Mozilla and Security
Tuesday March 28th, 2000
Nothing like a little rhetoric to get you hopping in the morning. The latest comes from someone called AP, who made a submission to Slashdot regarding a discussion currently going on in n.p.m.security. In it, he states that the Mozilla team is contemplating limiting access to security bugs, implying that the team is substituting obscurity for security. He fans the flames by asking, "Are Mozilla developers missing the point of open source (implying open security bugs) or are they under pressure from Netscape?"
If you read the discussion thread titled "Security bugs and disclosure" in n.p.m.security, you will see that the discussion is not exactly what AP portrayed: mozilla.org members are actually having a serious discussion about disclosure, security and Open Source. This is what Open Source is about, people! What kind of access would you have to this kind of discussion if the process were closed? Open Source isn't just about open code; it's about open discussion as well. And mozilla.org has provided ample opportunity for discussion regarding practically every level of the development process. The fact that AP came across this discussion at all proves that the process is adequately open.
If you have opinions regarding this, you should feel free to post them in the security newsgroup, but please read the previous posts in the thread, because they are reasonable posts from people who are trying to do the right thing.
Well, some people are dumb, and the Internet just gives them a medium on which it is easier to get heard. But you can't do anything other than fan the flames right back at them, accuse them of being a Microsoft employee, or do IP tracing to find out who they are and sue them for slander.
#5 Re: First Response
by regex <email@example.com>
Tuesday March 28th, 2000 9:22 AM
Things like these anonymous, undocumented accusations (mozilla team && security reporting) are generally a waste of time. And of course the first thing I would do is check the slashdot access.logs and start doing IP tracing ...jk. No really, please, people, to benefit the community, our community, if you make statements like this, say where on earth you got this idea. Otherwise you look like an idiot. To the mozilla team: to shut up idiots like this in the future, just reply with a 5-line response saying "You're a complete idiot, go back to efnet #cgi where you belong" in so many words... cheers! ms
#2 The answer is PARTICIPATION
Tuesday March 28th, 2000 8:14 AM
I just love /. posters. I don't think I saw a single post there rated a 2 or better from someone who had contributed anything to mozilla. I don't think I've even seen any of those names in the npm newsgroups. What a waste of time. I gotta stop reading /.
(you know it - posted with 032708 nightly)
Normally, I read Slashdot once or twice a week, when I know I have an hour or two to waste. I used to do it every day, then got fed up and stopped.
I think it's a neat news resource, but you definitely have to watch out for trolls (or whatever you call 'em) like that AP's submission.
It is a very interesting debate on n.p.m.security, and even on /. there are a few good points. Of course most of the /. posts are redundant or just typical "zealot" responses.
Hyatt and the rest on the thread seem to have a good solution.
As I said in the newsgroup, it's vital that the people having this extremely sensible discussion (who seem to be coming to the right conclusion, as well) don't get deflected by abuse/Slashdot weenie zealotry.
There is no point in revealing security bugs to anyone who has no familiarity at all with the Mozilla codebase - how could they possibly track down something faster than people who know it inside out? Restricting access is fine - we just need to work on the details of _who_.
#9 It's not _who_ you know...
by silent_node <firstname.lastname@example.org>
Tuesday March 28th, 2000 5:02 PM
Well, I'm sorry Gerv is missing the point. If someone lacks the familiarity with the Mozilla codebase to track down "something", then those with that familiarity will beat the know-nothings to the *glory*.
You can't reasonably restrict access to those who know, because there's no sure test to see who those people are. You can crow all you want about the proficiency of those who "know it inside out", and I'm sure rightfully so, but if you wish to reap the benefits of open-source then you can't restrict access.
#12 Re: Let's not get deflected...
by bambamm20 <email@example.com>
Tuesday April 25th, 2000 7:37 AM
This is a very arrogant and un-open-source statement that you just made. If they release the security bugs to the public, people will be aware of what is going on and how they are vulnerable in the first place. Second of all, releasing the security bugs allows thousands upon thousands of programmers to look over and scrutinize the source code... You don't have to write the code to understand it. How do you think the LINUX kernel developed over the years? Do you really think they were familiar with the kernel source code......Nope, they looked over it and contributed to it, helping make it stronger and more secure, and stable at that. So all the talk of only the one who wrote it being able to understand it is pure sensationalism. I say free the source and the bugs; we have a right to know, and we also have a right to fix it (open-source). If the bugs aren't released and the public is not made aware, I say it is no different from IE, where the user knows none of its vulnerabilities and can't do anything about them, because they have to wait till the bureaucrats get around to fixing it. Release it, I say. Best thing to do.
#7 You don't need a schematic to slash a tire
Tuesday March 28th, 2000 1:33 PM
Some people don't get it. Cracking is easy. Always will be. If you can think in complete sentences and paragraphs you can crack.
And as for the revealing of bugs: if you couldn't describe the bug, you couldn't know it exists. Therefore your assumption that few people could understand the issues is false. If you present the bug, qualified people will understand it. How many Mozilla non-developers would download the code in the first place? The code is 20MB, the binary only 5-7MB. It doesn't make sense not to disclose.
Why do you assume the population is made of incompetent FOX potatoes?
Open Source is Open Hardware applied to software. Why is that so hard to understand?
99% of those who contribute to slashdot in the forums cannot code - the evidence is in the posts. The code is there, and they cannot understand it. While I do not understand much of the code, at least I don't ask netscape to hold my hand with it like /.ers do.
#10 Re: slashdot sucks (moderated -1)
by silent_node <firstname.lastname@example.org>
Tuesday March 28th, 2000 5:17 PM
-1 to your karma for being a Troll with a stick up his a**!
99% of your contribution on the subject of SlashDot is worthless. The 1% that is good is based on the fact that at least your post is short.
#13 We Should get the source and the bugs!
by bambamm20 <email@example.com>
Tuesday April 25th, 2000 8:19 AM
As an advocate for the open-source movement I do have to say that releasing the bugs is the best option. The end user should be made aware of where and how he is vulnerable. The end user should also be able to fix and tailor the code to fix these "bugs". Hey all, let's get a grip here for a second. Open source is all about open source: an equal playing field. Only making a selected few aware of where the security bugs are makes a solution to the bugs much more distant; if you release the information, then you can have thousands upon thousands of coders looking for a solution to the bugs. As they say, the more the merrier. More people being able and empowered to fix what is wrong with the product brings about a better turnaround time. The solution will come much faster; eventually someone out there will come across the proper solution and contribute it to the project. As someone said before, it doesn't take much to hack; it really doesn't take much to punch a PHAT security hole in a browser. Not to self-incriminate myself or something, but IE is still pretty vulnerable, and yes, there are solutions for the "big hole", yet I don't know the source code so I can't fix it and contribute it to them. Same goes for netscape; it is vulnerable too. Exploits for security breaches are easy to develop even without knowing what to exploit. In response to someone's comment a couple of messages ago: someone mentioned that only the ones who wrote the source code can understand it. I think that is total misinformation and propaganda on that person's part. Most likely all that person does is surf the web and knows nothing about coding. To make this a point, anyone can contribute to MOZILLA. This is why: it is modular. In other words it is broken up into several pieces which work together, so if a programmer one day decides to look at the code and wants to adjust something to make it function better, he can.
That was the problem with netscape: it was sloppy code all slapped together; no one knew the right side up or down. That is why they decided to start from scratch! Now a good programmer can come and look at it and make adjustments without much effort. Another note on this subject is that this is what the open-source community is all about: being able to volunteer code that is helpful. So that is a minus for that member, who I won't mention, who stated that only the person who wrote the program can understand it. Just the opposite, guy! And on that notion, that is one of the cornerstones of open source: being able to view code and change it to suit you if you understand how to program. Free The BUGS, empower the end user.
I'm running the latest Linux mozilla build, and clicking on 'news:' links doesn't produce the expected result but instead pops up a box saying it's trying to download a file of type message/rfc... Until this is fixed, would it be possible for MozillaZine to also link to the dejanews archive containing the specified thread?