Firefox suspicious subprocess (turned out to be legitimate FF behavior)












5















I've discovered this yesterday, as it was generating system load on otherwise idle Ubuntu 14.04 Desktop machine.



Today, I've confirmed such behavior also on another Ubuntu instance (17.10 in Virtualbox VM)



The sub-process in command line looks like below ( I've put this as picture below intentionally to prevent askubuntu.com from changing/escaping the content )



For me it looks like exploit/malware. Or at least there is something to hide.



this happens even for url https://www.google.com/



image






firefox security







share|improve this question




















  • 1





    Post text as text please, instead of screenshots. Use code formatting to preserve the content. askubuntu.com/editing-help#code

    – muru
    Nov 2 '17 at 8:40






  • 1





    What's your question? What are you trying to achieve or learn?

    – David Foerster
    Nov 3 '17 at 8:17











  • Hi, regarding "on hold" status and clarification requst - I've just asked community to verify if the parameters for sub-process are something normal or an indication of malware.

    – Piotr
    Nov 7 '17 at 9:42











  • Related (on Super User): Firefox running with rare arguments

    – Eliah Kagan
    Dec 11 '17 at 1:26











  • here is a oneliner to get usable pgrep firefox output: pgrep -fai firefox/firefox | awk '/contentproc/{for(i=6;i<=21;i++){$i="#"};print $0;next}{print $0}'

    – lesmana
    Apr 11 '18 at 18:39
















5















I've discovered this yesterday, as it was generating system load on otherwise idle Ubuntu 14.04 Desktop machine.



Today, I've confirmed such behavior also on another Ubuntu instance (17.10 in Virtualbox VM)



The sub-process in command line looks like below ( I've put this as picture below intentionally to prevent askubuntu.com from changing/escaping the content )



For me it looks like exploit/malware. Or at least there is something to hide.



this happens even for url https://www.google.com/



image






firefox security







share|improve this question




















  • 1





    Post text as text please, instead of screenshots. Use code formatting to preserve the content. askubuntu.com/editing-help#code

    – muru
    Nov 2 '17 at 8:40






  • 1





    What's your question? What are you trying to achieve or learn?

    – David Foerster
    Nov 3 '17 at 8:17











  • Hi, regarding "on hold" status and clarification requst - I've just asked community to verify if the parameters for sub-process are something normal or an indication of malware.

    – Piotr
    Nov 7 '17 at 9:42











  • Related (on Super User): Firefox running with rare arguments

    – Eliah Kagan
    Dec 11 '17 at 1:26











  • here is a oneliner to get usable pgrep firefox output: pgrep -fai firefox/firefox | awk '/contentproc/{for(i=6;i<=21;i++){$i="#"};print $0;next}{print $0}'

    – lesmana
    Apr 11 '18 at 18:39














5












5








5


1






I've discovered this yesterday, as it was generating system load on otherwise idle Ubuntu 14.04 Desktop machine.



Today, I've confirmed such behavior also on another Ubuntu instance (17.10 in Virtualbox VM)



The sub-process in command line looks like below ( I've put this as picture below intentionally to prevent askubuntu.com from changing/escaping the content )



For me it looks like exploit/malware. Or at least there is something to hide.



this happens even for url https://www.google.com/



image






firefox security







share|improve this question
















I've discovered this yesterday, as it was generating system load on otherwise idle Ubuntu 14.04 Desktop machine.



Today, I've confirmed such behavior also on another Ubuntu instance (17.10 in Virtualbox VM)



The sub-process in command line looks like below ( I've put this as picture below intentionally to prevent askubuntu.com from changing/escaping the content )



For me it looks like exploit/malware. Or at least there is something to hide.



this happens even for url https://www.google.com/



image






firefox security




firefox security






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 3 '17 at 8:57









muru

1




1










asked Nov 2 '17 at 8:38









PiotrPiotr

293




293








  • 1





    Post text as text please, instead of screenshots. Use code formatting to preserve the content. askubuntu.com/editing-help#code

    – muru
    Nov 2 '17 at 8:40






  • 1





    What's your question? What are you trying to achieve or learn?

    – David Foerster
    Nov 3 '17 at 8:17











  • Hi, regarding "on hold" status and clarification requst - I've just asked community to verify if the parameters for sub-process are something normal or an indication of malware.

    – Piotr
    Nov 7 '17 at 9:42











  • Related (on Super User): Firefox running with rare arguments

    – Eliah Kagan
    Dec 11 '17 at 1:26











  • here is a oneliner to get usable pgrep firefox output: pgrep -fai firefox/firefox | awk '/contentproc/{for(i=6;i<=21;i++){$i="#"};print $0;next}{print $0}'

    – lesmana
    Apr 11 '18 at 18:39














  • 1





    Post text as text please, instead of screenshots. Use code formatting to preserve the content. askubuntu.com/editing-help#code

    – muru
    Nov 2 '17 at 8:40






  • 1





    What's your question? What are you trying to achieve or learn?

    – David Foerster
    Nov 3 '17 at 8:17











  • Hi, regarding "on hold" status and clarification requst - I've just asked community to verify if the parameters for sub-process are something normal or an indication of malware.

    – Piotr
    Nov 7 '17 at 9:42











  • Related (on Super User): Firefox running with rare arguments

    – Eliah Kagan
    Dec 11 '17 at 1:26











  • here is a oneliner to get usable pgrep firefox output: pgrep -fai firefox/firefox | awk '/contentproc/{for(i=6;i<=21;i++){$i="#"};print $0;next}{print $0}'

    – lesmana
    Apr 11 '18 at 18:39








1




1





Post text as text please, instead of screenshots. Use code formatting to preserve the content. askubuntu.com/editing-help#code

– muru
Nov 2 '17 at 8:40





Post text as text please, instead of screenshots. Use code formatting to preserve the content. askubuntu.com/editing-help#code

– muru
Nov 2 '17 at 8:40




1




1





What's your question? What are you trying to achieve or learn?

– David Foerster
Nov 3 '17 at 8:17





What's your question? What are you trying to achieve or learn?

– David Foerster
Nov 3 '17 at 8:17













Hi, regarding "on hold" status and clarification requst - I've just asked community to verify if the parameters for sub-process are something normal or an indication of malware.

– Piotr
Nov 7 '17 at 9:42





Hi, regarding "on hold" status and clarification requst - I've just asked community to verify if the parameters for sub-process are something normal or an indication of malware.

– Piotr
Nov 7 '17 at 9:42













Related (on Super User): Firefox running with rare arguments

– Eliah Kagan
Dec 11 '17 at 1:26





Related (on Super User): Firefox running with rare arguments

– Eliah Kagan
Dec 11 '17 at 1:26













here is a oneliner to get usable pgrep firefox output: pgrep -fai firefox/firefox | awk '/contentproc/{for(i=6;i<=21;i++){$i="#"};print $0;next}{print $0}'

– lesmana
Apr 11 '18 at 18:39





here is a oneliner to get usable pgrep firefox output: pgrep -fai firefox/firefox | awk '/contentproc/{for(i=6;i<=21;i++){$i="#"};print $0;next}{print $0}'

– lesmana
Apr 11 '18 at 18:39










3 Answers
3






active

oldest

votes


















5














This is related to multi-process feature of Firefox, go through the following official link.



https://support.mozilla.org/en-US/questions/1147868#answer-938004



There are many other Linux threads on this, with same output as you posted, all related to multi-process feature of Firefox.






share|improve this answer
























  • THX. That's it! My initial concern was related to binary strings in command line. It attract my attention and motivated me to investigate this closer and consult with community. Most legitimate uses doesn't use such obfuscation so i have considered malware infection.

    – Piotr
    Nov 3 '17 at 8:35



















2














Recent versions of Firefox are running multi-process instead of a single process.



The multi-process is applicable to all Firefox users since Firefox 54 was debuted in June 2017. The Multiprocess Firefox documentation describes that Firefox run the browser UI in a separate process from web content. As a result, users may see the "suspicious subprocess" in process list.



Many end users seem to be concerned with the cryptic part of the subprocess, as raised in this forum on mozillaZine and this forum thread on Mozilla Support; just too many to be quoted here.



Direct answers




For me it looks like exploit/malware (Is the subprocess malicious?)




No, recent versions of Firefox behaviour is like that.




Or at least there is something to hide (Is there something to hide?)




No. End users may see differently than what developers see; very few users may have noticed that there is nothing hidden.



How can be sure



There are two reasons that we can be sure:




  1. The fact that the developers do not bother to explain the detail of the subprocess, is the reason we can be sure that is not malicious. At least, I have not found such detail to this date.


  2. This partial answer by TT Farreo at Stack Overflow in late-2017 has hinted that the cryptic part of subprocess is related to the list of blacklisted characters by Mozilla.



From the partial answer at Stack Overflow:




The list of weird looking characters seems to correspond to the blacklisted characters listed in http://kb.mozillazine.org/Network.IDN.blacklist_chars [...]




Now we can make sense of the strange characters:




  • See those fraction characters? Checked.

  • See those binary block characters? Checked.

  • See those invisible spaces? Checked.

  • See the squished unit of radian thingy? Checked.

  • See the question mark in black diamond character? Checked.


The answer at Stack Overflow has also included a link to the source code of content process used by Firefox. End users usually would not dive into that much detail, which is why this answer at Ask Ubuntu would be good enough as it is.



The subprocess is normal, that is all matters.






share|improve this answer

































    0














    I noticed the same thing last night and I started inspecting it with xxd. My best guess would have been that this is a way of communicating pointers to shared resources or identifying themselves (adjacent virtual locations and constant length would cause periodicity) but a few things convinced me otherwise.



    c783 cb90 3f3f d689 d68a d783 
    
d7b4 d889 d88a d9aa db94 dc81 
    
dc82 dc83 dc84 e185 9fe1 85a0 
    
e19c b5e2 8080 e280 81e2 8082 
    
e280 83e2 8084 e280 85e2 8086 
    
e280 87e2 8088 e280 89e2 808a 
    
3f3f 3fe2 8090 e280 99e2 80a4 
    
e280 a73f 3f3f 3f3f 3f3f e280 
    
afe2 80b9 e280 bae2 8181 e281 
    
84e2 8192 e281 9fe2 8593 e285 
    
94e2 8595 e285 96e2 8597 e285 
    
98e2 8599 e285 9a3f e285 9ce2 
    
859d e285 9ee2 859f e288 95e2 
    
88b6 e28e aee2 95b1 e2a7 b6e2 
    
a7b8 e2ab bbe2 abbd e2bf b0e2 
    
bfb1 e2bf b2e2 bfb3 e2bf b4e2 
    
bfb5 e2bf b6e2 bfb7 e2bf b8e2 
    
bfb9 e2bf bae2 bfbb e380 80e3 
    
8082 e380 94e3 8095 e380 b3e3 
    
82a0 e385 a4e3 889d e388 9ee3 
    
8eae e38e afe3 8f86 e38f 9fea 
    
9e89 efb8 94ef b895 efb8 bfef 
    
b99d efb9 9e3f efbc 8eef bc8f 
    
efbd a1ef bea0 3f3f 3fef bfbc 
    
efbf bd0a


    I trimmed up to the preceding newline (and left it, 0a, at the end.) I aligned it based only on the repetition, that's 12 bytes per line up to the partial 25th line. The reason I spaced the bytes the way I did was to show that there are (what look like) UTF8 continuations (the table at the bottom.) However, it's worth mentioning that following the convention of an established and well-known encoding offers the same benefit: you can represent large values but keep small ones compact. On the other hand, for some reason they appear to be stringing together ? and only bytes greater than 80. The next section of that Wikipedia page shows that there are printable characters within this range, but fewer and farther between. I don't believe the goal had anything to do with composing very wide UTF8 characters, but instead, it's as if they were avoiding the more universally-printable characters in the ASCII set. At this point the best I can come up with is that they knew they would have to encode and embed strings of arbitrary length, namely 'stringPrefs', and maybe opted to use high bytes sandwiched by low bytes just made it easier to extract. As far as I can tell, the ? serve as both delimiters and padding.



    I'm not satisfied, but I don't have much more to offer. For my benefit, I started to replace the most common characters and it's a little easier to see what's going on:



    c783 cb90      d689 d68a d783
    
d7b4 d889 d88a d9aa db94 dc81
    
dc82 dc83 dc84 e185 9fe1 85a0
    
e19c b5++ ---- ++-- 81++ --82
    
++-- 83++ --84 ++-- 85++ --86
    
++-- 87++ --88 ++-- 89++ --8a
    
       ++ --90 ++-- 99++ --a4
    
++-- a7                  ++--
    
af++ --b9 ++-- ba++ 8181 ++81
    
84++ 8192 ++81 9f++ 8593 ++85
    
94++ 8595 ++85 96++ 8597 ++85
    
98++ 8599 ++85 9a   ++85 9c++
    
859d ++85 9e++ 859f ++88 95++
    
88b6 ++8e ae++ 95b1 ++a7 b6++
    
a7b8 ++ab bb++ abbd ++bf b0++
    
bfb1 ++bf b2++ bfb3 ++bf b4++
    
bfb5 ++bf b6++ bfb7 ++bf b8++
    
bfb9 ++bf ba++ bfbb e3-- --e3
    
--82 e3-- 94e3 --95 e3-- b3e3
    
82a0 e385 a4e3 889d e388 9ee3
    
8eae e38e afe3 8f86 e38f 9fea
    
9e89 efb8 94ef b895 efb8 bfef
    
b99d efb9 9e   efbc 8eef bc8f
    
efbd a1ef bea0        ef bfbc
    
efbf bd0a


    I see a lot more structure than I could expect of encrypted and encoded strings, unless this is some kind of steganography. If anyone can take the baton, I'd be grateful, and not just because I'm curious - I'd like to know earlier than later if there's anything worth hiding in there.






    share|improve this answer
























    • If OP is asking whether the command line parameter of firefox is normal or not, the question seems to be answered already. What is the expected answer here...?

      – clearkimura
      Jan 28 '18 at 17:47






    • 1





      The question is answered partially. It has been established with high probability this is not malicious. But it's unclear why parameter is encoded in such weird way. Perhaps someone from Mozilla could provide valluable feedback

      – Piotr
      Jan 30 '18 at 14:34













    • @firefox-support

      – Piotr
      Jan 30 '18 at 14:39











    • @Piotr Can you edit the question, to mention that you are still looking for a better answer? Because I found the title "turned out to be legitimate..." and your comment "THX. That's it!" under the first answer seemed to indicate that you have found the answer already.

      – clearkimura
      Feb 1 '18 at 16:01











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f971989%2ffirefox-suspicious-subprocess-turned-out-to-be-legitimate-ff-behavior%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    5














    This is related to multi-process feature of Firefox, go through the following official link.



    https://support.mozilla.org/en-US/questions/1147868#answer-938004



    There are many other Linux threads on this, with same output as you posted, all related to multi-process feature of Firefox.






    share|improve this answer
























    • THX. That's it! My initial concern was related to binary strings in command line. It attract my attention and motivated me to investigate this closer and consult with community. Most legitimate uses doesn't use such obfuscation so i have considered malware infection.

      – Piotr
      Nov 3 '17 at 8:35
















    5














    This is related to multi-process feature of Firefox, go through the following official link.



    https://support.mozilla.org/en-US/questions/1147868#answer-938004



    There are many other Linux threads on this, with same output as you posted, all related to multi-process feature of Firefox.






    share|improve this answer
























    • THX. That's it! My initial concern was related to binary strings in command line. It attract my attention and motivated me to investigate this closer and consult with community. Most legitimate uses doesn't use such obfuscation so i have considered malware infection.

      – Piotr
      Nov 3 '17 at 8:35














    5












    5








    5







    This is related to multi-process feature of Firefox, go through the following official link.



    https://support.mozilla.org/en-US/questions/1147868#answer-938004



    There are many other Linux threads on this, with same output as you posted, all related to multi-process feature of Firefox.






    share|improve this answer













    This is related to multi-process feature of Firefox, go through the following official link.



    https://support.mozilla.org/en-US/questions/1147868#answer-938004



    There are many other Linux threads on this, with same output as you posted, all related to multi-process feature of Firefox.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Nov 2 '17 at 9:19









    LegolasLegolas

    1,15359




    1,15359













    • THX. That's it! My initial concern was related to binary strings in command line. It attract my attention and motivated me to investigate this closer and consult with community. Most legitimate uses doesn't use such obfuscation so i have considered malware infection.

      – Piotr
      Nov 3 '17 at 8:35



















    • THX. That's it! My initial concern was related to binary strings in command line. It attract my attention and motivated me to investigate this closer and consult with community. Most legitimate uses doesn't use such obfuscation so i have considered malware infection.

      – Piotr
      Nov 3 '17 at 8:35

















    THX. That's it! My initial concern was related to binary strings in command line. It attract my attention and motivated me to investigate this closer and consult with community. Most legitimate uses doesn't use such obfuscation so i have considered malware infection.

    – Piotr
    Nov 3 '17 at 8:35





    THX. That's it! My initial concern was related to binary strings in command line. It attract my attention and motivated me to investigate this closer and consult with community. Most legitimate uses doesn't use such obfuscation so i have considered malware infection.

    – Piotr
    Nov 3 '17 at 8:35













    2














    Recent versions of Firefox are running multi-process instead of a single process.



    The multi-process is applicable to all Firefox users since Firefox 54 was debuted in June 2017. The Multiprocess Firefox documentation describes that Firefox run the browser UI in a separate process from web content. As a result, users may see the "suspicious subprocess" in process list.



    Many end users seem to be concerned with the cryptic part of the subprocess, as raised in this forum on mozillaZine and this forum thread on Mozilla Support; just too many to be quoted here.



    Direct answers




    For me it looks like exploit/malware (Is the subprocess malicious?)




    No, recent versions of Firefox behaviour is like that.




    Or at least there is something to hide (Is there something to hide?)




    No. End users may see differently than what developers see; very few users may have noticed that there is nothing hidden.



    How can be sure



    There are two reasons that we can be sure:




    1. The fact that the developers do not bother to explain the detail of the subprocess, is the reason we can be sure that is not malicious. At least, I have not found such detail to this date.


    2. This partial answer by TT Farreo at Stack Overflow in late-2017 has hinted that the cryptic part of subprocess is related to the list of blacklisted characters by Mozilla.



    From the partial answer at Stack Overflow:




    The list of weird looking characters seems to correspond to the blacklisted characters listed in http://kb.mozillazine.org/Network.IDN.blacklist_chars [...]




    Now we can make sense of the strange characters:




    • See those fraction characters? Checked.

    • See those binary block characters? Checked.

    • See those invisible spaces? Checked.

    • See the squished unit of radian thingy? Checked.

    • See the question mark in black diamond character? Checked.


    The answer at Stack Overflow has also included a link to the source code of content process used by Firefox. End users usually would not dive into that much detail, which is why this answer at Ask Ubuntu would be good enough as it is.



    The subprocess is normal, that is all matters.






    share|improve this answer






























      2














      Recent versions of Firefox are running multi-process instead of a single process.



      The multi-process is applicable to all Firefox users since Firefox 54 was debuted in June 2017. The Multiprocess Firefox documentation describes that Firefox run the browser UI in a separate process from web content. As a result, users may see the "suspicious subprocess" in process list.



      Many end users seem to be concerned with the cryptic part of the subprocess, as raised in this forum on mozillaZine and this forum thread on Mozilla Support; just too many to be quoted here.



      Direct answers




      For me it looks like exploit/malware (Is the subprocess malicious?)




      No, recent versions of Firefox behaviour is like that.




      Or at least there is something to hide (Is there something to hide?)




      No. End users may see differently than what developers see; very few users may have noticed that there is nothing hidden.



      How can be sure



      There are two reasons that we can be sure:




      1. The fact that the developers do not bother to explain the detail of the subprocess, is the reason we can be sure that is not malicious. At least, I have not found such detail to this date.


      2. This partial answer by TT Farreo at Stack Overflow in late-2017 has hinted that the cryptic part of subprocess is related to the list of blacklisted characters by Mozilla.



      From the partial answer at Stack Overflow:




      The list of weird looking characters seems to correspond to the blacklisted characters listed in http://kb.mozillazine.org/Network.IDN.blacklist_chars [...]




      Now we can make sense of the strange characters:




      • See those fraction characters? Checked.

      • See those binary block characters? Checked.

      • See those invisible spaces? Checked.

      • See the squished unit of radian thingy? Checked.

      • See the question mark in black diamond character? Checked.


      The answer at Stack Overflow has also included a link to the source code of content process used by Firefox. End users usually would not dive into that much detail, which is why this answer at Ask Ubuntu would be good enough as it is.



      The subprocess is normal, that is all matters.






      share|improve this answer




























        2












        2








        2







        Recent versions of Firefox are running multi-process instead of a single process.



        The multi-process is applicable to all Firefox users since Firefox 54 was debuted in June 2017. The Multiprocess Firefox documentation describes that Firefox run the browser UI in a separate process from web content. As a result, users may see the "suspicious subprocess" in process list.



        Many end users seem to be concerned with the cryptic part of the subprocess, as raised in this forum on mozillaZine and this forum thread on Mozilla Support; just too many to be quoted here.



        Direct answers




        For me it looks like exploit/malware (Is the subprocess malicious?)




        No, recent versions of Firefox behaviour is like that.




        Or at least there is something to hide (Is there something to hide?)




        No. End users may see differently than what developers see; very few users may have noticed that there is nothing hidden.



        How can be sure



        There are two reasons that we can be sure:




        1. The fact that the developers do not bother to explain the detail of the subprocess, is the reason we can be sure that is not malicious. At least, I have not found such detail to this date.


        2. This partial answer by TT Farreo at Stack Overflow in late-2017 has hinted that the cryptic part of subprocess is related to the list of blacklisted characters by Mozilla.



        From the partial answer at Stack Overflow:




        The list of weird looking characters seems to correspond to the blacklisted characters listed in http://kb.mozillazine.org/Network.IDN.blacklist_chars [...]




        Now we can make sense of the strange characters:




        • See those fraction characters? Checked.

        • See those binary block characters? Checked.

        • See those invisible spaces? Checked.

        • See the squished unit of radian thingy? Checked.

        • See the question mark in black diamond character? Checked.


        The answer at Stack Overflow has also included a link to the source code of content process used by Firefox. End users usually would not dive into that much detail, which is why this answer at Ask Ubuntu would be good enough as it is.



        The subprocess is normal, that is all matters.






        share|improve this answer















        Recent versions of Firefox are running multi-process instead of a single process.



        The multi-process is applicable to all Firefox users since Firefox 54 was debuted in June 2017. The Multiprocess Firefox documentation describes that Firefox run the browser UI in a separate process from web content. As a result, users may see the "suspicious subprocess" in process list.



        Many end users seem to be concerned with the cryptic part of the subprocess, as raised in this forum on mozillaZine and this forum thread on Mozilla Support; just too many to be quoted here.



        Direct answers




        For me it looks like exploit/malware (Is the subprocess malicious?)




        No, recent versions of Firefox behaviour is like that.




        Or at least there is something to hide (Is there something to hide?)




        No. End users may see differently than what developers see; very few users may have noticed that there is nothing hidden.



        How can be sure



        There are two reasons that we can be sure:




        1. The fact that the developers do not bother to explain the detail of the subprocess, is the reason we can be sure that is not malicious. At least, I have not found such detail to this date.


        2. This partial answer by TT Farreo at Stack Overflow in late-2017 has hinted that the cryptic part of subprocess is related to the list of blacklisted characters by Mozilla.



        From the partial answer at Stack Overflow:




        The list of weird looking characters seems to correspond to the blacklisted characters listed in http://kb.mozillazine.org/Network.IDN.blacklist_chars [...]




        Now we can make sense of the strange characters:




        • See those fraction characters? Checked.

        • See those binary block characters? Checked.

        • See those invisible spaces? Checked.

        • See the squished unit of radian thingy? Checked.

        • See the question mark in black diamond character? Checked.


        The answer at Stack Overflow has also included a link to the source code of content process used by Firefox. End users usually would not dive into that much detail, which is why this answer at Ask Ubuntu would be good enough as it is.



        The subprocess is normal, that is all matters.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 7 at 16:35

























        answered Feb 2 '18 at 9:55









        clearkimuraclearkimura

        3,88011954




        3,88011954























            0














            I noticed the same thing last night and I started inspecting it with xxd. My best guess would have been that this is a way of communicating pointers to shared resources or identifying themselves (adjacent virtual locations and constant length would cause periodicity) but a few things convinced me otherwise.



            c783 cb90 3f3f d689 d68a d783 
            
d7b4 d889 d88a d9aa db94 dc81 
            
dc82 dc83 dc84 e185 9fe1 85a0 
            
e19c b5e2 8080 e280 81e2 8082 
            
e280 83e2 8084 e280 85e2 8086 
            
e280 87e2 8088 e280 89e2 808a 
            
3f3f 3fe2 8090 e280 99e2 80a4 
            
e280 a73f 3f3f 3f3f 3f3f e280 
            
afe2 80b9 e280 bae2 8181 e281 
            
84e2 8192 e281 9fe2 8593 e285 
            
94e2 8595 e285 96e2 8597 e285 
            
98e2 8599 e285 9a3f e285 9ce2 
            
859d e285 9ee2 859f e288 95e2 
            
88b6 e28e aee2 95b1 e2a7 b6e2 
            
a7b8 e2ab bbe2 abbd e2bf b0e2 
            
bfb1 e2bf b2e2 bfb3 e2bf b4e2 
            
bfb5 e2bf b6e2 bfb7 e2bf b8e2 
            
bfb9 e2bf bae2 bfbb e380 80e3 
            
8082 e380 94e3 8095 e380 b3e3 
            
82a0 e385 a4e3 889d e388 9ee3 
            
8eae e38e afe3 8f86 e38f 9fea 
            
9e89 efb8 94ef b895 efb8 bfef 
            
b99d efb9 9e3f efbc 8eef bc8f 
            
efbd a1ef bea0 3f3f 3fef bfbc 
            
efbf bd0a


            I trimmed up to the preceding newline (and left it, 0a, at the end.) I aligned it based only on the repetition, that's 12 bytes per line up to the partial 25th line. The reason I spaced the bytes the way I did was to show that there are (what look like) UTF8 continuations (the table at the bottom.) However, it's worth mentioning that following the convention of an established and well-known encoding offers the same benefit: you can represent large values but keep small ones compact. On the other hand, for some reason they appear to be stringing together ? and only bytes greater than 80. The next section of that Wikipedia page shows that there are printable characters within this range, but fewer and farther between. I don't believe the goal had anything to do with composing very wide UTF8 characters, but instead, it's as if they were avoiding the more universally-printable characters in the ASCII set. At this point the best I can come up with is that they knew they would have to encode and embed strings of arbitrary length, namely 'stringPrefs', and maybe opted to use high bytes sandwiched by low bytes just made it easier to extract. As far as I can tell, the ? serve as both delimiters and padding.



            I'm not satisfied, but I don't have much more to offer. For my benefit, I started to replace the most common characters and it's a little easier to see what's going on:



            c783 cb90      d689 d68a d783
            
d7b4 d889 d88a d9aa db94 dc81
            
dc82 dc83 dc84 e185 9fe1 85a0
            
e19c b5++ ---- ++-- 81++ --82
            
++-- 83++ --84 ++-- 85++ --86
            
++-- 87++ --88 ++-- 89++ --8a
            
       ++ --90 ++-- 99++ --a4
            
++-- a7                  ++--
            
af++ --b9 ++-- ba++ 8181 ++81
            
84++ 8192 ++81 9f++ 8593 ++85
            
94++ 8595 ++85 96++ 8597 ++85
            
98++ 8599 ++85 9a   ++85 9c++
            
859d ++85 9e++ 859f ++88 95++
            
88b6 ++8e ae++ 95b1 ++a7 b6++
            
a7b8 ++ab bb++ abbd ++bf b0++
            
bfb1 ++bf b2++ bfb3 ++bf b4++
            
bfb5 ++bf b6++ bfb7 ++bf b8++
            
bfb9 ++bf ba++ bfbb e3-- --e3
            
--82 e3-- 94e3 --95 e3-- b3e3
            
82a0 e385 a4e3 889d e388 9ee3
            
8eae e38e afe3 8f86 e38f 9fea
            
9e89 efb8 94ef b895 efb8 bfef
            
b99d efb9 9e   efbc 8eef bc8f
            
efbd a1ef bea0        ef bfbc
            
efbf bd0a


            I see a lot more structure than I could expect of encrypted and encoded strings, unless this is some kind of steganography. If anyone can take the baton, I'd be grateful, and not just because I'm curious - I'd like to know earlier than later if there's anything worth hiding in there.






            share|improve this answer
























            • If OP is asking whether the command line parameter of firefox is normal or not, the question seems to be answered already. What is the expected answer here...?

              – clearkimura
              Jan 28 '18 at 17:47






            • 1





              The question is answered partially. It has been established with high probability this is not malicious. But it's unclear why parameter is encoded in such weird way. Perhaps someone from Mozilla could provide valluable feedback

              – Piotr
              Jan 30 '18 at 14:34













            • @firefox-support

              – Piotr
              Jan 30 '18 at 14:39











            • @Piotr Can you edit the question, to mention that you are still looking for a better answer? Because I found the title "turned out to be legitimate..." and your comment "THX. That's it!" under the first answer seemed to indicate that you have found the answer already.

              – clearkimura
              Feb 1 '18 at 16:01
















            0














            I noticed the same thing last night and I started inspecting it with xxd. My best guess would have been that this is a way of communicating pointers to shared resources or identifying themselves (adjacent virtual locations and constant length would cause periodicity) but a few things convinced me otherwise.



            c783 cb90 3f3f d689 d68a d783 
            
d7b4 d889 d88a d9aa db94 dc81 
            
dc82 dc83 dc84 e185 9fe1 85a0 
            
e19c b5e2 8080 e280 81e2 8082 
            
e280 83e2 8084 e280 85e2 8086 
            
e280 87e2 8088 e280 89e2 808a 
            
3f3f 3fe2 8090 e280 99e2 80a4 
            
e280 a73f 3f3f 3f3f 3f3f e280 
            
afe2 80b9 e280 bae2 8181 e281 
            
84e2 8192 e281 9fe2 8593 e285 
            
94e2 8595 e285 96e2 8597 e285 
            
98e2 8599 e285 9a3f e285 9ce2 
            
859d e285 9ee2 859f e288 95e2 
            
88b6 e28e aee2 95b1 e2a7 b6e2 
            
a7b8 e2ab bbe2 abbd e2bf b0e2 
            
bfb1 e2bf b2e2 bfb3 e2bf b4e2 
            
bfb5 e2bf b6e2 bfb7 e2bf b8e2 
            
bfb9 e2bf bae2 bfbb e380 80e3 
            
8082 e380 94e3 8095 e380 b3e3 
            
82a0 e385 a4e3 889d e388 9ee3 
            
8eae e38e afe3 8f86 e38f 9fea 
            
9e89 efb8 94ef b895 efb8 bfef 
            
b99d efb9 9e3f efbc 8eef bc8f 
            
efbd a1ef bea0 3f3f 3fef bfbc 
            
efbf bd0a


            I trimmed up to the preceding newline (and left it, 0a, at the end.) I aligned it based only on the repetition, that's 12 bytes per line up to the partial 25th line. The reason I spaced the bytes the way I did was to show that there are (what look like) UTF8 continuations (the table at the bottom.) However, it's worth mentioning that following the convention of an established and well-known encoding offers the same benefit: you can represent large values but keep small ones compact. On the other hand, for some reason they appear to be stringing together ? and only bytes greater than 80. The next section of that Wikipedia page shows that there are printable characters within this range, but fewer and farther between. I don't believe the goal had anything to do with composing very wide UTF8 characters, but instead, it's as if they were avoiding the more universally-printable characters in the ASCII set. At this point the best I can come up with is that they knew they would have to encode and embed strings of arbitrary length, namely 'stringPrefs', and maybe opted to use high bytes sandwiched by low bytes just made it easier to extract. As far as I can tell, the ? serve as both delimiters and padding.



            I'm not satisfied, but I don't have much more to offer. For my benefit, I started to replace the most common characters and it's a little easier to see what's going on:



            c783 cb90      d689 d68a d783
            
d7b4 d889 d88a d9aa db94 dc81
            
dc82 dc83 dc84 e185 9fe1 85a0
            
e19c b5++ ---- ++-- 81++ --82
            
++-- 83++ --84 ++-- 85++ --86
            
++-- 87++ --88 ++-- 89++ --8a
            
       ++ --90 ++-- 99++ --a4
            
++-- a7                  ++--
            
af++ --b9 ++-- ba++ 8181 ++81
            
84++ 8192 ++81 9f++ 8593 ++85
            
94++ 8595 ++85 96++ 8597 ++85
            
98++ 8599 ++85 9a   ++85 9c++
            
859d ++85 9e++ 859f ++88 95++
            
88b6 ++8e ae++ 95b1 ++a7 b6++
            
a7b8 ++ab bb++ abbd ++bf b0++
            
bfb1 ++bf b2++ bfb3 ++bf b4++
            
bfb5 ++bf b6++ bfb7 ++bf b8++
            
bfb9 ++bf ba++ bfbb e3-- --e3
            
--82 e3-- 94e3 --95 e3-- b3e3
            
82a0 e385 a4e3 889d e388 9ee3
            
8eae e38e afe3 8f86 e38f 9fea
            
9e89 efb8 94ef b895 efb8 bfef
            
b99d efb9 9e   efbc 8eef bc8f
            
efbd a1ef bea0        ef bfbc
            
efbf bd0a


            I see a lot more structure than I could expect of encrypted and encoded strings, unless this is some kind of steganography. If anyone can take the baton, I'd be grateful, and not just because I'm curious - I'd like to know earlier than later if there's anything worth hiding in there.






            share|improve this answer
























            • If OP is asking whether the command line parameter of firefox is normal or not, the question seems to be answered already. What is the expected answer here...?

              – clearkimura
              Jan 28 '18 at 17:47






            • 1





              The question is answered partially. It has been established with high probability this is not malicious. But it's unclear why parameter is encoded in such weird way. Perhaps someone from Mozilla could provide valluable feedback

              – Piotr
              Jan 30 '18 at 14:34













            • @firefox-support

              – Piotr
              Jan 30 '18 at 14:39











            • @Piotr Can you edit the question, to mention that you are still looking for a better answer? Because I found the title "turned out to be legitimate..." and your comment "THX. That's it!" under the first answer seemed to indicate that you have found the answer already.

              – clearkimura
              Feb 1 '18 at 16:01














            0












            0








            0







            I noticed the same thing last night and I started inspecting it with xxd. My best guess would have been that this is a way of communicating pointers to shared resources or identifying themselves (adjacent virtual locations and constant length would cause periodicity) but a few things convinced me otherwise.



            c783 cb90 3f3f d689 d68a d783 
            
d7b4 d889 d88a d9aa db94 dc81 
            
dc82 dc83 dc84 e185 9fe1 85a0 
            
e19c b5e2 8080 e280 81e2 8082 
            
e280 83e2 8084 e280 85e2 8086 
            
e280 87e2 8088 e280 89e2 808a 
            
3f3f 3fe2 8090 e280 99e2 80a4 
            
e280 a73f 3f3f 3f3f 3f3f e280 
            
afe2 80b9 e280 bae2 8181 e281 
            
84e2 8192 e281 9fe2 8593 e285 
            
94e2 8595 e285 96e2 8597 e285 
            
98e2 8599 e285 9a3f e285 9ce2 
            
859d e285 9ee2 859f e288 95e2 
            
88b6 e28e aee2 95b1 e2a7 b6e2 
            
a7b8 e2ab bbe2 abbd e2bf b0e2 
            
bfb1 e2bf b2e2 bfb3 e2bf b4e2 
            
bfb5 e2bf b6e2 bfb7 e2bf b8e2 
            
bfb9 e2bf bae2 bfbb e380 80e3 
            
8082 e380 94e3 8095 e380 b3e3 
            
82a0 e385 a4e3 889d e388 9ee3 
            
8eae e38e afe3 8f86 e38f 9fea 
            
9e89 efb8 94ef b895 efb8 bfef 
            
b99d efb9 9e3f efbc 8eef bc8f 
            
efbd a1ef bea0 3f3f 3fef bfbc 
            
efbf bd0a


            I trimmed up to the preceding newline (and left it, 0a, at the end.) I aligned it based only on the repetition, that's 12 bytes per line up to the partial 25th line. The reason I spaced the bytes the way I did was to show that there are (what look like) UTF8 continuations (the table at the bottom.) However, it's worth mentioning that following the convention of an established and well-known encoding offers the same benefit: you can represent large values but keep small ones compact. On the other hand, for some reason they appear to be stringing together ? and only bytes greater than 80. The next section of that Wikipedia page shows that there are printable characters within this range, but fewer and farther between. I don't believe the goal had anything to do with composing very wide UTF8 characters, but instead, it's as if they were avoiding the more universally-printable characters in the ASCII set. At this point the best I can come up with is that they knew they would have to encode and embed strings of arbitrary length, namely 'stringPrefs', and maybe opted to use high bytes sandwiched by low bytes just made it easier to extract. As far as I can tell, the ? serve as both delimiters and padding.



            I'm not satisfied, but I don't have much more to offer. For my benefit, I started to replace the most common characters and it's a little easier to see what's going on:



            c783 cb90      d689 d68a d783
            
d7b4 d889 d88a d9aa db94 dc81
            
dc82 dc83 dc84 e185 9fe1 85a0
            
e19c b5++ ---- ++-- 81++ --82
            
++-- 83++ --84 ++-- 85++ --86
            
++-- 87++ --88 ++-- 89++ --8a
            
       ++ --90 ++-- 99++ --a4
            
++-- a7                  ++--
            
af++ --b9 ++-- ba++ 8181 ++81
            
84++ 8192 ++81 9f++ 8593 ++85
            
94++ 8595 ++85 96++ 8597 ++85
            
98++ 8599 ++85 9a   ++85 9c++
            
859d ++85 9e++ 859f ++88 95++
            
88b6 ++8e ae++ 95b1 ++a7 b6++
            
a7b8 ++ab bb++ abbd ++bf b0++
            
bfb1 ++bf b2++ bfb3 ++bf b4++
            
bfb5 ++bf b6++ bfb7 ++bf b8++
            
bfb9 ++bf ba++ bfbb e3-- --e3
            
--82 e3-- 94e3 --95 e3-- b3e3
            
82a0 e385 a4e3 889d e388 9ee3
            
8eae e38e afe3 8f86 e38f 9fea
            
9e89 efb8 94ef b895 efb8 bfef
            
b99d efb9 9e   efbc 8eef bc8f
            
efbd a1ef bea0        ef bfbc
            
efbf bd0a


            I see a lot more structure than I could expect of encrypted and encoded strings, unless this is some kind of steganography. If anyone can take the baton, I'd be grateful, and not just because I'm curious - I'd like to know earlier than later if there's anything worth hiding in there.






            share|improve this answer













            I noticed the same thing last night and I started inspecting it with xxd. My best guess would have been that this is a way of communicating pointers to shared resources or identifying themselves (adjacent virtual locations and constant length would cause periodicity) but a few things convinced me otherwise.



            c783 cb90 3f3f d689 d68a d783 
            
d7b4 d889 d88a d9aa db94 dc81 
            
dc82 dc83 dc84 e185 9fe1 85a0 
            
e19c b5e2 8080 e280 81e2 8082 
            
e280 83e2 8084 e280 85e2 8086 
            
e280 87e2 8088 e280 89e2 808a 
            
3f3f 3fe2 8090 e280 99e2 80a4 
            
e280 a73f 3f3f 3f3f 3f3f e280 
            
afe2 80b9 e280 bae2 8181 e281 
            
84e2 8192 e281 9fe2 8593 e285 
            
94e2 8595 e285 96e2 8597 e285 
            
98e2 8599 e285 9a3f e285 9ce2 
            
859d e285 9ee2 859f e288 95e2 
            
88b6 e28e aee2 95b1 e2a7 b6e2 
            
a7b8 e2ab bbe2 abbd e2bf b0e2 
            
bfb1 e2bf b2e2 bfb3 e2bf b4e2 
            
bfb5 e2bf b6e2 bfb7 e2bf b8e2 
            
bfb9 e2bf bae2 bfbb e380 80e3 
            
8082 e380 94e3 8095 e380 b3e3 
            
82a0 e385 a4e3 889d e388 9ee3 
            
8eae e38e afe3 8f86 e38f 9fea 
            
9e89 efb8 94ef b895 efb8 bfef 
            
b99d efb9 9e3f efbc 8eef bc8f 
            
efbd a1ef bea0 3f3f 3fef bfbc 
            
efbf bd0a


            I trimmed up to the preceding newline (and left it, 0a, at the end.) I aligned it based only on the repetition, that's 12 bytes per line up to the partial 25th line. The reason I spaced the bytes the way I did was to show that there are (what look like) UTF8 continuations (the table at the bottom.) However, it's worth mentioning that following the convention of an established and well-known encoding offers the same benefit: you can represent large values but keep small ones compact. On the other hand, for some reason they appear to be stringing together ? and only bytes greater than 80. The next section of that Wikipedia page shows that there are printable characters within this range, but fewer and farther between. I don't believe the goal had anything to do with composing very wide UTF8 characters, but instead, it's as if they were avoiding the more universally-printable characters in the ASCII set. At this point the best I can come up with is that they knew they would have to encode and embed strings of arbitrary length, namely 'stringPrefs', and maybe opted to use high bytes sandwiched by low bytes just made it easier to extract. As far as I can tell, the ? serve as both delimiters and padding.



            I'm not satisfied, but I don't have much more to offer. For my benefit, I started to replace the most common characters and it's a little easier to see what's going on:



            c783 cb90      d689 d68a d783
            
d7b4 d889 d88a d9aa db94 dc81
            
dc82 dc83 dc84 e185 9fe1 85a0
            
e19c b5++ ---- ++-- 81++ --82
            
++-- 83++ --84 ++-- 85++ --86
            
++-- 87++ --88 ++-- 89++ --8a
            
       ++ --90 ++-- 99++ --a4
            
++-- a7                  ++--
            
af++ --b9 ++-- ba++ 8181 ++81
            
84++ 8192 ++81 9f++ 8593 ++85
            
94++ 8595 ++85 96++ 8597 ++85
            
98++ 8599 ++85 9a   ++85 9c++
            
859d ++85 9e++ 859f ++88 95++
            
88b6 ++8e ae++ 95b1 ++a7 b6++
            
a7b8 ++ab bb++ abbd ++bf b0++
            
bfb1 ++bf b2++ bfb3 ++bf b4++
            
bfb5 ++bf b6++ bfb7 ++bf b8++
            
bfb9 ++bf ba++ bfbb e3-- --e3
            
--82 e3-- 94e3 --95 e3-- b3e3
            
82a0 e385 a4e3 889d e388 9ee3
            
8eae e38e afe3 8f86 e38f 9fea
            
9e89 efb8 94ef b895 efb8 bfef
            
b99d efb9 9e   efbc 8eef bc8f
            
efbd a1ef bea0        ef bfbc
            
efbf bd0a


            I see a lot more structure than I could expect of encrypted and encoded strings, unless this is some kind of steganography. If anyone can take the baton, I'd be grateful, and not just because I'm curious - I'd like to know earlier than later if there's anything worth hiding in there.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Jan 22 '18 at 2:39









            John PJohn P

            1015




            1015













            • If OP is asking whether the command line parameter of firefox is normal or not, the question seems to be answered already. What is the expected answer here...?

              – clearkimura
              Jan 28 '18 at 17:47






            • 1





              The question is answered partially. It has been established with high probability this is not malicious. But it's unclear why parameter is encoded in such weird way. Perhaps someone from Mozilla could provide valluable feedback

              – Piotr
              Jan 30 '18 at 14:34













            • @firefox-support

              – Piotr
              Jan 30 '18 at 14:39











            • @Piotr Can you edit the question, to mention that you are still looking for a better answer? Because I found the title "turned out to be legitimate..." and your comment "THX. That's it!" under the first answer seemed to indicate that you have found the answer already.

              – clearkimura
              Feb 1 '18 at 16:01



















            • If OP is asking whether the command line parameter of firefox is normal or not, the question seems to be answered already. What is the expected answer here...?

              – clearkimura
              Jan 28 '18 at 17:47






            • 1





              The question is answered partially. It has been established with high probability this is not malicious. But it's unclear why parameter is encoded in such weird way. Perhaps someone from Mozilla could provide valluable feedback

              – Piotr
              Jan 30 '18 at 14:34













            • @firefox-support

              – Piotr
              Jan 30 '18 at 14:39











            • @Piotr Can you edit the question, to mention that you are still looking for a better answer? Because I found the title "turned out to be legitimate..." and your comment "THX. That's it!" under the first answer seemed to indicate that you have found the answer already.

              – clearkimura
              Feb 1 '18 at 16:01

















            If OP is asking whether the command line parameter of firefox is normal or not, the question seems to be answered already. What is the expected answer here...?

            – clearkimura
            Jan 28 '18 at 17:47





            If OP is asking whether the command line parameter of firefox is normal or not, the question seems to be answered already. What is the expected answer here...?

            – clearkimura
            Jan 28 '18 at 17:47




            1




            1





            The question is answered partially. It has been established with high probability this is not malicious. But it's unclear why parameter is encoded in such weird way. Perhaps someone from Mozilla could provide valluable feedback

            – Piotr
            Jan 30 '18 at 14:34







            The question is answered partially. It has been established with high probability this is not malicious. But it's unclear why parameter is encoded in such weird way. Perhaps someone from Mozilla could provide valluable feedback

            – Piotr
            Jan 30 '18 at 14:34















            @firefox-support

            – Piotr
            Jan 30 '18 at 14:39





            @firefox-support

            – Piotr
            Jan 30 '18 at 14:39













            @Piotr Can you edit the question, to mention that you are still looking for a better answer? Because I found the title "turned out to be legitimate..." and your comment "THX. That's it!" under the first answer seemed to indicate that you have found the answer already.

            – clearkimura
            Feb 1 '18 at 16:01





            @Piotr Can you edit the question, to mention that you are still looking for a better answer? Because I found the title "turned out to be legitimate..." and your comment "THX. That's it!" under the first answer seemed to indicate that you have found the answer already.

            – clearkimura
            Feb 1 '18 at 16:01


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f971989%2ffirefox-suspicious-subprocess-turned-out-to-be-legitimate-ff-behavior%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Quarter-circle Tiles

            Image
            up vote 0 down vote favorite I have $99$ identical square tiles, each with a quarter-circle drawn on it like this: [asy] size(1.5cm); draw(Arc((2,0),1,90,180),red+1); draw((0,0)--(2,0)--(2,2)--(0,2)--(0,0)); [/asy] When I arrange the tiles in a $9times 11$ rectangular grid, each with a random orientation, what is the expected value of the number of full circles I form? I think this problem has to do with finding the chance any given 2x2 square has a circle, but I can't find it. expected-value share | cite | improve this question asked Nov 20 at 15:03 6minecraftninja 1 2
            Read more

            build a pushdown automaton that recognizes the reverse language of a given pushdown automaton?

            Image
            0 I think it's similiar to NFAs. I replace the finite states of the given automaton for start-states for my new automaton. I do it with $epsilon$ -transition from the start state to the actual finite states of the given automaton. The start state of the given automaton will be my accepting(finite) state of my new one. All transitions will be reversed of course to recognize the reversed word. But how do I have to change the stack of the pushdown automaton? That's tricky. formal-languages automata context-free-grammar share | cite | improve this question edited Nov 29 '18 at 14:20 joee
            Read more

            Mont Emei

            Image
            Mont Emei.mw-parser-output .entete.map{background-image:url("//upload.wikimedia.org/wikipedia/commons/7/7a/Picto_infobox_map.png")} Vue du sommet Wanfo du mont Emei Géographie Altitude 3 099  m , Wanfo Coordonnées 29° 31′ 11″ nord, 103° 19′ 57″ est Administration Pays   Chine Province Sichuan Ville-préfecture Leshan Géolocalisation sur la carte : Sichuan Mont Emei Géolocalisation sur la carte : Chine Mont Emei modifier   Paysage panoramique du mont Emei, incluant le paysage panoramique du grand Bouddha de Leshan *   Patrimoine mondial de l'UNESCO Passerelle en bois sur le versant ouest Pays   Chine Subdivision Sichuan Type Mixte Critères (iv) (vi) (x) Superficie 15 400 ha Numéro d’identification 779 Zone géographique Asie et Pacifique  ** Année d’inscription 1996 (20 e session) * Descriptif officiel UNESCO ** Classification géog
            Read more