Black Hat 2008: What’s next for Firefox security

Mozilla security chief [Window Snyder] made some surprising announcements about Firefox Next, Mozilla’s next major browser overhaul. In her talk at the Black Hat security conference, she introduced three new initiatives focused on threat modeling, training, and vulnerability metrics. For the threat modeling initiative, she has hired Matasano Security consultants to review Firefox’s code for weaknesses and recommend mitigations to protect the browser from attacks. Hiring outside reviewers isn’t unusual in itself; what is unusual is that the results will be released to the public once the work is done. The training initiative will have IOActive trainers working with Mozilla engineers on secure programming practices. At the end, according to [Snyder], online versions of the classes will be released to the public, along with the class materials. The last initiative, security metrics, is already in progress. The goal is to move the focus away from patch-counting and provide a better assessment of security and vulnerability issues. [Snyder] says, “We’re in the early phase, working on incorporating feedback from the rest of the industry.” She also revealed some further Firefox developments, including possibly incorporating NoScript into the core browser and implementing protected mode, but they’re still a long way from becoming standard features.

Comments

  1. cb says:

    Whoa, noscript in the core? That would be seriously awesome and bypass some of the dance the extension has to do to get it to work (though ff3 improved things). I wonder if they’re going to make adblock+ features more integrated — blocking things from known-bad and user-defined hosts would be much easier that way. in fact, that could replace the first few extensions that I install before I actually use the browser…

  2. gunpowder says:

    She’s kind of cute. :)

  3. joesph-walton says:

    uh… black hat?
    more like black face… am i rite?

  4. TJHooker says:

    @joesph-walton: congratulations, you’re a racist.

    This chick can overflow my buffers any time..

    This chick is hot like fajita meat..

    ..Goes to start bug hunting in Mozilla code…

  5. jenzo says:

    @tjhooker: congratulations you are a sexist, and both of you are douchebags.

  6. Anonymous says:

    identifying race is racist. thank you. this is useful information.

  7. Schlens says:

    Uh… seriously: What role does the race play here? If you said “None”, you got it right.

    Now, adding security is a good thing. But IMHO the mozilla project should also pay attention to quite some other things, e.g. stability, speed, memory consumption, protection against badly written extensions and plugins, proper multithreading, …

  8. TJHooker says:

    @Anonymous/#5: Identifying a black person as “black face” isn’t racist, under any context? Wow, I need to go retake linguistics if that isn’t racist.

  9. anonymous says:

    [tjhooker]: she has a pretty and black face, and those are valid observations. your objection is inappropriate.

    what you seem to be objecting to is the _mention_ of and idea of consciousness about skin color, spurred by a common-sense connection between article title and picture. you call that racist, despite the lack of any judgment on any property of the person so far beside the compliment.

    this isn’t vaudeville “black face” impersonation. this isn’t that context. in another context, calling you a canine would be a prelude to violence and showing the sole of my foot a disgusting display of disrespect.

    any physical response can be justified if intent is deemed equivalent to imaginary offense. however, they are not the same. so until you actually _ask_ whether [joesph-walton] had ulterior meanings, try not assigning some of your own for irrelevant purposes.

  10. miked says:

    an attractive young female that knows code? the odds are good that the goods are odd.

  11. TJHooker says:

    The person directly associated it with the fact “black” was in the name of the event she attended, and then followed it with “more like black face… am i rite?”.

    This isn’t rocket science, or even advanced linguistics.

    I’d like to throw down some triple syllable words to really set it in stone, but it’s just racism under every context of ever written and spoken language. Excusing it is kind of instigating trolling and repetitive explanations of core language skills.

  12. Matasano Security is the firm that ‘accidentally’ leaked the DNS exploit details on their blog and then pulled it down and apologized, saying they meant to “only post it after someone ELSE leaked it”, right?

    great…now firefox is gonna get a LeakThis! button right next to the Home button that autoposts stuff from your email account to your blog with no confirmation.

  13. krautinator says:

    Who the hell cares.

    She’s more of a mocha color.

    Diversity fucking rules, I’m sure any of you would drink her up like a hot lil’ latte, so quit talking shit.

    Putting aside testosterone, why the hell hasn’t this happened sooner lol?

  14. TJHooker says:

    I was bored. That’s the only reason I pointed it out. Seeing people excuse something so obvious was what made me make more responses.

    She’s the co-founder of one of the consultant firms they’re bringing in.

  15. anonymous says:

    “but it’s just racism under every context of ever written and spoken language”

    You’re in fucking outer space. Are there no black people there? Must not be, or you’d have heard things in unbigoted context.

  16. TJHooker says:

    @13: How the hell is this bigotry?

    Like I said this isn’t advanced linguistics. The way they phrased it doesn’t fit any other context. If it does then please enlighten me on what that is, using the whole context, and not just a fragment.

    Like I said, the context is so blunt/obvious that by conjuring excuses you’re doing nothing but trolling; frivolously at that.

  17. TJHooker says:

    @14: I agree, I did use too much sexual innuendo.

    Too bad political correctness isn’t used on ALL things politically incorrect here. I’m sure you calling me out on my first post is a bit hypocritical given stuff you’ve posted on the net before.

  18. anonymous says:

    oh, now racism isn’t bigotry. i need to update my dictionary, it was published before 1984.

  19. TJHooker says:

    @17: Perhaps go back to grade school and take literature classes, or even introduction to English, too.

    I was clearly addressing the “or you’d have heard things in unbigoted context” statement towards me.

    What’s funny is you actually in turn agreed that racism is being used, but sadly due to your poor interpretation/reading skills you labeled me as a racist (hopefully it won’t be terrorist next).

  20. Almost_There says:

    Did anyone else notice that FireFox’s Security Chief is a Fox?

  21. They should really take a peek at some of the work Ronald van den Heetkamp has done with Opera and javascript wrappers…

  22. Wwhat says:

    I don’t want NoScript in Mozilla’s hands; it’s better that it’s independent and constantly tweaked by enthusiasts rather than in the control of Google-lovers who might have an interest in, at some point, allowing some stuff we the users would not want to allow.
    Once too much is under some central control, the road to disaster is nicely paved.

  23. NORINE says:

    I’ve started looking all around for this specific information. Fortunately my partner and I noticed it on Msn.
