraining order, was held on Thursday by a different judge in U.S. District Court in Boston. But he declined to take any action on the motions.
On the other side of the disclosure debate, David Jordan, chief information security officer for Virginia's Arlington County, said the reasonable course of action would have been for the students to help the MBTA address the flaws before disclosing them publicly.
"When you discover major flaws in a system that society relies on, you go to the people who own the system and work with them," Jordan said "You don't stand up on a podium and say, 'Look how clever I am.'"
He added that in such cases, the goal of security researchers often seems to be to further their own agendas instead of helping others fix problems. "It's all about improving one's own self-absorbed ego," Jordan said.
The students did meet with an MBTA police officer and an FBI agent on Aug. 4 and then delivered a short report on their findings to the MBTA prior to Defcon, according to a court document filed by the EFF (download PDF).
But Gartner Inc. analyst John Pescatore said the MBTA wasn't given a reasonable amount of time before the scheduled Defcon presentation to fix the problems or develop work-arounds for them.
The intent of disclosing flaws should be to make software and systems more secure, "not to make headlines or sell tickets to security conferences," Pescatore said. In this case, he added, "the students went for publicity."
In doing so, they didn't follow well-understood principles of responsible disclosure, according to Pescatore। "Responsible vulnerability disclosure really does clean up the software equivalent of dead wood," he said. "But releasing vulnerability info for sport or publicity does not."

Reference : http://www.pcworld.com/article/149860/2008/08/.html?tk=rss_news

Cisco Routers Again Take Hacker Spotlight

The Cisco hacking scene has been pretty quiet for the past three years, but at this week's Black Hat hacker conference in Las Vegas, there's going to be a little noise.
Security researchers will give talks on rootkits and new hacking and intrusion-detection software for the routers that carry most of the Internet's traffic.
Three years ago, security researcher Michael Lynn shined a spotlight on Cisco's products when he talked about how he ran a simple "shellcode" program on a router without authorization. Lynn's controversial talk was the biggest story at Black Hat 2005. He had to quit his day job to get around a company prohibition on discussing Cisco, and both he and the conference organizers were quickly sued by Cisco. The networking company argued that Lynn's presentation slides contained information that violated the company's intellectual property rights, and Lynn's talk was literally ripped out of the conference materials package. In a settlement agreement, the researcher was barred from further discussing his work, but copies of his presentation (pdf) were posted online.
Today, Cisco Chief Security Officer John Stewart is remarkably candid about the experience, saying that his company acted for the right reasons -- protecting its customers and intellectual property -- but went too far. "We did some sort of silly things," he said. "Which is why I personally sponsored Black Hat at the platinum level ever since. Because I think we had some atonement to do."
Lynn wasn't without a job for long. He was quickly snatched up by Cisco competitor Juniper Networks, but for a few years after his talk, there wasn't much public discussion of Cisco hacking, according to Jeff Moss, Black Hat's director.
Moss believes that economics may have driven some Cisco researchers underground. Any code that exploits Cisco vulnerabilities is so prized that any hacker who chooses to disclose his findings, rather than sell them to a security company or government agency, is often giving up a lot of money, Moss said. Mike Lynn's vulnerability was worth about US$250,000, he reckons.
But this year things have opened up. Black Hat organizers plan three talks on Cisco routers and the Internetwork Operating System that they run. "All of a sudden this year a lot of stuff has been breaking loose," Moss said.
Lately, with Microsoft Windows no longer the fertile ground for bug hunting that it once was, researchers are looking at other products to hack. And Cisco's routers are an interesting target. They command more than 60 percent of the router market, according to research firm IDC.
"If you own the network, you own the company," said Nicolas Fischbach, senior manager of network engineering and security with COLT Telecom, a European data service provider. "Owning the Windows PC is not really a priority anymore."
But Cisco's routers make a harder target than Windows. They're not as well-known to hackers and they come in many configurations, so an attack on one router might fail on a second. Another difference is that Cisco administrators are not constantly downloading and running software.
Finally, Cisco has done a lot of work in recent years to cut down on the number of attacks that can be launched against its routers from the Internet, according to Fischbach. "All the basic, really easy exploits you could use against network services are really gone," he said. The risk of having a well-configured router hacked by someone from outside of your corporate network is "really low."
That hasn't deterred the latest crop of security researchers.
Two months ago Core Security researcher Sebastian Muniz showed new ways of building hard-to-detect rootkit programs for Cisco routers, and this week his colleague, Ariel Futoransky, will give a Black Hat update on the company's research in this area.
Also, two researchers from Information Risk Management (IRM), a security consultancy based in London, plan to release a modified version of the GNU Debugger, which gives hackers a view of what happens when Cisco IOS software processes their code, and three shellcode programs that can be used to control a Cisco router.
IRM researchers Gyan Chawdhary and Varun Uppal have taken a second look at Lynn's work. In particular, they took a close look at the way Lynn was able to circumvent an IOS security feature called Check Heap, which scans the router's memory for the type of modifications that would allow a hacker to run unauthorized code on the system.
They discovered that while Cisco had blocked the technique that Lynn used to trick Check Heap, there were still other ways to sneak their code onto the system. After Lynn's disclosure, Cisco "simply patched the vector," said Chawdhary. "In a sense the bug still remains."
By modifying one part of the router's memory, they were able to bypass Check Heap and run their shellcode onto the system, he said.
The researcher Lynn credited with making his own research possible, Felix "FX" Lindner, will also be talking about Cisco hacking at Black Hat. Lindner, head of Recurity Labs, plans to release his new Cisco forensics tool, called CIR (Cisco Incident Response), which he has beta tested for the past several months. There will be a free version, which will check a router's memory for rootkits, while a commercial version of the software will be able to detect attacks and perform forensic analysis of the devices.
This software will give networking professionals like Fischbach a way to go back and look at the memory of a Cisco device and see if it has been tampered with. "I think there's a use for it," he said. "To me, it's part of the toolkit when you do forensics, but it's not the only tool you should rely on."
There are still major barriers for any Cisco attacker, Stewart says. For example, many attackers are reluctant to hack routers, because if they make a mistake, they knock out the entire network. "We sort of get a pass because no one wants to monkey with the infrastructure that they're using," he said. "It's like screwing up the freeway while you're trying to go to a different city. "
Though Cisco may not have any major security worries right now, Stewart is taking nothing for granted.
In fact, he also admitted that his company has been lucky so far and he knows that could change if enough people like Lindner start working on the problem। "We've got time," he said. "We've got the opportunity to be better, and we should continually invest on lowering the attack surface."
Reference : http://www.pcworld.com/article/149448/2008/08/.html?tk=rss_news

Hands On: 12 Quick Hacks for Firefox 3

Think you've seen all there is to see of Firefox 3's new features? Wait, there's more -- check out these cool and useful hacks FireFox ३.० has been out for two weeks now, so get with the program: It's time to hack it. The newest version of Mozilla's browser has plenty of new features, including the site identification button, the Bookmarks Library and what has become known as the "Awesome Bar" -- and I'll show you how to hack them all.
You can also force the browser to use Gmail for mailto: links, discover a hidden "Easter egg" and more. So fire up your browser and get ready to teach it some new tricks.
A note before we begin: One of the best ways to hack Firefox 3 is via about:config, which lets you change a wide variety of Firefox settings and preferences. Many of the hacks in this story make use of this nifty and practical utility.
To use about:config, you'll always repeat a few basic steps:
1. In the address bar, type about:config and press Enter.
2. A message will appear reading "This might void your warranty!" Ignore that nonsensical warning and click "I'll be careful, I promise!"
3. In the filter box, type the name of the setting you want to adjust. You'll see that entry appear in the area below. (If the name of the setting is very long, typing the first part of it will generate a list; you can then pick the setting you want.)
4. Make changes to the setting as instructed.
1. Klaatu Barada Nikto!
You may not know it, but Firefox has a mascot -- a robot that you can find in a hidden Easter egg in Firefox 3. In the address bar, type about:robots and you'll see the cheerful metal guy. The robot-related quotes displayed are from books and movies in which robots play a significant role, such as Blade Runner and The Hitchhiker's Guide to the Galaxy .
If you look at the title for the page, you'll find what at first glance may seem to be gibberish: Gort! Klaatu barada nikto! In fact, that's the phrase used by Helen Benson in the science fiction classic The Day the Earth Stood Still , ordering the robot Gort not to destroy the Earth।

2। Tell Firefox 3 to Have Yahoo Mail Handle mailto: Links
Until Firefox 3, if you used a Web-based e-mail account such as Yahoo Mail or Gmail, you were left out in the cold when you clicked a mailto: link. Mailto: links automatically begin an e-mail message to a specific sender, using your default e-mail handler. But with previous versions of Firefox, those links worked only with client-based e-mail software, and not with any Web-based e-mail programs.
With Firefox 3, that changes. The browser includes built-in integration with Yahoo Mail -- if you know where to look. And although it doesn't have the same integration with Gmail, there's a way to hack it to make it do so.
1. Select Tools -- Options and click the Applications icon at the top of the page.
2. Click mailto, and select Use Yahoo! Mail.
3. Click OK.
From now on, when you click a mailto: link, you'll be sent to your Yahoo! Mail account and a new e-mail will be created, to be sent to where the mailto: link directed it। (If you're not already logged into Yahoo Mail, you'll have to type in your username and password first.)

3. Tell Firefox 3 to Have Gmail Handle mailto: Links
Gmail, surprisingly, doesn't show up in the Firefox list of mailto: handlers. But you can add it. Just follow these steps:
1. In the address bar, type about:config and press Enter. Ignore the warranty warning.
2. In the filter box, type gecko.handlerservice.
3. From the entries that appear, double-click gecko.handlerServiceAllowRegisterFromDifferentHost. This will change its value from false to true.
4. In the address bar, copy this code, exactly as you see it, then press Enter:
javascript:window.navigator.registerProtocolHandler("mailto","https://mail.google.com/mail/?extsrc=mailto&url=%s","GMail")
5. Below the address bar, you'll get a message asking if you want to add Gmail as the application for mailto: links. Click the Add Application button.
6. Next time you click a mailto: link, a screen will appear that lets you choose an appropriate application. Select Gmail, check the box next to "Remember my choice for mailto: links," then click OK.
From now on, Gmail will handle the links. As with Yahoo Mail, if you're not currently logged in, you'll first have to type in your e-mail and password, and then Gmail will create the e-mail.

4. Use the Site Identification Button to Download All Graphics and Media
One of Firefox 3's niftiest new features is the site identification button, the button just to the left of the Address Bar that displays an icon representing the site that you're currently visiting. The button is far more than mere decoration -- it can tell you a great deal of information about the site you're visiting and lets you do some nice tricks as well.
If you click the button, then click More Information from the dialog box that appears; you'll come to a Page Info screen with multiple buttons on the top. Once you get there, there are plenty of tricks you can try. Here are two of them:
Before Firefox 3, one of the most popular extensions was DownloadThemAll, which, among other things, let you download all of a Web page's graphics and media simultaneously. With Firefox 3, you can throw that extension away, because a similar capability is built right into the browser.
Just click the Media button on the Page Info screen for a list of the page's various elements. You can scroll to any graphic to see a preview, then click Save As to save it. Download multiple files by holding down the Ctrl key and selecting them, and then clicking Save As. To download them all, press Ctrl-A, which will highlight all the files, and click Save As.
If for some reason you want to block images from a site from being displayed in Firefox, check the Block Images box, and the site won't display images।

5. Get Web Page Details
If you're in the Web business, there's plenty of information you may want to know about a given Web page. What metatags are your competitors using, for example? How "heavy" are the pages you create -- in other words, how large are they in kilobytes?
The General tab of the Page Info screen tells you that and more। Click the General tab, and you'll see page size, the date the page was modified, metatags and more.

6. Shrink the Back Button
Firefox 3's Back button looks like an arrow on steroids। If that bothers you, you can shrink it down to normal size. Right-click an empty spot on the toolbar, select Customize, and check the box next to Use Small Icons. Click Done. The Back button will now be smaller -- and the same size as the forward button. Keep in mind, though, that all the other icons on the toolbar will be smaller as well.

7. Find All Your Passwords
If you're like most people, you have plenty of passwords associated with Web sites. And most likely, you've forgotten most or all of them. Firefox remembers your passwords, so you'll be logged into your sites automatically. But what if you need to log into the sites on another PC? Or what if you'd like to keep a record of your passwords, in case they get wiped out?
Firefox 3 gives you an easy way to find all your passwords and user names associated with Web sites:
1. Select Tools -- Options and click the Security icon.
2. In the Passwords section, click Saved Passwords. A screen appears with a list of Web sites and usernames associated with each site.
3। Click Show Passwords. A warning screen will appear, asking if you want to show your passwords. Click Yes. You'll now see all your passwords, along with site URLs and usernames. Write them down or take a screen capture to print out, and put them in a safe place.

8. Change the Maximum Number of Awesome Bar Results
The address bar in Firefox has gotten such a makeover and has been given so many new capabilities that many people now refer to it as the Awesome Bar. (Mozilla refers to it as the Smart Location Bar.) No matter what you call it, though, it's eminently hackable.
First, a little background about the Awesome Bar's new features. In earlier versions of Firefox, when you typed text into the address bar, it showed you a drop-down list of URLs you'd recently visited and narrowed down the list as you typed in more text. So, for example, if you typed the letter "c" by itself, you'd get a long list of sites you'd recently visited that start with "c," and then as you typed additional letters, the list would shorten. You could scroll to any URL on the list and press Enter to visit there.
The Awesome Bar adds some oomph to that. First off, it not only lists recently visited sites as you type, but it grabs URLs from your bookmarks as well. And it doesn't just look for URLs that match the first letter -- it also looks at page titles and tags. What's more, it uses an algorithm to figure out what are the most likely sites you want to visit and puts those first on the list. And it shows you not just a list of URLs, but much more for each URL, including the site's favicon, its full title and whether you've bookmarked the page.
By default, the Awesome Bar returns a list with a maximum of 12 entries. You can change that maximum to another number:
1. Type about:config into the address bar and click "I'll be careful, I promise!" when you get the security warning.
2. Type (or paste) this text into the filter box: browser.urlbar.maxRichResults. You can also just type browser.urlbar and pick out browser.urlbar.maxRichResults from the resulting list.
3. Double-click the browser.urlbar.maxRichResults entry. In the "Enter integer value" pop-up, type the maximum number of results you want to appear and click OK. From now on, that will be the maximum number.
Note that even after you do this, you will only see the default six results as you type। To see more, scroll through the list.

9. Ban Bookmarks from the Awesome Bar
If for some reason you don't want bookmarks to appear in the Awesome Bar, there's an easy way to ban them. Download the Hide Unvisited 3 add-on, and only recently visited pages will appear. Keep in mind that if you've recently visited a page that you've bookmarked, that page will appear in the Awesome Bar. It will only keep off bookmarks that you haven't recently visited.
If you'd prefer to do the same thing by yourself rather than relying on an add-on, here's what to do:
1. Type about:config into the address bar.
2. Type this text into the filter box: browser.urlbar.matchOnlyTyped (or type . browser.urlbar and choose from the list).
3. Double-click the browser.urlbar.matchOnlyTyped entry so that the value changes from false to true.
4. Clear your history list.
From now on, only sites you've visited recently will show up; bookmarks won't।

10. Kill the Awesome Bar ... Sort Of
If you're a retro kind of person, you can kill the Awesome Bar, and make it look and work somewhat like the old reliable address bar in earlier versions of Firefox. The oldbar add-on will make the Awesome Bar look like the Firefox 2 location bar। But the changes are only skin deep -- even when you use this add-on, the Awesome Bar will still use its algorithms to determine what sites it shows. It just won't show all the details.

11. Force Old Extensions to Work in Firefox 3
When you install Firefox 3, it checks to see if your old extensions have been updated for the new version of the browser. If it finds they haven't, it disables them.
If you like living on the edge, you can change a couple of settings to force Firefox to use your old extensions. Be forewarned, though, that doing this can cause compatibility problems and other woes.
Go to the following settings in about:config, and change both to false by double-clicking them:
extensions.checkCompatibility
extensions.checkUpdateSecurity
If you don't want to muck around with about:config but still want to force old extensions to work in Firefox 3, download and use the Nightly Tester Tools extension. For instructions on how to use it, check out my blog entry about some of my favorite Firefox 3 add-ons।

12. Hack Firefox's New Zoom Feature
Firefox 3 adds some very nice capabilities to Zoom, which now magnifies images as well as text. But if it doesn't do everything you want it to, or you don't like some of the features, they can be hacked. Here's how to do it with about:config.
You can zoom in and out of pages with Firefox using the Ctrl + and Ctrl - combinations, or by selecting View -- Zoom. When you zoom pages in a Web domain (such as computerworld.com), the next time you visit any page in that domain, Firefox 3 will remember your zoom level and display it at that level.
You may, however, prefer that Firefox always display a page at a normal zoom, no matter how you displayed it the last time you visited। If so, you can change the following setting from true to false by double-clicking it in about:config: browser.zoom.siteSpecific.
Reference : http://www.pcworld.com/article/id,147823-pg,1/article.html