2 Years At Mozilla

Exactly 2 years ago today I started work with Mozilla, and it’s been the best two years of my working life! I’ve been thinking for some time about what I might say today; in fact I have been agonizing over it a little bit. So many other Mozillians have made beautifully eloquent posts about their experience. Working at Mozilla has meant a great deal to me and it’s really changed the way I think about myself, my coworkers and my life in general. So many people have helped and encouraged me, and I don’t have the words to thank them all.

When I started working at Mozilla it was a bit of a culture shock. I had just spent four years working for a healthcare company, and coming from that to the open-source world of Mozilla took some getting used to. I initially described it as moving from a closed Stalinist country to classical Athens. Mozilla’s openness really does pervade everything; our community is at the core of what we do. The entire concept has been a joy to work on, and in the next year I hope to extend it further with a bunch of stuff we’re working on to re-engage security contributors.

A special thanks to all the members of the Security Assurance and Security Engineering teams. Everyone has been supportive, helpful and patient with me, as well as teaching me a great deal and giving me a place to grow. I know the future holds many challenges and achievements for us, and I can’t wait to get to work on them. Being a part of this community is more than a job; it’s a purpose that matters!

The Essence of Leadership (a response)

Pascal Finette wrote an interesting blog post the other day on “The Essence of Leadership”. It got me thinking about the subject and what I believe is the core of the matter. Leaders:

  1. Lead themselves first; they accept responsibility for their own growth and progress.
  2. Understand that learning is a lifelong process.
  3. Know that connections matter, and that genuine communication empowers everyone when it shows respect for other people and viewpoints.
  4. Know that legacy matters; how we act today sets the stage for the future.
  5. Treat empowering others as a prime directive for success.

To some degree this is about the difference between management and leadership, but that’s better left for another post.

TSA Waste

Created by: OnlineCriminalJusticeDegree.com

Setting up ZNC on Mozilla People for Limechat

I like using LimeChat for my IRC client, but since I don’t have a way to maintain an always-on connection I was missing information happening in channels we use for work. My coworkers use irssi on their people accounts and ssh in to get the scrollback. Honestly I just don’t like the aesthetics of irssi, and I have invested some time in good themes for LimeChat and getting things just the way I like them. So I dug a bit more, found a bouncer called ZNC and set off to see if I could get it installed.

First I tried to install it directly and that did not work; in fact the commands said they would report my activity to our ops security group (good thing I work with that team). After poking around on our IRC channels I found out ZNC is already installed on our people accounts for Mozilla and I just needed to get a config. The easiest way to do this is to run znc -c (the long form is znc --makeconf); I found the list of options by running znc -? while ssh-ed into my people account.

The interactive setup was pretty easy; if you have set up an IRC client for doing work at Mozilla, a good deal of the setup is the same. The biggest difference is that you have to give the program a port to listen on, and you need to remember that port when configuring your client, be it LimeChat or another. Here are some example choices:

What port would you like ZNC to listen on? (1 to 65535): #
Would you like ZNC to listen using SSL? (yes/no) [no]: yes
Would you like ZNC to listen using ipv6? (yes/no) [no]: no
Listen Host (Blank for all ips):

It will then ask you to set up a user, again pretty easy, then it asks about modules, but I did not set up any of these as I did not see a use. You will need the info for your IRC server (in my case irc.mozilla.org), what port it listens on (6697) and whether it uses SSL (it does). After that it will ask for the channels you want it to be in. Don’t forget to provide the passwords for password-protected channels. Then you can start it up.

The last part of this is setting up your client. You will want to use localhost as your server and the port you set up in your conf, and don’t forget to use SSL. You will also need the username and password you set up during your config. The last part of this that took me a while to figure out was that I had to set up an ssh port forward to localhost. On my OS X box that looks like this (you can make this a permanent alias for convenience): “ssh -L ####:localhost:#### username@people.mozilla.com”, where #### is the port you specified in your config and username is your people account username. Once this is done you can connect your client and you’re off.

I have found that any channels I have joined, not just the ones in my conf, do have scrollback, and other than the server and the ssh redirect, IRC works exactly like a normal connection directly to the Mozilla IRC servers. As such I have only set up ZNC to join channels that are critical for me, and I manage the other channels from my IRC client.

Thanks to bwinton, the team on #IT and my coworkers for sending me down this path.

Thought Snack

“You want free speech? Let’s see you acknowledge a man whose words make your blood boil, who’s standing center stage and advocating at the top of his lungs that which you would spend a lifetime opposing at the top of yours.”

~ The American President (1995)

I’m just going to leave this favored quote of mine here as food for thought.

SOPA Protest

Going dark to protest SOPA see you on the other side.

2011 in review

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

A New York City subway train holds 1,200 people. This blog was viewed about 7,400 times in 2011. If it were a NYC subway train, it would take about 6 trips to carry that many people.


November: A Busy month

So no blogging for a while; it’s been a busy month. In addition to being a family man with 3 kids, being involved in Scouting with my son and just general life, it’s been a month of traveling.

First, I spoke at SkyDogCon 2011 in Nashville, TN on The Neurobiology of Decision Making (youtube). I was the first speaker and it was my first time speaking at a conference; I was very pleased that it was well received. I met SkyDog at DerbyCon 2011, which was my first small con, and I really enjoyed it. I had easily as much fun at SkyDogCon and really enjoyed getting to spend more time with individuals talking about Mozilla, Firefox and other fun topics. It was also great fun hacking the arduino badges and learning how to pick a lock. The staff treated me exceptionally well, and the speakers were a fun bunch to hang out with. I really hope I get a chance to speak again at next year’s con.

The weekend after that I was at MozCamp EU in Berlin, Germany, again as a speaker but more importantly as a member of the Security Team. I really wanted to meet and make some connections with contributors and further the message of “we’re all in this together for the betterment of our users”. It was also a moving experience for me personally: the last time I was in Germany was 1987, and as a 3rd-generation American of German immigrants it was really painful to see Germany divided. I fulfilled a 24-year-old promise to myself to walk beneath the Brandenburg Gate.

From Berlin

Then we have the fall holiday here in the USA known as Thanksgiving. Unfortunately for me I caught some bug in my travels through London and Berlin and was pretty ill. A trip to the Dr. for meds to keep the rest of my family well and not ruin the holiday used up any time before the holiday, and family, geocaching with the kids, socializing and eating ate up the rest of my blogging time.

The rest of my month was taken up by the usual security meetings & Firefox meetings; you know, the get-stuff-built-and-shipped movements.

Thankfully the traveling, meeting, talking and thinking time has left me with many things to talk about. I hope all my readers had as good a month as I did.

OWASP Louisville Meeting Announcement

Meeting: Louisville OWASP – Nov 11th , 11:30 AM – 1 PM

Meeting Location:
Sullivan University Campus, 3101 Bardstown Road, Room 254, Louisville KY 40205 – (about 15 minutes from the airport…on I-264 East)

When you arrive at the University’s main building, drive around past the front visitor’s doors to the parking area on the right side of the Main Building. Room 254 can be accessed via a back stairway near a break area on the back right-hand side of the building, very easy to spot.

Desktop Betrayal: Exploiting Clients through the Features They Demand
In this talk, Tom Eston will explore the use of client features to gain privileged access to client systems. During previous talks around social networks, Tom Eston and fellow security researcher Kevin Johnson discovered that most of the damage they could perform against a target didn’t use an exploit against any vulnerable system. Tom and Kevin were able to create various attacks that made use of features being used on client machines. While this talk will not disclose any vulnerabilities within popular client software, Tom will be releasing multiple attacks that use these clients against their users. Tom will be discussing attacks using JavaScript, HTML5, PDF files, Flash, Data URIs, Web Workers and more. Tom will also discuss code to perform these attacks as well as add-ons to popular tools such as BeEF (Browser Exploitation Framework) that will enable these tools to make use of the attacks.

Tom Eston is the manager of the SecureState Profiling Team. Tom leads a team of highly skilled penetration testers that provides attack and penetration testing services for SecureState’s clients. Tom focuses much of his research on new technologies such as social media, mobile devices and new web technology. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-host of the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups and national conferences including DerbyCon, Notacon, OWASP AppSec, Black Hat USA, DEFCON and ShmooCon.

Microsoft’s Browser Security Website / Marketing

Alright, to start this one off I think I need to do a few housekeeping items:
Disclaimer:
This blog is my opinion, thoughts or whatever you choose to call it. This does not represent the opinion of anyone or any entity other than myself and should not be taken as a position of my employer or the developer community. Yada-yada, you should understand this.

Full Disclosure
I currently work for Mozilla, the group/movement behind Firefox. I have also worked in the past for Microsoft.

Ok, now let’s get started. Microsoft launched a site called yourbrowsermatters.org, and right off the bat my first issue is that they did this under a .org banner, which to most people means some nice non-profit is doing this, as that is what .org addresses are for. In my opinion, this is an attempt to hide the true backer of the site, Microsoft. Yesterday when this site showed up it had a nice Windows flag style icon on the bottom (today, Oct-12-2011, this is gone). Unlike most Microsoft sites, the Microsoft and Azure items are at the bottom and quite small. Nor does the methodology page (http://yourbrowsermatters.org/docs/methodology.pdf) mention Microsoft. The site does use a “Metro-style” interface, and unless users are familiar with it that means little to them. Likewise the methodology doc has the same layout as many Microsoft docs, but again, unless you are familiar with them I doubt one would notice this. So right off the bat this began to tickle my thinking.

Also, this site does not really test anything. It takes the User-Agent string from the browser (which can be changed) and returns a pre-built answer for that string. How do I know? Well, I used the User Agent Switcher add-on for Firefox to try this out, and just by switching this string I get different answers. So they could just as easily have produced a chart that showed what they think the outcome is. Also keep in mind this is for Windows only; it does not give a score for other operating systems or OS protection models.

My take
ghacks.net did a nice write-up on this as well; since it covers some of this nicely, I suggest you read the analysis there, as I don’t want to be repetitive on certain aspects.

So let’s take a look at the whole criteria:

Category: Dangerous Downloads

  1. Does the browser help protect you from websites that are known to distribute socially engineered malware?
    • This is a rehash of the NSS Labs Socially Engineered Malware Report; on its face this is a semi-interesting report, but I think it’s also somewhat skewed. I am still working my way through all of this report, but my first concern is around making claims with the fixed versions used in the report (Apple® Safari® 5, Google Chrome™ 12, Windows® Internet Explorer® 9, Mozilla® Firefox® 4, Opera™ 11) but using that to infer about newer versions (namely Firefox 4 ≠ Firefox 7 in capability). Our current rapid release process allows us to make all kinds of changes, and using a static set to make an inference about something newer is just not something I can support.
    • Yes, there are going to be differences between SmartScreen in Windows and StopBadware used by others, but to think they would be this large seems off to me; again I need to do more analysis of the methodology. Also, why Firefox and Chrome would be so different in results when using the same list is something that bears more analysis.
  2. Does your browser provide a distinct warning when you download an application that is of higher risk but not yet confirmed as malware?
    • So no, Firefox does not have this capability today, and we are looking into adding it. What is it? Well, you take the hash of the file being downloaded; if it’s known to be a problem you tell the user, and if you don’t know, you tell the user. This could be good for users if you actually know something, or if they don’t really understand what they are downloading.
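The hash-based download check described above, written out as an added example (this is not Firefox code, nor any browser vendor's implementation): the file is hashed with SHA-256 after the download completes and the digest is looked up in a known-bad and a known-good list; anything in neither list is the "higher risk but not yet confirmed" case, which is where the distinct warning belongs. The two lists and the sample files are constructed here so that it runs offline; a real client would consult a reputation service instead.

```python
import hashlib
import tempfile
from typing import Iterable, Literal, Set

Verdict = Literal["block", "allow", "warn"]


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large downloads are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_download(digest: str, known_bad: Iterable[str], known_good: Iterable[str]) -> Verdict:
    """Three outcomes: known bad -> block, known good -> allow, unknown -> warn.

    The 'warn' branch is the "higher risk but not yet confirmed as malware" case
    from the criteria: the user is told the file is unknown, not that it is safe.
    """
    if digest in set(known_bad):
        return "block"
    if digest in set(known_good):
        return "allow"
    return "warn"


# Constructed sample "downloads" and reputation lists (assumptions, not real data).
SAMPLE_BAD = b"constructed sample: pretend this is a known-bad installer"
SAMPLE_GOOD = b"constructed sample: pretend this is a known-good installer"
SAMPLE_NEW = b"constructed sample: something nobody has seen before"
KNOWN_BAD_SHA256: Set[str] = {sha256_of_bytes(SAMPLE_BAD)}
KNOWN_GOOD_SHA256: Set[str] = {sha256_of_bytes(SAMPLE_GOOD)}


def check_bytes(data: bytes) -> Verdict:
    """Classify an in-memory download against the constructed lists."""
    return classify_download(sha256_of_bytes(data), KNOWN_BAD_SHA256, KNOWN_GOOD_SHA256)


def check_file(path: str) -> Verdict:
    """Classify a download that has already been written to disk."""
    return classify_download(sha256_of_file(path), KNOWN_BAD_SHA256, KNOWN_GOOD_SHA256)


if __name__ == "__main__":
    # Write the unknown sample to a temp file to exercise the streaming path.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_NEW)
        tmp_path = tmp.name
    for label, verdict in (("bad", check_bytes(SAMPLE_BAD)),
                           ("good", check_bytes(SAMPLE_GOOD)),
                           ("unknown file", check_file(tmp_path))):
        print(f"{label}: {verdict}")
```

The check has to run on the completed file, before it is opened or executed; hashing a partial download would classify the wrong bytes. A hash match only tells you the file is byte-identical to something on a list, so the "warn" outcome is the honest answer for everything else, which is the point the post makes about only claiming what you actually know.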

Category: Phishing Sites

  1. Does the browser have a feature that can help protect you from phishing sites?
    • Everyone gets marks for this as we all have something, so let’s move along.

Category: Attack on your browser and its plug-ins

  1. Does the browser have the ability to restrict an extension or a plugin on a per site basis?
    • This is a point of contention; only IE gets points here. Our plugin model is directly comparable, and this is a relatively important feature. Practically speaking it’s only “more secure” if plugins default to OFF and you let users build up a whitelist, which is NOT what IE does. Chrome sort of does (yes for Java, no for Flash). We definitely have a different extension model. Compare Greasemonkey, where each installed user script has a default list of sites/pages it applies to but the user can manage that list. Given that extensions and plugins are very different, how does one really rate this?
  2. Does the browser have a system for auto updating browser extensions?
    • This is one spot where Chrome and Firefox have a feature that IE currently does not.

Category: Effective Sandbox

  1. Does the browser process utilize Windows Protected Mode or implement a similar mechanism such that browser processes cannot modify parts of the system that it doesn’t have access to?
    • As far as I can tell this is a literal use of the Windows Protected Mode, and no Firefox is not using this today for a variety of reasons.
  2. Does the browser extend the sandbox such that it cannot read data from parts of the system that it doesn’t have access to?
    • See #1
  3. Does the browser benefit from Windows operating system features that protect against arbitrary data execution?
    • We do this, why this does not show up for some Firefox UA strings on this site I don’t know.
  4. Does the browser benefit from Windows operating system features that randomize the memory layout to make it harder for attackers to find their target?
    • See answer to 3.
  5. Does the browser benefit from Windows operating system features that protect against structured exception handling overwrite attacks
    • So according to the criteria doc link for this one, this is talking about /SAFESEH; odd that we don’t get a tick here, as we do this on our Windows builds.
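Items 3 to 5 in this category (DEP, ASLR and /SAFESEH) are all properties a vendor sets at link time, so the useful check is on the shipped binary rather than on a User-Agent string. The following is an added example, not code from Mozilla or from the yourbrowsermatters.org site: it reads the DllCharacteristics field of a PE optional header and reports the DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE, HIGH_ENTROPY_VA) opt-in flags, plus NO_SEH and GUARD_CF. The flag values and header offsets are from the PE/COFF specification. /SAFESEH is recorded separately, in the Load Config directory's SEHandlerTable, and is not parsed here. A minimal header is constructed in `build_test_image` so the example runs offline; it is not a loadable binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # ASLR opt-in (image can be relocated at load)
NX_COMPAT = 0x0100         # DEP opt-in (data pages not executable)
NO_SEH = 0x0400            # image uses no structured exception handlers at all
GUARD_CF = 0x4000          # Control Flow Guard


def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too small to hold DllCharacteristics")
    opt = coff + 20                              # start of the optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return dll_chars


def mitigation_report(image: bytes) -> dict:
    """Map the flag bits to the mitigations a reviewer would look for."""
    dc = read_dll_characteristics(image)
    return {
        "dep": bool(dc & NX_COMPAT),
        "aslr": bool(dc & DYNAMIC_BASE),
        "high_entropy_va": bool(dc & HIGH_ENTROPY_VA),
        "no_seh": bool(dc & NO_SEH),
        "cfg": bool(dc & GUARD_CF),
    }


def report_file(path: str) -> dict:
    """Run the report against an on-disk PE file (e.g. a browser's .exe or .dll)."""
    with open(path, "rb") as f:
        return mitigation_report(f.read())


def build_test_image(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal PE header (assumed test fixture, not a loadable binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224          # standard sizes incl. data directories
    machine = 0x8664 if pe32plus else 0x14C      # AMD64 / I386
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE|32BIT)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_test_image(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF, pe32plus=True)
    legacy = build_test_image(0)
    print("hardened:", mitigation_report(hardened))
    print("legacy:  ", mitigation_report(legacy))
```

Pointing `report_file` at each binary in a browser's install directory gives the answer the criteria doc is asking about for DEP and ASLR, for any build of any browser, without trusting a User-Agent lookup. The flags are opt-ins, not guarantees: a process can still lose ASLR benefit if it loads a single non-relocatable DLL, which is why the check should cover plugins and helper libraries as well as the main executable.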

Category: Attacks on Websites

  1. Does the browser automatically block insecure content from secure (HTTPS) pages?
    • They are giving points for mixed content handling.
  2. Does the browser filter out scripts on the client to help protect against Cross-Site Scripting (XSS) attacks?
    • I think I can concede on this one, even though we do have this feature landing soon.
  3. Can the browser sanitize HTML to remove potentially problematic code?
    • They are giving points for their own ToStaticHTML API usage; we’ve looked at it, but there is no agreement that this is the correct way to help protect against web developers doing potentially dangerous things.
  4. Does the browser have features that websites can take advantage of to help protect you from Cross Site Request Forgery attacks, also known as “Click Jacking”?
    • So we all get points for something that is really two different things: CSRF is not also known as Clickjacking, so this one just confuses me. In fact these two items require very different mitigations.
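To make the distinction in item 4 concrete, here is an added example (not code from any browser or from the criteria doc) showing the two mitigations side by side in a toy request handler. CSRF is defended at the request level with a token the browser does not send automatically: here a synchronizer-style token derived from the session id with an HMAC under a server-side key, compared in constant time. Clickjacking is defended at the response level by forbidding framing with the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers. The `Request`/`Response` classes, the `/settings` path and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Per-deployment secret (constructed at import for the example; a real server
# would load it from configuration and keep it off the client entirely).
SECRET_KEY = secrets.token_bytes(32)

# Clickjacking mitigation: response headers that forbid framing this site.
ANTI_CLICKJACK_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def csrf_token_for(session_id: str) -> str:
    """CSRF mitigation: a token bound to the session that only our own pages embed."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time check; a missing token is simply invalid."""
    if not presented:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), presented)


@dataclass
class Request:
    method: str
    path: str
    session_id: str            # what the session cookie resolves to; sent automatically
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def handle(request: Request) -> Response:
    """Toy handler: the settings page embeds a token, the settings POST requires it."""
    headers = dict(ANTI_CLICKJACK_HEADERS)      # every response refuses to be framed
    if request.method == "GET" and request.path == "/settings":
        token = csrf_token_for(request.session_id)
        body = ('<form method="post" action="/settings">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<input name="email"><button>Save</button></form>')
        return Response(200, body, headers)
    if request.method == "POST" and request.path == "/settings":
        # A cross-site form post carries the cookie (so session_id is valid) but
        # cannot read our page to learn the token, so this check fails for it.
        if not csrf_token_valid(request.session_id, request.form.get("csrf_token")):
            return Response(403, "CSRF token missing or invalid", headers)
        return Response(200, "settings updated", headers)
    return Response(404, "not found", headers)


if __name__ == "__main__":
    sid = "session-abc"                         # constructed session id
    forged = handle(Request("POST", "/settings", sid, {"email": "attacker@example"}))
    print("cross-site POST without token:", forged.status, forged.body)
    page = handle(Request("GET", "/settings", sid))
    token = csrf_token_for(sid)
    legit = handle(Request("POST", "/settings", sid, {"csrf_token": token, "email": "me@example"}))
    print("same-site POST with token:", legit.status, legit.body)
    print("framing headers on every response:", page.headers)
```

Note that neither mitigation covers the other: the token does nothing against a page that frames the real site and tricks the user into clicking the real Save button, and the framing headers do nothing against an auto-submitted cross-site form, which is why scoring them as one item says little about either.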

Bottom Line
So if we look at the “output”, no browser has a “perfect” score; they all have things missing. The great disappointment here for me is that this could have been a very good site to help encourage users who are on any older platform to pick a more modern one for safety; instead this has been warped into what I perceive as a marketing tool to promote IE. This was best said by Maxim on the browserupgrade@list.otalliance.org list:

I’m disappointed that Microsoft is using similar language to OTA’s Why Your Browser Matters campaign to serve as a marketing tool to pitch IE as superior to other browsers. The goal of this campaign was supposed to be to get people to upgrade older browsers to newer browsers, not to push one browser over another.

It’s particularly frustrating that Microsoft misrepresents Firefox as not protecting users from social engineering malware sites. This is patently untrue.

Regards,
Maxim

I shall now get off my soapbox for the time being.
