Hackers spent at least a year spying on Mozilla to discover Firefox security holes – and exploit them - cypherpunks

newer
Re: Script Kiddie Killed in Drone...

Hackers spent at least a year spying on Mozilla to discover Firefox security holes – and exploit them

older
Re: Hackers spent at least a year...

Georgi Guninski

5 Sep 2015 5 Sep '15

3:35 p.m.

Just to change the current boring discussion about fucked RFCs. http://www.theregister.co.uk/2015/09/04/mozilla_firefox_bugzilla_leak/ Hackers spent at least a year spying on Mozilla to discover Firefox security holes – and exploit them Bugzilla infiltrated, private vulns slurped since at least 2014 ==== comments: 2014 appears too high bound for me, might be wrong. Likely the mozilla u$a comrades caught the less skilled attackers, not those with r00t access (having in mind what a mess their code is).

Show replies by date

Alfonso De Gregorio

5 Sep 5 Sep

3:48 p.m.

On Sat, Sep 5, 2015 at 3:35 PM, Georgi Guninski wrote:

...

Just to change the current boring discussion about fucked RFCs.

http://www.theregister.co.uk/2015/09/04/mozilla_firefox_bugzilla_leak/

Hackers spent at least a year spying on Mozilla to discover Firefox security holes – and exploit them Bugzilla infiltrated, private vulns slurped since at least 2014

==== comments:

2014 appears too high bound for me, might be wrong.

Likely the mozilla u$a comrades caught the less skilled attackers, not those with r00t access (having in mind what a mess their code is).

Yesterday Mudge highlighted on Twitter https://twitter.com/dotMudge/status/639866226592882689 : 1990's CERT compromised for vendor vulns. 2015 Mozilla's Bugzilla popped for the same reason. Tactics only change when they stop working. Which is quite true. Therefore, I ask vulnerability sellers: How effective your favorite exploit acquisition platform / program is at preventing this from happening again? Cheers, -- Alfonso

Georgi Guninski

6 Sep 6 Sep

3:51 p.m.

On Sat, Sep 05, 2015 at 03:48:48PM +0000, Alfonso De Gregorio wrote:

...

.... I ask vulnerability sellers: How effective your favorite exploit acquisition platform / program is at preventing this from happening again?

You mean something like the the dear nsa: http://www.theregister.co.uk/2015/09/04/nsa_explains_handling_zerodays/ Mind-blowing secrets of NSA's security exploit stockpile revealed at last Incredible document has to be seen to be believed

Alfonso De Gregorio

5:44 p.m.

On Sun, Sep 6, 2015 at 3:51 PM, Georgi Guninski wrote:

...

On Sat, Sep 05, 2015 at 03:48:48PM +0000, Alfonso De Gregorio wrote:

...
.... I ask vulnerability sellers: How effective your favorite exploit acquisition platform / program is at preventing this from happening again?

You mean something like the the dear nsa: http://www.theregister.co.uk/2015/09/04/nsa_explains_handling_zerodays/

Mind-blowing secrets of NSA's security exploit stockpile revealed at last Incredible document has to be seen to be believed

It made me reconsider the true meaning of [XXXXXXXXXXX] to read about [XXXXXXXXXXX] and, especially, [XXXXXXXXXXX]. More seriously: After years of fierce debate, vulnerability disclosure is still looking for a convincing answer. The NSA may contribute its substantial share to discussion --- albeit less to the practice --- of vulnerability disclosure. Needless to say, it would have been more helpful to read a less heavily redacted 'Vulnerabilities Equities Policy and Process' to this end. On September 29, NTIA will convene a meeting on this topic. For those considering to attend it http://www.ntia.doc.gov/september-29-multistakeholder-meeting-vulnerability-... Will we never stop from drinking from the (endless?) stream of exploitable vulnerabilities? -- Alfonso

Juan

5 Sep 5 Sep

10:10 p.m.

On Sat, 5 Sep 2015 18:35:37 +0300 Georgi Guninski wrote:

...

Likely the mozilla u$a comrades caught the less skilled attackers, not those with r00t access (having in mind what a mess their code is).

Ah, but firefox keeps getting an even cooler GUI every day. How can you not like them?

John Young

10:43 p.m.

New subject: Hackers spent at least a year spying on Mozilla to discover Firefox security holes and exploit them

Every upgrade of Mozilla (and all browsers) has diminished security and increased ads and user profiling. Sites which nag visitors to upgrade to latest versions are complicit. So too are ad blockers and security promoters part of the racket. Unceasing program upgrades, nagging and underwriting hacking security panic are Silicon Valley-Alley fracking. No surprise that FVEY capitalizes on the eagerness to cooperate against Net users. Man in the Machine about Jobs hardly scratches the surface, complicit too in the hawking of cyber derring do in the Era of Snowden Without Harming the US: "Be sure to use encryption," Jobs would applaud that planned parenthood documentrary. At 06:10 PM 9/5/2015, you wrote:

...

On Sat, 5 Sep 2015 18:35:37 +0300 Georgi Guninski wrote:

...
Likely the mozilla u$a comrades caught the less skilled attackers, not those with r00t access (having in mind what a mess their code is).

Ah, but firefox keeps getting an even cooler GUI every day. How can you not like them?

Georgi Guninski

6 Sep 6 Sep

5:58 a.m.

On Sat, Sep 05, 2015 at 07:10:10PM -0300, Juan wrote:

...

Ah, but firefox keeps getting an even cooler GUI every day. How can you not like them?

Don't forget the new privacy enhancing features. AFAIK Debian and the FSF have forks of firefox. Did they manage to get rid of sufficiently enough spyware? (This doesn't appear easy IMHO).

rysiek

7 Sep 7 Sep

4:28 p.m.

Dnia niedziela, 6 września 2015 08:58:41 Georgi Guninski pisze:

...

On Sat, Sep 05, 2015 at 07:10:10PM -0300, Juan wrote:

...
Ah, but firefox keeps getting an even cooler GUI every day. How can you not like them? Don't forget the new privacy enhancing features.

Like EME? ;) http://rys.io/en/141

...

AFAIK Debian and the FSF have forks of firefox.

Did they manage to get rid of sufficiently enough spyware?

No. Even the simple things are apparently ignored: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654336 http://rys.io/en/53

...

(This doesn't appear easy IMHO).

Some things would appear easy. Like *not* removing the "delete history after X days" setting. Now in Firefox you can only either have history, or not have it at all. -- Pozdrawiam, Michał "rysiek" Woźniak Zmieniam klucz GPG :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147

Ulex Europae

4:55 p.m.

New subject: Hackers spent at least a year spying on Mozilla to discover Firefox security holes and exploit them

At 12:28 PM 9/7/2015, rysiek wrote:

...

...
Georgi Guninski pisze:

Did they manage to get rid of sufficiently enough spyware?

No. Even the simple things are apparently ignored: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654336 http://rys.io/en/53

...
(This doesn't appear easy IMHO).

Some things would appear easy. Like *not* removing the "delete history after X days" setting. Now in Firefox you can only either have history, or not have it at all.

Various extensions have been known to "fix" or "restore" various things that Firefox should do or used to do, although I cannot address the purity of the manner by which they do so. I wonder, is there an A-list of must-have extensions for Firefox? Because "the internet is for porn," and porn doesn't work on text-only browsers... How about a blacklist of extensions to avoid at all costs? UE

stef

6:49 p.m.

New subject: Hackers spent at least a year spying on Mozilla to discover Firefox security holes ? and exploit them

On Mon, Sep 07, 2015 at 12:55:11PM -0400, Ulex Europae wrote:

...

I wonder, is there an A-list of must-have extensions for Firefox? Because "the internet is for porn," and porn doesn't work on text-only browsers...

NoScript, RequestPolicy, RefControl, CookieMonster, policeman, https-everywhere, monkeysphere, RedirectCleaner, CertPatrol|Convergence, BetterPrivacy, random-agent-spoofer, ssleuth -- otr fp: https://www.ctrlc.hu/~stef/otr.txt

rysiek

11:57 p.m.

New subject: Hackers spent at least a year spying on Mozilla to discover Firefox security holes ? and exploit them

Dnia poniedziałek, 7 września 2015 20:49:10 stef pisze:

...

On Mon, Sep 07, 2015 at 12:55:11PM -0400, Ulex Europae wrote:

...
I wonder, is there an A-list of must-have extensions for Firefox? Because "the internet is for porn," and porn doesn't work on text-only browsers...

NoScript, RequestPolicy, RefControl, CookieMonster, policeman, https-everywhere, monkeysphere, RedirectCleaner, CertPatrol|Convergence, BetterPrivacy, random-agent-spoofer, ssleuth

And PrivacyBadger, I might add. Also, Self-Destructing Cookies is an interesting one, as while CookieMonster allows you to keep track of which sites can or cannot set cookies, that's for-session granularity. Self-Destructing Cookies destroys cookies after a set time after closing a given tab. I use both. And if you're into this kind of stuff, Lightbeam. Just for shits and giggles. -- Pozdrawiam, Michał "rysiek" Woźniak Zmieniam klucz GPG :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147

Cathal Garvey

8 Sep 8 Sep

8:41 a.m.

New subject: Hackers spent at least a year spying on Mozilla to discover Firefox security holes ? and exploit them

There's two categories or buckets here if you're playing to win; One is a list of extensions you can install on *anyone's* computer without them even noticing the privacy/security boost they're receiving (because if they notice, you lose because they blame the new *ware for all their trivial problems). The other list is the power-user stuff that really works, but which n00bs will reject out of ignorance, blaming the protective software instead of the buggy websites it exposes. My short-list for install-on-everyone's-computer is: * Disconnect * HTTPS-Everywhere * uBlock Origin (don't change default settings) * Disable 3rd Party Cookies NoScript, Cookie-killers, RequestPolicy etcetera are too prone to creating problems for browser users; to an enlightened user, blame the website, work around, or make an exception and move on. But to a n00b, exposing errors in tracker-rich sites is unacceptable, sadly. On 08/09/15 00:57, rysiek wrote:

...

Dnia poniedziałek, 7 września 2015 20:49:10 stef pisze:

...
On Mon, Sep 07, 2015 at 12:55:11PM -0400, Ulex Europae wrote:

...
I wonder, is there an A-list of must-have extensions for Firefox? Because "the internet is for porn," and porn doesn't work on text-only browsers...

NoScript, RequestPolicy, RefControl, CookieMonster, policeman, https-everywhere, monkeysphere, RedirectCleaner, CertPatrol|Convergence, BetterPrivacy, random-agent-spoofer, ssleuth

And PrivacyBadger, I might add.

Also, Self-Destructing Cookies is an interesting one, as while CookieMonster allows you to keep track of which sites can or cannot set cookies, that's for-session granularity. Self-Destructing Cookies destroys cookies after a set time after closing a given tab. I use both.

And if you're into this kind of stuff, Lightbeam. Just for shits and giggles.

-- Scientific Director, IndieBio EU Programme Now running in Cork, Ireland May->July Learn more at indie.bio and follow along! Twitter: @onetruecathal Phone: +353876363185 miniLock: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM peerio.com: cathalgarvey

Peter Gutmann

7:20 a.m.

New subject: Hackers spent at least a year spying on Mozilla to discover Firefox security holes ? and exploit them

stef writes:

...

On Mon, Sep 07, 2015 at 12:55:11PM -0400, Ulex Europae wrote:

...
I wonder, is there an A-list of must-have extensions for Firefox? Because "the internet is for porn," and porn doesn't work on text-only browsers...

NoScript, RequestPolicy, RefControl, CookieMonster, policeman, https- everywhere, monkeysphere, RedirectCleaner, CertPatrol|Convergence, BetterPrivacy, random-agent-spoofer, ssleuth

You forgot the most critical ones, the extensions you need to undo all the crap that Mozilla have piled onto Firefox since they started on their copy- everything-Chrome-does spree. Classic Theme Restorer is the first extension I load on any new install (even before NoScript), it's now comprehensive enough that it's probably the only one you need, although Hide Tab Bar With One Tab is also useful. Peter.

stef

10:25 a.m.

New subject: Hackers spent at least a year spying on Mozilla to discover Firefox security holes ? and exploit them

On Tue, Sep 08, 2015 at 07:20:41AM +0000, Peter Gutmann wrote:

...

stef writes:

...
On Mon, Sep 07, 2015 at 12:55:11PM -0400, Ulex Europae wrote:

...
I wonder, is there an A-list of must-have extensions for Firefox? Because "the internet is for porn," and porn doesn't work on text-only browsers...

NoScript, RequestPolicy, RefControl, CookieMonster, policeman, https- everywhere, monkeysphere, RedirectCleaner, CertPatrol|Convergence, BetterPrivacy, random-agent-spoofer, ssleuth

You forgot the most critical ones, the extensions you need to undo all the

well, i prefer vimperator, this list is intentionally neglecting UI plugins. also you should look into random-agent-spoofer it does disable a lot of the mozilla sabotage crap.

...

crap that Mozilla have piled onto Firefox since they started on their copy- everything-Chrome-does spree. Classic Theme Restorer is the first extension I load on any new install (even before NoScript), it's now comprehensive enough that it's probably the only one you need, although Hide Tab Bar With One Tab is also useful.

-- otr fp: https://www.ctrlc.hu/~stef/otr.txt

Peter Gutmann

6 Sep 6 Sep

11:01 a.m.

Juan writes:

...

On Sat, 5 Sep 2015 18:35:37 +0300 Georgi Guninski wrote:

...
Likely the mozilla u$a comrades caught the less skilled attackers, not those with r00t access (having in mind what a mess their code is).

Ah, but firefox keeps getting an even cooler GUI every day. How can you not like them?

Not to mention their plan to deprecate their extension API, which is the only thing still separating them from actually being Chrome. It looks like there could be a race between them naturally driving their market share to zero before the API-deprecation, or the API-deprecation forcing the issue. What we'd really need is a reboot of the project to take it back to its roots, removing layers and layers of accumulated bloat and "features" no-one wants, run by dedicated developers who actually listen to their users rather than doing whatever they think is trendy (mostly just cloning Chrome) and forcing it on their users. It'd be like Firefox rising anew from the ashes. They could call it, oh, I dunno, something like "Phoenix". Peter.

Georgi Guninski

11:26 a.m.

On Sun, Sep 06, 2015 at 11:01:39AM +0000, Peter Gutmann wrote:

...

Not to mention their plan to deprecate their extension API, which is the only thing still separating them from actually being Chrome. It looks like there could be a race between them naturally driving their market share to zero before the API-deprecation, or the API-deprecation forcing the issue.

IMHO they will kick the bucket as soon as google stop pouring money in them.

...

What we'd really need is a reboot of the project to take it back to its roots, removing layers and layers of accumulated bloat and "features" no-one wants, run by dedicated developers who actually listen to their users rather than doing whatever they think is trendy (mostly just cloning Chrome) and forcing it on their users. It'd be like Firefox rising anew from the ashes. They could call it, oh, I dunno, something like "Phoenix".

Back to the roots? According to quote: "Roots are the branches down in the earth. Branches are roots in the air -- Stray Birds". If you want the roots, consider spamming Brendan Eich, he has ideas about "expanding JS", which I won't comment. If you ask me, starting from zero is better. Likely, this will require nontrivial amounts of money.

...

From experience, older mozilla code contained dereferencing NULL on purpose, which can only compete with certain openssl's construct I don't quite remember well ATM (it was even funnier).

Cathal (Phone)

12:28 p.m.

TBF, Servo is kind of a total rewrite of exactly the sort the world needs: memory and type safe from the ground up. What Servo needs then (besides 'completion') is a type/memory safe JS engine to replace Gecko, and likewise a LibreSSL-like replacement for OpenSSL. While they've got nothing to lose though, they should go further than a mere reboot. They should resume *leading* FFS, for example by making their JS engine strict by default so they become the go-to development browser again. "If it works on FF it will work anywhere" would be a nice selling point I think. They should also take privacy seriously and totally rethink their funding model. Patreon? Premium versions? I don't care, almost anything but built-in ads and bloatware will do. Baking in P2P in a real way would be nice. WebRTC-based replacement for Bittorrent Sync? Peer to Peer calls using Jitsi instead of (vomit) "Hello"? P2P filesharing and content publication, backed by subscription for "available while I'm offline"? Loads of scope for Mozilla and not enough vision. I hate Google more than what Mozilla are becoming but that doesn't mean I'm proud to use FF. It kills my battery, WebRTC is still broken, and it keeps getting worse. On 6 September 2015 12:01:39 IST, Peter Gutmann wrote:

...

Juan writes:

...
On Sat, 5 Sep 2015 18:35:37 +0300 Georgi Guninski wrote:

...
Likely the mozilla u$a comrades caught the less skilled attackers, not those with r00t access (having in mind what a mess their code is).

Ah, but firefox keeps getting an even cooler GUI every day. How can you not like them?

Not to mention their plan to deprecate their extension API, which is the only thing still separating them from actually being Chrome. It looks like there could be a race between them naturally driving their market share to zero before the API-deprecation, or the API-deprecation forcing the issue.

What we'd really need is a reboot of the project to take it back to its roots, removing layers and layers of accumulated bloat and "features" no-one wants, run by dedicated developers who actually listen to their users rather than doing whatever they think is trendy (mostly just cloning Chrome) and forcing it on their users. It'd be like Firefox rising anew from the ashes. They could call it, oh, I dunno, something like "Phoenix".

Peter.

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

Georgi Guninski

2:20 p.m.

On Sun, Sep 06, 2015 at 01:28:49PM +0100, Cathal (Phone) wrote:

...

TBF, Servo is kind of a total rewrite of exactly the sort the world needs: memory and type safe from the ground up.

Is this one, from mozilla r3s34rch? https://github.com/servo/servo/blob/master/README.md A lot of dependencies I see: On Debian-based Linuxes: sudo apt-get install curl freeglut3-dev \ libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \ gperf g++ cmake python-virtualenv \ libssl-dev libbz2-dev libosmesa6-dev libxmu6 libxmu-dev libglu1-mesa-dev Could point which parts of Servo display jpg/png and render fonts? The above dependencies are provably not memory safe, sorry.

3300

Age (days ago)

3303

Last active (days ago)

List overview

Download

17 comments

10 participants

participants (10)

Alfonso De Gregorio
Cathal (Phone)
Cathal Garvey
Georgi Guninski
John Young
Juan
Peter Gutmann
rysiek
stef
Ulex Europae