Careful with Firefox

Status
Not open for further replies.
Well, I am glad uc50ic4more that you agree with a couple of my suggestions.

If you research some of the previous posts here you will find where I was attacked for daring to suggest that open source software could be attacked and that perhaps malware could even be deliberately put into open source software. When I suggested that a country might be involved in allowing malware to be put into software I was attacked for suggesting that. Some people went on and on about how open source code is available to anybody and how open source code is checked. Well, nobody seemed to be checking the code for add-ons too well at Mozilla.

There has already been state sponsored cyber terrorism. I can think of at least two examples. One was an attack on certain critical computers on the internet.

I take comfort in this: I was proven correct in the end. And some of the people who attacked me can now live with their posts.
 
Well, maybe I am a stick in the mud, SteveC. We will see if you produce those engine photographs.
 
I promise and let this post serve as proof that as soon as I get a chance to do it on an engine that needs it, that I will take before and after pictures and follow the directions as prescribed by ARX.

You have my word! Quoted from StevieC.
_________________________
I think you said the above in a reply, StevieC. Hey, just forget it. Another guy is in the process of posting before and after photographs.
 
Originally Posted By: Mystic
I was attacked personally here when I dared to suggest that open source software could be attacked by malware writers, or malware even deliberately be put into open source software.


Put the flame retardant undies on again!


Any software could have malware code within it. At least with open source code, there are potentially many eyes who can review and audit the code.

No one should think that all Firefox add-ons are perfectly secure. I'd never consider using a Firefox add-on that wasn't well reviewed and well tested. That's just common sense, and that was my policy before anyone "discovered" any possible security breaches.

No matter what OS or browser one is using, one should not just install software willy nilly from questionable sources. That's been an important part of computer security for many years.
 
Quote:

At least with open source code, there are potentially many eyes who can review and audit the code.


This event is actually a vindication of the OSS model and shows its strengths, rather than a condemnation. Mozilla admitted a weakness in their code review process and have already taken steps to mitigate.

Compare this to IE development which appears to suffer from security issues for over 20 years.

This is a dent in the armor (now repaired), not a sky is falling event.

Review the comments provided by Mozilla re: one of the exploits:
http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/
Quote:

Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.
 
Originally Posted By: Mystic
I promise and let this post serve as proof that as soon as I get a chance to do it on an engine that needs it, that I will take before and after pictures and follow the directions as prescribed by ARX.

You have my word! Quoted from StevieC.
_________________________
I think you said the above in a reply, StevieC. Hey, just forget it. Another guy is in the process of posting before and after photographs.


I know I was kidding... I will as soon as I get confirmation I can do it on an engine that needs it!

Although Cronk seems to be beating me to the punch as he already has pics up of his sludgy Chevy engine and he is going to do 2 ARX runs so it might be a waste for me to do it.
 
Originally Posted By: Mystic
Well, nobody seemed to be checking the code for add-ons too well at Mozilla.


This is where, I think, respectfully, you're missing the point: Mozilla does not check squat with community-submitted add-ons; and they say very explicitly that they do not check squat.

If I install some software on my Debian machine from a Debian repository, I feel *very* safe knowing that this software was looked at, tested and compiled by some volunteers who take this stuff very, very seriously (this includes a small handful of Firefox add-ons, by the way!). I also know that installing software from somewhere other than a Debian repository represents some measure of risk; in terms of stability, compatibility and security... Such is the nature of all community-based projects, software or not: The project will have auditing and security measures in place, but things taking place outside of that structure are *caveat emptor*!
 
Originally Posted By: uc50ic4more
Originally Posted By: Mystic
Well, nobody seemed to be checking the code for add-ons too well at Mozilla.


This is where, I think, you're missing the point: Mozilla does not check squat with community-submitted add-ons; and they say very explicitly that they do not check squat.


The responsibility is on the person using Firefox to make sure that the add-ons are safe. They don't take an "Apple" approach and try to control everything.
 
Well, this post was about being careful with Firefox add-ons, so apparently the post is correct. You do need to be careful with Firefox add-ons. Everybody seems to agree with that.

And the facts are there have been problems with Firefox add-ons. Malware was discovered in some, plus a critical security hole. People need to be aware that apparently the websites of Firefox add-on developers are being targeted for attack by malware writers. The worm, Trojan Horse program, and password stealing software had to come from somewhere. They did not come out of nowhere. Heck, malware writers might attempt to write their own add-on and install malware in that software. That may even have happened.

And I think the claim made by many, including several security experts, that Firefox is a more secure web browser than IE has been disproven. Go to the Sophos website and download the white paper on the 10 internet security myths. Go to the Secunia security website and check out how various web browsers compare.
 
StevieC, you do a lot of kidding, don't you. Don't worry-I really don't care if you supply those photographs or not. Cronk is already doing so anyway.

And I think a lot of people are ready to move on anyway.
 
Originally Posted By: Mystic
Well, this post was about being careful with Firefox add-ons, so apparently the post is correct. You do need to be careful with Firefox add-ons. Everybody seems to agree with that.


Absolutely, Mystic; and in addition to agreeing with that, it's also very important to let people *know* about the security vulnerabilities (on sites like this). You're very correct in thinking that a lot of folks just hear that Firefox is "more secure" than IE, and therefore trust anything having anything to do with Firefox implicitly and always, which is a horrendous mistake. When (never "if"!) holes are found, it is usually only computer nerds that find out about them. Mozilla won't patch them and include them with updates: the user is utterly on his/her own to find out and get fixes for add-ons.

Somehow correlating malicious programming, the nature of community-submitted add-ons and the entire ethos of Mozilla's open source development, though, seemed a stretch in your original post; that's all.

Originally Posted By: Mystic
And I think the claim made by many, including several security experts, that Firefox is a more secure web browser than IE has been disproven. Go to the Sophos website and download the white paper on the 10 internet security myths. Go to the Secunia security website and check out how various web browsers compare.


Browser security is a broad enough topic that facts can *always* be spun to favour this or that browser. "Facts" (generated or observed usually by those conducting the tests, who are almost always funded or patronized by someone who'd like those tests to come to specific conclusions...) can be cherry-picked and presented in ways that mislead or misinform; or at least confuse people like (all of) us who wouldn't know how to audit or test the code properly. We need to be skeptical of those who say that browser or OS "A" is better than browser or OS "B" always.
 
Kind of a big dent in the armor-CoolPreviews by itself was being downloaded at a rate of 77,000 copies a week. So many thousands of computers were put at risk. There were 2000 copies of the password stealing software downloaded. How many computers got infected with the worm and the Trojan Horse?

If something like this had happened with some Microsoft software there would have been screams from one side of the internet to the other. Every time a security hole is found in Microsoft software a huge deal is made of it on the internet.

But if something bad happens with open source software it is just a 'dent in the armor.' Somebody somewhere needs to make sure that 'dent' is repaired before it becomes a waterfall.

Firefox now makes up some 10% to 20% of web browsers. And a great many people use Firefox add-ons. Tell me this post was not timely.

And people everywhere need to realize that the evil people are watching for any opening. And they are not just watching Microsoft. Open source software and Mac software is being studied also. A lot of Mac people do not even use an antivirus program.

I think this post was very timely. The post was about the need to be careful with Firefox add-ons and even my biggest critics seem to agree that is important.
 
Well, uc50ic4more, you are one of the few open source people I can agree with very strongly. You make a lot of sense in your posts.

I get turned off by some of the so-called security experts. Most seem to say things like use Firefox rather than IE-Firefox is more secure. And they talk about the vaunted zero day exploit that apparently they think is going to take down the internet.

Actually, no matter what web browser a person is using (IE, Firefox, Google Chrome, Safari, whatever) ANYBODY can be hit with a driveby download of malware. Driveby downloads are probably a much greater threat than a zero day exploit. And driveby downloads are TODAY! And you don't have to visit some dark and evil website in some dark and evil corner of the internet to be hit by that driveby download. A lot of good websites have been poisoned by malware. And things get worse every year. If this keeps up a lot of people will stop using the internet.

I know a woman who has a computer at home but will not use the internet. There are a great many people who visit only a few trusted websites and never explore far into the internet. All of this insanity on the internet could someday spell the end of the internet. Evil people need to be brought to justice. This happens to some degree but the internet is international.

Zero day exploits are dangerous. But even if some zero day exploit did take down the internet (pretty unlikely-for one thing there are many different kinds of servers) the computer people would have the internet back up and running again quickly. Just keeping software updated can help reduce the threats of zero day exploits.

Probably a bigger threat today on the internet is the driveby download. Just using a certain web browser is not going to protect you from a driveby download. Each download can include a worm or Trojan Horse program designed especially for the operating system of the computer being attacked and each worm or Trojan Horse program can be unique.

A lot of security books need to be rewritten. And those books need to be written by somebody who truly understands security and does not have some kind of a grudge against any corporation or operating system.

I myself usually visit only a few websites today. If things get much worse I am going to start using that write protected CD with a compact version of Linux and a web browser on it. Or leave the internet.
 
Originally Posted By: Mystic
StevieC, you do a lot of kidding, don't you. Don't worry-I really don't care if you supply those photographs or not. Cronk is already doing so anyway.

And I think a lot of people are ready to move on anyway.


The lighter side of life is much nicer I feel.
 
It seems to me that add-ons that are accepted by Mozilla should be trusted software. That people should be able to download such software to improve Firefox and not have to worry about a worm or Trojan Horse program, or some kind of password stealing software.

Most people probably feel that if an add-on is made available for download by Mozilla, that add-on is safe to use.

Microsoft makes some kinds of software that are optional-such as Windows Live software. People seem to be able to download Windows Live software and not have to worry about malware being included in the software.

Are we supposed to expect less from Mozilla?
 
Originally Posted By: Mystic
Most people probably feel that if an add-on is made available for download by Mozilla, that add-on is safe to use.


Good point. The main place for folks to get these things *is* at addons.mozilla.org, and for a massive majority of users this implies an endorsement or at least some oversight; yet at the very bottom of the page is this crafty bit of business:

Quote:
Mozilla is providing links to these applications as a courtesy, and makes no representations regarding the applications or any information related thereto. Any questions, complaints or claims regarding the applications must be directed to the appropriate software vendor.


But now that I think about it, Mystic, there should be a clear and obvious explanation when you get to that site that these are NOT MOZILLA PRODUCTS OR PROJECTS.

Originally Posted By: Mystic
Every time a security hole is found in Microsoft software a huge deal is made of it on the internet.


Indeed, and most of us secretly feel good when the Yankees lose, too.

It also *is* a bigger deal when the company that makes the OS, browser and office suite that is in >90% of business and home computers has a hole in it. When security vulnerabilities strike Linux-based OS's, for example, Linux users usually ask their mothers to slide some more food under the basement door and hunker down finding the fix. Mac users will order another $8 coffee in the Starbucks where they're sitting and keep thinking about how beautiful they are until Apple tells them what they should do. Windows users are usually left clueless; partly because of poor communication and partly because most users make the naive assumption that their stuff will just work and don't check security bulletins twice a day.

I do think, though, that it is a credit to the Mozilla folks and the open source development model that this became public immediately and was disclosed to everyone. I think corporations like Microsoft and Apple would have had *nothing* to do with disclosing anything to anyone.

http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/
 
Well, actually I do personally get kind of tired of the Yankees winning all the time. Or for that matter the Red Sox. I kind of like when somebody who has not won the World Series in a long time wins. There is something cool about that. But the guy I work with at work is a diehard Yankees fan and I can't talk like that with him. Not that I have anything against the Yankees or Red Sox. I just like for the underdog to win sometimes. Especially when the Red Sox beat the Rockies.

Some of the other stuff you said is kind of funny too and in some ways true. Stereotypes of course. Not everybody who owns an Apple Computer is rich. But some Apple users do wait for the Mothership to tell them what to think. Not every Windows user is clueless, but enough are so that is one of the reasons for the security issues we do have in the world.

By the way, Mozilla, according to Threatpost, is offering a $3000.00 bounty to anybody who finds major security bugs in the software for their software like Firefox, Firefox Mobile or whatever it is called, and Thunderbird.
 
Originally Posted By: Mystic
And I think the claim made by many, including several security experts, that Firefox is a more secure web browser than IE has been disproven. Go to the Sophos website and download the white paper on the 10 internet security myths. Go to the Secunia security website and check out how various web browsers compare.


Just because a security or antivirus website says something is true doesn't make it true. By their very nature, they are in the business of providing computer security. It's not in the interest of Sophos or Symantec for everyone to run a secure OS and browser. The domination of IE and Windows is what has made these companies their money.

If everyone switched to Linux tomorrow, those companies would be done for, unless they decided to market based upon more smoke and mirrors. As it is, they exaggerate threats, but at least the threats exist.

With respect to Firefox add-ons, as I said before, people have to use common sense, and that's sorely lacking among the average computer user. They use an inherently insecure operating system (Windows) which allows any software package to modify anything in the system (including the registry) and then they download add-ons and other miscellaneous software without having a clue of what they actually do.

It's simple. Do not download unknown software. It's irrelevant as to whether it's open source or proprietary. If it took pundits and security experts this long to realize that Firefox add-ons could present a security risk, perhaps they're in the wrong line of work.
 