Black Hat 2008: What’s next for Firefox security

Mozilla security chief [Window Snyder] made some surprising announcements about Firefox Next, Mozilla’s next major browser overhaul. In her chat at the Black Hat security conference, she introduced three new initiatives that focused on threat modeling, training, and vulnerability metrics. For the threat modeling initiative, she’s hired Matasano Security consultants to review Firefox’s code for weaknesses and recommend mitigation tactics to protect the browser from hacker attacks. This isn’t inherently unusual; what is abnormal is that the information, once the work is done, will be revealed to the public. The training initiative will have IOActive trainers working with Mozilla engineers on secure computer programming practices. At the end, according to [Snyder], online versions of the classes will be released to the public, along with the class materials. The last initiative revolves around security metrics, and is already in progress. Essentially, the project will ideally take the focus off of patch-counting and provide a better assessment of security and vulnerability issues. [Snyder] says “We’re in the early phase, working on incorporating feedback from the rest of the industry.” She also reveals some more Firefox developments, including possibly incorporating NoScript into the core browser and implementing protected mode, but they’re still a long way from becoming standard features.

Black Hat 2008: French hacking failure

French reporters at Black Hat crossed the line when they sniffed fellow reporters’ login info on the designated “safe” wired network. Proud of their handiwork, they were nabbed when they tried to get their spoils posted on the wall of sheep, which is used to publicly post attendees’ credentials. It turns out that monitoring communications without informing one of the parties involved is a felony, so although it is legal to sniff convention goers’ login info with their knowledge, hacking reporters covering the event is a no-no. An FBI agent we ran into commented that in his experience, they’d probably just turn it over to the local US attorney’s office to see if they wanted to proceed with an investigation.

We’re in the Defcon press room today and there’s still a buzz about these “sleazy” French reporters. We’re tunneling through our cell connection like any sane person at a security conference.

USB wall charger

[rbhays] did this sweet little hack back in 2006. He took a Motorola cellphone wall charger and modified it into a USB wall charger. He needed to charge his iPod, but misplaced the original charger. A replacement would have cost him $30. So he did what any respectable hacker would do, he cut up something else to make it work for him.

He had one sitting around that was equipped with a mini USB end. He checked it out and it was the perfect voltage. Some commenters below the project noted that their Motorola charger had a higher voltage rating than his. Those would still work, but would require some extra steps to bring the voltage down.

After some careful soldering, and a bit of super glue, he’s left with a perfectly good wall charger. He can charge most things that only use the juice from the wall. Some things refuse to charge though, such as Zunes. There was another project by [Cvesey] that claims to charge Zunes as well. While wall chargers may be available fairly cheaply now, many of us have some of these cellphone chargers just sitting around. Now we have a use for them.